liquibase-core contains vulnerable UI libraries.

Description

During our software builds we perform vulnerability checking using this: https://jeremylong.github.io/DependencyCheck/dependency-check-maven

It has highlighted the following vulnerabilities in the embedded UI libraries jquery and bootstrap (in liquibase/sdk/watch).

[ERROR] liquibase-core-3.6.3.jar: bootstrap.js: CVE-2018-14042, CVE-2019-8331, CVE-2018-14041, CVE-2018-14040
[ERROR] liquibase-core-3.6.3.jar: bootstrap.min.js: CVE-2018-14042, CVE-2019-8331, CVE-2018-14041, CVE-2018-14040
[ERROR] liquibase-core-3.6.3.jar: jquery-1.11.0.min.js: CVE-2015-9251, CVE-2019-11358

Would it be possible to either:

  • upgrade to the latest versions (but new vulnerabilities will always appear)

  • remove them from the jar

  • remove them from the jar and move to another optional jar


Each vulnerability can be found at https://nvd.nist.gov/ for example:
https://nvd.nist.gov/vuln/detail/CVE-2018-14042/


For anyone else who uses the dependency checker (>5.0.0), these suppressions will eliminate the errors.
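The reporter's suppression file is not reproduced on this page. The following is an added example, not the reporter's or the Liquibase project's own, of how such a dependency-check suppression file would be scoped to exactly the bundled files and CVEs listed above rather than to the whole liquibase-core jar. It assumes the dependency-check 5.x suppression schema (1.3) and that the report's file path for the extracted files contains the jar name and the JS file name; the filePath regexes and the until date are placeholders to adjust to your own report.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for OWASP dependency-check 5.x (schema 1.3).
     Not the reporter's file. filePath regexes and the until date are assumptions:
     check the path shown in your own dependency-check report and adjust. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- bootstrap.js and bootstrap.min.js bundled in liquibase-core-3.6.3.jar
         (liquibase/sdk/watch). Scoped to these files and these four CVEs only,
         so a vulnerable Bootstrap elsewhere in the build is still reported.
         "until" (placeholder date) forces a re-review instead of a permanent suppression. -->
    <suppress until="2020-12-31Z">
        <notes><![CDATA[
        Bootstrap shipped inside liquibase-core 3.6.3 for the SDK "watch" UI.
        That UI is not served by our application, so the browser-side CVEs do not
        apply to the deployment. Re-review when liquibase-core is upgraded or the
        watch UI is enabled.
        ]]></notes>
        <filePath regex="true">.*liquibase-core-3\.6\.3\.jar.*bootstrap(\.min)?\.js</filePath>
        <cve>CVE-2018-14040</cve>
        <cve>CVE-2018-14041</cve>
        <cve>CVE-2018-14042</cve>
        <cve>CVE-2019-8331</cve>
    </suppress>

    <!-- jquery-1.11.0.min.js bundled in liquibase-core-3.6.3.jar (liquibase/sdk/watch). -->
    <suppress until="2020-12-31Z">
        <notes><![CDATA[
        jQuery 1.11.0 shipped inside liquibase-core 3.6.3 for the SDK "watch" UI;
        same reasoning as the Bootstrap suppression above.
        ]]></notes>
        <filePath regex="true">.*liquibase-core-3\.6\.3\.jar.*jquery-1\.11\.0\.min\.js</filePath>
        <cve>CVE-2015-9251</cve>
        <cve>CVE-2019-11358</cve>
    </suppress>

</suppressions>
```

The file is wired in through the dependency-check-maven plugin's suppressionFiles configuration; suppressing by file path and CVE, rather than by CPE, keeps the same libraries reported if they appear anywhere else in the build.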


Environment

production

Status

Assignee

Unassigned

Reporter

Mark Jeffrey

Labels

None

Affects versions

Priority

Major