Open
Labels: dependencies (Pull requests that update a dependency file)
Description
Hey,
We're enabling Xray scans for all our RPMs and it doesn't seem to like some JHOVE dependencies:
https://nvd.nist.gov/vuln/detail/CVE-2023-2976
https://nvd.nist.gov/vuln/detail/CVE-2024-25710
https://nvd.nist.gov/vuln/detail/CVE-2024-26308
https://nvd.nist.gov/vuln/detail/CVE-2020-8908
I'm not super familiar with Java packaging, but the above components do seem to be used as some external dependencies:
vagrant@almalinux ~/github/jhove/jhove-latest (integration)
$ strings resources/packs/pack-JHOVE\ External\ Modules | grep guava
META-INF/maven/com.google.guava/PK
META-INF/maven/com.google.guava/guava/PK
META-INF/maven/com.google.guava/failureaccess/PK
META-INF/maven/com.google.guava/listenablefuture/PK
META-INF/maven/com.google.guava/guava/pom.properties%
META-INF/maven/com.google.guava/guava/pom.xml
META-INF/maven/com.google.guava/failureaccess/pom.properties
META-INF/maven/com.google.guava/failureaccess/pom.xml
META-INF/maven/com.google.guava/listenablefuture/pom.xml
META-INF/maven/com.google.guava/listenablefuture/pom.properties%
META-INF/maven/com.google.guava/PK
META-INF/maven/com.google.guava/guava/PK
META-INF/maven/com.google.guava/failureaccess/PK
META-INF/maven/com.google.guava/listenablefuture/PK
META-INF/maven/com.google.guava/guava/pom.propertiesPK
META-INF/maven/com.google.guava/guava/pom.xmlPK
META-INF/maven/com.google.guava/failureaccess/pom.propertiesPK
META-INF/maven/com.google.guava/failureaccess/pom.xmlPK
META-INF/maven/com.google.guava/listenablefuture/pom.xmlPK
META-INF/maven/com.google.guava/listenablefuture/pom.propertiesPK
vagrant@almalinux ~/github/jhove/jhove-latest (integration)
$ strings resources/packs/pack-JHOVE\ External\ Modules | grep commons-compress
META-INF/maven/org.apache.commons/commons-compress/PK
META-INF/maven/org.apache.commons/commons-compress/pom.xml
META-INF/maven/org.apache.commons/commons-compress/pom.propertiesK,*
META-INF/maven/org.apache.commons/commons-compress/PK
META-INF/maven/org.apache.commons/commons-compress/pom.xmlPK
META-INF/maven/org.apache.commons/commons-compress/pom.propertiesPK
Can those be updated to the fixed versions?
Cheers, Juho
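The `strings | grep` run above only shows that guava and commons-compress artifacts are embedded somewhere in the pack; it does not show which versions, and the version is what decides whether the four CVEs apply. The following is an added example, not code from the issue author or from the JHOVE project. It reads the `META-INF/maven/<groupId>/<artifactId>/pom.properties` entries that Maven writes into every jar, either through `zipfile` when the input is itself a zip/jar (recursing into nested jars), or by carving zip local file headers out of an arbitrary blob, which is what `strings` was approximating and which works as long as the container stores the jars uncompressed (an assumption about the pack format; the fact that the entry names are visible to `strings` is consistent with it). The `MIN_FIXED` thresholds are my reading of the linked advisories and are an assumption to confirm against NVD; `build_sample_jar` and `build_sample_pack` are constructed inputs so the script runs offline.

```python
#!/usr/bin/env python3
"""List the Maven coordinates bundled in a jar, or in a blob that embeds jars
(an installer pack, for example), and flag any below a minimum version.

Added example for this issue, not JHOVE project code. The thresholds in
MIN_FIXED are an assumption taken from the linked advisories; confirm them
against NVD before acting on a finding.
"""
import io
import re
import struct
import sys
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"          # zip local file header signature
POM_RE = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.properties$")

# groupId:artifactId -> first version assumed to carry the fix (assumption)
MIN_FIXED = {
    "com.google.guava:guava": "32.0.0",               # CVE-2020-8908, CVE-2023-2976
    "org.apache.commons:commons-compress": "1.26.0",  # CVE-2024-25710, CVE-2024-26308
}


def parse_pom_properties(text):
    """Parse the key=value lines Maven writes into pom.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def version_key(version):
    """'31.1-jre' -> (31, 1); '1.26.0' -> (1, 26, 0). Qualifiers are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version.split("-", 1)[0]))


def carve_pom_properties(blob):
    """Yield (entry name, text) for each pom.properties whose zip local header
    appears anywhere in blob. Sees jars stored raw inside a container, but not
    jars that the container itself compressed."""
    pos = blob.find(LOCAL_SIG)
    while pos != -1 and pos + 30 <= len(blob):
        # local header: version, flags, method, mtime, mdate, crc, csize, usize, nlen, xlen
        _, _, method, _, _, _, _, usize, nlen, xlen = struct.unpack_from(
            "<HHHHHIIIHH", blob, pos + 4)
        name = blob[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        data = pos + 30 + nlen + xlen
        if POM_RE.match(name):
            if method == 0 and usize:                  # stored entry
                yield name, blob[data:data + usize].decode("utf-8", "replace")
            elif method == 8:                          # raw deflate; sizes may live in a
                d = zlib.decompressobj(-15)            # data descriptor, so stream to EOF
                out = d.decompress(blob[data:data + (1 << 20)])
                if d.eof:
                    yield name, out.decode("utf-8", "replace")
        pos = blob.find(LOCAL_SIG, pos + 4)


def iter_pom_properties(blob):
    """Walk a zip/jar, recursing into nested jars; otherwise fall back to carving."""
    bio = io.BytesIO(blob)
    if not zipfile.is_zipfile(bio):
        yield from carve_pom_properties(blob)
        return
    with zipfile.ZipFile(bio) as zf:
        for info in zf.infolist():
            if POM_RE.match(info.filename):
                yield info.filename, zf.read(info).decode("utf-8", "replace")
            elif info.filename.lower().endswith((".jar", ".zip", ".war")):
                yield from iter_pom_properties(zf.read(info))


def audit(blob, min_fixed=MIN_FIXED):
    """Return sorted (groupId:artifactId, version, below_fix) triples. Each
    coordinate is reported once even though a jar names every entry twice
    (local header and central directory), which is why `strings` above
    printed each path twice."""
    seen = {}
    for _, text in iter_pom_properties(blob):
        p = parse_pom_properties(text)
        ga = f"{p.get('groupId', '?')}:{p.get('artifactId', '?')}"
        ver = p.get("version", "")
        fix = min_fixed.get(ga)
        seen[(ga, ver)] = fix is not None and version_key(ver) < version_key(fix)
    return sorted((ga, ver, below) for (ga, ver), below in seen.items())


def build_sample_jar():
    """Constructed sample: a jar bundling an old guava and a fixed commons-compress."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/com.google.guava/guava/pom.properties",
                    "#Generated by Maven\ngroupId=com.google.guava\n"
                    "artifactId=guava\nversion=31.1-jre\n",
                    compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("META-INF/maven/org.apache.commons/commons-compress/pom.properties",
                    "groupId=org.apache.commons\nartifactId=commons-compress\n"
                    "version=1.26.0\n", compress_type=zipfile.ZIP_STORED)
        zf.writestr("com/example/Foo.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_pack():
    """Constructed stand-in for an installer pack: the jar stored raw between
    opaque container bytes, with enough trailing data that it is not a zip."""
    return b"CONSTRUCTED-PACK-HEADER\n" + build_sample_jar() + b"\x00" * (1 << 17)


if __name__ == "__main__":
    target = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pack()
    for ga, ver, below in audit(target):
        print(f"{'BELOW FIX' if below else 'ok       '}  {ga}:{ver}")
```

Run it against the pack file from the issue (`python3 audit_bundled.py "resources/packs/pack-JHOVE External Modules"`) or against the individual jars in an installed JHOVE `lib` directory; with no argument it audits the constructed sample. A coordinate flagged `BELOW FIX` is the one to chase in the build's `pom.xml`, and a coordinate that is absent from the output but visible to `strings` means the container deflated that jar, so the jar itself has to be extracted first.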