Copilot Lvl 3
Message 1 of 4

Security Alerts

We tried putting a few entries in pom.xml which have known vulnerabilities, but GitHub shows alerts for only a few of them. For example, Commons Collections 3.2.1 has a known vulnerability, but the alert is not shown for it.

Please advise whether the alerts cover only selected jars or all CVE vulnerabilities.

3 Replies
Community Manager
Message 2 of 4

Re: Security Alerts

Hi @mshadab-adeptia,

Thanks for being here!

GitHub uses the following sources to track vulnerabilities in packages from supported languages:

For more information, see "About maintainer security advisories."

Best,
AndreaG


Copilot Lvl 3
Message 3 of 4

Re: Security Alerts

Hi @AndreaGriffiths11, thanks for your response.

In all the sources used to track vulnerabilities, there are some vulnerabilities that are not getting caught, and those vulnerabilities are listed in the MITRE CVE tool. Is there some automated way to ensure that all reported vulnerabilities are caught? Or is the other option to manually check all of the jar files one by one?

For example, activemq-all (v5.7.0) and commons-collections (v3.2.1) have known vulnerabilities, but it doesn't give alerts for these jars.

https://www.cvedetails.com/cve/CVE-2017-15708/

https://www.cvedetails.com/cve/CVE-2019-0222/

Ground Controller Lvl 1
Message 4 of 4

Re: Security Alerts

I got exactly the same question, because I wondered why there is no alert in my project, which is a small project just for showing vulnerabilities in code, and I also use activemq-all 5.7 and javax.servlet 3.1.1.

There are definitely vulnerabilities in the NIST database, because the OWASP dependency check finds them.
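The automated check the thread asks for, as an added example that is not part of the original posts and is neither GitHub's alerting code nor OWASP dependency-check: parse the `<dependencies>` of a pom.xml (resolving `${property}` placeholders), then match each `groupId:artifactId` and version against an advisory list with OSV-style `[introduced, fixed)` ranges, using a simplified Maven version ordering. The pom.xml and the advisory entries are constructed inline so the script runs offline; the CVE ids are the two cited in the thread, but their affected ranges below are assumed placeholders, not values taken from the CVE records. A real scan would load the advisory list from the NVD, the GitHub Advisory Database or OSV.

```python
"""Match dependencies declared in a Maven pom.xml against a local advisory list.
Added example; not GitHub's or OWASP dependency-check's code."""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml: the two jars named in the thread, one jar with no
# advisory, and a version pinned through a <properties> placeholder.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <activemq.version>5.7.0</activemq.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.activemq</groupId>
      <artifactId>activemq-all</artifactId>
      <version>${activemq.version}</version>
    </dependency>
    <dependency>
      <groupId>commons-collections</groupId>
      <artifactId>commons-collections</artifactId>
      <version>3.2.1</version>
    </dependency>
    <dependency>
      <groupId>javax.servlet</groupId>
      <artifactId>javax.servlet-api</artifactId>
      <version>3.1.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory list in an OSV-like shape: package coordinate plus
# half-open (introduced, fixed) ranges. CVE ids are the ones cited in the
# thread; the ranges are ASSUMED placeholders, not taken from the CVE records.
ADVISORIES = [
    {"id": "CVE-2019-0222", "package": "org.apache.activemq:activemq-all",
     "ranges": [("5.0.0", "5.15.9")]},
    {"id": "CVE-2017-15708", "package": "commons-collections:commons-collections",
     "ranges": [("0", "3.2.2")]},
]


def parse_version(version):
    """Simplified Maven ordering: dot/dash separated, numeric parts compare as
    integers, a textual qualifier (SNAPSHOT, RC1) sorts before numeric parts."""
    return [(1, int(p)) if p.isdigit() else (0, p.lower())
            for p in re.split(r"[.\-]", version)]


def compare_versions(a, b):
    """Return -1, 0 or 1; shorter versions are zero-padded so 5.7 == 5.7.0
    and 5.7-SNAPSHOT < 5.7."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += [(1, 0)] * (width - len(ta))
    tb += [(1, 0)] * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(version, ranges):
    """True if version lies in any [introduced, fixed) range; fixed=None means
    no fixed release is known."""
    return any(compare_versions(version, lo) >= 0
               and (hi is None or compare_versions(version, hi) < 0)
               for lo, hi in ranges)


def load_dependencies(pom_xml):
    """Return [(groupId:artifactId, version)] for <dependencies>, resolving
    ${property} placeholders. A version inherited from a parent or BOM comes
    back empty: the manifest alone cannot resolve it."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    props = {p.tag.replace(ns, ""): (p.text or "").strip()
             for p in root.findall(f"{ns}properties/*")}
    props.setdefault("project.version", root.findtext(f"{ns}version", "").strip())
    deps = []
    for dep in root.findall(f"{ns}dependencies/{ns}dependency"):
        gid = dep.findtext(f"{ns}groupId", "").strip()
        aid = dep.findtext(f"{ns}artifactId", "").strip()
        raw = dep.findtext(f"{ns}version", "").strip()
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)), raw)
        deps.append((f"{gid}:{aid}", version))
    return deps


def scan_pom(pom_xml, advisories):
    """Sorted (package, version, advisory id) for every declared dependency
    whose resolved version falls in an advisory's affected range."""
    by_package = {}
    for adv in advisories:
        by_package.setdefault(adv["package"], []).append(adv)
    findings = []
    for package, version in load_dependencies(pom_xml):
        if not version:
            continue  # unresolved: use `mvn dependency:list` for the effective version
        for adv in by_package.get(package, []):
            if is_affected(version, adv["ranges"]):
                findings.append((package, version, adv["id"]))
    return sorted(findings)


if __name__ == "__main__":
    for package, version, advisory in scan_pom(SAMPLE_POM, ADVISORIES):
        print(f"{package} {version}: {advisory}")
```

Two caveats a practitioner would keep in mind: the script, like a manifest-based alert, sees only the dependencies declared in this pom.xml, so transitive dependencies and versions managed by a parent or BOM need the effective tree (`mvn dependency:tree`) rather than the file; and the match is by exact coordinate, so a bundle jar such as activemq-all, which packages many components under one artifactId, is only matched by advisories filed against that coordinate itself.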