Hi @binfalse , hope you are well.
As you may remember, we make use of BiVeS in https://github.com/seek4science/seek . We've recently been reviewing our Docker containers for security issues with trivy, and some critical issues were shown related to BiVeS: com.fasterxml.jackson.core:jackson-databind:jar:2.3.3 and log4j:log4j:jar:1.2.17:compile.
Trivy is easy to install, and you can try yourself within the BiVeS directory with
trivy fs --severity CRITICAL .
I've found it appears easy to fix, and stems back to the jCOMODI jar and its dependency on an old version of jena. It's difficult to submit as a pull request, as the fix is spread across several repositories, but I found that once I updated jena for that package, it built fine and the tests pass. My change was
You would then need to update BiVeS-Core to use the new version of jCOMODI, and then next the packages that rely on BiVeS-Core (which is why it's difficult to provide a PR).
The final step was to update BiVeS itself to use log4j 2, which is easy with a little log4j wrapper library. I also found I needed to include log4j-slf4j-impl for the tests to pass, which I didn't entirely understand, so you might want to double check. The changes I made to that pom.xml were
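The log4j 1.x to 2.x move described in the comment above, shown as a Maven pom.xml fragment. This is an added example, not BiVeS's own pom.xml or the commenter's diff: the "little log4j wrapper library" is assumed to be the official Log4j 2 bridge artifact org.apache.logging.log4j:log4j-1.2-api, which keeps existing org.apache.log4j.* imports compiling without log4j 1.x on the classpath, and the version numbers in the properties block are assumptions chosen only to make the fragment concrete. log4j-slf4j-impl is the SLF4J-to-Log4j 2 binding; jena logs through SLF4J, so without a binding its log calls have nowhere to go, which is the usual reason that artifact is needed at test time.

```xml
<!-- Added example, not the BiVeS pom.xml. Artifact coordinates are real Log4j 2
     artifacts; the version values are assumptions (use the current patch releases). -->
<project>
  <properties>
    <log4j2.version>2.17.1</log4j2.version>   <!-- assumed; any supported 2.x works -->
  </properties>

  <dependencies>
    <!-- BEFORE (the dependency trivy flags as log4j:log4j:jar:1.2.17:compile):
    <dependency>
      <groupId>log4j</groupId>
      <artifactId>log4j</artifactId>
      <version>1.2.17</version>
    </dependency>
    -->

    <!-- AFTER: Log4j 2 API and implementation -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-api</artifactId>
      <version>${log4j2.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-core</artifactId>
      <version>${log4j2.version}</version>
    </dependency>

    <!-- Bridge: code written against org.apache.log4j.Logger keeps compiling and
         logs through Log4j 2, so log4j:log4j 1.2.17 can be dropped entirely. -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-1.2-api</artifactId>
      <version>${log4j2.version}</version>
    </dependency>

    <!-- SLF4J binding: libraries that log via SLF4J (jena does) are routed to
         Log4j 2. Test scope here, matching the comment; make it compile scope
         if the application itself should see that logging at runtime. -->
    <dependency>
      <groupId>org.apache.logging.log4j</groupId>
      <artifactId>log4j-slf4j-impl</artifactId>
      <version>${log4j2.version}</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
```

Two checks worth running after the change: `mvn dependency:tree -Dincludes=log4j:log4j,com.fasterxml.jackson.core:jackson-databind` shows whether any remaining path (for example an un-bumped jCOMODI or jena) still pulls the old artifacts in transitively, and `trivy fs --severity CRITICAL --exit-code 1 .` turns the scan from the comment into a CI gate that fails the build if a critical finding comes back. One caveat: log4j-slf4j-impl binds SLF4J 1.x; a project already on SLF4J 2.x needs log4j-slf4j2-impl instead.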