thomasredlin

Results 3 issues of thomasredlin

Like in the examples, we use a suppression rule that suppresses all vulnerabilities below a CVSS score of 7. Our company policy demands that we handle every vulnerability by upgrading...

enhancement

In the main POM and the flexmark-docx-converter POM, there are dependencies on Log4j 1.2.17:

* https://github.com/vsch/flexmark-java/blob/8142f8fb9b15031b99940bddaac6ff466949585d/flexmark-docx-converter/pom.xml#L104-L108
* https://github.com/vsch/flexmark-java/blob/8142f8fb9b15031b99940bddaac6ff466949585d/flexmark/pom.xml#L75-L80

There are several known _critical_ security vulnerabilities, as can be seen here:

* https://mvnrepository.com/artifact/log4j/log4j/1.2.17
* https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Alog4j&cpe_version=cpe%3A%2F%3Aapache%3Alog4j%3A1.2.17...

At the moment the project has multiple dependencies to `org.ini4j` in version `0.5.1`. This library is vulnerable to [CVE-2022-41404](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-41404) with a CVSSv3 Base Score of **HIGH (7.5)**. > An issue...

bug