This repository was archived by the owner on Apr 15, 2024. It is now read-only.

ISSUE-2732: [Security] org.inferred:freebuilder:1.14.9 dependency causes Bookkeeper to be flagged for jQuery vulnerabilities #378

Closed
sijie opened this issue Jun 9, 2021 · 0 comments
sijie commented Jun 9, 2021

Original Issue: apache#2732
BUG REPORT

The org.inferred:freebuilder:1.14.9 dependency causes Bookkeeper to be flagged for jQuery vulnerabilities.
This happens in the Sonatype IQ vulnerability scanner, which will also scan embedded js files. For example, it finds jQuery in the path org/inferred/freebuilder/shaded/org/openjdk/tools/javadoc/internal/doclets/formats/html/resources/jquery/external/jquery jquery-1.10.2.js inside the freebuilder jar file.

Expected behavior

Bookkeeper shouldn't expose freebuilder as a dependency at all. It's an annotation processor, which should be defined as an optional dependency in Maven and with compileOnly in Gradle.

@sijie sijie added the type/bug label Jun 9, 2021
@sijie sijie closed this as completed Jun 27, 2021
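As an added example (not taken from the BookKeeper build), the Maven declaration that leaks the annotation processor to every consumer, beside the optional declaration the report asks for:

```xml
<!-- Added example, not the project's own pom.xml. Coordinates are the ones
     named in the report; everything else is an illustrative fragment. -->

<!-- BEFORE: default (compile) scope. Maven propagates compile-scope
     dependencies transitively, so every module depending on this artifact
     also pulls in freebuilder and the jQuery copy shaded inside it, and a
     scanner run on the consumer flags it. -->
<dependency>
  <groupId>org.inferred</groupId>
  <artifactId>freebuilder</artifactId>
  <version>1.14.9</version>
</dependency>

<!-- AFTER: optional. The processor still sits on this module's own compile
     classpath so code generation works, but Maven does not pass an optional
     dependency on to downstream consumers. <scope>provided</scope> has the
     same non-transitive effect and additionally keeps the jar out of any
     packaged artifact. -->
<dependency>
  <groupId>org.inferred</groupId>
  <artifactId>freebuilder</artifactId>
  <version>1.14.9</version>
  <optional>true</optional>
</dependency>
```

The Gradle counterpart is `compileOnly 'org.inferred:freebuilder:1.14.9'` together with `annotationProcessor 'org.inferred:freebuilder:1.14.9'`, neither of which is exported to consumers. To confirm the fix, run `mvn dependency:tree` in a project that depends on the published artifact and check that org.inferred:freebuilder no longer appears.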