In my Android project, I am using the dependencyCheckAnalyze Gradle command to check for dependency vulnerabilities.
I am currently seeing this error message through Circle CI, and it gives me a build failure.
One or more dependencies were identified with known vulnerabilities in 'one of the modules in my android project':
guava-28.1-android.jar (pkg:maven/com.google.guava/guava@28.1-android, cpe:2.3:a:google:guava:28.1:*:*:*:*:*:*:*) : CVE-2020-8908
jsoup-1.13.1.jar (pkg:maven/org.jsoup/jsoup@1.13.1, cpe:2.3:a:jsoup:jsoup:1.13.1:*:*:*:*:*:*:*) : CVE-2021-37714
kotlin-analysis-intellij-1.4.32.jar\META-INF/maven/com.google.protobuf/protobuf-java/pom.xml (pkg:maven/com.google.protobuf/protobuf-java@2.6.1, cpe:2.3:a:google:protobuf-java:2.6.1:*:*:*:*:*:*:*) : CVE-2021-22569
kotlin-analysis-intellij-1.4.32.jar\META-INF/maven/log4j/log4j/pom.xml (pkg:maven/org.jetbrains.intellij.deps/log4j@1.2.17.1, cpe:2.3:a:apache:log4j:1.2.17.1:*:*:*:*:*:*:*) : CVE-2020-9488, CVE-2022-23307
work-runtime-2.5.0.aar: inspector.jar\META-INF/maven/com.google.protobuf/protobuf-javalite/pom.xml (pkg:maven/com.google.protobuf/protobuf-javalite@3.10.0, cpe:2.3:a:google:protobuf-java:3.10.0:*:*:*:*:*:*:*) : CVE-2021-22569
Dependency-Analyze Failure:
One or more dependencies were identified with vulnerabilities that have a CVSS score greater than '10.0': CVE-2022-23307
I think this might be mainly because of the log4j (transitive) dependency.
Does anybody have any idea what causes this error and how I can fix this build failure?
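The failure comes from the plugin's CVSS threshold check, so the usual fix is to set `failBuildOnCVSS` deliberately in the `dependencyCheck {}` block of build.gradle and, for findings that have been reviewed, point `suppressionFile` at a suppression file that records the decision. The file below is an added example, not part of the original question; the file path, the `until` date and the wording of the notes are assumptions, and the package URL and CVE identifiers are those printed in the report above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- config/dependency-check-suppressions.xml (path is an assumption)
     Referenced from build.gradle as:
       dependencyCheck {
           failBuildOnCVSS = 7.0f
           suppressionFile = "config/dependency-check-suppressions.xml"
       }
     Each <suppress> is scoped to one package URL and named CVEs, with an
     expiry so the decision is revisited instead of silently living forever. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- log4j 1.2.17.1 pom embedded in kotlin-analysis-intellij-1.4.32.jar.
         Suppress only the listed CVEs, only for this artifact, and only until
         the review date; anything else in the report still fails the build. -->
    <suppress until="2023-06-30Z">
        <notes><![CDATA[
        Reviewed <date>: the log4j entry is reported from a pom.xml inside the
        Kotlin analysis tooling jar, not from a library packaged into the app.
        Re-check when kotlin-analysis-intellij is upgraded. (assumed rationale)
        ]]></notes>
        <packageUrl regex="true">^pkg:maven/org\.jetbrains\.intellij\.deps/log4j@1\.2\.17\.1$</packageUrl>
        <cve>CVE-2020-9488</cve>
        <cve>CVE-2022-23307</cve>
    </suppress>

</suppressions>
```

Findings that are reachable at runtime (for example a library the app actually ships) should be upgraded rather than suppressed, and the report will show the entry as "suppressed" rather than dropping it, so the audit trail stays visible.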