
My project is importing: implementation 'org.springframework.boot:spring-boot-starter-mail:3.0.6'

My SonarQube OWASP Dependency Scan is reporting vulnerabilities:

app.jar: jakarta.mail-1.0.0.jar (shaded: org.eclipse.angus:angus-core:1.0.0) pkg:maven/org.eclipse.angus/angus-core@1.0.0 HIGH 1 9

app.jar: jakarta.mail-1.0.0.jar (shaded: org.eclipse.angus:angus-mail:1.0.0) pkg:maven/org.eclipse.angus/angus-mail@1.0.0 HIGH 1 9

app.jar: nimbus-jose-jwt-9.22.jar (shaded: net.minidev:json-smart:2.4.8) cpe:2.3:a:json-smart_project:json-smart:2.4.8:*:*:*:*:*:*:* cpe:2.3:a:json-smart_project:json-smart-v2:2.4.8:*:*:*:*:*:*:* pkg:maven/net.minidev/json-smart@2.4.8 HIGH 1 High 31

The CVEs for these: https://nvd.nist.gov/vuln/detail/CVE-2021-44549 https://nvd.nist.gov/vuln/detail/CVE-2023-1370

https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.angus/angus-mail@1.0.0?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1

Is it possible to exclude org.eclipse.angus:angus-mail?

How can I resolve these?

Thank you!
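As an added example (not part of the question or the answer, and not code from the Spring Boot project), the build.gradle fragment below shows the two ways a team usually acts on a finding like this: the exclusion the question asks about, and the alternative of keeping the starter but pinning the flagged transitive artifacts to a fixed release. The plugin block and the `<patched-...>` version placeholders are assumptions; replace them with versions you have checked against the CVE pages linked above.

```groovy
// Added example, not from the question or the answer. Gradle Groovy DSL.
// Assumptions: the Spring Boot plugin version mirrors the starter version in the
// question; the <patched-...> placeholders are NOT values from the page and must be
// replaced with releases you have verified fix the reported CVEs.
plugins {
    id 'java'
    id 'org.springframework.boot' version '3.0.6'   // assumption: same as the starter
}

repositories { mavenCentral() }

dependencies {
    // The starter from the question. org.eclipse.angus:angus-mail and
    // angus-core arrive transitively through it.
    implementation 'org.springframework.boot:spring-boot-starter-mail:3.0.6'

    // Option A: what the question asks about. It removes the artifact, and with it
    // the Jakarta Mail implementation the starter needs, so JavaMailSender will
    // fail at runtime unless another implementation is supplied. Kept commented
    // out here because Option B is the safer way to clear the finding.
    // implementation('org.springframework.boot:spring-boot-starter-mail:3.0.6') {
    //     exclude group: 'org.eclipse.angus', module: 'angus-mail'
    // }

    // Option B: keep the module, but raise the flagged transitive artifacts to a
    // release you have verified. A constraint does not add a dependency; it only
    // changes the version Gradle resolves when the artifact is already present.
    constraints {
        implementation('org.eclipse.angus:angus-mail:<patched-angus-mail-version>') {
            because 'angus-mail 1.0.0 flagged HIGH by dependency-check; see CVE links in the report'
        }
        implementation('net.minidev:json-smart:<patched-json-smart-version>') {
            because 'json-smart 2.4.8 flagged HIGH by dependency-check; see CVE links in the report'
        }
    }
}
```

Before changing anything, `./gradlew dependencyInsight --dependency angus-mail --configuration runtimeClasspath` shows which declared dependency pulls the artifact in and which version actually lands on the runtime classpath; run the same for json-smart. A constraint only affects artifacts Gradle resolves itself: if json-smart is truly bundled inside nimbus-jose-jwt-9.22.jar, as the "shaded:" label in the report suggests, the constraint cannot reach it and the fix is a nimbus-jose-jwt release that ships a fixed json-smart. A finding you have confirmed does not apply to your usage belongs in a dependency-check suppression file keyed on the packageUrl printed in the report, not in a dependency removal.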

1 Answer


I suggest you continue your cartoon and do not remove the module from the project. If such a problem existed, this point would be written in the Maven repository. But now there is no such thing in the Maven repository of this project. Also, if you see the source code of Spring Boot starter mail, there is a dependency on org.eclipse.angus:jakarta.mail in the code, but there is no vulnerability report in the Maven repository. Also you can follow vulnerability reports of Spring Boot here

Soheil Babadi