OWASP dependency vulnerability check failure

[wenqiglantz]

I ran OWASP dependency vulnerability check on my app, which uses Pact, specifically the following dependency lib.

<dependency>
   <groupId>au.com.dius.pact.consumer</groupId>
   <artifactId>junit5</artifactId>
   <version>4.2.6</version>
</dependency>

The dependency vulnerability check showed the following results, complaining about two dependency libs within au.com.dius.pact.consumer:junit5:4.2.6, any suggestion on how this can be fixed?

[wenqiglantz]

Update: I found out that by upgrading tika-core to version 1.26, the vulnerability check passes for tika-core jar! But for alpn-api, there is no new version since 2016, so this jar remains a vulnerability concern. Suggest to at least upgrade tika-core to version 1.26 in the next version for au.com.dius.pact.consumer:junit5.

[uglyog]

There is not much I can do about alpn-api, that is a transitive dependency of io.ktor:ktor-server-netty. You can try add an exclusion and see if Pact-JVM still works without it (should be ok if you are not using the KTor mock server).

The other option is to raise an issue at https://github.com/ktorio/ktor

[uglyog]

Looks like there is already a issue for it: ktorio/ktor#1307

[uglyog]

4.2.8 is released