Hi, I was running owasp-dependency-check <https://owasp.org/www-project-dependency-check/> in a java application based on flink-1.13.0 (scala 2.12). scala 2.12.7 was getting flagged for this <https://ossindex.sonatype.org/vulnerability/bd61dd10-4348-45cd-a09e-094e9d588715?component-type=maven&component-name=org.scala-lang.scala-library&utm_source=dependency-check&utm_medium=integration&utm_content=6.1.6> .
Relevant Dependency for this - FO] +- org.apache.flink:flink-streaming-java_2.12:jar:1.13.0:provided [INFO] | +- org.apache.flink:flink-file-sink-common:jar:1.13.0:provided [INFO] | +- org.apache.flink:flink-runtime_2.12:jar:1.13.0:compile [INFO] | | +- org.apache.flink:flink-queryable-state-client-java:jar:1.13.0:compile [INFO] | | +- org.apache.flink:flink-hadoop-fs:jar:1.13.0:compile [INFO] | | +- commons-io:commons-io:jar:2.7:compile [INFO] | | +- org.apache.flink:flink-shaded-netty:jar:4.1.49.Final-13.0:compile [INFO] | | +- org.apache.flink:flink-shaded-jackson:jar:2.12.1-13.0:compile [INFO] | | +- org.apache.flink:flink-shaded-zookeeper-3:jar:3.4.14-13.0:compile [INFO] | | +- org.javassist:javassist:jar:3.24.0-GA:compile [INFO] | | +- org.scala-lang:scala-library:jar:2.12.7:compile Can anyone suggest if flink app is vulnerable to this or can safely be ignored? Thanks
