I’m using release 1.0.5 of Akka Persistence Cassandra and Slick 3.3.3. There are dependencies flagged with high vulnerabilities for these releases. The following dependent jars contain high vulnerabilities:
akka persistence cassandra → io.netty:netty-codec:jar:4.1.52.Final
slick → com.zaxxer:HikariCP:jar:3.2.0
Are there plans to address this?
The following Maven dependency tree traces illustrate the dependency graph.
```text
[INFO] +- com.typesafe.akka:akka-persistence-cassandra_2.13:jar:1.0.5:compile
[INFO] |  \- com.lightbend.akka:akka-stream-alpakka-cassandra_2.13:jar:2.0.2:compile
[INFO] |     +- com.datastax.oss:java-driver-core:jar:4.6.1:compile
[INFO] |     |  +- com.datastax.oss:native-protocol:jar:1.4.10:compile
[INFO] |     |  +- com.datastax.oss:java-driver-shaded-guava:jar:25.1-jre:compile
[INFO] |     |  +- com.github.jnr:jnr-posix:jar:3.0.50:compile
[INFO] |     |  +- org.javatuples:javatuples:jar:1.2:compile
[INFO] |     |  +- io.dropwizard.metrics:metrics-core:jar:4.0.5:compile
[INFO] |     |  +- org.hdrhistogram:HdrHistogram:jar:2.1.11:compile
[INFO] |     |  \- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] |     \- io.netty:netty-handler:jar:4.1.52.Final:compile
[INFO] |        +- io.netty:netty-common:jar:4.1.52.Final:compile
[INFO] |        +- io.netty:netty-resolver:jar:4.1.52.Final:compile
[INFO] |        +- io.netty:netty-buffer:jar:4.1.52.Final:compile
[INFO] |        +- io.netty:netty-transport:jar:4.1.52.Final:compile
[INFO] |        \- io.netty:netty-codec:jar:4.1.52.Final:compile
[INFO] +- com.typesafe.slick:slick-hikaricp_2.13:jar:3.3.3:compile
[INFO] |  \- com.zaxxer:HikariCP:jar:3.2.0:compile
```
Thanks!
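One way to mitigate this in the meantime, as an added example that is not part of the original post and not Akka's or Slick's own configuration: override the flagged transitive versions from the application's own pom.xml. Maven's nearest-wins resolution means a version declared in the application's `<dependencyManagement>` takes precedence over the one the libraries pull in. The property names are assumed, and the version values are placeholders to be replaced with the patched releases your scanner reports as clean.

```xml
<!-- Added example (not from the original post). Pins the two flagged transitive
     jars from the application's own pom.xml. Property names are assumed; the
     version values are placeholders, not real release numbers. -->
<project>
  <properties>
    <!-- placeholder: set to the patched Netty release your scanner accepts -->
    <netty.version>4.1.PATCHED.Final</netty.version>
    <!-- placeholder: set to the patched HikariCP release your scanner accepts -->
    <hikaricp.version>PATCHED</hikaricp.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Netty ships as several artifacts (codec, handler, common, resolver,
           buffer, transport) that must stay on one version. Importing the
           Netty BOM aligns all of them instead of pinning only netty-codec. -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-bom</artifactId>
        <version>${netty.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>

      <!-- HikariCP is a single artifact; pin it directly. -->
      <dependency>
        <groupId>com.zaxxer</groupId>
        <artifactId>HikariCP</artifactId>
        <version>${hikaricp.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

After changing the pom, confirm the override actually took effect with `mvn dependency:tree -Dincludes=io.netty,com.zaxxer` (the tree should now show the pinned versions under alpakka-cassandra and slick-hikaricp) and rerun the vulnerability scanner. Because this swaps a library's tested dependency for a newer one, run the application's integration tests against Cassandra and the database before shipping; a Netty patch release within 4.1.x is normally drop-in, but a HikariCP major-version jump may change behaviour that Slick 3.3.3 relies on.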