I recently found an issue that is from a dependency that I added for MFA authentication.
The issue was created by a GitHub app bot for WhiteSource Bolt. I think that this is a CI app for open source projects, but I’m not sure why moqui is using it and how it decided to create this issue.
The issue is about a Java library called JCommander. It's a dependency of a dependency that I added for calculating one-time passwords with TOTP. The fix is as simple as changing a dependency in JCommander from http to https.
The actual build.xml file for the framework directory is here:
// dev.samstevens.totp:totp depends on com.google.zxing:javase which depends on com.beust:jcommander, but an older version with a CVE, so specify latest to fix
compile 'com.beust:jcommander:1.81'
Basically, the dependency that I added depends on com.google.zxing:javase, which depends on com.beust:jcommander:1.81; however, the issue says that the vulnerability is in jcommander version < 1.75, and the security vulnerability is because apparently the totp library is using 1.72.
This is pretty weird, and I haven’t dealt with the gradle package manager much. Does anyone have any tips or suggestions on how to solve this?
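For reference, here is an added example (not the poster's or moqui's own build file) of the two standard Gradle ways to pin a transitive dependency such as the jcommander pulled in by dev.samstevens.totp:totp via com.google.zxing:javase. Gradle's default conflict resolution already picks the highest version requested anywhere in the graph, so a plain direct declaration usually wins; a constraint makes that intent explicit without adding a direct dependency, and `force` overrides every other request. The totp version, the `implementation` configuration and the `:framework` project path are assumptions, not taken from the post.

```groovy
// Added example, not the moqui build file. Assumes Gradle 5+ (dependency
// constraints) and the 'implementation' configuration; the totp version
// below is an assumption.
dependencies {
    implementation 'dev.samstevens.totp:totp:1.7.1'   // assumed version

    // Option 1: a dependency constraint. It raises jcommander to 1.81 only
    // when some other dependency (here zxing:javase) brings it onto the
    // graph, instead of declaring it as a first-level dependency.
    constraints {
        implementation('com.beust:jcommander:1.81') {
            because 'zxing:javase requests an older jcommander; the reported issue is fixed in >= 1.75'
        }
    }
}

// Option 2: force the version in every configuration. This beats any other
// request, including a higher one, so prefer Option 1 unless a hard pin
// is really wanted.
configurations.all {
    resolutionStrategy {
        force 'com.beust:jcommander:1.81'
    }
}
```

Whichever option is used, confirm what actually ends up on the classpath rather than trusting the declared versions, since a scanner may read the POMs of the transitive libraries and not the resolved graph: `./gradlew :framework:dependencyInsight --dependency jcommander --configuration runtimeClasspath` prints every path that requests jcommander and the single version Gradle selected (the `:framework` path is an assumption about the project layout).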