I recently found an issue that is from a dependency that I added for MFA authentication.
The issue was created by a GitHub app bot for WhiteSource Bolt. I think that this is a CI app for open source projects, but I’m not sure why moqui is using it and how it decided to create this issue.
The issue is about a java library called JCommander. It’s a dependency to a dependency that I added for calculating one time passwords with TOTP. The fix is as simple as changing a dependancy in JCommander from
The actual build.xml file for the framework directory is here:
// dev.samstevens.totp:totp depends on com.google.zxing:javase which depends on com.beust:jcommander, but an older version with a CVE, so specify latest to fix compile 'com.beust:jcommander:1.81'
Basically, the dependancy that I added depends on
com.google.zxing:javase which depends on
com.beust:jcommander:1.81, however the issue says that the vulnerability is in jcommander version < 1.75 and the security vulnerability is because apparently the totp library is using 1.72.
This is pretty weird, and I haven’t dealt with the gradle package manager much. Does anyone have any tips or suggestions on how to solve this?