Open
Description
I found that you are using a dependency with a CVE. I found the buggy methods of the CVE in the program execution path of your project. To prevent the potential security risks it may cause, I suggest a version update. Here is the detailed information:
Vulnerable Dependency: org.apache.uima : uimaj-core : 2.6.0

Call Chain to Buggy Methods:
Some files in your project call the library method org.apache.uima.cas.impl.XmiCasDeserializer.deserialize(java.io.InputStream,org.apache.uima.cas.CAS), which can reach the buggy method of CVE-2017-15691.
- Files in your project:
  src/main/java/cz/brmlab/yodaqa/pipeline/AnswerHitlistDeserialize.java
- One of the possible call chains:
  - org.apache.uima.cas.impl.XmiCasDeserializer.deserialize(java.io.InputStream,org.apache.uima.cas.CAS)
  - org.apache.uima.cas.impl.XmiCasDeserializer.deserialize(java.io.InputStream,org.apache.uima.cas.CAS,boolean,org.apache.uima.cas.impl.XmiSerializationSharedData,int) [buggy method]
Update suggestion: version 2.10.4
2.10.4 is a safe version without CVEs. From 2.6.0 to 2.10.4, 31 of the APIs (called 115 times in your project) were modified.
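One check a maintainer would want before and after the bump is whether the build actually resolves uimaj-core below 2.10.4, including copies pulled in transitively by other UIMA artifacts. The script below is an added example, not part of this issue or of the YodaQA project. It assumes a Gradle build and parses text shaped like `gradle dependencies` output (Maven's `dependency:tree` output has a similar `group:artifact:version` shape); the dependency tree in the block is constructed for the example, not captured from the project.

```python
"""Added example: report resolved versions of a dependency that are still below
the version the report calls safe. The tree text is constructed to mimic
`gradle dependencies` output (assumption: a Gradle build); it is not from YodaQA."""
import re

SAFE_VERSION = "2.10.4"                 # the report's update suggestion
TARGET = "org.apache.uima:uimaj-core"   # the reported vulnerable coordinate

# Constructed sample, not captured from the real build. The second occurrence
# shows the same artifact arriving transitively via another UIMA module.
SAMPLE_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.apache.uima:uimaj-core:2.6.0
+--- org.apache.uima:uimaj-tools:2.6.0
|    \\--- org.apache.uima:uimaj-core:2.6.0 (*)
\\--- some.other:lib:1.0
"""

# group:artifact:requested, optionally followed by '-> resolved' when Gradle
# upgraded the requested version through conflict resolution or a constraint.
DEP_RE = re.compile(r"([\w.\-]+:[\w.\-]+):([\w.\-]+)(?:\s*->\s*([\w.\-]+))?")


def version_key(v):
    """Turn '2.10.4' into (2, 10, 4) so comparison is numeric; a plain string
    compare would wrongly rank '2.6.0' above '2.10.4'. Non-numeric parts
    (e.g. '-SNAPSHOT') are mapped to -1 rather than raising."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v))


def resolved_versions(tree_text, coordinate):
    """Set of versions the tree resolves for `coordinate`. When a line carries
    'requested -> resolved', the resolved side is what ends up on the classpath."""
    found = set()
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if m and m.group(1) == coordinate:
            found.add(m.group(3) or m.group(2))
    return found


def vulnerable_versions(tree_text, coordinate=TARGET, safe=SAFE_VERSION):
    """Sorted list of resolved versions of `coordinate` still below `safe`."""
    return sorted(v for v in resolved_versions(tree_text, coordinate)
                  if version_key(v) < version_key(safe))


if __name__ == "__main__":
    bad = vulnerable_versions(SAMPLE_TREE)
    print("still vulnerable:", bad) if bad else print("ok, resolved >=", SAFE_VERSION)
```

To run it against the real build, feed it the output of `./gradlew dependencies --configuration runtimeClasspath` instead of the constructed sample. Checking every occurrence matters: bumping the direct dependency is not enough if another module still drags the old version in, and conversely a `2.6.0 -> 2.10.4` line means Gradle has already upgraded that path.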