Our vulnerability scanner is flagging a vulnerability in org.codehaus.plexus:plexus-utils, and it looks like it is being pulled in transitively via this library.
https://github.com/Flagsmith/flagsmith-java-client/blob/main/pom.xml#L105-L109
```
> ./gradlew :dependencyInsight --dependency org.codehaus.plexus:plexus-utils --configuration compileClasspath

org.codehaus.plexus:plexus-utils:3.2.1
\--- org.apache.maven:maven-artifact:3.6.3
     +--- compileClasspath (requested org.apache.maven:maven-artifact:{strictly 3.6.3})
     \--- com.flagsmith:flagsmith-java-client:8.1.1
          +--- compileClasspath
```
Two questions:
- Is this library required for run time?
- Is the expectation that consumers pin this version to a newer one?
I also suspect it's flagging what is possibly a false positive, but of course, since the scanner flags it, people are complaining.
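One way a consumer can answer the first question for their own build and act on the second, as an added example (this is not code from the flagsmith-java-client project): a Gradle dependency constraint raises the transitive plexus-utils version without adding a direct dependency, and a second dependencyInsight run against runtimeClasspath shows whether the artifact is on the runtime classpath at all. The version string is a placeholder assumption; no specific fixed version is claimed here.

```groovy
// build.gradle (Groovy DSL). Added example, not part of the flagsmith-java-client project.
// "3.x.y" is a placeholder: substitute whichever plexus-utils release your scanner
// reports as unaffected. Nothing here asserts which version that is.

plugins {
    id 'java-library'
}

repositories {
    mavenCentral()
}

dependencies {
    implementation 'com.flagsmith:flagsmith-java-client:8.1.1'

    // A constraint participates in conflict resolution for the transitive
    // org.codehaus.plexus:plexus-utils edge (flagsmith -> maven-artifact -> plexus-utils)
    // and records the reason in dependencyInsight output, so reviewers see why it exists.
    constraints {
        implementation('org.codehaus.plexus:plexus-utils') {
            version { require '3.x.y' }   // placeholder version, see note above
            because 'vulnerability scanner finding on the version pulled in via maven-artifact'
        }
    }
}

// Before pinning, check whether the artifact is even on the runtime classpath;
// the report in the issue above only inspected compileClasspath:
//
//   ./gradlew dependencyInsight --dependency org.codehaus.plexus:plexus-utils --configuration runtimeClasspath
//
// After adding the constraint, rerun the same command: the resolved version line should
// show the constrained version together with the "because" text, and the original
// 3.2.1 request from maven-artifact listed as the losing candidate.
```

If the build also declares `org.apache.maven:maven-artifact` with `strictly`, as the insight output above suggests, that strict constraint applies only to maven-artifact itself; plexus-utils still needs its own constraint to move.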