
chore: upgrade appsec kit to 4.0.2 [skip ci] (#8766) (CP: 25.0)#8767

Open
vaadin-bot wants to merge 1 commit into 25.0 from cherry-pick-8766-to-25.0-1776247650275

Conversation

@vaadin-bot
Contributor

This PR cherry-picks changes from the original PR #8766 to branch 25.0.

Original PR description

No description provided in the original PR.


@utafrali left a comment

Routine maintenance PR: bumps appsec-kit-starter from 4.0.1 to 4.0.2 and adds a CVE false-positive whitelist entry for plexus-utils 3.6.1. The changes are minimal and low-risk; the only minor point is that the whitelist description uses uncertain language for a security-sensitive decision.

description: 'This is from a tool we use to generate the sbom.'
},
'pkg:maven/org.codehaus.plexus/[email protected]' : {
cves: ['CVE-2025-67030'],

The phrase "should have the fix" is uncertain language for a security whitelist entry that suppresses a CVE alert. If the advisory at GHSA-6fmv-xxpf-w3cw confirms that 3.6.1 is a fixed version, tighten this to something like "FP: version 3.6.1 includes the fix per GHSA-6fmv-xxpf-w3cw (patched in 3.6.1+)." This makes the rationale verifiable rather than speculative, which is important for audit trails on CVE suppressions.

@github-actions

Dependencies Report

  • 🚫 Vulnerabilities:

    • Vulnerabilities in: pkg:maven/org.apache.tomcat.embed/[email protected] [CVE-2026-34500, CVE-2026-34486, CVE-2026-34483, CVE-2026-34487, BIT-tomcat-2026-34500, BIT-tomcat-2026-34486, BIT-tomcat-2026-34483, BIT-tomcat-2026-34487] (osv-bomber,osv-scan,owasp)
      · cpe:2.3:a:apache:tomcat::::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone14::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone15::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone16::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone17::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone18::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone19::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone20::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone21::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone22::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone23::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone24::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone25::::::
      · cpe:2.3:a:apache:tomcat:11.0.0:milestone26::::::
      · cpe:2.3:a:apache:tomcat:9.0.116:::::::*
      · cpe:2.3:a:apache:tomcat:10.1.53:::::::*
      · cpe:2.3:a:apache:tomcat:11.0.20:::::::*
    • Vulnerabilities in: pkg:maven/tools.jackson.core/[email protected] [GHSA-2m67-wjpj-xhg9] (osv-bomber)
    • Vulnerabilities in: pkg:npm/[email protected] [CVE-2026-39365, CVE-2026-39363, CVE-2026-39364] (osv-bomber,oss-bomber,osv-scan)
    • Vulnerabilities in: pkg:npm/[email protected] [GHSA-5c6j-r48x-rmvq, CVE-2026-34043] (osv-bomber,oss-bomber,osv-scan)
    • Vulnerabilities in: pkg:npm/[email protected] [CVE-2025-64756] (oss-bomber)
    • Vulnerabilities in: pkg:maven/org.apache.tomcat/[email protected] [BIT-tomcat-2026-34500, CVE-2026-34500, BIT-tomcat-2026-34486, CVE-2026-34486, BIT-tomcat-2026-34483, CVE-2026-34483, BIT-tomcat-2026-34487, CVE-2026-34487] (osv-scan)
    • Vulnerabilities in: pkg:maven/org.apache.tomcat/[email protected] [BIT-tomcat-2026-34500, CVE-2026-34500, BIT-tomcat-2026-34486, CVE-2026-34486, BIT-tomcat-2026-34483, CVE-2026-34483, BIT-tomcat-2026-34487, CVE-2026-34487] (osv-scan)
  • 🟠 Known Vulnerabilities:

    • Vulnerabilities in: pkg:maven/me.friwi/jcef-api@jcef-ca49ada%2Bcef-135.0.20%2Bge7de5c3%2Bchromium-135.0.7049.85 [CVE-2024-21639, CVE-2024-21640, CVE-2024-9410] (owasp)
      👌 Wait for the update from the jcefmaven community. Meanwhile, the swing-kit is supposed to be used with fixed websites and not to browse the internet; we have a check for that, so the only possible attacker would be the same person that created the swing application, aka our customer devs. So this vulnerability is not classified by us as a critical issue.
      · cpe:2.3:a:chromiumembedded:chromium_embedded_framework::::::::
      · cpe:2.3:a:ada:ada::::::::
    • Vulnerabilities in: pkg:maven/org.codehaus.plexus/[email protected] [CVE-2025-67030] (owasp)
      👌 FP: based on GHSA-6fmv-xxpf-w3cw, version 3.6.1 should have the fix.
      · cpe:2.3:a:codehaus-plexus:plexus-utils::::::::
  • 📔 No Core License Issues

  • 📔 No License Issues

  • 🟠 Changes in 25.0-SNAPSHOT since V25.0.8

    • 1 packages removed (1 external, 0 vaadin)
    • 43 packages modified (41 external, 2 vaadin)
    • 857 packages same (631 external, 226 vaadin)

