Channels
lincheck
kobweb
koalaql
gsoc
kotlin-foundation
decouple
compose-android
hiring-french
benchmarks
china
philippines
ohio-kotlin-users
vankotlin
dublin
canada
nigeria
rhein-main
kodex
hacktoberfest
truth
portugal
romania
argentina
sg-user-group
korean
helsinki
functional
oldenburg
cambodia
vietnam
hungary
colorado
panamá
turkey
kotlin-samples
eclipse
kotlin-by-example
wwdc
denmark
thailand
build-tools
coimbatore
sofl-user-group
kotlintlv
udacityindia
quasar
spanish
kotlinbot
dckotlin
ge-kotlin
vim
croatia
javafx
kotlin-multiplatform-contest
osgi
brikk
revolver
tricity-kotlin-user-group
russian_feed
munich
estatik
karg
kotlintest
french
kotlin-in-action
gui
uae
georgia
kotlinlondon
polish
german-lang
kdbc
kotlin-asia
tampa
brazil
kotlin-logging
nepal
redux-kotlin
reduks
austria
armenia
spacemacs
android-databinding
hamburg
budapest
switzerland
minnesota
jadx
hexagon
boston
malaysia
istanbulcoders
aem
codingame
cucumber-bdd
newname
room
ass
atm17
kakao
cincinnati-user-group
arabic
emacs
karlsruhe
fluid-libraries
amsterdam
libgdx
books
ai
vuejs
talking-kotlin
codemash-precompiler
dsl
kotlingforbeginners
stuttgart
cork
kotlin-szeged
utah
jhipster-kotlin
hibernate
jpa
strikt
macedonia
kovenant
kotlin-fuel
kotlinacademy
prozis-android-backup
reductor
funktionale
realworldkotlin
events
google-io
graviton-browser
scotland
spring-security
domain-driven-design
connect-audit-events
bayarea
pinoy
uk
javalin
re
server
kgen-doc-tools
tempe
pakistan
swiss-user-group
kubed
effectivekotlin
refactoring-to-kotlin
cloudfoundry
kprompt
jshdq
alexa
minutest
code-coverage
geospatial
jasync-sql
russian-kotlinasfirst
juul-libraries
lanark
wimix_sentry
pdx
databinding
slovak
austin
androidgithubprojects
data2viz
introduce-yourself
cobalt
korlibs
script
new-zealand
stlouis
linkeddata
kroto-plus
libkgd
zircon
big-data
pocketgitclient
mirror
moonbean
kong
hamkrest
kaskade
effective-kotlin
arkenv
knote
testing
oolong
hackathons
mu
kotlinx-files
pyhsikal
build
coursera
trójmiasto
anko
speaking
kohesive
vienna
communities
kotson
klock
korim
kotrix
kobalt
korte
arrow-meta
algolialibraries
codeforces
koans
result
ktcc
seattle
japanese
forum
uniflow
korio
jackson-kotlin
koin-dev
helios
io
kash_shell
graphql
kafka
kaal
kotlinx-html
freenode
leakcanary
lambdaworld_cadiz
intellij-tricks
kotlin-csv
bulgaria
kbuild
kloudformation
mpapt
100daysofcode
kmdc
package-search
terminal
kmongo
kotlin-pakistan
inkremental
motionlayout
navigation-architecture-component
strife-discord-lib
general-advice
unkonf
awesome-kotlin
tallinn
machinelearningbawas
leedskotlinusergroup
stayhungrystayfoolish
kotest-contributors
edinburgh
skrape-it
anime
moldova
losangeles
testtestest
kotlin-pune
knbt
godot-kotlin
practical-functional-programming
tensorflow
swagger-gradle-codegen
bazel
100daysofkotlin
fuchsia
rxjava
texas
dev-core
clikt
cli
hyderabad
vkug
kinta
detekt-hint
kotlinultimatechallenge
spotify-mobius
pattern-matching
kotlin-plugin
mumbai
mvrx
cyprus
kotlin-spark
lottie
kontent
metro-detroit
kotlin-beam
kotlick
hoplite
cryptography
androidx
kotlinforbeginners
sudan
appintro
tunisia
kotlin-roadmap
kotlin-mumbai
collaborations
pbandk
competitive-programming
scrimage
kotlindl
fp-in-kotlin
python
memes
rocksdb
docs-revamped
jdbi
rsocket
meetkotlin
hikari-cp
firebase
proguard
popkorn
kmm-español
npm-publish
failgood
rpi-pico
kalasim
swing
forkhandles
compose-ui-showcase
kug-torino
web-mpp
students
kondor-json
deprecated
reports
kotlin-sap
carrat-dev
compose-hiring
carrat
carrat-feed
competitivecoding
jobsworldwide
kotlin-data-storage
skia-wasm-interop-temp
tegal
kotlin-website
couchbase
tgbotapi
videos
java-to-kotlin-refactoring
event21-community-content
twitter-feed
androidx-xprocessing
embedded-kotlin
san-diego
atrium
snake
javadevelopers
klaxon
bangladesh
androidthings
lets-have-fun
training
ecuador
new-mexico
montreal
fb-internal-demo
monsterpuzzle
internships
webrtc
arksemdevteam
image-processing
myndocs-oauth2-server
otpisani
love
rethink
chile
kotlintest-devs
beepiz-libraries
korau
uuid
spin
lychee
ktp
debugging
miami
atlanta
scrcast
kotlinprogrammers
corda
swarm
kotlinmad
india
krawler
fritz2
phoenix
nodejs
stacks
lithuania
dutch
kraph
indonesia
cscenter-course-2016
czech
greece
ukrainian
kotlinconf
teamcity
colombia
cn
nyc
graphkool
uruguay
kweb
singapore
turkiye
graphic
jxadapter
karachi
hongkong
oceania
kotlin-serbia
madrid
spain
kotlinsu
norway
latvia
southafrica
morocco
dfw
algeria
peru
israel
kotlin-latam
barcelona
mexico
sweden
vancouver
belgium
iran
australia
london
bydgoszcz
k2-early-adopters
exposed
meta
spek
confetti
naming
dokka
gamedev
rx
intellij-plugins
compose-mp
language-proposals
hiring
stdlib
coroutines
kodein
codereview
announcements
mockk
scripting
koin
ios
feed
serialization
spring
eap
test
kontributors
random
korge
compiler
detekt
redux
library-development
javascript
tornadofx
kotless
ktlint
kvision
moko
kug-leads
fosdem
refreshversions
hire-me
orbit-mvi
language-evolution
graphql-kotlin
arrow
android-studio
flow
grpc
compose
chucker
ktor
russian
ksp
kotest
reaktive
education
touchlab-tools
mvikotlin
apollo-kotlin
doodle
intellij
kotlinx-datetime
framework-elide
reflect
compose-desktop
jvm-ir-backend-feedback
komapper
gradle
glance
ballast
android-architecture
kgraphql
compose-web
science
ktfmt
chicago
android
micronaut
100daysofkotlin-2021
github-workflows-kt
python-contributors
mathematics
kotlin-inject
compose-wear
splitties
squarelibraries
compose-ios
decompose
realm
dagger
arrow-contributors
kotlin-native
react
vertx
advent-of-code
webassembly
codingconventions
getting-started
kapt
stackoverflow
italian
berlin
opensource
multiplatform
datascience
http4k
Title
d
david dereba
05/24/2023, 9:14 PMHello, am trying to add h2 database gradle dependency to my ktor project but I get this error
Dependency maven:com.h2database:h2:2.1.214 is vulnerable
CVE-2022-45868 7.8 Cleartext Storage of Sensitive Information vulnerability with medium severity found
CVE-2022-45868 7.8 Cleartext Storage of Sensitive Information vulnerability with medium severity found
Results powered by Checkmarx(c)
c
Chris Lee
05/24/2023, 9:41 PMAnd?
a
Andrew O'Hara
05/24/2023, 11:34 PMThis has nothing to do with Ktor or Kotlin. I've noticed the vulnerability too, but the best place to report it would be on H2's Github Issues Page
The "error" is just a warning, and it's probably safe to continue using the dependency in your test modules.
d
david dereba
05/25/2023, 10:00 AMThank you for your feedback @Andrew O'Hara
a
andyg
05/30/2023, 9:19 AMCVE-2022-45868 has already been discussed in H2's Issues and the general consensus is that it is a "false" vulnerability. https://github.com/h2database/h2database/issues/3686#issuecomment-1333870398
d
david dereba
05/30/2023, 9:28 AMThank you for your message. I have investigated the vulnerability and I can confirm that it is a false positive. The vulnerability is based on the assumption that the password can be obtained by listing processes and their arguments. Thumbs up @andyg
a
Andrew O'Hara
05/30/2023, 3:46 PMOh man, that last comment by grandinj is quite something. I get it, but corporations have regular people in them too; they don't always have a say in what disqualifies a dependency,.
a
andyg
05/30/2023, 10:59 PMYes it is an unfortunate situation all around. I get his point as well, H2 is a free, open-source project getting by on volunteers (and a very high-quality one). Rebuffing a seemingly-arbitrary vulnerability against a faceless organization does seem like a bit of a waste of time and effort, perhaps it is better to just move forward...