# ktor
d
Hello, I am trying to add the H2 database Gradle dependency to my Ktor project, but I get this error: Dependency mavencom.h2databaseh2:2.1.214 is vulnerable CVE-2022-45868 7.8 Cleartext Storage of Sensitive Information vulnerability with medium severity found CVE-2022-45868 7.8 Cleartext Storage of Sensitive Information vulnerability with medium severity found Results powered by Checkmarx(c)
c
And?
a
This has nothing to do with Ktor or Kotlin. I've noticed the vulnerability too, but the best place to report it would be on H2's GitHub issues page.
The "error" is just a warning, and it's probably safe to continue using the dependency in your test modules.
d
Thank you for your feedback @Andrew O'Hara
a
CVE-2022-45868 has already been discussed in H2's Issues and the general consensus is that it is a "false" vulnerability. https://github.com/h2database/h2database/issues/3686#issuecomment-1333870398
d
Thank you for your message. I have investigated the vulnerability and I can confirm that it is a false positive. The vulnerability is based on the assumption that the password can be obtained by listing processes and their arguments. Thumbs up @andyg
a
Oh man, that last comment by grandinj is quite something. I get it, but corporations have regular people in them too; they don't always have a say in what disqualifies a dependency.
a
Yes it is an unfortunate situation all around. I get his point as well, H2 is a free, open-source project getting by on volunteers (and a very high-quality one). Rebuffing a seemingly-arbitrary vulnerability against a faceless organization does seem like a bit of a waste of time and effort, perhaps it is better to just move forward...