# ksp
Hello my people! We run an OWASP dependency analyzer. According to this analyzer, the KSP plugin and the room-ksp have a vulnerability:
```
room-compiler-processing-2.4.3.jar (pkg:maven/androidx.room/room-compiler-processing@2.4.3, cpe:2.3:a:processing:processing:2.4.3:*:*:*:*:*:*:*) : CVE-2018-1000840
symbol-processing-1.7.10-1.0.6.jar (pkg:maven/com.google.devtools.ksp/symbol-processing@1.7.10-1.0.6, cpe:2.3:a:processing:processing:*:*:*:*:*:*:*) : CVE-2018-1000840
symbol-processing-api-1.7.10-1.0.6.jar (pkg:maven/com.google.devtools.ksp/symbol-processing-api@1.7.10-1.0.6, cpe:2.3:a:processing:processing:*:*:*:*:*:*:*) : CVE-2018-1000840
```
Am I correct that we can safely ignore this? I assume the generated code will not be affected by this. (we are building an Android application so we care mostly about runtime safety)
We are not using processing in our code, might be a transitive dependency. And yes, generated code won’t be affected by this.
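A triage aid for findings like the ones quoted in this thread, added here as an example and not part of the original messages or of any scanner's code: it parses each report line and compares the CPE vendor and product with the Maven group and artifact from the package URL. The function names and the three labels are hypothetical, and the comparison is a heuristic that only tells a reviewer which matches rest on a shared name token, not whether a finding is exploitable.

```python
import re

# Finding lines exactly as quoted in the thread above.
REPORT = """\
room-compiler-processing-2.4.3.jar (pkg:maven/androidx.room/room-compiler-processing@2.4.3, cpe:2.3:a:processing:processing:2.4.3:*:*:*:*:*:*:*) : CVE-2018-1000840
symbol-processing-1.7.10-1.0.6.jar (pkg:maven/com.google.devtools.ksp/symbol-processing@1.7.10-1.0.6, cpe:2.3:a:processing:processing:*:*:*:*:*:*:*) : CVE-2018-1000840
symbol-processing-api-1.7.10-1.0.6.jar (pkg:maven/com.google.devtools.ksp/symbol-processing-api@1.7.10-1.0.6, cpe:2.3:a:processing:processing:*:*:*:*:*:*:*) : CVE-2018-1000840
"""

# jar (pkg:maven/<group>/<artifact>@<version>, cpe:2.3:<part>:<vendor>:<product>:...) : <CVE>
LINE = re.compile(
    r"^(?P<jar>\S+) \(pkg:maven/(?P<group>[^/]+)/(?P<artifact>[^@]+)@(?P<version>[^,]+), "
    r"cpe:2\.3:[aoh]:(?P<vendor>[^:]+):(?P<product>[^:]+):[^)]*\) : (?P<cve>CVE-\d{4}-\d+)$"
)


def tokens(name):
    """Split a Maven group or artifact id on '.', '-' and '_'."""
    return [t for t in re.split(r"[.\-_]", name.lower()) if t]


def parse(report):
    """Return one dict per finding line; lines in another shape are skipped."""
    matches = (LINE.match(line.strip()) for line in report.splitlines())
    return [m.groupdict() for m in matches if m]


def classify(finding):
    """Label how closely the CPE identity agrees with the Maven coordinates."""
    vendor_in_group = finding["vendor"].lower() in tokens(finding["group"])
    product = finding["product"].lower()
    artifact = finding["artifact"].lower()
    if vendor_in_group and artifact == product:
        return "coordinates-match"   # vendor and product both line up
    if not vendor_in_group and artifact != product and product in tokens(artifact):
        return "name-token-only"     # only a word in the artifact id matched
    return "partial"                 # some agreement; needs a closer look


if __name__ == "__main__":
    for f in parse(REPORT):
        print(f"{f['cve']}  {f['group']}:{f['artifact']}  "
              f"cpe={f['vendor']}:{f['product']}  ->  {classify(f)}")
```

All three findings from the thread come out as `name-token-only`: the CPE vendor `processing` appears in neither `androidx.room` nor `com.google.devtools.ksp`, and the product is just one word of each artifact id.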