
Vulnerability checking on Maven packages



  • Currently running Version 2025.17 (Build 20) of ProGet.

    Do we have something configured wrong, or does the vulnerability checking not work well for Maven packages and the weird version sorting that these use?

    For example, if I look at version 2.21.0 for com.fasterxml.jackson.core:jackson-databind, it shows a huge list of vulnerabilities for this version, but the vulnerability details show that these vulnerabilities are for versions that are older than 2.21.0.

    2.21.0 doesn't seem to have any vulnerabilities itself, but due to the version sorting it seems to be getting associated with lots of old vulnerabilities.

    Is there any way for us to resolve this issue, or is the vulnerability checking basically unusable for these Maven packages?

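To illustrate the sorting problem the post describes, here is an added example (not the poster's code and not ProGet's implementation) that matches a version against "fixed in" boundaries two ways: plain string comparison versus a simplified Maven-style numeric comparison. The advisory names and fixed-in versions are constructed for illustration, not real jackson-databind advisory data.

```python
import re

# Constructed "fixed in" boundaries; a version is affected when it sorts below the fix.
# These are NOT real advisories for jackson-databind.
CONSTRUCTED_ADVISORIES = [
    ("advisory-A", "2.9.10.8"),
    ("advisory-B", "2.12.7.1"),
    ("advisory-C", "2.13.4.2"),
]

def _tokens(version: str):
    # Simplified Maven ordering: numeric parts compare numerically, a qualifier
    # such as "rc1" sorts below the plain release, trailing ".0" is insignificant.
    out = []
    for part in re.split(r"[.\-]", version.strip()):
        if part.isdigit():
            out.append((1, int(part), ""))
        else:
            out.append((0, 0, part.lower()))
    return out

def compare_versions(a: str, b: str) -> int:
    ka, kb = _tokens(a), _tokens(b)
    pad = (1, 0, "")  # missing trailing components behave like ".0"
    n = max(len(ka), len(kb))
    ka += [pad] * (n - len(ka))
    kb += [pad] * (n - len(kb))
    return (ka > kb) - (ka < kb)

def affected_lexicographic(version: str, fixed_in: str) -> bool:
    # The failure mode: character-by-character ordering puts "2.21.0" below "2.9.10.8".
    return version < fixed_in

def affected_maven(version: str, fixed_in: str) -> bool:
    return compare_versions(version, fixed_in) < 0

def matching_advisories(version: str, affected) -> list:
    return [name for name, fixed in CONSTRUCTED_ADVISORIES if affected(version, fixed)]

if __name__ == "__main__":
    for v in ("2.21.0", "2.9.5"):
        print(v, "string sort:", matching_advisories(v, affected_lexicographic))
        print(v, "maven sort: ", matching_advisories(v, affected_maven))
```

With string ordering, 2.21.0 is wrongly flagged for the old boundary and 2.9.5 is wrongly cleared, so both false positives and false negatives follow from the same sorting defect.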

