alpn-api vulnerability

[joan38]

This is more for https://github.com/eclipse/jetty.alpn.api but I can't open an issue there.

The latest version of the API is 1.1.3.v20160715:
https://mvnrepository.com/artifact/org.eclipse.jetty.alpn/alpn-api/1.1.3.v20160715
But it's flagged as vulnerable by https://github.com/jeremylong/DependencyCheck
I understand this is a false positive since I guess it's checking if the version number is greater or so.

Is there any solution to avoid this flagging? Like releasing a newer version?

See: http4s/blaze#235

Thanks

[joakime]

I enabled issues on that other repository ... https://github.com/eclipse/jetty.alpn.api/issues
Feel free to open the issue there (if you want).

I don't see how that is vulnerable, that jar is literally a simple Map and three interface declarations.

[sbordet]

@joakime I closed again the issues for eclipse/jetty.alpn.api, since it's going to be used less and less now that JDK 7 and 8 are going end of life.

@joan38 issue here has been responded in http4s/blaze#235 (comment).

@joan38 it's obvious it's a vulnerability tool mistake, so we won't issue another version of ALPN APIs just to workaround a bug in the vulnerability tool.

[joan38]

All good.
I've reported it on jeremylong/DependencyCheck#1515

Thanks guys.