Description
Hi, @tmendici , I'd like to report a vulnerability issue in click_framework:1.186.
Issue Description
I noticed that com.clickntap:click_framework:1.186 directly depends on com.cathive.sass:sass-java:4.0.0, as shown in the following dependency graph. However, com.cathive.sass:sass-java:4.0.0 suffers from the vulnerabilities which the C library libsass (version 3.3.6) exposed, containing the following 13 CVEs:
CVE-2019-18797, CVE-2019-18798, CVE-2019-18799, CVE-2018-20821, CVE-2018-19838, CVE-2018-19839, CVE-2018-19837, CVE-2018-11698, CVE-2018-11697, CVE-2018-11696, CVE-2018-11695, CVE-2018-11694, CVE-2018-11694.
[Figure: Dependency Graph between Java and Shared Libraries]
Suggested Vulnerability Patch Versions/Solutions
com.cathive.sass:sass-java:4.0.0 has been unmaintained since 2016. AFAIK, io.bit3:jsass:5.10.4, which depends on libsass (version 3.6.4), is secure and may be a replacement solution.
Java build tools cannot report vulnerable C libraries, which may introduce potential security issues into many downstream Java projects. Could you please check this vulnerable dependency?
Thanks for your help~
Best regards,
Helen Parr
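The gap the report describes is that Java build tools see only Maven coordinates, not the C libraries bundled inside a jar. The following added example (not code from the reporter or from click_framework) shows how a maintainer can audit a jar for bundled native binaries and the libsass version string they carry; the jar contents, the file path `linux-x86-64/libsass.so` and the version-string pattern are constructed assumptions, not the actual layout of sass-java.

```python
import io
import re
import zipfile

# Extensions used by native libraries bundled inside jars (JNI / JNA loaders).
NATIVE_SUFFIXES = (".so", ".dll", ".dylib", ".jnilib")

# Assumption: libsass embeds its version as a plain "libsass ... X.Y.Z" string;
# this is an illustrative pattern, not a documented format.
LIBSASS_VERSION_RE = re.compile(rb"libsass[^0-9]{0,16}(\d+\.\d+\.\d+)")


def find_native_libs(jar_bytes):
    """Return the names of native binaries bundled inside a jar (a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return [n for n in jar.namelist() if n.lower().endswith(NATIVE_SUFFIXES)]


def libsass_versions(jar_bytes):
    """Map each bundled native binary to the libsass version strings found in it."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in find_native_libs(jar_bytes):
            versions = sorted({m.decode() for m in LIBSASS_VERSION_RE.findall(jar.read(name))})
            if versions:
                found[name] = versions
    return found


def audit_jar(jar_bytes, fixed_version=(3, 6, 4)):
    """Flag binaries whose libsass version is older than fixed_version (default: the 3.6.4 the report names)."""
    flagged = {}
    for name, versions in libsass_versions(jar_bytes).items():
        old = [v for v in versions if tuple(int(p) for p in v.split(".")) < fixed_version]
        if old:
            flagged[name] = old
    return flagged


def build_sample_jar():
    """Constructed sample jar: one class file plus a fake ELF carrying a libsass 3.3.6 version string."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/Sass.class", b"\xca\xfe\xba\xbe")
        jar.writestr("linux-x86-64/libsass.so", b"\x7fELF" + b"\0" * 16 + b"libsass version 3.3.6\0")
    return buf.getvalue()
```

Running `audit_jar` over the jars in a project's dependency tree gives the native-library report that the Java build tools themselves do not produce.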
