Workflow failed: OWASP dependency check (daily) (#892)

[github-actions]

See OWASP dependency check (daily) #892.

[MilovdZee]

Has to do with CVE-2024-57699. This is a high-risk issue and so a patch is needed quickly. Please fix this.

[jeanbisutti]

@MilovdZee

json-smart is a transitive dependency: Application Insights -> Azure Identity -> msal4j -> json-smart

Our usage of the json-smart library doesn't accept any user input.

So, we don't think that the Application Insights Java agent can be impacted by this CVE.

We will update the more recent version in the next release.

[trask]

related: AzureAD/microsoft-authentication-library-for-java#905

[github-actions]

See OWASP dependency check (daily) #893.

[github-actions]

See OWASP dependency check (daily) #894.

[github-actions]

See OWASP dependency check (daily) #895.

[MilovdZee]

Thanks. Very annoying for us as I can't override our pipeline to accept this. So I can't deploy my service due to this. Even though there actually is no issue.
I'll investigate within the organization for a solution.
Thanks for the update anyway.

[github-actions]

See OWASP dependency check (daily) #896.

[gyula-kelemen]

@jeanbisutti
Now the CVE-2025-24970 also appeared in our trivy scan. Are you affected by this?
Your OWASP scan has not reported it yet, but you are on an affected version: #4077

(update: fix wrong mention)

[MilovdZee]

@gyula-kelemen I don't know anything about that

[gyula-kelemen]

@gyula-kelemen I don't know anything about that

Ahh, sorry wrong tag.

[github-actions]

See OWASP dependency check (daily) #897.

[github-actions]

See OWASP dependency check (daily) #898.

[github-actions]

See OWASP dependency check (daily) #899.

[github-actions]

See OWASP dependency check (daily) #900.

[github-actions]

See OWASP dependency check (daily) #901.

[github-actions]

See OWASP dependency check (daily) #902.

[github-actions]

See OWASP dependency check (daily) #903.

[github-actions]

See OWASP dependency check (daily) #904.

[github-actions]

See OWASP dependency check (daily) #905.

[MilovdZee]

There is a new version of json-smart. So it is very easy to fix. If not forced then I also see that Msal4j is updated. Probably for this but I did not check that. Also azure-identity seems to be updated.

[github-actions]

See OWASP dependency check (daily) #906.

[jeanbisutti]

@jeanbisutti Now the CVE-2025-24970 also appeared in our trivy scan. Are you affected by this? Your OWASP scan has not reported it yet, but you are on an affected version: #4077

(update: fix wrong mention)

@gyula-kelemen #4077 will be included in our next release

[github-actions]

See OWASP dependency check (daily) #907.

[github-actions]

See OWASP dependency check (daily) #908.

[github-actions]

See OWASP dependency check (daily) #909.

[github-actions]

See OWASP dependency check (daily) #910.