The security vulnerabilities reported for aaf/authz were from the old repo. We are working on the latest code, which is committed to the aaf repo.
This has been RESOLVED by updating the version; the netty handler is no longer on the report (4/25).
Also reported: "commons-beanutils:1.8.3" and "org.apache.shiro:shiro-core:1.3.2".
httpcomponents is resolved, but "commons-beanutils" and "shiro-core" remain. HOWEVER:
These are ONLY used by the Shiro Adapter. The Shiro Adapter is NOT used in any running AAF component or in any part of CADI.
The Adapter is ONLY used by OTHER apps that use Shiro (so the vulnerability belongs to those apps, not to AAF).
THEREFORE, this is a false positive for AAF as a Service and for AAF Clients.
org.bouncycastle has been updated to the latest version;
there are NO LONGER any security issues related to Bouncy Castle.
The license is MIT, which is listed as a policy violation, however.
Replacing Bouncy Castle is not trivial; it cannot simply be replaced in a short timeframe.
Is the MIT license an unacceptable risk going forward?