Tags: java, spring-boot, cassandra, datastax, cve

spring-boot-starter-data-cassandra-reactive depends on CVE-2020-13946 native-protocol-1.5.0.jar


Small question regarding a SpringBoot project please.

Currently with version 2.6.x, I am developing a very small web application storing data inside Cassandra.

Unfortunately, it seems from the dependency tree that it is carrying a vulnerable dependency:

native-protocol-1.5.0.jar (pkg:maven/com.datastax.oss/native-protocol@1.5.0, cpe:2.3:a:apache:cassandra:1.5.0:*:*:*:*:*:*:*) : CVE-2020-13946

This is further confirmed by many static analysis scans, such as SonarQube, Black Duck, OWASP dependency-check, etc.

It seems this is due to a dependency from the Datastax team.

However, there are no public repos in which to raise a PR or an issue.

May I ask what I should do in order to fix this vulnerability, please?

Thank you


Solution

  • It looks like a false positive to me with native-protocol 1.5.0 incorrectly being considered to be part of Apache Cassandra 1.5.

    If you want some assurances from the maintainers, native-protocol is on GitHub as is Datastax's Java Driver for Cassandra which depends upon native-protocol.
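A triage helper for exactly this kind of finding, added here as an example and not code from the question, the answer, or the DataStax project: it parses the scanner line quoted above, checks whether the assigned CPE vendor/product plausibly names the Maven coordinates (here `apache`/`cassandra` against `com.datastax.oss`/`native-protocol`, which share no token, so the match rests on the version string alone), and renders an OWASP dependency-check suppression entry for the reviewed false positive. The line format, the plausibility heuristic and the suppression wording are assumptions of this example; the suppression element layout follows dependency-check's suppression file schema 1.3.

```python
import re
from typing import Optional, Tuple

# Constructed sample: the scanner line quoted in the question.
FINDING = ("native-protocol-1.5.0.jar (pkg:maven/com.datastax.oss/native-protocol@1.5.0, "
           "cpe:2.3:a:apache:cassandra:1.5.0:*:*:*:*:*:*:*) : CVE-2020-13946")

# Assumed line shape: <file> (<purl>, <cpe>) : <cve>
FINDING_RE = re.compile(
    r"^(?P<file>\S+)\s+\((?P<purl>pkg:maven/[^,\s]+),\s*(?P<cpe>cpe:2\.3:[^)]+)\)"
    r"\s*:\s*(?P<cve>CVE-\d{4}-\d+)$"
)

def parse_finding(line: str) -> dict:
    """Split a finding into Maven coordinates (from the purl) and CPE vendor/product/version."""
    m = FINDING_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised finding line: {line!r}")
    d = m.groupdict()
    coords, _, version = d["purl"][len("pkg:maven/"):].partition("@")  # groupId/artifactId@version
    group, _, artifact = coords.partition("/")
    cpe = d["cpe"].split(":")  # cpe:2.3:<part>:<vendor>:<product>:<version>:...
    d.update(group=group, artifact=artifact, version=version,
             cpe_vendor=cpe[3], cpe_product=cpe[4], cpe_version=cpe[5])
    return d

def cpe_plausible(f: dict) -> bool:
    """Coarse triage heuristic (assumption, not a verdict): a CPE is plausible when its vendor
    or product token appears in the Maven coordinates. If neither does, the scanner most likely
    matched on the version alone (native-protocol 1.5.0 vs. Apache Cassandra 1.5)."""
    coords = f"{f['group']}/{f['artifact']}".lower().replace("_", "-")
    tokens = (f["cpe_vendor"].lower().replace("_", "-"), f["cpe_product"].lower().replace("_", "-"))
    return any(t in coords for t in tokens)

def suppression_entry(f: dict) -> str:
    """Render a dependency-check <suppress> block for a reviewed false-positive CPE match.
    Suppressing the CPE (rather than one CVE id) keeps the same misidentification from
    resurfacing under the next Cassandra CVE, while real Cassandra artifacts stay flagged."""
    purl_re = "^" + re.escape(f"pkg:maven/{f['group']}/{f['artifact']}@") + ".*$"
    return ("<suppress>\n"
            f"  <notes><![CDATA[{f['file']}: {f['cpe']} does not describe this artifact; "
            "reviewed as a false positive]]></notes>\n"
            f'  <packageUrl regex="true">{purl_re}</packageUrl>\n'
            f"  <cpe>cpe:/a:{f['cpe_vendor']}:{f['cpe_product']}</cpe>\n"
            "</suppress>")

def triage(line: str) -> Tuple[str, Optional[str]]:
    """Return a triage label and, for likely false positives, the suppression XML to review."""
    f = parse_finding(line)
    if cpe_plausible(f):
        return "likely-true-positive", None
    return "likely-false-positive", suppression_entry(f)

if __name__ == "__main__":
    label, xml = triage(FINDING)
    print(label)
    print(xml or "")
```

The rendered block belongs inside the `<suppressions>` root of a dependency-check suppression file; a "likely-false-positive" label is a prompt for a human to confirm against the upstream repositories linked in the answer, not a reason to suppress automatically.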