When releasing to Maven Central, a security report is created. I will post a report link here, but I do not know how long it will remain available.

https://sbom.sonatype.com/report/T1-118f0f57da8c6b3097cc-7c5cd3c324b3e8-1709210263-9c8c29739af94ba6940236bcf4b9429f

Here are the top two candidates, both transitive (probably Xtext):

`pkg:maven/log4j/log4j@1.2.17`

- [[CVE-2019-17571] CWE-502: Deserialization of Untrusted Data](https://ossindex.sonatype.org/vulnerability/CVE-2019-17571?component-type=maven&component-name=log4j%2Flog4j&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0)
- [[CVE-2022-23305] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')](https://ossindex.sonatype.org/vulnerability/CVE-2022-23305?component-type=maven&component-name=log4j%2Flog4j&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0)
- [[CVE-2022-23302] CWE-502: Deserialization of Untrusted Data](https://ossindex.sonatype.org/vulnerability/CVE-2022-23302?component-type=maven&component-name=log4j%2Flog4j&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0)
- [[CVE-2022-23307] CWE-502: Deserialization of Untrusted Data](https://ossindex.sonatype.org/vulnerability/CVE-2022-23307?component-type=maven&component-name=log4j%2Flog4j&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0)
- [[CVE-2021-4104] CWE-502: Deserialization of Untrusted Data](https://ossindex.sonatype.org/vulnerability/CVE-2021-4104?component-type=maven&component-name=log4j%2Flog4j&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0)
- [[CVE-2023-26464] CWE-502: Deserialization of Untrusted Data](https://ossindex.sonatype.org/vulnerability/CVE-2023-26464?component-type=maven&component-name=log4j%2Flog4j&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0)

`pkg:maven/com.google.guava/guava@31.0.1-jre`

- [[CVE-2023-2976] CWE-552: Files or Directories Accessible to External Parties](https://ossindex.sonatype.org/vulnerability/CVE-2023-2976?component-type=maven&component-name=com.google.guava%2Fguava&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0)
- [[CVE-2020-8908] CWE-379: Creation of Temporary File in Directory with Incorrect Permissions](https://ossindex.sonatype.org/vulnerability/CVE-2020-8908?component-type=maven&component-name=com.google.guava%2Fguava&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0)
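The "probably Xtext" guess above can be checked against `mvn dependency:tree` output. The script below is an added example, not part of this issue or the project: it maps the report's purls back to Maven coordinates and prints the chain of direct dependencies that pulls each flagged artifact in, which is what you need before adding an exclusion or a `dependencyManagement` override. The tree text is constructed; the Xtext coordinates and `X.Y.Z` versions are placeholders.

```python
import re

# Constructed sample of `mvn dependency:tree` output, not the project's real tree.
# The Xtext coordinates and the X.Y.Z versions are placeholders; only the log4j
# and guava lines reproduce the purls from the Sonatype report.
SAMPLE_TREE = r"""
[INFO] com.example:my-dsl:jar:1.0.0
[INFO] +- org.eclipse.xtext:org.eclipse.xtext:jar:X.Y.Z:compile
[INFO] |  +- org.eclipse.xtext:org.eclipse.xtext.util:jar:X.Y.Z:compile
[INFO] |  |  \- log4j:log4j:jar:1.2.17:compile
[INFO] |  \- com.google.guava:guava:jar:31.0.1-jre:compile
[INFO] \- junit:junit:jar:4.13.2:test
"""

# One tree line: the "[INFO] " tag, a drawing prefix made of "|  ", "+- " or "\- "
# (3 characters per nesting level), then the coordinate.
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>[ |+\\-]*)(?P<coord>\S+)$")


def purl_to_ga(purl):
    """'pkg:maven/log4j/log4j@1.2.17' -> ('log4j:log4j', '1.2.17')"""
    group_artifact, version = purl[len("pkg:maven/"):].split("@")
    return group_artifact.replace("/", ":"), version


def parse_tree(text):
    """Return [(depth, 'group:artifact:version'), ...] in tree order."""
    nodes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        depth = len(m.group("prefix")) // 3
        parts = m.group("coord").split(":")
        # g:a:type[:classifier]:version[:scope]; the root line carries no scope.
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        nodes.append((depth, f"{parts[0]}:{parts[1]}:{version}"))
    return nodes


def paths_to(nodes, group_artifact):
    """Every root-to-leaf chain that ends in the given group:artifact."""
    stack, found = [], []
    for depth, coord in nodes:
        del stack[depth:]  # unwind to this node's parent
        stack.append(coord)
        if coord.rsplit(":", 1)[0] == group_artifact:
            found.append(list(stack))
    return found
```

Run it against a real tree with `paths_to(parse_tree(open("tree.txt").read()), purl_to_ga(purl)[0])`; every path but the last element is the chain of dependencies to exclude from or pin.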