Security vulnerability issues in dl4j dependencies

Our product is using deep learning libraries for Java. A Twistlock security scan of the libraries shows dependencies with high-severity security vulnerabilities:

CVE             Severity   Fixed in version   Package                                              Path
CVE-2022-42003  7.5 high   2.14.0             com.fasterxml.jackson.core_jackson-databind_2.13.3   jackson-1.0.0-M2.1.jar
CVE-2022-42004  7.5 high   2.14.0             com.fasterxml.jackson.core_jackson-databind_2.13.3   jackson-1.0.0-M2.1.jar
CVE-2022-3509   7 high     3.21.7             com.google.protobuf_protobuf-java_3.21.2             protobuf-1.0.0-M2.1.jar
CVE-2022-3510   7 high     3.21.7             com.google.protobuf_protobuf-java_3.21.2             protobuf-1.0.0-M2.1.jar

Therefore, we cannot use these dependencies. Unfortunately, we cannot find newer versions of the dependencies in the Maven repository.
Is there any way to update the versions of jackson-databind and google-protobuf in those dependencies?
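
The scan above reports the version of jackson-databind and protobuf-java found inside the jackson-1.0.0-M2.1.jar and protobuf-1.0.0-M2.1.jar artifacts, not the version of those artifacts themselves, so the practical check after any upgrade is to open the jar and read the version that is actually bundled. The script below is an added example, not code from the original post or from the deeplearning4j project. It assumes the jar was built by Maven, so each bundled artifact carries a META-INF/maven/<groupId>/<artifactId>/pom.properties entry with a version= line (the Maven shade plugin keeps these entries unless they are filtered out); the sample jar it builds when run without arguments is constructed inline and bundles both libraries in one file purely to keep the example short.

```python
"""Check which version of a library is actually bundled inside a (shaded) jar
and whether it is at or above the version a CVE was fixed in.

Added example (not deeplearning4j code). Assumption: the jar was built by Maven,
so every bundled artifact has META-INF/maven/<groupId>/<artifactId>/pom.properties
containing a `version=` line.
"""
import io
import re
import sys
import zipfile

# Findings as reported by the scan above: (cve, groupId, artifactId, fixed_in)
FINDINGS = [
    ("CVE-2022-42003", "com.fasterxml.jackson.core", "jackson-databind", "2.14.0"),
    ("CVE-2022-42004", "com.fasterxml.jackson.core", "jackson-databind", "2.14.0"),
    ("CVE-2022-3509", "com.google.protobuf", "protobuf-java", "3.21.7"),
    ("CVE-2022-3510", "com.google.protobuf", "protobuf-java", "3.21.7"),
]

POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def parse_version(v):
    """Turn '2.13.3' or '3.21.7' into a comparable tuple of ints.
    A pre-release suffix ('2.14.0-rc1') sorts below the bare release."""
    core, _, suffix = v.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", core))
    return (nums, 1) if not suffix else (nums, 0, suffix)


def bundled_versions(jar_bytes):
    """Return {(groupId, artifactId): version} for every Maven pom.properties
    in the jar, i.e. every artifact that was shaded into it."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_PROPS.match(name)
            if not m:
                continue
            props = zf.read(name).decode("utf-8", errors="replace")
            for line in props.splitlines():
                key, _, value = line.partition("=")
                if key.strip() == "version":
                    found[(m.group(1), m.group(2))] = value.strip()
    return found


def check_jar(jar_bytes, findings=FINDINGS):
    """Return [(cve, artifactId, bundled_version, fixed_in, still_vulnerable)].
    An artifact the jar does not bundle is reported with version None and is
    counted as not affected (it is simply not in this jar)."""
    versions = bundled_versions(jar_bytes)
    report = []
    for cve, group, artifact, fixed_in in findings:
        bundled = versions.get((group, artifact))
        vulnerable = bundled is not None and parse_version(bundled) < parse_version(fixed_in)
        report.append((cve, artifact, bundled, fixed_in, vulnerable))
    return report


def build_sample_jar(jackson_version, protobuf_version):
    """Constructed sample: a minimal jar laid out like a Maven shade build,
    carrying only the pom.properties entries this check reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(
            "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
            "groupId=com.fasterxml.jackson.core\nartifactId=jackson-databind\n"
            f"version={jackson_version}\n",
        )
        zf.writestr(
            "META-INF/maven/com.google.protobuf/protobuf-java/pom.properties",
            "groupId=com.google.protobuf\nartifactId=protobuf-java\n"
            f"version={protobuf_version}\n",
        )
    return buf.getvalue()


if __name__ == "__main__":
    # Real use: python check_jar.py path/to/jackson-1.0.0-M2.1.jar
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:
        data = build_sample_jar("2.13.3", "3.21.2")  # the versions the scan flagged
    for cve, artifact, bundled, fixed_in, vuln in check_jar(data):
        print(f"{cve}: {artifact} bundled={bundled} fixed_in={fixed_in} "
              f"-> {'VULNERABLE' if vuln else 'ok'}")
```

Run it against the real jar to see the bundled version rather than the artifact version the filename shows; if a jar has had its META-INF/maven entries stripped, bundled_versions() returns nothing for it and the check must fall back to something like the Implementation-Version in the manifest or a class-file fingerprint, which this example does not attempt.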

@azheludk could you please file an issue? We can look at resolving that pretty quickly.

@azheludk addressed: Update versions of protobuf/jackson by agibsonccc · Pull Request #9942 · deeplearning4j/deeplearning4j · GitHub

@agibsonccc Any plans for a release? Is there a roadmap somewhere? I see that development is going fine, but the last actual release was a while ago.

It’s mainly been bottlenecked by a few features and some internal QA at some customers. I want to do a release here in a few weeks with that complete.

Honestly, a lot of the roadmap has mainly been focused on solidifying the internals and helping users accomplish goals with the framework. Nowadays the framework is mostly complete beyond adding new features like new activation functions and supporting new models for model import.

Over the last year or so, much of the feature development has been driven by user issues and by QA on the fundamental aspects of the framework: ensuring that the basics like save/load and training work, that performance is where it should be, and that there aren't any surprises with things like memory usage.

That QA is done now and I am mainly focused on shipping a transformers rewrite needed for the growth of the project.

If you want guaranteed and supported releases plus other support for your use case, you can reach out to us for a paid retainer here: Guarantee the success of your AI deployment with Deeplearning4J