fix: Nimbus JOSE + JWT is vulnerable to DoS attacks when processing deeply nested JSON #8

[astsiapanay]

azure-identity of the version 1.16.2 has affected library nimbus-jose-jwt:10.0.1. We need to force Core to use a patched version 0.10.2

[ai-dial-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 1 package(s) with unknown licenses.

See the Details below.

License Issues

settings.gradle

Package	Version	License	Issue Type
com.fasterxml.jackson.core:jackson-core	2.18.3	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
maven/com.azure:azure-core	1.55.4	🟢 5.4	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Binary-Artifacts 🟢 9 binaries present in source code SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 0 96 existing vulnerabilities detected
maven/com.azure:azure-core-http-netty	1.15.12	🟢 5.4	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Binary-Artifacts 🟢 9 binaries present in source code SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 0 96 existing vulnerabilities detected
maven/com.azure:azure-identity	1.16.2	🟢 5.4	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Binary-Artifacts 🟢 9 binaries present in source code SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 0 96 existing vulnerabilities detected
maven/com.azure:azure-json	1.5.0	🟢 5.4	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Binary-Artifacts 🟢 9 binaries present in source code SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 0 96 existing vulnerabilities detected
maven/com.azure:azure-xml	1.2.0	🟢 5.4	Details Check Score Reason Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Security-Policy 🟢 10 security policy file detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Binary-Artifacts 🟢 9 binaries present in source code SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities ⚠️ 0 96 existing vulnerabilities detected
maven/com.fasterxml.jackson.core:jackson-annotations	2.18.3	🟢 7.4	Details Check Score Reason Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 Maintained 🟢 10 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Security-Policy 🟢 10 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Packaging 🟢 10 packaging workflow detected
maven/com.fasterxml.jackson.core:jackson-core	2.18.3	Unknown	Unknown
maven/com.fasterxml.jackson.core:jackson-databind	2.18.3	🟢 7.9	Details Check Score Reason Code-Review ⚠️ 2 Found 8/29 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 27 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 3 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected SAST 🟢 7 SAST tool detected but not run on all commits Vulnerabilities 🟢 9 1 existing vulnerabilities detected
maven/com.fasterxml.jackson.dataformat:jackson-dataformat-cbor	2.18.3	🟢 7.4	Details Check Score Reason Code-Review ⚠️ 1 Found 3/29 approved changesets -- score normalized to 1 Maintained 🟢 10 30 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Security-Policy 🟢 10 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Pinned-Dependencies 🟢 10 all dependencies are pinned Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
maven/com.fasterxml.jackson.dataformat:jackson-dataformat-yaml	2.18.3	🟢 7.3	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 0 Found 0/29 approved changesets -- score normalized to 0 Maintained 🟢 10 30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Binary-Artifacts 🟢 9 binaries present in source code Pinned-Dependencies 🟢 10 all dependencies are pinned Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
maven/com.fasterxml.jackson.datatype:jackson-datatype-jsr310	2.18.3	🟢 7.3	Details Check Score Reason Code-Review ⚠️ 0 Found 1/30 approved changesets -- score normalized to 0 Security-Policy 🟢 10 security policy file detected Maintained 🟢 10 30 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing 🟢 10 project is fuzzed Binary-Artifacts 🟢 9 binaries present in source code License 🟢 10 license file detected Pinned-Dependencies 🟢 10 all dependencies are pinned Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
maven/com.fasterxml.jackson:jackson-bom	2.18.3	🟢 6.7	Details Check Score Reason Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 9 binaries present in source code Code-Review ⚠️ 0 Found 0/28 approved changesets -- score normalized to 0 Security-Policy 🟢 10 security policy file detected Pinned-Dependencies 🟢 10 all dependencies are pinned CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Packaging 🟢 10 packaging workflow detected
maven/com.microsoft.azure:msal4j	1.21.0	🟢 6.2	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 30 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ -1 No tokens found Dangerous-Workflow ⚠️ -1 no workflows found Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ -1 no dependencies found CII-Best-Practices ⚠️ 2 badge detected: InProgress License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy ⚠️ 0 security policy file not detected Branch-Protection 🟢 8 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool is not run on all commits -- score normalized to 8 Vulnerabilities ⚠️ 0 88 existing vulnerabilities detected
maven/com.nimbusds:nimbus-jose-jwt	10.0.2	Unknown	Unknown
maven/com.nimbusds:oauth2-oidc-sdk	11.23	Unknown	Unknown
maven/io.netty:netty-resolver-dns-classes-macos	4.1.112.Final	🟢 7.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 26/30 approved changesets -- score normalized to 8 License 🟢 10 license file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Binary-Artifacts 🟢 9 binaries present in source code Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected Fuzzing 🟢 10 project is fuzzed SAST 🟢 10 SAST tool is run on all commits Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
maven/io.netty:netty-resolver-dns-native-macos	4.1.112.Final	🟢 7.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 26/30 approved changesets -- score normalized to 8 License 🟢 10 license file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Binary-Artifacts 🟢 9 binaries present in source code Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected Fuzzing 🟢 10 project is fuzzed SAST 🟢 10 SAST tool is run on all commits Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
maven/io.netty:netty-tcnative-boringssl-static	2.0.70.Final	🟢 6.8	Details Check Score Reason Code-Review ⚠️ 1 Found 5/30 approved changesets -- score normalized to 1 Maintained 🟢 10 30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 9 binaries present in source code CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected
maven/io.netty:netty-tcnative-classes	2.0.70.Final	🟢 6.8	Details Check Score Reason Code-Review ⚠️ 1 Found 5/30 approved changesets -- score normalized to 1 Maintained 🟢 10 30 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 9 binaries present in source code CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. Security-Policy 🟢 10 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected
maven/io.netty:netty-transport-classes-epoll	4.1.118.Final	🟢 7.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 26/30 approved changesets -- score normalized to 8 License 🟢 10 license file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Binary-Artifacts 🟢 9 binaries present in source code Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected Fuzzing 🟢 10 project is fuzzed SAST 🟢 10 SAST tool is run on all commits Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
maven/io.netty:netty-transport-classes-kqueue	4.1.118.Final	🟢 7.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 26/30 approved changesets -- score normalized to 8 License 🟢 10 license file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Binary-Artifacts 🟢 9 binaries present in source code Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected Fuzzing 🟢 10 project is fuzzed SAST 🟢 10 SAST tool is run on all commits Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
maven/io.netty:netty-transport-native-epoll	4.1.118.Final	🟢 7.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 26/30 approved changesets -- score normalized to 8 License 🟢 10 license file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Binary-Artifacts 🟢 9 binaries present in source code Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected Fuzzing 🟢 10 project is fuzzed SAST 🟢 10 SAST tool is run on all commits Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
maven/io.netty:netty-transport-native-kqueue	4.1.118.Final	🟢 7.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 14 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 26/30 approved changesets -- score normalized to 8 License 🟢 10 license file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Binary-Artifacts 🟢 9 binaries present in source code Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected Fuzzing 🟢 10 project is fuzzed SAST 🟢 10 SAST tool is run on all commits Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
maven/io.projectreactor.netty:reactor-netty-core	1.0.48	🟢 7.9	Details Check Score Reason Code-Review ⚠️ 0 Found 2/24 approved changesets -- score normalized to 0 Maintained 🟢 10 30 commit(s) and 23 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 9 binaries present in source code
maven/io.projectreactor.netty:reactor-netty-http	1.0.48	🟢 7.9	Details Check Score Reason Code-Review ⚠️ 0 Found 2/24 approved changesets -- score normalized to 0 Maintained 🟢 10 30 commit(s) and 23 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 License 🟢 10 license file detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Binary-Artifacts 🟢 9 binaries present in source code
maven/org.yaml:snakeyaml	2.3	Unknown	Unknown

Scanned Files

• settings.gradle