Tags: security, libraries

Why do we have to fix security vulnerabilities on the test scope dependencies?


Why do we have to fix security vulnerabilities on the libraries that we use only in testing scope?

I've been trying to find the answer online but no luck so thought of asking here.

For example: https://nvd.nist.gov/vuln/detail/CVE-2021-23463. I found this vulnerability, but H2 was included as `<scope>test</scope>` in Maven.

Testing code does not get shipped to the production environment, so I was wondering why we have to fix such vulnerabilities if the library is only vulnerable in the testing scope.

Thanks in advance!


Solution

  • Tests will likely be run by CI on your internal infrastructure. Or just on your developer machines. They will be run somewhere that is more or less internal to your infrastructure.

    A vulnerability can be exploited in many ways; the one you mentioned is an XXE. A malicious XML file can be used to do stuff on the host that processes it. This might allow an internal unprivileged attacker (e.g. a developer) to compromise CI, which might have access to more valuable credentials. Or it might allow an external attacker to compromise a developer PC (by somehow providing malicious XML input), and then compromise CI from there, and so on.

    You can see the point: you don't just want to protect your production environment. Sure, that might be the most important, but the way to protect it is to apply defense in depth and mitigate risks for the whole infrastructure.
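An added example, not part of the question or the answer above: a small Python audit over a constructed `pom.xml` that reports every declared dependency, and shows that telling the audit to skip `test` scope hides the H2 finding. The sample pom, the advisory table and its affected-version set are constructed placeholders for this example; the real affected range is in the NVD entry linked in the question.

```python
"""Audit Maven dependencies without ignoring <scope>test</scope> (added example)."""
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml: h2 in test scope (as in the question), one compile dep.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId><artifactId>app</artifactId><version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>com.h2database</groupId><artifactId>h2</artifactId>
      <version>1.4.200</version><scope>test</scope>
    </dependency>
    <dependency>
      <groupId>org.slf4j</groupId><artifactId>slf4j-api</artifactId>
      <version>1.7.36</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed advisory table: (groupId, artifactId) -> CVE and affected versions.
# The "affected" set is a placeholder, not the real range from NVD.
ADVISORIES = {
    ("com.h2database", "h2"): {"cve": "CVE-2021-23463", "affected": {"1.4.200"}},
}


def _text(dep, tag, default=None):
    """Read a child element's text, or return the default when it is absent."""
    node = dep.find(f"m:{tag}", POM_NS)
    return node.text.strip() if node is not None and node.text else default


def parse_dependencies(pom_xml):
    """Return every declared dependency; Maven's default scope is 'compile'."""
    root = ET.fromstring(pom_xml)
    return [{"group": _text(d, "groupId"), "artifact": _text(d, "artifactId"),
             "version": _text(d, "version"), "scope": _text(d, "scope", "compile")}
            for d in root.findall("m:dependencies/m:dependency", POM_NS)]


def audit(deps, advisories=ADVISORIES, ignore_scopes=frozenset()):
    """List vulnerable dependencies; ignore_scopes is the blind spot to avoid."""
    findings = []
    for d in deps:
        adv = advisories.get((d["group"], d["artifact"]))
        if d["scope"] in ignore_scopes or adv is None or d["version"] not in adv["affected"]:
            continue
        findings.append({**d, "cve": adv["cve"]})
    return findings
```

Running `audit(parse_dependencies(SAMPLE_POM))` reports the test-scoped H2 dependency, while `audit(..., ignore_scopes={"test"})` returns nothing, which is exactly the gap the answer warns about.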