We are using xgboost 2.0.3 version. Blackduck scan is not able to figure out the version of c-ares and BoringSSL dependencies and as a result it’s pessimistically raising critical security issues.
How can one find out which version of these dependencies are used in xgboost 2.0.3 or any other version so that we can update the Blackduck scan reports?
Below code does not give any clue -
import xgboost as xgb
print(xgb.get_config())
{‘use_rmm’: False, ‘verbosity’: 1}