Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resolve CVEs identified for 3.1.0 release #115

Closed
AbhayChandel opened this issue Jul 5, 2019 · 8 comments
Closed

Resolve CVEs identified for 3.1.0 release #115

AbhayChandel opened this issue Jul 5, 2019 · 8 comments
Labels
security
Milestone
release:3.1.1

Comments

@AbhayChandel
Copy link
Contributor

AbhayChandel commented Jul 5, 2019
edited
Loading

Running dependency-check-maven plugin as part of build identifies CVEs of score 8 and higher. Need to fix them as part of this issue.

Note: As part of this fix enable failBuildOnCVSS property for build section.
@hohwille
Copy link
Member

hohwille commented Jul 5, 2019

Logback needs to be updated:

@hohwille hohwille added this to the release:3.1.1 milestone Jul 5, 2019
@hohwille
Copy link
Member

hohwille commented Jul 5, 2019

We are currently using logback classic 1.2.3. This is the latest official version:
https://repo1.maven.org/maven2/ch/qos/logback/logback-classic/

Further, we are not using remote logging in devon4j so this is more or less a false-positive.

@hohwille
Copy link
Member

hohwille commented Jul 8, 2019
edited
Loading

Here is the full list:

This was referenced Jul 8, 2019
Closed
Closed
@vapadwal vapadwal mentioned this issue Jul 30, 2019
Merged
hohwille pushed a commit that referenced this issue Aug 13, 2019
@vapadwal @hohwille
#115: Resolve CVEs identified (#131)
d29e574 
#123 jackson updated to 2.9.9.20190727
#122 guava updated to 28.0-jre
#118: avoid redundant version for jackson in archetype
@hohwille
Copy link
Member

Here is the latest dependency tree of our archetype after merging PR #131:

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ basic-server ---
[INFO] archetype.it:basic-server:war:1.0.0-SNAPSHOT
[INFO] +- archetype.it:basic-core:jar:1.0.0-SNAPSHOT:compile
[INFO] |  +- archetype.it:basic-api:jar:1.0.0-SNAPSHOT:compile
[INFO] |  |  +- org.springframework.data:spring-data-commons:jar:2.1.9.RELEASE:compile
[INFO] |  |  +- com.devonfw.java.modules:devon4j-rest:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.9.9:compile
[INFO] |  |  |  |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.9.9:compile
[INFO] |  |  |  |  \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.9.9:compile
[INFO] |  |  |  +- javax.ws.rs:javax.ws.rs-api:jar:2.1:compile
[INFO] |  |  |  +- com.devonfw.java.modules:devon4j-service:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  |  +- com.devonfw.java.modules:devon4j-json:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  |  +- net.sf.m-m-m:mmm-util-validation:jar:8.7.0:compile
[INFO] |  |  |  |  +- net.sf.m-m-m:mmm-util-pojopath:jar:8.7.0:compile
[INFO] |  |  |  |  |  \- net.sf.m-m-m:mmm-util-value:jar:8.7.0:compile
[INFO] |  |  |  |  |     +- net.sf.m-m-m:mmm-util-pojo:jar:8.7.0:compile
[INFO] |  |  |  |  |     |  +- net.sf.m-m-m:mmm-util-reflect:jar:8.7.0:compile
[INFO] |  |  |  |  |     |  \- net.sf.m-m-m:mmm-util-collection:jar:8.7.0:compile
[INFO] |  |  |  |  |     \- net.sf.m-m-m:mmm-util-math:jar:8.7.0:compile
[INFO] |  |  |  |  |        \- net.sf.m-m-m:mmm-util-lang:jar:8.7.0:compile
[INFO] |  |  |  |  \- net.sf.m-m-m:mmm-util-exception:jar:8.7.0:compile
[INFO] |  |  |  |     \- net.sf.m-m-m:mmm-util-nls:jar:8.7.0:compile
[INFO] |  |  |  |        +- net.sf.m-m-m:mmm-util-text:jar:8.7.0:compile
[INFO] |  |  |  |        +- net.sf.m-m-m:mmm-util-date:jar:8.7.0:compile
[INFO] |  |  |  |        |  \- net.sf.m-m-m:mmm-util-scanner:jar:8.7.0:compile
[INFO] |  |  |  |        \- net.sf.m-m-m:mmm-util-session:jar:8.7.0:compile
[INFO] |  |  |  \- org.glassfish.web:javax.el:jar:2.2.6:compile
[INFO] |  |  \- com.devonfw.java.modules:devon4j-logging:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |     +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |     |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |     +- org.slf4j:jcl-over-slf4j:jar:1.7.26:compile
[INFO] |  |     \- org.apache.httpcomponents:httpclient:jar:4.5.9:compile
[INFO] |  |        +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO] |  |        \- commons-codec:commons-codec:jar:1.11:compile
[INFO] |  +- com.devonfw.java.modules:devon4j-beanmapping:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  +- com.devonfw.java.modules:devon4j-basic:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  +- com.github.dozermapper:dozer-core:jar:6.4.1:compile
[INFO] |  |  |  +- commons-beanutils:commons-beanutils:jar:1.9.3:compile
[INFO] |  |  |  |  \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |  |  |  +- org.apache.commons:commons-lang3:jar:3.8.1:compile
[INFO] |  |  |  +- commons-io:commons-io:jar:2.5:compile
[INFO] |  |  |  \- org.objenesis:objenesis:jar:2.6:compile
[INFO] |  |  +- javax.xml.bind:jaxb-api:jar:2.3.1:compile
[INFO] |  |  \- org.glassfish.jaxb:jaxb-runtime:jar:2.3.1:compile
[INFO] |  |     +- org.glassfish.jaxb:txw2:jar:2.3.1:compile
[INFO] |  |     +- com.sun.istack:istack-commons-runtime:jar:3.0.7:compile
[INFO] |  |     +- org.jvnet.staxex:stax-ex:jar:1.8:compile
[INFO] |  |     \- com.sun.xml.fastinfoset:FastInfoset:jar:1.2.15:compile
[INFO] |  +- com.devonfw.java.modules:devon4j-security:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  +- org.springframework:spring-web:jar:5.1.8.RELEASE:compile
[INFO] |  |  +- org.springframework.security:spring-security-config:jar:5.1.5.RELEASE:compile
[INFO] |  |  |  \- org.springframework.security:spring-security-core:jar:5.1.5.RELEASE:compile
[INFO] |  |  +- org.springframework.security:spring-security-web:jar:5.1.5.RELEASE:compile
[INFO] |  |  +- javax.inject:javax.inject:jar:1:compile
[INFO] |  |  +- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] |  |  +- javax.activation:javax.activation-api:jar:1.2.0:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9.2:compile
[INFO] |  |     +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] |  |     \- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] |  +- com.devonfw.java.modules:devon4j-web:jar:3.1.1-SNAPSHOT:compile
[INFO] |  +- com.devonfw.java.starters:devon4j-starter-cxf-client-rest:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  +- com.devonfw.java.starters:devon4j-starter-cxf-client:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  |  \- com.devonfw.java.modules:devon4j-cxf-client:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  \- com.devonfw.java.modules:devon4j-cxf-client-rest:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |     \- org.apache.cxf:cxf-rt-rs-client:jar:3.2.5:compile
[INFO] |  +- com.devonfw.java.starters:devon4j-starter-cxf-client-ws:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  \- com.devonfw.java.modules:devon4j-cxf-client-ws:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |     +- org.apache.cxf:cxf-rt-frontend-jaxws:jar:3.2.5:compile
[INFO] |  |     |  +- xml-resolver:xml-resolver:jar:1.2:compile
[INFO] |  |     |  +- org.apache.cxf:cxf-rt-bindings-soap:jar:3.2.5:compile
[INFO] |  |     |  |  +- org.apache.cxf:cxf-rt-wsdl:jar:3.2.5:compile
[INFO] |  |     |  |  |  \- wsdl4j:wsdl4j:jar:1.6.3:compile
[INFO] |  |     |  |  \- org.apache.cxf:cxf-rt-databinding-jaxb:jar:3.2.5:compile
[INFO] |  |     |  +- org.apache.cxf:cxf-rt-bindings-xml:jar:3.2.5:compile
[INFO] |  |     |  +- org.apache.cxf:cxf-rt-frontend-simple:jar:3.2.5:compile
[INFO] |  |     |  \- org.apache.cxf:cxf-rt-ws-addr:jar:3.2.5:compile
[INFO] |  |     |     \- org.apache.cxf:cxf-rt-ws-policy:jar:3.2.5:compile
[INFO] |  |     |        \- org.apache.neethi:neethi:jar:3.1.1:compile
[INFO] |  |     +- javax.xml.ws:jaxws-api:jar:2.3.1:compile
[INFO] |  |     |  \- javax.xml.soap:javax.xml.soap-api:jar:1.4.0:compile
[INFO] |  |     \- javax.jws:javax.jws-api:jar:1.1:compile
[INFO] |  +- com.devonfw.java.starters:devon4j-starter-cxf-server-rest:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  +- com.devonfw.java.starters:devon4j-starter-cxf-server:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  |  \- com.devonfw.java.modules:devon4j-cxf-server:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  \- com.devonfw.java.modules:devon4j-cxf-server-rest:jar:3.1.1-SNAPSHOT:compile
[INFO] |  +- com.devonfw.java.starters:devon4j-starter-cxf-server-ws:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  \- com.devonfw.java.modules:devon4j-cxf-server-ws:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |     \- org.springframework.boot:spring-boot-starter-web-services:jar:2.1.6.RELEASE:compile
[INFO] |  |        +- com.sun.xml.messaging.saaj:saaj-impl:jar:1.5.0:compile
[INFO] |  |        |  \- org.jvnet.mimepull:mimepull:jar:1.9.11:compile
[INFO] |  |        +- org.springframework:spring-oxm:jar:5.1.8.RELEASE:compile
[INFO] |  |        \- org.springframework.ws:spring-ws-core:jar:3.0.7.RELEASE:compile
[INFO] |  |           \- org.springframework.ws:spring-xml:jar:3.0.7.RELEASE:compile
[INFO] |  +- com.devonfw.java.starters:devon4j-starter-spring-data-jpa:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  +- com.devonfw.java.modules:devon4j-jpa-spring-data:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  |  +- com.devonfw.java.modules:devon4j-jpa-basic:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  |  +- org.springframework.data:spring-data-jpa:jar:2.1.9.RELEASE:compile
[INFO] |  |  |  |  +- org.springframework:spring-orm:jar:5.1.8.RELEASE:compile
[INFO] |  |  |  |  \- org.aspectj:aspectjrt:jar:1.9.4:compile
[INFO] |  |  |  \- org.aspectj:aspectjweaver:jar:1.9.4:compile
[INFO] |  |  \- org.springframework.boot:spring-boot-starter-data-jpa:jar:2.1.6.RELEASE:compile
[INFO] |  |     +- org.springframework.boot:spring-boot-starter-aop:jar:2.1.6.RELEASE:compile
[INFO] |  |     +- javax.transaction:javax.transaction-api:jar:1.3:compile
[INFO] |  |     \- org.springframework:spring-aspects:jar:5.1.8.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-jdbc:jar:2.1.6.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter:jar:2.1.6.RELEASE:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot:jar:2.1.6.RELEASE:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.1.6.RELEASE:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.1.6.RELEASE:compile
[INFO] |  |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.11.2:compile
[INFO] |  |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.11.2:compile
[INFO] |  |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.26:compile
[INFO] |  |  |  \- org.yaml:snakeyaml:jar:1.23:runtime
[INFO] |  |  +- com.zaxxer:HikariCP:jar:3.2.0:compile
[INFO] |  |  \- org.springframework:spring-jdbc:jar:5.1.8.RELEASE:compile
[INFO] |  |     \- org.springframework:spring-tx:jar:5.1.8.RELEASE:compile
[INFO] |  +- javax.persistence:javax.persistence-api:jar:2.2:compile
[INFO] |  +- org.hibernate:hibernate-entitymanager:jar:5.3.10.Final:compile
[INFO] |  |  +- org.jboss.logging:jboss-logging:jar:3.3.2.Final:compile
[INFO] |  |  +- org.hibernate:hibernate-core:jar:5.3.10.Final:compile
[INFO] |  |  |  +- org.javassist:javassist:jar:3.23.2-GA:compile
[INFO] |  |  |  +- antlr:antlr:jar:2.7.7:compile
[INFO] |  |  |  \- org.jboss:jandex:jar:2.0.5.Final:compile
[INFO] |  |  +- org.dom4j:dom4j:jar:2.1.1:compile
[INFO] |  |  +- org.hibernate.common:hibernate-commons-annotations:jar:5.0.4.Final:compile
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.9.13:compile
[INFO] |  |  \- org.jboss.spec.javax.transaction:jboss-transaction-api_1.2_spec:jar:1.1.1.Final:compile
[INFO] |  +- com.querydsl:querydsl-jpa:jar:4.2.1:compile
[INFO] |  |  \- com.querydsl:querydsl-core:jar:4.2.1:compile
[INFO] |  |     +- com.google.guava:guava:jar:28.0-jre:compile
[INFO] |  |     |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  |     |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  |     |  +- org.checkerframework:checker-qual:jar:2.8.1:compile
[INFO] |  |     |  +- com.google.errorprone:error_prone_annotations:jar:2.3.2:compile
[INFO] |  |     |  +- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] |  |     |  \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.17:compile
[INFO] |  |     +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] |  |     +- com.mysema.commons:mysema-commons-lang:jar:0.2.4:compile
[INFO] |  |     \- com.infradna.tool:bridge-method-annotation:jar:1.13:compile
[INFO] |  +- org.hibernate.validator:hibernate-validator:jar:6.0.17.Final:compile
[INFO] |  |  +- javax.validation:validation-api:jar:2.0.1.Final:compile
[INFO] |  |  \- com.fasterxml:classmate:jar:1.4.0:compile
[INFO] |  +- javax.el:javax.el-api:jar:3.0.0:compile
[INFO] |  +- org.springframework:spring-webmvc:jar:5.1.8.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-beans:jar:5.1.8.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-context:jar:5.1.8.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-core:jar:5.1.8.RELEASE:compile
[INFO] |  |  |  \- org.springframework:spring-jcl:jar:5.1.8.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-expression:jar:5.1.8.RELEASE:compile
[INFO] |  +- com.h2database:h2:jar:1.4.199:compile
[INFO] |  +- org.flywaydb:flyway-core:jar:5.2.4:compile
[INFO] |  +- org.apache.cxf:cxf-rt-rs-service-description:jar:3.2.5:compile
[INFO] |  |  \- org.apache.cxf:cxf-rt-frontend-jaxrs:jar:3.2.5:compile
[INFO] |  |     +- org.apache.cxf:cxf-core:jar:3.2.5:compile
[INFO] |  |     |  +- com.fasterxml.woodstox:woodstox-core:jar:5.0.3:compile
[INFO] |  |     |  |  \- org.codehaus.woodstox:stax2-api:jar:3.1.4:compile
[INFO] |  |     |  \- org.apache.ws.xmlschema:xmlschema-core:jar:2.2.3:compile
[INFO] |  |     \- org.apache.cxf:cxf-rt-transports-http:jar:3.2.5:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-actuator:jar:2.1.6.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-actuator-autoconfigure:jar:2.1.6.RELEASE:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot-actuator:jar:2.1.6.RELEASE:compile
[INFO] |  |  |  \- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.9:compile
[INFO] |  |  \- io.micrometer:micrometer-core:jar:1.1.5:compile
[INFO] |  |     +- org.hdrhistogram:HdrHistogram:jar:2.1.9:compile
[INFO] |  |     \- org.latencyutils:LatencyUtils:jar:2.0.3:compile
[INFO] |  +- org.springframework:spring-aop:jar:5.1.8.RELEASE:compile
[INFO] |  +- cglib:cglib:jar:3.2.5:compile
[INFO] |  |  +- org.ow2.asm:asm:jar:6.0_ALPHA:compile
[INFO] |  |  \- org.apache.ant:ant:jar:1.9.6:compile
[INFO] |  |     \- org.apache.ant:ant-launcher:jar:1.9.6:compile
[INFO] |  +- net.logstash.logback:logstash-logback-encoder:jar:5.2:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-web:jar:2.1.6.RELEASE:compile
[INFO] |  |  \- org.springframework.boot:spring-boot-starter-json:jar:2.1.6.RELEASE:compile
[INFO] |  |     +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.9:compile
[INFO] |  |     \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.9:compile
[INFO] |  \- org.springframework.boot:spring-boot-starter-tomcat:jar:2.1.6.RELEASE:compile
[INFO] |     +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.21:compile
[INFO] |     +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.21:compile
[INFO] |     \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.21:compile
[INFO] +- junit:junit:jar:4.12:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] \- org.slf4j:slf4j-api:jar:1.7.26:compile

@hohwille
Copy link
Member

Here the same for the batch module:

[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ app-with-batch-server ---
[INFO] archetype.it:app-with-batch-server:war:1.0.0-SNAPSHOT
[INFO] +- archetype.it:app-with-batch-core:jar:1.0.0-SNAPSHOT:compile
[INFO] |  +- archetype.it:app-with-batch-api:jar:1.0.0-SNAPSHOT:compile
[INFO] |  |  +- org.springframework.data:spring-data-commons:jar:2.1.9.RELEASE:compile
[INFO] |  |  +- com.devonfw.java.modules:devon4j-rest:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.9.9:compile
[INFO] |  |  |  |  +- com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.9.9:compile
[INFO] |  |  |  |  \- com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.9.9:compile
[INFO] |  |  |  +- javax.ws.rs:javax.ws.rs-api:jar:2.1:compile
[INFO] |  |  |  +- com.devonfw.java.modules:devon4j-service:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  |  +- com.devonfw.java.modules:devon4j-json:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  |  +- net.sf.m-m-m:mmm-util-validation:jar:8.7.0:compile
[INFO] |  |  |  |  +- net.sf.m-m-m:mmm-util-pojopath:jar:8.7.0:compile
[INFO] |  |  |  |  |  \- net.sf.m-m-m:mmm-util-value:jar:8.7.0:compile
[INFO] |  |  |  |  |     +- net.sf.m-m-m:mmm-util-pojo:jar:8.7.0:compile
[INFO] |  |  |  |  |     |  +- net.sf.m-m-m:mmm-util-reflect:jar:8.7.0:compile
[INFO] |  |  |  |  |     |  \- net.sf.m-m-m:mmm-util-collection:jar:8.7.0:compile
[INFO] |  |  |  |  |     \- net.sf.m-m-m:mmm-util-math:jar:8.7.0:compile
[INFO] |  |  |  |  |        \- net.sf.m-m-m:mmm-util-lang:jar:8.7.0:compile
[INFO] |  |  |  |  \- net.sf.m-m-m:mmm-util-exception:jar:8.7.0:compile
[INFO] |  |  |  |     \- net.sf.m-m-m:mmm-util-nls:jar:8.7.0:compile
[INFO] |  |  |  |        +- net.sf.m-m-m:mmm-util-text:jar:8.7.0:compile
[INFO] |  |  |  |        +- net.sf.m-m-m:mmm-util-date:jar:8.7.0:compile
[INFO] |  |  |  |        |  \- net.sf.m-m-m:mmm-util-scanner:jar:8.7.0:compile
[INFO] |  |  |  |        \- net.sf.m-m-m:mmm-util-session:jar:8.7.0:compile
[INFO] |  |  |  \- org.glassfish.web:javax.el:jar:2.2.6:compile
[INFO] |  |  \- com.devonfw.java.modules:devon4j-logging:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |     +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |     |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |     +- org.slf4j:jcl-over-slf4j:jar:1.7.26:compile
[INFO] |  |     \- org.apache.httpcomponents:httpclient:jar:4.5.9:compile
[INFO] |  |        +- org.apache.httpcomponents:httpcore:jar:4.4.11:compile
[INFO] |  |        \- commons-codec:commons-codec:jar:1.11:compile
[INFO] |  +- com.devonfw.java.modules:devon4j-beanmapping:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  +- com.devonfw.java.modules:devon4j-basic:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  +- com.github.dozermapper:dozer-core:jar:6.4.1:compile
[INFO] |  |  |  +- commons-beanutils:commons-beanutils:jar:1.9.3:compile
[INFO] |  |  |  |  \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] |  |  |  +- org.apache.commons:commons-lang3:jar:3.8.1:compile
[INFO] |  |  |  +- commons-io:commons-io:jar:2.5:compile
[INFO] |  |  |  \- org.objenesis:objenesis:jar:2.6:compile
[INFO] |  |  +- javax.xml.bind:jaxb-api:jar:2.3.1:compile
[INFO] |  |  \- org.glassfish.jaxb:jaxb-runtime:jar:2.3.1:compile
[INFO] |  |     +- org.glassfish.jaxb:txw2:jar:2.3.1:compile
[INFO] |  |     +- com.sun.istack:istack-commons-runtime:jar:3.0.7:compile
[INFO] |  |     +- org.jvnet.staxex:stax-ex:jar:1.8:compile
[INFO] |  |     \- com.sun.xml.fastinfoset:FastInfoset:jar:1.2.15:compile
[INFO] |  +- com.devonfw.java.modules:devon4j-security:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  +- org.springframework:spring-web:jar:5.1.8.RELEASE:compile
[INFO] |  |  +- org.springframework.security:spring-security-config:jar:5.1.5.RELEASE:compile
[INFO] |  |  |  \- org.springframework.security:spring-security-core:jar:5.1.5.RELEASE:compile
[INFO] |  |  +- org.springframework.security:spring-security-web:jar:5.1.5.RELEASE:compile
[INFO] |  |  +- javax.inject:javax.inject:jar:1:compile
[INFO] |  |  +- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] |  |  +- javax.activation:javax.activation-api:jar:1.2.0:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9.2:compile
[INFO] |  |     +- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
[INFO] |  |     \- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] |  +- com.devonfw.java.modules:devon4j-web:jar:3.1.1-SNAPSHOT:compile
[INFO] |  +- com.devonfw.java.starters:devon4j-starter-cxf-client-rest:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  +- com.devonfw.java.starters:devon4j-starter-cxf-client:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  |  \- com.devonfw.java.modules:devon4j-cxf-client:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  \- com.devonfw.java.modules:devon4j-cxf-client-rest:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |     \- org.apache.cxf:cxf-rt-rs-client:jar:3.2.5:compile
[INFO] |  +- com.devonfw.java.starters:devon4j-starter-cxf-client-ws:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  \- com.devonfw.java.modules:devon4j-cxf-client-ws:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |     +- org.apache.cxf:cxf-rt-frontend-jaxws:jar:3.2.5:compile
[INFO] |  |     |  +- xml-resolver:xml-resolver:jar:1.2:compile
[INFO] |  |     |  +- org.apache.cxf:cxf-rt-bindings-soap:jar:3.2.5:compile
[INFO] |  |     |  |  +- org.apache.cxf:cxf-rt-wsdl:jar:3.2.5:compile
[INFO] |  |     |  |  |  \- wsdl4j:wsdl4j:jar:1.6.3:compile
[INFO] |  |     |  |  \- org.apache.cxf:cxf-rt-databinding-jaxb:jar:3.2.5:compile
[INFO] |  |     |  +- org.apache.cxf:cxf-rt-bindings-xml:jar:3.2.5:compile
[INFO] |  |     |  +- org.apache.cxf:cxf-rt-frontend-simple:jar:3.2.5:compile
[INFO] |  |     |  \- org.apache.cxf:cxf-rt-ws-addr:jar:3.2.5:compile
[INFO] |  |     |     \- org.apache.cxf:cxf-rt-ws-policy:jar:3.2.5:compile
[INFO] |  |     |        \- org.apache.neethi:neethi:jar:3.1.1:compile
[INFO] |  |     +- javax.xml.ws:jaxws-api:jar:2.3.1:compile
[INFO] |  |     |  \- javax.xml.soap:javax.xml.soap-api:jar:1.4.0:compile
[INFO] |  |     \- javax.jws:javax.jws-api:jar:1.1:compile
[INFO] |  +- com.devonfw.java.starters:devon4j-starter-cxf-server-rest:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  +- com.devonfw.java.starters:devon4j-starter-cxf-server:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  |  \- com.devonfw.java.modules:devon4j-cxf-server:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  \- com.devonfw.java.modules:devon4j-cxf-server-rest:jar:3.1.1-SNAPSHOT:compile
[INFO] |  +- com.devonfw.java.starters:devon4j-starter-cxf-server-ws:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  \- com.devonfw.java.modules:devon4j-cxf-server-ws:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |     \- org.springframework.boot:spring-boot-starter-web-services:jar:2.1.6.RELEASE:compile
[INFO] |  |        +- com.sun.xml.messaging.saaj:saaj-impl:jar:1.5.0:compile
[INFO] |  |        |  \- org.jvnet.mimepull:mimepull:jar:1.9.11:compile
[INFO] |  |        +- org.springframework:spring-oxm:jar:5.1.8.RELEASE:compile
[INFO] |  |        \- org.springframework.ws:spring-ws-core:jar:3.0.7.RELEASE:compile
[INFO] |  |           \- org.springframework.ws:spring-xml:jar:3.0.7.RELEASE:compile
[INFO] |  +- com.devonfw.java.starters:devon4j-starter-spring-data-jpa:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  +- com.devonfw.java.modules:devon4j-jpa-spring-data:jar:3.1.1-SNAPSHOT:compile
[INFO] |  |  |  +- org.springframework.data:spring-data-jpa:jar:2.1.9.RELEASE:compile
[INFO] |  |  |  |  +- org.springframework:spring-orm:jar:5.1.8.RELEASE:compile
[INFO] |  |  |  |  \- org.aspectj:aspectjrt:jar:1.9.4:compile
[INFO] |  |  |  \- org.aspectj:aspectjweaver:jar:1.9.4:compile
[INFO] |  |  \- org.springframework.boot:spring-boot-starter-data-jpa:jar:2.1.6.RELEASE:compile
[INFO] |  |     +- org.springframework.boot:spring-boot-starter-aop:jar:2.1.6.RELEASE:compile
[INFO] |  |     +- javax.transaction:javax.transaction-api:jar:1.3:compile
[INFO] |  |     \- org.springframework:spring-aspects:jar:5.1.8.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-jdbc:jar:2.1.6.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter:jar:2.1.6.RELEASE:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot:jar:2.1.6.RELEASE:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.1.6.RELEASE:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.1.6.RELEASE:compile
[INFO] |  |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.11.2:compile
[INFO] |  |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.11.2:compile
[INFO] |  |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.26:compile
[INFO] |  |  |  \- org.yaml:snakeyaml:jar:1.23:runtime
[INFO] |  |  +- com.zaxxer:HikariCP:jar:3.2.0:compile
[INFO] |  |  \- org.springframework:spring-jdbc:jar:5.1.8.RELEASE:compile
[INFO] |  |     \- org.springframework:spring-tx:jar:5.1.8.RELEASE:compile
[INFO] |  +- javax.persistence:javax.persistence-api:jar:2.2:compile
[INFO] |  +- org.hibernate:hibernate-entitymanager:jar:5.3.10.Final:compile
[INFO] |  |  +- org.jboss.logging:jboss-logging:jar:3.3.2.Final:compile
[INFO] |  |  +- org.hibernate:hibernate-core:jar:5.3.10.Final:compile
[INFO] |  |  |  +- org.javassist:javassist:jar:3.23.2-GA:compile
[INFO] |  |  |  +- antlr:antlr:jar:2.7.7:compile
[INFO] |  |  |  \- org.jboss:jandex:jar:2.0.5.Final:compile
[INFO] |  |  +- org.dom4j:dom4j:jar:2.1.1:compile
[INFO] |  |  +- org.hibernate.common:hibernate-commons-annotations:jar:5.0.4.Final:compile
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.9.13:compile
[INFO] |  |  \- org.jboss.spec.javax.transaction:jboss-transaction-api_1.2_spec:jar:1.1.1.Final:compile
[INFO] |  +- com.querydsl:querydsl-jpa:jar:4.2.1:compile
[INFO] |  |  \- com.querydsl:querydsl-core:jar:4.2.1:compile
[INFO] |  |     +- com.google.guava:guava:jar:28.0-jre:compile
[INFO] |  |     |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  |     |  +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:compile
[INFO] |  |     |  +- org.checkerframework:checker-qual:jar:2.8.1:compile
[INFO] |  |     |  +- com.google.errorprone:error_prone_annotations:jar:2.3.2:compile
[INFO] |  |     |  +- com.google.j2objc:j2objc-annotations:jar:1.3:compile
[INFO] |  |     |  \- org.codehaus.mojo:animal-sniffer-annotations:jar:1.17:compile
[INFO] |  |     +- com.google.code.findbugs:jsr305:jar:1.3.9:compile
[INFO] |  |     +- com.mysema.commons:mysema-commons-lang:jar:0.2.4:compile
[INFO] |  |     \- com.infradna.tool:bridge-method-annotation:jar:1.13:compile
[INFO] |  +- org.hibernate.validator:hibernate-validator:jar:6.0.17.Final:compile
[INFO] |  |  +- javax.validation:validation-api:jar:2.0.1.Final:compile
[INFO] |  |  \- com.fasterxml:classmate:jar:1.4.0:compile
[INFO] |  +- javax.el:javax.el-api:jar:3.0.0:compile
[INFO] |  +- org.springframework:spring-webmvc:jar:5.1.8.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-beans:jar:5.1.8.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-context:jar:5.1.8.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-core:jar:5.1.8.RELEASE:compile
[INFO] |  |  |  \- org.springframework:spring-jcl:jar:5.1.8.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-expression:jar:5.1.8.RELEASE:compile
[INFO] |  +- mysql:mysql-connector-java:jar:8.0.16:compile
[INFO] |  +- org.flywaydb:flyway-core:jar:5.2.4:compile
[INFO] |  +- org.apache.cxf:cxf-rt-rs-service-description:jar:3.2.5:compile
[INFO] |  |  \- org.apache.cxf:cxf-rt-frontend-jaxrs:jar:3.2.5:compile
[INFO] |  |     +- org.apache.cxf:cxf-core:jar:3.2.5:compile
[INFO] |  |     |  +- com.fasterxml.woodstox:woodstox-core:jar:5.0.3:compile
[INFO] |  |     |  |  \- org.codehaus.woodstox:stax2-api:jar:3.1.4:compile
[INFO] |  |     |  \- org.apache.ws.xmlschema:xmlschema-core:jar:2.2.3:compile
[INFO] |  |     \- org.apache.cxf:cxf-rt-transports-http:jar:3.2.5:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-actuator:jar:2.1.6.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-actuator-autoconfigure:jar:2.1.6.RELEASE:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot-actuator:jar:2.1.6.RELEASE:compile
[INFO] |  |  |  \- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.9.9:compile
[INFO] |  |  \- io.micrometer:micrometer-core:jar:1.1.5:compile
[INFO] |  |     +- org.hdrhistogram:HdrHistogram:jar:2.1.9:compile
[INFO] |  |     \- org.latencyutils:LatencyUtils:jar:2.0.3:compile
[INFO] |  +- org.springframework:spring-aop:jar:5.1.8.RELEASE:compile
[INFO] |  +- cglib:cglib:jar:3.2.5:compile
[INFO] |  |  +- org.ow2.asm:asm:jar:6.0_ALPHA:compile
[INFO] |  |  \- org.apache.ant:ant:jar:1.9.6:compile
[INFO] |  |     \- org.apache.ant:ant-launcher:jar:1.9.6:compile
[INFO] |  +- net.logstash.logback:logstash-logback-encoder:jar:5.2:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-web:jar:2.1.6.RELEASE:compile
[INFO] |  |  \- org.springframework.boot:spring-boot-starter-json:jar:2.1.6.RELEASE:compile
[INFO] |  |     +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.9:compile
[INFO] |  |     \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.9.9:compile
[INFO] |  \- org.springframework.boot:spring-boot-starter-tomcat:jar:2.1.6.RELEASE:compile
[INFO] |     +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.21:compile
[INFO] |     +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.21:compile
[INFO] |     \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.21:compile
[INFO] +- archetype.it:app-with-batch-batch:jar:1.0.0-SNAPSHOT:compile
[INFO] |  \- com.devonfw.java.modules:devon4j-batch:jar:3.1.1-SNAPSHOT:compile
[INFO] |     +- com.devonfw.java.modules:devon4j-jpa-basic:jar:3.1.1-SNAPSHOT:compile
[INFO] |     +- org.springframework.batch:spring-batch-core:jar:4.1.2.RELEASE:compile
[INFO] |     |  +- javax.batch:javax.batch-api:jar:1.0:compile
[INFO] |     |  \- org.codehaus.jettison:jettison:jar:1.2:compile
[INFO] |     +- org.springframework.batch:spring-batch-infrastructure:jar:4.1.2.RELEASE:compile
[INFO] |     |  \- org.springframework.retry:spring-retry:jar:1.2.4.RELEASE:compile
[INFO] |     \- org.springframework.batch:spring-batch-integration:jar:4.1.2.RELEASE:compile
[INFO] |        +- org.springframework.integration:spring-integration-core:jar:5.1.6.RELEASE:compile
[INFO] |        |  \- io.projectreactor:reactor-core:jar:3.2.10.RELEASE:compile
[INFO] |        |     \- org.reactivestreams:reactive-streams:jar:1.0.2:compile
[INFO] |        \- org.springframework:spring-messaging:jar:5.1.8.RELEASE:compile
[INFO] +- junit:junit:jar:4.12:test
[INFO] |  \- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] \- org.slf4j:slf4j-api:jar:1.7.26:compile

@hohwille
Copy link
Member

Following "latest is greatest" approach, it would be a try to go for:

For logback only "alpha" versions are available. That does not seem to be a reasonable option.
For spring-batch there also seems no fix in sight so far.

@vapadwal
Copy link
Member

I have tried using spring-security-core - 5.1.6.RELEASE , but this is also failing on vulnerabilities

spring-security-core-5.1.6.RELEASE.jar (pkg:maven/org.springframework.security/spring-security-core@5.1.6.RELEASE, cpe:2.3:a:pivotal_software:spring_security:5.1.6.release:*
::::::) : CVE-2018-1258

[ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '8.0':
[ERROR]
[ERROR] spring-security-core-5.1.6.RELEASE.jar: CVE-2018-1258

@hohwille
Copy link
Member

Release 3.1.1 has been published with jackson and guava versions without any current CVEs.
Rest remains open for further updates. Seems we have to wait till others are fixing their CVEs.

@hohwille hohwille modified the milestones: release:3.1.1, release:3.1.2 Sep 16, 2019
hohwille added a commit that referenced this issue Sep 27, 2019
@hohwille
Merge of 3.1.1 bugfixes into develop (#152)
ed806e9 
#115: Resolve CVEs identified (#131)
#123 jackson updated to 2.9.9.20190727
#122 guava updated to 28.0-jre
#118: avoid redundant version for jackson in archetype
@hohwille hohwille modified the milestones: release:3.1.2, release:3.1.1 Feb 6, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security
Projects
None yet
Milestone
release:3.1.1
Development

No branches or pull requests
3 participants
@hohwille @AbhayChandel @vapadwal