From 4cdb55e718d45c2e133e84a7d39a5af685d47c9d Mon Sep 17 00:00:00 2001
From: Chris Bono <cbono@vmware.com>
Date: Thu, 7 Dec 2023 03:56:37 -0600
Subject: [PATCH] Override logback version to 1.2.13 (#415)

This commit overrides the logback version in order to fix CVE-2023-6378.

See https://github.com/spring-cloud/spring-cloud-dataflow/issues/5593
---
 pom.xml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/pom.xml b/pom.xml
index 104db207..af16638f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -61,6 +61,7 @@
 		<spring-boot.version>2.7.18</spring-boot.version>
 		<maven.compiler.source>${java.version}</maven.compiler.source>
 		<maven.compiler.target>${java.version}</maven.compiler.target>
+		<logback.version>1.2.13</logback.version>
 	</properties>
 
 	<modules>
@@ -102,6 +103,22 @@
 				<type>pom</type>
 				<scope>import</scope>
 			</dependency>
+			<!-- Override Logback provided by Spring Boot -->
+			<dependency>
+				<groupId>ch.qos.logback</groupId>
+				<artifactId>logback-core</artifactId>
+				<version>${logback.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>ch.qos.logback</groupId>
+				<artifactId>logback-classic</artifactId>
+				<version>${logback.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>ch.qos.logback</groupId>
+				<artifactId>logback-access</artifactId>
+				<version>${logback.version}</version>
+			</dependency>
 			<dependency>
 				<groupId>org.springframework.boot</groupId>
 				<artifactId>spring-boot-dependencies</artifactId>