
Security scans findings #1101

Closed
dranzey-hub opened this issue Apr 30, 2024 · 3 comments
Labels: dependencies (Dependency updates), on hold (Currently no progress possible), question (A question about this library or its usage)

Comments

@dranzey-hub

Blackduck source scans findings

At my company, while scanning our project with a Blackduck source scan, we found a lot of vulnerabilities coming from this dependency, some dating back to 2005 or older. At first we thought this was probably a false positive from Blackduck, but when we contacted them they told us they also see the problems.

The question

Is this correct? We are using the latest version, released just a couple of weeks ago, so it doesn't make sense.

Stacktraces and logs

For instance, one of your direct dependencies is spring-cloud-starter-netflix-eureka-client 4.1.0, which, looking at Maven Central, brings in eureka-client 2.0.1, which in turn has commons-configuration 1.10 as a dependency. This one is very old (Oct 24, 2013), and one of its many vulnerabilities is log4shell, coming from log4j 1.2.8.

(attached screenshot)

@dranzey-hub dranzey-hub added the question A question about this library or its usage label Apr 30, 2024
@ST-DDT ST-DDT added on hold Currently no progress possible dependencies Dependency updates labels Apr 30, 2024
@ST-DDT
Collaborator

ST-DDT commented Apr 30, 2024

Thanks for bringing this to our attention.

The dependency is marked as an optional runtime dependency.

```xml
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
    <version>4.1.0</version>
    <scope>runtime</scope>
    <exclusions>...</exclusions>
    <optional>true</optional>
</dependency>
```

So AFAIK, unless you add them yourself, they won't show up in the final application.

Unfortunately, there isn't a patched version of the eureka client lib available that uses a newer version of that library, so there isn't much we can do here.
Could you please report this to the eureka client lib, so they can fix it?
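
One way for the consuming project to confirm the point above is to run `mvn dependency:tree` and check whether the chain the reporter traced by hand (eureka starter 4.1.0 -> eureka-client 2.0.1 -> commons-configuration 1.10 -> log4j 1.2.8) actually reaches the resolved build. The script below is an added example, not code from this issue or the project: it parses constructed `dependency:tree` output (placeholder `com.example` coordinates) and prints the full inclusion path of each flagged artifact, so a subtree that Maven drops because of `<optional>true</optional>` simply yields no finding.

```python
import re

# Constructed sample of `mvn dependency:tree` output (not real scan data) for a
# consumer where the optional eureka starter was NOT filtered out, so the chain
# described in the issue appears. Library coordinates are placeholders.
TREE_WITH_CHAIN = """\
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- com.example:some-library:jar:9.9.9:compile
[INFO] |  \\- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:4.1.0:runtime
[INFO] |     \\- com.netflix.eureka:eureka-client:jar:2.0.1:runtime
[INFO] |        \\- commons-configuration:commons-configuration:jar:1.10:runtime
[INFO] |           \\- log4j:log4j:jar:1.2.8:runtime
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.12:compile
"""

# Same consumer, but Maven honoured <optional>true</optional>: the subtree is absent.
TREE_OPTIONAL_HONOURED = """\
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- com.example:some-library:jar:9.9.9:compile
[INFO] \\- org.slf4j:slf4j-api:jar:2.0.12:compile
"""

# Artifacts named in the issue, keyed as groupId:artifactId -> version.
FLAGGED = {"commons-configuration:commons-configuration": "1.10", "log4j:log4j": "1.2.8"}

# Tree-drawing prefix (3 chars per level: "+- ", "\- ", "|  ", "   ") then coordinates.
_LINE = re.compile(r"^\[INFO\] ([|+\\ -]*)(\S+:\S+:\S+:\S+)")

def parse_tree(text):
    """Yield (depth, groupId:artifactId, version) for every node in the tree."""
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue                      # plugin banners, blank lines, etc.
        prefix, coords = m.groups()
        parts = coords.split(":")
        # root is g:a:type:version; children are g:a:type[:classifier]:version:scope
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        yield len(prefix) // 3, f"{parts[0]}:{parts[1]}", version

def flagged_paths(text, flagged=FLAGGED):
    """Return the inclusion path (root -> artifact) for each flagged artifact found."""
    stack, hits = [], []
    for depth, ga, version in parse_tree(text):
        del stack[depth:]                 # pop back to this node's parent
        stack.append(f"{ga}:{version}")
        if flagged.get(ga) == version:
            hits.append(list(stack))
    return hits

if __name__ == "__main__":
    for path in flagged_paths(TREE_WITH_CHAIN):
        print(" -> ".join(path))
```

Run it against real output with `mvn dependency:tree | python3 check_tree.py` after replacing the constructed samples with `sys.stdin.read()`; any path that passes through the optional starter means the consumer's own POM (not the library) is pulling it in.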

@dranzey-hub
Author

Thanks for the response.

We will exclude all of those optional dependencies and scan again. I'll let you know the results.

@dranzey-hub
Author

Thanks. There seemed to be problems with the Blackduck scan that were fixed, and now the optional dependencies do not show up, so we are good.
