
[MS-39465] fix azure and core high vulnerabilities

VidyaDharani Lokam requested to merge az/vl-fix-high-vul into master

Reference issues:

Changes:

  • update os-core-common-spring6 to 0.27.0-rc1
  • update spring-boot to 3.2.5 to remediate spring-web vulnerability
  • update resteasy-guice to 4.7.9 to remediate resteasy-client vulnerability
  • remove unused dependencies from core and azure pom.

mvn dependency:tree before changes:

[INFO] |  +- org.springframework:spring-web:jar:6.1.5:compile
[INFO] |  +- org.springframework.security:spring-security-core:jar:6.2.3:compile
[INFO] |  |  \- org.springframework.security:spring-security-crypto:jar:6.2.3:compile
[INFO] |  +- org.springframework.security:spring-security-web:jar:6.2.3:compile
[INFO] |  +- org.springframework.security:spring-security-config:jar:6.2.3:compile
[INFO] |  \- com.nimbusds:nimbus-jose-jwt:jar:7.9:compile

[INFO] +- org.jboss.resteasy:resteasy-guice:jar:3.6.2.Final:compile
[INFO] |  +- com.google.inject:guice:jar:4.1.0:compile
[INFO] |  |  +- javax.inject:javax.inject:jar:1:compile
[INFO] |  |  \- aopalliance:aopalliance:jar:1.0:compile
[INFO] |  +- org.jboss.resteasy:resteasy-client:jar:3.6.2.Final:compile

mvn dependency:tree after changes in azure:

[INFO] |  +- org.springframework:spring-web:jar:6.1.6:compile
[INFO] |  +- org.springframework.security:spring-security-core:jar:6.2.4:compile
[INFO] |  |  \- org.springframework.security:spring-security-crypto:jar:6.2.4:compile
[INFO] |  +- org.springframework.security:spring-security-web:jar:6.2.4:compile
[INFO] |  +- org.springframework.security:spring-security-config:jar:6.2.4:compile
[INFO] |  \- com.nimbusds:nimbus-jose-jwt:jar:7.9:compile


[INFO] +- org.jboss.resteasy:resteasy-guice:jar:4.7.9.Final:compile
[INFO] |  +- com.google.inject:guice:jar:5.0.1:compile
[INFO] |  |  \- aopalliance:aopalliance:jar:1.0:compile
[INFO] |  +- org.jboss.resteasy:resteasy-core-spi:jar:4.7.9.Final:compile
[INFO] |  \- org.jboss.resteasy:resteasy-client:jar:4.7.9.Final:compile
[INFO] |     +- org.jboss.resteasy:resteasy-client-api:jar:4.7.9.Final:compile
Edited by VidyaDharani Lokam
