Commit
exclude vulnerable indirect dep xalan
- A vulnerable xalan version (2.7.2; CVE-2022-34169) is brought in by the SAML library we use, org.springframework.security.extensions:spring-security-saml2-core, which has reached EOL (we are replacing it for the develop branch, but not the 74.5.x branch). So this xalan would not be bumped by spring-security-saml2-core anymore.
- So, to address this CVE scan result (CVE-2022-34169), exclude this indirect dep, like the develop branch does: 061bee9
- Note: excluding a dep of a library we use carries the risk of failure if we trigger a code path in the library that depends on the dep. The fact that all tests are passing, plus the fact that this exclude has been applied in the develop branch for more than 1 year, gives us enough confidence that this exclude would not introduce a failure.

[#186948853]
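The exclusion described above, written out as an added illustration (not the project's own build file, and assuming a Gradle Groovy DSL build; the dependency version placeholder is constructed):

```groovy
// build.gradle (illustrative; assumes Gradle, not taken from the repository)
dependencies {
    // The SAML library pulls in xalan 2.7.2 transitively (CVE-2022-34169).
    // Excluding it here keeps the scanner clean without waiting for an
    // upstream bump that the EOL library will never ship.
    implementation("org.springframework.security.extensions:spring-security-saml2-core:VERSION_PLACEHOLDER") {
        exclude group: 'xalan', module: 'xalan'
    }
}

// Guard against the exclusion silently becoming ineffective: if any other
// dependency reintroduces xalan, fail the build rather than re-ship the CVE.
configurations.all {
    resolutionStrategy.eachDependency { details ->
        if (details.requested.group == 'xalan' && details.requested.name == 'xalan') {
            throw new GradleException(
                "xalan was pulled in by another path; revisit the exclusion (CVE-2022-34169)")
        }
    }
}
```

To confirm which path still requests the artifact, `./gradlew dependencyInsight --dependency xalan --configuration runtimeClasspath` lists every requester; the caveat in the commit message still holds, so the library's SAML code paths need to be exercised by the test suite after the exclusion.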