fix: exclude unused vulnerable transitive deps
- bcprov-jdk15on and bcprov-ext-jdk15on have been flagged with many
  CVEs: CVE-2020-15522, CVE-2020-0187, CVE-2020-26939, CVE-2023-33201
  for the latter, and CVE-2020-0187, CVE-2023-33201 for the former.
- these transitive deps are not used in UAA or in the library codepaths
  invoked by UAA, so excluding them to address these CVEs.
- following these 2 commits in the develop branch:
  8bdb525
  and 214e1cb
- gradle doc on the exclude statement: https://docs.gradle.org/current/userguide/dependency_downgrade_and_exclude.html#sec:excluding-transitive-deps
peterhaochen47 committed Nov 21, 2023
1 parent d7f16e9 commit f9b4586
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion server/build.gradle
@@ -25,7 +25,9 @@ dependencies {
implementation(libraries.spingSamlEsapiDependencyVersion) {
transitive = false
}
implementation(libraries.springSecuritySaml)
implementation(libraries.springSecuritySaml) {
exclude(module: "bcprov-ext-jdk15on")
}
implementation(libraries.springSessionJdbc)

implementation(libraries.springSecurityOauth) {
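Review bot: the new `exclude(module: "bcprov-ext-jdk15on")` on `springSecuritySaml` names only the module, so it matches that module name under any group; writing it as `exclude(group: "org.bouncycastle", module: "bcprov-ext-jdk15on")` keeps it consistent with the `bcprov-jdk15on` exclusion added in `configurations.all` in the next hunk and avoids silently matching an unrelated artifact of the same name. The exclusion is also scoped to this one dependency, so if any other dependency pulls in `bcprov-ext-jdk15on` it will still be resolved; running `./gradlew :server:dependencyInsight --dependency bcprov-ext-jdk15on` after the change confirms nothing else brings it back. Because the fix removes the classes rather than upgrading them, a test that exercises the SAML code paths would back the commit message's claim that they are unused, since a missing class surfaces only at runtime.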
@@ -100,6 +102,7 @@ dependencies {
configurations.all {
exclude(group: "org.beanshell", module: "bsh-core")
exclude(group: "org.apache-extras.beanshell", module: "bsh")
exclude(group: "org.bouncycastle", module: "bcprov-jdk15on")
}

jar {
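Review bot: the global `exclude(group: "org.bouncycastle", module: "bcprov-jdk15on")` in `configurations.all` applies to every configuration, including test runtime, so any code or test that does load a BouncyCastle provider class will now fail at runtime rather than at build time; the hunk carries no explanation of why the module is excluded, so a one-line comment citing the CVEs (CVE-2020-0187, CVE-2023-33201) and the develop commits 8bdb525 and 214e1cb named in the commit message would keep the next reader from re-adding it. Excluding the artifact instead of upgrading it only holds while those code paths stay unused; if BouncyCastle is needed later, the right move is an explicit dependency on a patched version, not just deleting this line.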
