exclude vulnerable indirect dep xalan #2695
Conversation
|
We have created an issue in Pivotal Tracker to manage this: https://www.pivotaltracker.com/story/show/186949072 The labels on this github issue will be updated when the story is started. |
|
Wouldn't the build fail if we actually needed this dependency? Seems pretty low-risk to me. I know Spring has a lot of potential for runtime errors that are surprising, but perhaps not for this type of issue. |
After reading this gradle doc, I got the impression that the failure might happen at runtime instead of build time. But in any case, if all our tests are passing, it's pretty good evidence that exclude works. Usually, we should use exclude very sparingly, in this case the direct dep (the saml extension lib) has reached EOL, so it can't be bumped, so our options are limited. |
Sure, wouldn't hurt to add that in addition to commit message. |
- a vulnerable xalan version (2.7.2; CVE-2022-34169) is brought in by the saml library we use: org.springframework.security.extensions:spring-security-saml2-core which has reached EOL (we are replacing it for develop branch, but not 74.5.x branch). So this xalan would not be bumped by spring-security-saml2-core anymore. - so to address this CVE scan result (CVE-2022-34169), exclude this indirect dep, like develop branch does: 061bee9 - note: excluding a dep of a library we use carries the risk of failure if we trigger a code path in the library that depends on the dep. The fact all tests are passing + the fact that this exclude has been applied in develop branch for more than 1 year give us enough confidence that this exclude would not introduce a failure. [#186948853]
peterhaochen47
force-pushed
the
pr/74.5.x/exclude-xalan-saml
branch
from
1986645
to
05bea28
Compare
[#186948853]