OpenLiberty / ci.gradle

Gradle plugins for managing Liberty profile servers #devops
Apache License 2.0

Check on Spring Boot dependency in arquillian-tests #748

Open cherylking opened 2 years ago

cherylking commented 2 years ago

The io.spring.gradle:dependency-management-plugin which is used in the ci.gradle arquillian-tests here: https://github.com/OpenLiberty/ci.gradle/blob/main/src/test/resources/arquillian-tests/build.gradle#L11 may need updating. In the dependencies section of the build.gradle for the dependency-management-plugin, there is a dependency on io.spring.nohttp:nohttp-cli: https://github.com/spring-gradle-plugins/dependency-management-plugin/blob/main/build.gradle#L92

It turns out that version of io.spring.nohttp:nohttp-cli depends on org.springframework.boot:spring-boot-starter which in turn depends on org.springframework:spring-core, which is vulnerable to CVE-2022-22965.

I think if the dependency-management-plugin upgraded the io.spring.nohttp:nohttp-cli dependency, it may be resolved (but this is not owned by IBM).

cherylking commented 2 years ago

The io.spring.nohttp:nohttp-cli removed the dependency on spring-boot-starter as of version 0.0.5.RELEASE. However, the io.spring.gradle:dependency-management-plugin remains on version 0.0.2.RELEASE. Nothing can be done from our end to resolve this.
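As an added example (not code from the ci.gradle project or the commenter), the script below walks a Gradle dependency report and lists every path that resolves to org.springframework:spring-core at a version in the CVE-2022-22965 range (fixed in 5.3.18 and 5.2.20). The embedded report is constructed to mirror the chain described in this issue; the spring-boot-starter and spring-core versions in it are placeholders, not the versions the plugin actually pulls in.

```python
import re
from typing import List, Tuple

# Constructed sample of `gradle dependencies --configuration runtimeClasspath`
# output; it mirrors the chain the issue describes and is not real project output.
SAMPLE_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- io.spring.nohttp:nohttp-cli:0.0.2.RELEASE
|    \\--- org.springframework.boot:spring-boot-starter:2.2.0.RELEASE
|         +--- org.springframework:spring-core:5.2.0.RELEASE
|         \\--- org.springframework.boot:spring-boot:2.2.0.RELEASE
|              \\--- org.springframework:spring-core:5.2.0.RELEASE (*)
\\--- org.apache.commons:commons-lang3:3.12.0
"""

# A tree node: indentation prefix, group:artifact:version, optional "-> resolved".
NODE_RE = re.compile(r"^([|\s]*)[+\\]--- (\S+)(?: -> (\S+))?")

def version_tuple(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a version string: '5.2.0.RELEASE' -> (5, 2, 0)."""
    nums = []
    for part in version.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)

def spring_core_vulnerable(version: str) -> bool:
    """CVE-2022-22965 is fixed in 5.3.18 and 5.2.20; older lines are unsupported."""
    v = version_tuple(version)
    if v[:2] == (5, 2):
        return v < (5, 2, 20)
    return v < (5, 3, 18)

def find_paths(tree: str, group_artifact: str) -> List[List[str]]:
    """Return every dependency path (root-first) that resolves to group_artifact."""
    paths, stack = [], []  # stack holds one 'group:artifact:resolved' per depth
    for line in tree.splitlines():
        m = NODE_RE.match(line)
        if not m or m.group(2).count(":") < 2:  # skip headers and project deps
            continue
        depth = len(m.group(1)) // 5            # Gradle indents each level by 5 columns
        group, artifact, declared = m.group(2).rsplit(":", 2)
        resolved = m.group(3) or declared       # '-> X' means Gradle selected X
        stack[depth:] = [f"{group}:{artifact}:{resolved}"]
        if f"{group}:{artifact}" == group_artifact:
            paths.append(list(stack))
    return paths

def vulnerable_paths(tree: str) -> List[List[str]]:
    """Paths whose resolved spring-core version is in the CVE-2022-22965 range."""
    return [p for p in find_paths(tree, "org.springframework:spring-core")
            if spring_core_vulnerable(p[-1].rsplit(":", 1)[1])]
```

Pipe real output from `gradle dependencies` into `vulnerable_paths` to see which top-level dependency is responsible for the transitive spring-core version, as the issue traces it back to nohttp-cli.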