SAP / cf-java-logging-support

The Java Logging Support for Cloud Foundry supports the creation of structured log messages and the collection of request metrics
Apache License 2.0
77 stars, 48 forks

There is a vulnerability in Spring Boot 2.0.6.RELEASE, upgrade recommended #113

Closed QiAnXinCodeSafe closed 2 years ago

QiAnXinCodeSafe commented 3 years ago

https://github.com/SAP/cf-java-logging-support/blob/25d1a578c2546f998f86fd124777f06f5bfdb6cb/cf-java-monitoring-custom-metrics-clients/cf-custom-metrics-clients-spring-boot/pom.xml#L15

CVE-2020-5421

Recommended upgrade version: 2.1.17.RELEASE

KarstenSchnitter commented 3 years ago

Thanks for reporting this issue.

There is a trade-off with specifying the Spring Boot version: This dependency is defined in scope "provided", which means that the actual implementation is taken from the application using our library. So far, 2.0.6.RELEASE specifies the minimal version, with which the implementation was tested. Application developers should always use a safe version. If this dependency was upgraded to a very new version, it might create incompatibilities for legacy applications. What is your take on this?
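To illustrate the trade-off described in this comment, here is an added example (not the repository's own pom.xml) of how a library can declare Spring Boot in "provided" scope with only the minimal tested version, while the consuming application pins the version that actually lands on the classpath to the patched release named in this issue. The artifact coordinates and the application's use of a dependencyManagement BOM import are assumptions.

```xml
<!-- Added example, not the project's pom.xml.
     Library module: Spring Boot is "provided", so the version here is only
     the minimum the library was tested against; it is not packaged and the
     consuming application supplies the real implementation. -->
<!-- library pom.xml (assumed coordinates) -->
<dependency>
  <groupId>org.springframework.boot</groupId>
  <artifactId>spring-boot</artifactId>
  <version>2.0.6.RELEASE</version>   <!-- minimal tested version; the one this issue flags -->
  <scope>provided</scope>            <!-- application, not library, decides the runtime version -->
</dependency>

<!-- application pom.xml (assumed): the fix belongs here. Importing the
     Spring Boot BOM at the patched release pins every Spring Boot artifact,
     regardless of the minimum the library declares. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-dependencies</artifactId>
      <version>2.1.17.RELEASE</version> <!-- version recommended in this issue -->
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
```

In the application, `mvn dependency:tree -Dincludes=org.springframework.boot` shows which Spring Boot version was actually resolved, which is the value to check rather than the library's provided-scope minimum.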

KarstenSchnitter commented 2 years ago

Closing due to lack of response.