Closed Holdo closed 5 years ago
Also - and related - is it necessary that xsuaa-spring-boot-starter has a transitive dependency to spring-xsuaa-test in scope compile (which in turn pulls in spring-security-jwt)?
@Holdo Thanks for reporting! Will exclude the dependency to bouncy castle if possible!
@frzme I've also recognized that stupid dependency yesterday and fixed it already in master.
spring-boot-starter no longer has a dependency to spring-security-jwt - see https://github.com/SAP/cloud-security-xsuaa-integration/commit/7ab2630eb0101ce711f803e4edee0cfa87a67ff9
and spring-xsuaa-mock no longer has a dependency to spring-security-jwt - see https://github.com/SAP/cloud-security-xsuaa-integration/commit/fe277f33734af72d7e81962734c0ef3de9d77ace
Only spring-xsuaa-test has a dependency, but this should be added with test scope and is uncritical. Still, I've upgraded to the latest released version with https://github.com/SAP/cloud-security-xsuaa-integration/commit/f642e814fe66f2139043e0ffcff0d17bcbba2bdc
All of these changes will be available with the next released version 2.1.0 very soon.
Release 2.1.0 available on maven central
Please update version, 1.0.9.RELEASE has vulnerabilities.
https://github.com/SAP/cloud-security-xsuaa-integration/blob/18ffd34e99eadf0535c349a0b6f576eec86a79fe/spring-xsuaa-mock/pom.xml#L64
https://snyk.io/vuln/SNYK-JAVA-ORGBOUNCYCASTLE-32369
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000613