SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0

Whitesource issue in org.springframework.security:spring-security-web:jar:5.4.2 #488

Closed. prateekprshr-nith closed this issue 3 years ago

prateekprshr-nith commented 3 years ago

Hi Colleagues

org.springframework.security:spring-security-web:jar:5.4.2 has a WhiteSource vulnerability with a score of 8.8, as described here. Upon analysis, we found that it comes from com.sap.cloud.security.xsuaa:xsuaa-spring-boot-starter:jar:2.8.8, as shown in the dependency tree below:

+- com.sap.cloud.security.xsuaa:xsuaa-spring-boot-starter:jar:2.8.8:compile
   +- org.springframework.boot:spring-boot-starter:jar:2.4.1:compile
   |  +- org.springframework.boot:spring-boot:jar:2.4.1:compile
   |  |  \- org.springframework:spring-context:jar:5.3.2:compile
   |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.4.1:compile
   |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.4.1:compile
   |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
   |  |  |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
   |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.30:compile
   |  +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
   |  \- org.springframework:spring-core:jar:5.3.2:compile
   |     \- org.springframework:spring-jcl:jar:5.3.2:compile
   +- com.sap.cloud.security.xsuaa:spring-xsuaa:jar:2.8.8:compile
   |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3:compile
   |  |  \- org.apache.logging.log4j:log4j-api:jar:2.13.3:compile
   |  +- com.sap.cloud.security.xsuaa:api:jar:2.8.8:compile
   |  \- com.github.ben-manes.caffeine:caffeine:jar:2.8.8:compile
   +- org.springframework.boot:spring-boot-starter-security:jar:2.4.1:compile
   |  +- org.springframework:spring-aop:jar:5.3.2:compile
   |  |  \- org.springframework:spring-beans:jar:5.3.2:compile
   |  +- org.springframework.security:spring-security-config:jar:5.4.2:compile
   |  \- org.springframework.security:spring-security-web:jar:5.4.2:compile      <---- Please look here
   |     \- org.springframework:spring-expression:jar:5.3.2:compile

We request that you upgrade this dependency so that the WhiteSource vulnerability is no longer reported.

Regards

liga-oz commented 3 years ago

Hi @prateekprshr-nith,

We have already updated the Spring Boot versions; since version 2.8.7 we use spring-boot-starter 2.4.3.

I would encourage you to check where the outdated version is coming from, as it looks like Maven is resolving an older version than the one we have defined in our POM. You can try setting the scope to provided for spring-boot-starter-security, or check whether you have defined spring-boot-starter-parent with an older version in your POM.

Kind Regards, Liga
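The situation Liga describes, as an added illustration that is not code from this repository or from either participant: a consuming application's pom.xml inherits from spring-boot-starter-parent, whose dependencyManagement section pins every spring-security-* artifact. A managed version always wins over the version a transitive dependency (here xsuaa-spring-boot-starter 2.8.8, built against Boot 2.4.3) asks for, so a parent at 2.4.1 silently forces spring-security-web back to 5.4.2, which is exactly what the dependency tree above shows. The application coordinates (com.example:xsuaa-demo) are hypothetical; the SAP and Spring artifact coordinates are the ones from the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Hypothetical application POM (added example, not part of the SAP library).
     The fix is the parent version: the commented-out line is the setting that
     produced the flagged spring-security-web 5.4.2, the live line is the corrected one. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>xsuaa-demo</artifactId>
  <version>1.0.0</version>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <!-- was: <version>2.4.1</version>
         Boot 2.4.1 manages spring-security-* at 5.4.2; that managed version
         overrides the 2.4.3-based versions xsuaa-spring-boot-starter 2.8.8 declares. -->
    <version>2.4.3</version>
    <relativePath/> <!-- always resolve the parent from the repository, not a local path -->
  </parent>

  <dependencies>
    <!-- Pulls spring-boot-starter-security transitively; its spring-security-web
         version is whatever the parent above manages, not what the starter requests. -->
    <dependency>
      <groupId>com.sap.cloud.security.xsuaa</groupId>
      <artifactId>xsuaa-spring-boot-starter</artifactId>
      <version>2.8.8</version>
    </dependency>
  </dependencies>
</project>
```

To confirm where a version is really coming from before changing anything, run `mvn dependency:tree -Dverbose=true -Dincludes=org.springframework.security` (the verbose tree annotates artifacts whose version was managed or omitted for a conflict) and `mvn help:effective-pom`, which prints the merged dependencyManagement block inherited from the parent. If the parent cannot be bumped, the same effect can be had by overriding the parent's `spring-security.version` property in the application POM, but then the application, not the starter, owns keeping that version current.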

prateekprshr-nith commented 3 years ago

@liga-oz, thank you for your quick response. I was able to find the specific version of spring-boot-starter, and updating it pulled the new version.