cloudfoundry / ibm-websphere-liberty-buildpack

IBM WebSphere Application Server Liberty Buildpack
Apache License 2.0

Fixtures contain outdated and vulnerable spring jars #543

Closed krismarc closed 2 years ago

krismarc commented 2 years ago

Dear @kevin-ortega and other maintainers,

there's a high-scored vulnerability found in the Spring Framework: https://tanzu.vmware.com/security/cve-2022-22950

Is there any plan to upgrade those packages? This triggers Qualys sensors within our company, so we can't keep the Buildpack files locally.

./liberty/spec/fixtures/framework_auto_reconfiguration_servlet_2/WEB-INF/lib/spring-core-3.2.3.RELEASE.jar
./liberty/spec/fixtures/framework_auto_reconfiguration_servlet_2_nested/nested/WEB-INF/lib/spring-core-3.2.3.RELEASE.jar
./liberty/spec/fixtures/framework_auto_reconfiguration_servlet_3/WEB-INF/lib/spring-core-3.2.3.RELEASE.jar
./liberty/spec/fixtures/framework_auto_reconfiguration_servlet_4/lib/spring-core-3.2.3.RELEASE.jar
./liberty/spec/fixtures/framework_auto_reconfiguration_servlet_5/spring_app.ear/lib/spring-core-3.2.3.RELEASE.jar
./liberty/spec/fixtures/framework_auto_reconfiguration_servlet_5/spring_app.war/WEB-INF/lib/spring-core-3.2.3.RELEASE.jar

Best regards, K.M.

kevin-ortega commented 2 years ago

@krismarc all files in spec are only used to test the buildpack. You can delete these files locally and not affect the buildpack.

We will work on updating these files.

kevin-ortega commented 2 years ago

The spring-core files have been replaced with spring-core-5.3.20.jar.

https://github.com/cloudfoundry/ibm-websphere-liberty-buildpack/pull/544
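A local check for the situation in this thread, as an added example that is not part of the buildpack or of the issue itself: it walks a checkout, reads each jar's Maven `META-INF/maven/.../pom.properties` (falling back to the `artifact-version.jar` filename when a jar carries no metadata) and reports every spring-core jar older than the 5.3.20 the maintainer switched to. Reading the metadata matters because a scanner like Qualys looks inside the archive, so a jar that was merely renamed still trips it. The fixture tree scanned here is constructed in a temporary directory with empty stand-in jars, and all helper names (`jar_coordinates`, `find_outdated_jars`, `demo`) are mine.

```python
"""Find Maven artifact jars below a minimum version in a directory tree.

Added example, not code from the buildpack or the issue. It assumes jars
carry the usual Maven metadata (META-INF/maven/<group>/<artifact>/pom.properties)
and otherwise follow the <artifact>-<version>.jar naming convention.
"""
import os
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

# <artifact>-<version>.jar, e.g. spring-core-3.2.3.RELEASE.jar
FILENAME_RE = re.compile(r"^(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d[\w.-]*)\.jar$")


def parse_version(version):
    """Turn '5.3.20' or '3.2.3.RELEASE' into a tuple of ints for comparison.
    Non-numeric qualifiers (RELEASE, SNAPSHOT) are dropped, so '5.3.20' and
    '5.3.20.RELEASE' compare equal."""
    return tuple(int(p) for p in re.split(r"[.-]", version) if p.isdigit())


def jar_coordinates(jar_path):
    """Return (artifactId, version) for a jar, or (None, None) if unknown.
    Maven pom.properties inside the jar wins over the filename, because a
    renamed jar still contains the old code."""
    with zipfile.ZipFile(jar_path) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = {}
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    line = line.strip()
                    if line and not line.startswith("#") and "=" in line:
                        key, _, value = line.partition("=")
                        props[key.strip()] = value.strip()
                if "artifactId" in props and "version" in props:
                    return props["artifactId"], props["version"]
    m = FILENAME_RE.match(os.path.basename(jar_path))
    if m:
        return m.group("artifact"), m.group("version")
    return None, None


def find_outdated_jars(root, artifact, min_version):
    """Walk `root` (exploded wars/ears included) and return
    [(relative path, version)] for every jar of `artifact` older than `min_version`."""
    floor = parse_version(min_version)
    hits = []
    for path in sorted(Path(root).rglob("*.jar")):
        art, ver = jar_coordinates(path)
        if art == artifact and ver is not None and parse_version(ver) < floor:
            hits.append((str(path.relative_to(root)), ver))
    return hits


def make_jar(path, artifact=None, version=None):
    """Write a minimal jar (a zip with a manifest) plus Maven pom.properties
    when artifact/version are given. Constructed test data, not a real jar."""
    path.parent.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if artifact and version:
            zf.writestr(
                f"META-INF/maven/org.springframework/{artifact}/pom.properties",
                f"version={version}\ngroupId=org.springframework\nartifactId={artifact}\n",
            )


def build_constructed_fixture_tree():
    """Constructed tree shaped like liberty/spec/fixtures from the issue."""
    root = Path(tempfile.mkdtemp(prefix="fixtures-"))
    old = ("spring-core", "3.2.3.RELEASE")
    make_jar(root / "framework_auto_reconfiguration_servlet_2/WEB-INF/lib/spring-core-3.2.3.RELEASE.jar", *old)
    make_jar(root / "framework_auto_reconfiguration_servlet_5/spring_app.ear/lib/spring-core-3.2.3.RELEASE.jar", *old)
    # Renamed to look current but still the old artifact inside: filename alone would miss it.
    make_jar(root / "renamed/WEB-INF/lib/spring-core-5.3.20.jar", *old)
    # The replacement the maintainer checked in.
    make_jar(root / "framework_auto_reconfiguration_servlet_3/WEB-INF/lib/spring-core-5.3.20.jar", "spring-core", "5.3.20")
    # Different artifact, no metadata: identified from its filename and ignored.
    make_jar(root / "other/lib/spring-web-3.2.3.RELEASE.jar")
    return root


def demo():
    """Scan the constructed tree; returns the outdated spring-core jars."""
    root = build_constructed_fixture_tree()
    try:
        return find_outdated_jars(root, "spring-core", "5.3.20")
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for rel, ver in demo():
        print(f"{rel}: {ver}")
```

Run against a real checkout with `find_outdated_jars("liberty/spec/fixtures", "spring-core", "5.3.20")`; an empty list means the fixtures match the state described in PR 544. Jars packed inside a non-exploded `.war` or `.ear` are not opened by this walk, which is the one gap to keep in mind.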

krismarc commented 2 years ago

@kevin-ortega perfect, thank you :)