Closed daust closed 2 years ago
The gradle task jriDownloadJasperLibraries will first download the libraries, then copy them to the local lib directory. In this step, the spring libraries will be excluded:
```groovy
// exclude patterns applied in the Copy step that fills the local lib directory
// https://github.com/TIBCOSoftware/jasperreports/issues/241
// CVE-2021-22096 - Medium Severity Vulnerability, Vulnerable Library - spring-core-5.1.4.RELEASE.jar
// spring boot framework should not be required anyway
exclude "spring-core-*"
exclude "spring-beans-*"
```
The Spring framework is required for recompiling the .jrxml file into .jasper. Thus, I will remove the vulnerable version from the jasper-lib download and always upgrade to the latest one through the Gradle build. Currently, I have included: spring-core-5.3.15.jar, spring-beans-5.3.15.jar
In the past, I have always tried to make it as easy for developers as possible. One pitfall I wanted to avoid was that users built their report in JasperSoftStudio, deployed it onto the JRI-Integration, and it would break.
Thus, I tried to include all libraries that might be required. Sometimes, libraries get added that are just there for running some tests/samples, e.g. the Spring Boot libraries.
I never wanted to go through the hassle of understanding all dependencies, thus I included most of the libraries.
After the Log4Shell issue I am more reluctant to do so.
I have just come across the security warning here: https://github.com/TIBCOSoftware/jasperreports/issues/241
In the upcoming release (and forward) I will remove all references to Spring Boot. If you should need them, you can add those libraries back yourself.
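The build change above (exclude the bundled spring-core/spring-beans jars, then add a pinned 5.3.15 pair back) leaves a gap that is easy to miss: if the exclude pattern does not fire, or an old lib directory is reused, the vulnerable 5.1.4.RELEASE jars can still sit next to the new ones. The following audit script is an added example, not code from the JRI project or from the issue author. It parses jar file names, flags any spring-core or spring-beans jar older than the 5.3.15 version named in the issue, and flags duplicate artifacts (two versions of the same jar on the classpath). The jar names in the sample lists are constructed for the demonstration; the jasperreports version shown there is an assumption.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Lowest acceptable version per artifact, taken from the versions the build now pins.
# Anything older is reported as OUTDATED.
MIN_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "spring-core": (5, 3, 15),
    "spring-beans": (5, 3, 15),
}

# Matches names such as "spring-core-5.1.4.RELEASE.jar" or "spring-beans-5.3.15.jar":
# artifact id, a dotted numeric version, an optional qualifier (".RELEASE"), then ".jar".
JAR_RE = re.compile(
    r"^(?P<artifact>[a-z][a-z0-9-]*?)-(?P<version>\d+(?:\.\d+)*)(?:\.[A-Za-z0-9]+)*\.jar$"
)


def parse_jar_name(name: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Return (artifact, version tuple) for a Maven-style jar name, or None if it does not parse."""
    m = JAR_RE.match(name)
    if not m:
        return None
    version = tuple(int(part) for part in m.group("version").split("."))
    return m.group("artifact"), version


def audit_lib_dir(jar_names: Iterable[str]) -> List[str]:
    """Check a list of jar file names against MIN_VERSIONS and report outdated or duplicated artifacts."""
    findings: List[str] = []
    seen: Dict[str, List[str]] = {}
    for name in sorted(jar_names):
        parsed = parse_jar_name(name)
        if parsed is None:
            continue  # not a versioned jar name; nothing to compare
        artifact, version = parsed
        seen.setdefault(artifact, []).append(name)
        minimum = MIN_VERSIONS.get(artifact)
        if minimum is not None and version < minimum:
            pinned = ".".join(str(p) for p in minimum)
            findings.append(f"OUTDATED {name}: below pinned {pinned}")
    # Two versions of the same artifact means the exclude step did not remove the old copy.
    for artifact, names in seen.items():
        if len(names) > 1:
            findings.append(f"DUPLICATE {artifact}: {', '.join(names)}")
    return findings


def audit_path(lib_dir: str) -> List[str]:
    """Convenience wrapper: audit every *.jar in a real lib directory."""
    return audit_lib_dir(p.name for p in Path(lib_dir).glob("*.jar"))


# Constructed sample listings (not taken from any real lib directory).
SAMPLE_LIB_BEFORE = [
    "jasperreports-6.19.1.jar",          # version is an assumption for the sample
    "spring-core-5.1.4.RELEASE.jar",     # the jar named in CVE-2021-22096
    "spring-beans-5.1.4.RELEASE.jar",
    "commons-logging-1.2.jar",
]
SAMPLE_LIB_AFTER = [
    "jasperreports-6.19.1.jar",
    "spring-core-5.3.15.jar",            # the pinned versions from the issue
    "spring-beans-5.3.15.jar",
    "commons-logging-1.2.jar",
]

if __name__ == "__main__":
    for label, listing in (("before", SAMPLE_LIB_BEFORE), ("after", SAMPLE_LIB_AFTER)):
        print(f"{label}: {audit_lib_dir(listing) or 'clean'}")
```

Run `audit_path("lib")` after the Gradle task to confirm the directory is clean; an empty list means no Spring jar below the pinned version and no artifact present twice. Comparing version tuples rather than strings is what makes `5.3.15` correctly rank above `5.1.4`.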