esanchezros / quickfixj-spring-boot-starter

Spring Boot Starter for QuickFIX/J
Apache License 2.0

https://advisory.checkmarx.net/advisory/vulnerability/CVE-2021-42550/ #89

Closed jcorderop closed 2 years ago

jcorderop commented 2 years ago

hi

Trying to use:

io.allune:quickfixj-spring-boot-starter:2.12.0

I saw it has those vulnerabilities: https://advisory.checkmarx.net/advisory/vulnerability/CVE-2021-42550/ https://advisory.checkmarx.net/advisory/vulnerability/CVE-2022-22965/ ...

I wanted to double-check with you if you knew about it.

esanchezros commented 2 years ago

Hi @jcorderop, thanks for reporting.

The quickfixj spring boot starter inherits from the spring-boot-starter-parent artifact, which itself inherits from the spring-boot-dependencies artifact. This latter artifact is the Spring Boot BOM, which is just a Maven POM file with a large dependencyManagement section. This library only sets the version for quickfixj and uses a couple of other libraries for testing.

You can override any of these by adding the version of the library you want to use, i.e.

<dependency>
    <groupId>ch.qos.logback</groupId>
    <artifactId>logback-core</artifactId>
    <version>1.2.11</version>
</dependency>

I agree that this Spring Boot starter needs an upgrade of its parent and to be made available on higher JDKs. I'll create separate tickets to address these issues separately.

Thanks
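As an added example (not from the issue or from the starter project), the same override done through the Spring Boot BOM's version property instead of a direct dependency entry. It assumes the consuming project itself inherits spring-boot-starter-parent; coordinates and the parent version are placeholders.

```xml
<!-- Added example, not part of the issue or the starter: overriding a
     version managed by the Spring Boot BOM from a consuming project.
     Assumes this project inherits spring-boot-starter-parent directly. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>            <!-- placeholder coordinates -->
  <artifactId>fix-client</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>PLACEHOLDER_BOOT_VERSION</version> <!-- the Boot line you use -->
  </parent>

  <properties>
    <!-- spring-boot-dependencies resolves every logback artifact through
         this one property, so this override covers logback-core AND
         logback-classic (both are on the classpath through Boot's
         logging starter). A plain <dependency> with an explicit version,
         as shown in the comment above, pins only the artifact it names. -->
    <logback.version>1.2.11</logback.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>io.allune</groupId>
      <artifactId>quickfixj-spring-boot-starter</artifactId>
      <version>2.12.0</version>
    </dependency>
  </dependencies>
</project>
```

Confirm the override actually took effect with `mvn dependency:tree -Dincludes=ch.qos.logback`, which lists the resolved version of every logback artifact on the classpath.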

esanchezros commented 2 years ago

Fixed on 2.13.0