graphql-java-generator / graphql-maven-plugin-project

graphql-maven-plugin is a Maven Plugin for GraphQL, based on graphql-java. It accelerates development for both the client and the server by generating the Java code. It speeds up development in a contract-first approach by removing the need to hand-write the boilerplate code.
https://graphql-maven-plugin-project.graphql-java-generator.com
MIT License

Vulnerabilities from dependencies: #165

Closed ghost closed 1 year ago

ghost commented 1 year ago

Could these Vulnerabilities be fixed? https://mvnrepository.com/artifact/com.graphql-java-generator/graphql-java-client-dependencies/1.18.8

CVE-2022-42003 CVE-2022-41853 CVE-2022-38752 CVE-2022-38751 CVE-2022-38749 CVE-2022-25857

[ERROR] Failed to execute goal com.graphql-java-generator:graphql-maven-plugin:1.18.7:generateClientCode (default) on project app: Execution default of goal com.graphql-java-generator:graphql-maven-plugin:1.18.7:generateClientCode failed: Plugin com.graphql-java-generator:graphql-maven-plugin:1.18.7 or one of its dependencies could not be resolved: Failed to collect dependencies at com.graphql-java-generator:graphql-maven-plugin:jar:1.18.7 -> com.graphql-java-generator:graphql-maven-plugin-logic:jar:1.18.7 -> com.graphql-java-generator:graphql-java-client-runtime:jar:1.18.7 -> com.graphql-java-generator:graphql-java-client-dependencies:pom:1.18.7 -> org.springframework.boot:spring-boot-starter-webflux:jar:2.4.4 -> org.springframework.boot:spring-boot-starter:jar:2.4.4 -> org.springframework.boot:spring-boot-starter-logging:jar:2.4.4 -> org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3: Failed to read artifact descriptor for org.apache.logging.log4j:log4j-to-slf4j:jar:2.13.3: Could not find artifact org.apache.logging.log4j:log4j:pom:2.13.3

etienne-sf commented 1 year ago

Hello,

It seems that this list is not only about the dependencies used by the project, but all the managed dependencies that come from the spring-boot-starter-parent maven parent.

Only the first one has an impact as a vulnerability, as the other vulnerabilities are on dependencies that are not used by the plugin or the runtime: the CVE-2022-42003 one: it's a Jackson issue. And Jackson is used to serialize output queries, and deserialize the server response.

I'll update the spring-boot-starter-parent to the last release (currently 3.0.0). Only one vulnerability remains.

I'll also see if I can get rid of these unused managed dependencies, that display vulnerabilities on unused dependencies.

Etienne

etienne-sf commented 1 year ago

Hello, I updated the dependencies, as high as possible, in the new 1.18.9 release.

You can also override some dependency versions in your own pom or gradle file.

Etienne
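As an added example (not from the issue or the project), this consumer pom.xml excerpt shows the two places where a version pin has to go: the project's own dependencyManagement for the generated client's runtime classpath, and the plugin's own dependencies block for the plugin classpath, which is where the resolution failure quoted in the report occurred. JACKSON_FIXED_VERSION is a placeholder for the patched jackson-databind release named in the CVE advisory; the plugin version 1.18.9 is the one from the reply above.

```xml
<!-- Added example, not the project's own pom. JACKSON_FIXED_VERSION is a
     placeholder: take the patched release from the CVE-2022-42003 advisory. -->
<project>
  <!-- 1. Runtime classpath of your application. The generated client pulls in
          graphql-java-client-dependencies (a BOM that manages Jackson through
          spring-boot). An explicit entry in your own dependencyManagement
          overrides the version inherited from the parent or imported BOM. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>JACKSON_FIXED_VERSION</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>com.graphql-java-generator</groupId>
        <artifactId>graphql-maven-plugin</artifactId>
        <version>1.18.9</version>
        <!-- 2. Plugin classpath. Project dependencyManagement does not apply to
                the plugin's own dependency tree (the one the error in the
                report was resolving). Dependencies declared inside the plugin
                element are added to its classpath and take precedence over
                the versions it pulls in transitively. -->
        <dependencies>
          <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
            <version>JACKSON_FIXED_VERSION</version>
          </dependency>
        </dependencies>
        <executions>
          <execution>
            <goals>
              <goal>generateClientCode</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Check what actually lands on the application classpath with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core`; a scanner that reads the managed BOM instead of the resolved tree will keep reporting versions that are never used.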