grpc-ecosystem / grpc-spring

Spring Boot starter module for gRPC framework.
https://grpc-ecosystem.github.io/grpc-spring/
Apache License 2.0

Security scans findings #1101

Closed dranzey-hub closed 1 month ago

dranzey-hub commented 2 months ago

Blackduck source scans findings

At my company, while scanning our project with a Blackduck source scan, we found a lot of vulnerabilities coming from this dependency, some dating back to 2005 or older. At first we thought this was probably a false positive from Blackduck, but after contacting them, they told us they also see the problems.

The question

Is this correct? We are using the latest version, released just a couple of weeks ago, so it doesn't make sense.

Stacktraces and logs

For instance, one of your direct dependencies is spring-cloud-starter-netflix-eureka-client 4.1.0, which, looking at Maven Central, brings in eureka-client 2.0.1, which in turn has commons-configuration 1.10 as a dependency. This one is very old (Oct 24, 2013), and one of its many vulnerabilities is Log4Shell, coming from log4j 1.2.8.


ST-DDT commented 2 months ago

Thanks for bringing this to our attention.

The dependency is marked as optional runtime dependency.

<dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
      <version>4.1.0</version>
      <scope>runtime</scope>
      <exclusions>...</exclusions>
      <optional>true</optional>
</dependency>

So AFAIK, unless you add them yourself, they won't show up in the final application.

Unfortunately, there isn't a patched version of the eureka client lib available that uses a newer version of that library, so there isn't much we can do here. Could you please report this to the eureka client lib, so they can fix that?
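The question behind the reply above (does a library's optional dependency ever reach your application's classpath?) can be answered from the build itself instead of from a scanner's POM-level analysis. The script below is an added example, not code from this issue or from grpc-spring: it parses the text output of `mvn dependency:tree` and reports, for each group:artifact an SCA tool flagged, the dependency chain that actually pulls it in, or an empty list if nothing does. Both trees are constructed for illustration; apart from the versions quoted in the issue (4.1.0, 2.0.1, 1.10, 1.2.8) every version number is a placeholder.

```python
"""Added example: check SCA findings against the classpath Maven really resolves.

Input is the text of `mvn dependency:tree` (with or without the [INFO] prefix).
For each flagged group:artifact we return every root-to-artifact chain, so an
empty result means the artifact is never resolved into the build at all, which
is exactly what an <optional>true</optional> dependency of a library looks like
from the consuming application.
"""
from typing import Dict, List, Optional, Tuple

SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}
TREE_CHARS = set(" |+-\\")  # characters dependency:tree uses to draw branches

Coordinate = Dict[str, Optional[str]]


def parse_coordinate(token: str) -> Optional[Coordinate]:
    """Parse g:a:type[:classifier]:version[:scope] as printed by dependency:tree."""
    parts = token.split(":")
    if not 4 <= len(parts) <= 6:
        return None  # plugin banner, "BUILD SUCCESS", etc.
    group, artifact, ptype, rest = parts[0], parts[1], parts[2], parts[3:]
    # A trailing scope is only present when the last field is a known scope;
    # what remains is [classifier,] version.
    scope = rest.pop() if len(rest) > 1 and rest[-1] in SCOPES else None
    version = rest.pop()
    classifier = rest[0] if rest else None
    return {"group": group, "artifact": artifact, "type": ptype,
            "classifier": classifier, "version": version, "scope": scope}


def parse_tree(text: str) -> List[Tuple[int, Coordinate]]:
    """Return (depth, coordinate) pairs; depth 0 is the project itself."""
    nodes: List[Tuple[int, Coordinate]] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("[INFO]"):
            line = line[len("[INFO]"):]
        i = 0
        while i < len(line) and line[i] in TREE_CHARS:
            i += 1
        body = line[i:].split()  # first token is the coordinate; "(optional)" etc. follow
        if not body:
            continue
        coord = parse_coordinate(body[0])
        if coord is None:
            continue
        nodes.append((i // 3, coord))  # each tree level is three columns wide
    return nodes


def find_paths(nodes: List[Tuple[int, Coordinate]], group: str, artifact: str) -> List[List[str]]:
    """Every ancestor chain (root .. match) ending at group:artifact."""
    stack: List[str] = []
    hits: List[List[str]] = []
    for depth, c in nodes:
        del stack[depth:]  # pop back to this node's parent
        label = f"{c['group']}:{c['artifact']}:{c['version']}"
        if c["scope"]:
            label += f":{c['scope']}"
        stack.append(label)
        if c["group"] == group and c["artifact"] == artifact:
            hits.append(list(stack))
    return hits


def check_findings(tree_text: str, flagged: List[str]) -> Dict[str, List[List[str]]]:
    """Map each flagged 'group:artifact' to the chains that resolve it ([] if none)."""
    nodes = parse_tree(tree_text)
    return {ga: find_paths(nodes, *ga.split(":", 1)) for ga in flagged}


# Constructed sample: an application that only uses the grpc-spring server starter.
TREE_PLAIN = """\
[INFO] --- maven-dependency-plugin:3.6.1:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:1.0.0
[INFO] +- net.devh:grpc-server-spring-boot-starter:jar:3.1.0.RELEASE:compile
[INFO] |  +- net.devh:grpc-common-spring-boot:jar:3.1.0.RELEASE:compile
[INFO] |  \\- io.grpc:grpc-netty-shaded:jar:1.63.0:compile
[INFO] \\- org.springframework.boot:spring-boot-starter:jar:3.2.4:compile
"""

# Constructed sample: the same application after declaring the Eureka starter itself.
TREE_WITH_EUREKA = """\
[INFO] com.example:demo:jar:1.0.0
[INFO] +- net.devh:grpc-server-spring-boot-starter:jar:3.1.0.RELEASE:compile
[INFO] |  \\- io.grpc:grpc-netty-shaded:jar:1.63.0:compile
[INFO] \\- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:4.1.0:compile
[INFO]    \\- com.netflix.eureka:eureka-client:jar:2.0.1:compile
[INFO]       \\- commons-configuration:commons-configuration:jar:1.10:compile
[INFO]          \\- log4j:log4j:jar:1.2.8:compile
"""

FLAGGED = ["commons-configuration:commons-configuration", "log4j:log4j"]

if __name__ == "__main__":
    for name, tree in (("plain", TREE_PLAIN), ("with eureka", TREE_WITH_EUREKA)):
        print(f"== {name} ==")
        for ga, chains in check_findings(tree, FLAGGED).items():
            if not chains:
                print(f"{ga}: not resolved (scanner finding is POM-only)")
            for chain in chains:
                print(f"{ga}: " + " -> ".join(chain))
```

Run `mvn dependency:tree > tree.txt` in the application (not in the library) and feed that file in. An empty list for an artifact means it is not on the resolved classpath, which is what the `<optional>true</optional>` flag in the reply guarantees for consumers that do not declare the starter themselves; a non-empty chain tells you exactly where an `<exclusion>` or a managed version override has to go.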

dranzey-hub commented 2 months ago

Thanks for the response.

We will exclude all of those optional dependencies and scan again. I'll let you know the results.

dranzey-hub commented 1 month ago

Thanks, there seemed to be problems with the Blackduck scan that were fixed, and now the optional dependencies do not show up, so we are good.