snyk-bot commented 4 years ago

Snyk has created this PR to fix one or more vulnerable packages in the `maven` dependencies of this project.

Changes included in this PR

Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
- pom.xml

Vulnerabilities that will be fixed

With an upgrade:

Priority Score (*)	Issue	Upgrade	Breaking Change	Exploit Maturity
704/1000 Why? Has a fix available, CVSS 9.8	Arbitrary Code Execution SNYK-JAVA-CHQOSLOGBACK-31407		Yes	No Known Exploit
509/1000 Why? Has a fix available, CVSS 5.9	Deserialization of Untrusted Data SNYK-JAVA-COMGOOGLEGUAVA-32236	`org.mitre:openid-connect-client:` `1.3.2 -> 1.3.3`	No	No Known Exploit
399/1000 Why? Has a fix available, CVSS 3.7	Information Exposure SNYK-JAVA-COMMONSCODEC-561518		No	No Known Exploit
649/1000 Why? Has a fix available, CVSS 8.7	Elliptic Curve Key Disclosure SNYK-JAVA-COMNIMBUSDS-30205	`com.mesosphere:marathon-client:` `0.6.2 -> 0.6.3`	No	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Invalid Elliptic Curve Attack SNYK-JAVA-COMNIMBUSDS-31558	`com.mesosphere:marathon-client:` `0.6.2 -> 0.6.3`	No	No Known Exploit
529/1000 Why? Has a fix available, CVSS 6.3	Improper Check for Unusual or Exceptional Conditions SNYK-JAVA-COMNIMBUSDS-536068	`com.mesosphere:marathon-client:` `0.6.2 -> 0.6.3`	No	No Known Exploit
655/1000 Why? Has a fix available, CVSS 8.6	HTTP Request Smuggling SNYK-JAVA-IOUNDERTOW-1012559		Yes	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Directory Traversal SNYK-JAVA-IOUNDERTOW-32074		Yes	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JAVA-IOUNDERTOW-32442		Yes	No Known Exploit
704/1000 Why? Has a fix available, CVSS 9.8	Information Exposure SNYK-JAVA-IOUNDERTOW-451626		Yes	No Known Exploit
589/1000 Why? Has a fix available, CVSS 7.5	Information Exposure SNYK-JAVA-IOUNDERTOW-460241		Yes	No Known Exploit
454/1000 Why? Has a fix available, CVSS 4.8	Information Exposure SNYK-JAVA-IOUNDERTOW-471684		Yes	No Known Exploit
454/1000 Why? Has a fix available, CVSS 4.8	Security Bypass SNYK-JAVA-IOUNDERTOW-567266		Yes	No Known Exploit
801/1000 Why? Mature exploit, Has a fix available, CVSS 8.3	Arbitrary File Upload SNYK-JAVA-IOUNDERTOW-567770		Yes	Mature
589/1000 Why? Has a fix available, CVSS 7.5	Denial of Service (DoS) SNYK-JAVA-IOUNDERTOW-568918		Yes	No Known Exploit
605/1000 Why? Has a fix available, CVSS 7.6	HTTP Request Smuggling SNYK-JAVA-IOUNDERTOW-570455		Yes	No Known Exploit
539/1000 Why? Has a fix available, CVSS 6.5	File Handler Leak SNYK-JAVA-IOUNDERTOW-72304		Yes	No Known Exploit
529/1000 Why? Has a fix available, CVSS 6.3	Privilege Escalation SNYK-JAVA-MYSQL-174574		Yes	No Known Exploit
654/1000 Why? Has a fix available, CVSS 8.8	Access Control Bypass SNYK-JAVA-MYSQL-451464		Yes	No Known Exploit
399/1000 Why? Has a fix available, CVSS 3.7	Arbitrary Code Injection SNYK-JAVA-ORGAPACHEANT-1015405		No	No Known Exploit
539/1000 Why? Has a fix available, CVSS 6.5	Insecure Default SNYK-JAVA-ORGAPACHEANT-569130		No	No Known Exploit
704/1000 Why? Has a fix available, CVSS 9.8	Deserialization of Untrusted Data SNYK-JAVA-ORGAPACHEIGNITE-32200	`org.apache.ignite:ignite-slf4j:` `2.3.0 -> 2.8.1` `org.apache.ignite:ignite-spring:` `2.3.0 -> 2.8.1`	No	No Known Exploit
704/1000 Why? Has a fix available, CVSS 9.8	Deserialization of Untrusted Data SNYK-JAVA-ORGAPACHEIGNITE-32428	`org.apache.ignite:ignite-slf4j:` `2.3.0 -> 2.8.1` `org.apache.ignite:ignite-spring:` `2.3.0 -> 2.8.1`	No	No Known Exploit
454/1000 Why? Has a fix available, CVSS 4.8	Denial of Service (DoS) SNYK-JAVA-ORGAPACHEIGNITE-456561	`org.apache.ignite:ignite-slf4j:` `2.3.0 -> 2.8.1` `org.apache.ignite:ignite-spring:` `2.3.0 -> 2.8.1`	No	No Known Exploit
669/1000 Why? Has a fix available, CVSS 9.1	Incorrect Authorization SNYK-JAVA-ORGAPACHEIGNITE-571662	`org.apache.ignite:ignite-slf4j:` `2.3.0 -> 2.8.1` `org.apache.ignite:ignite-spring:` `2.3.0 -> 2.8.1`	No	No Known Exploit
369/1000 Why? Has a fix available, CVSS 3.1	Session Fixation SNYK-JAVA-ORGAPACHETOMCATEMBED-538488		Yes	No Known Exploit
604/1000 Why? Has a fix available, CVSS 7.8	Privilege Escalation SNYK-JAVA-ORGAPACHETOMCATEMBED-538490		Yes	No Known Exploit
791/1000 Why? Mature exploit, Has a fix available, CVSS 8.1	Remote Code Execution (RCE) SNYK-JAVA-ORGAPACHETOMCATEMBED-570072		Yes	Mature
479/1000 Why? Has a fix available, CVSS 5.3	Denial of Service (DoS) SNYK-JAVA-ORGAPACHETOMCATEMBED-584427		Yes	No Known Exploit
479/1000 Why? Has a fix available, CVSS 5.3	Improper Input Validation SNYK-JAVA-ORGHIBERNATE-568162		Yes	No Known Exploit
550/1000 Why? Has a fix available, CVSS 6.5	Cross-site Scripting (XSS) SNYK-JAVA-ORGHIBERNATE-569100		Yes	No Known Exploit
619/1000 Why? Has a fix available, CVSS 8.1	SQL Injection SNYK-JAVA-ORGHIBERNATE-584563		Yes	No Known Exploit
619/1000 Why? Has a fix available, CVSS 8.1	Man-in-the-Middle (MitM) SNYK-JAVA-ORGPOSTGRESQL-173997		No	No Known Exploit
635/1000 Why? Has a fix available, CVSS 8.2	XML External Entity (XXE) Injection SNYK-JAVA-ORGPOSTGRESQL-571481		No	No Known Exploit
591/1000 Why? Proof of Concept exploit, Has a fix available, CVSS 5.4	Open Redirect SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITYOAUTH-174830		No	Proof of Concept
495/1000 Why? Has a fix available, CVSS 5.4	Denial of Service (DoS) SNYK-JAVA-ORGYAML-537645		Yes	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Vulnerabilities that could not be fixed

Upgrade:
- Could not upgrade mysql:mysql-connector-java@5.1.47 to mysql:mysql-connector-java@8.0.16; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.liquibase:liquibase-core@3.5.5 to org.liquibase:liquibase-core@3.8.1; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.postgresql:postgresql@9.4.1212.jre7 to org.postgresql:postgresql@42.2.13; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.springframework.boot:spring-boot-starter-actuator@1.5.21.RELEASE to org.springframework.boot:spring-boot-starter-actuator@2.3.0.RELEASE; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.springframework.boot:spring-boot-starter-cache@1.5.21.RELEASE to org.springframework.boot:spring-boot-starter-cache@2.3.0.RELEASE; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.springframework.boot:spring-boot-starter-data-jpa@1.5.21.RELEASE to org.springframework.boot:spring-boot-starter-data-jpa@2.3.0.RELEASE; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.springframework.boot:spring-boot-starter-hateoas@1.5.21.RELEASE to org.springframework.boot:spring-boot-starter-hateoas@2.3.0.RELEASE; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.springframework.boot:spring-boot-starter-jta-bitronix@1.5.21.RELEASE to org.springframework.boot:spring-boot-starter-jta-bitronix@2.3.0.RELEASE; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.springframework.boot:spring-boot-starter-security@1.5.21.RELEASE to org.springframework.boot:spring-boot-starter-security@2.3.0.RELEASE; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.springframework.boot:spring-boot-starter-undertow@1.5.21.RELEASE to org.springframework.boot:spring-boot-starter-undertow@2.3.0.RELEASE; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.springframework.boot:spring-boot-starter-validation@1.5.21.RELEASE to org.springframework.boot:spring-boot-starter-validation@2.3.0.RELEASE; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.springframework.boot:spring-boot-starter-web@1.5.21.RELEASE to org.springframework.boot:spring-boot-starter-web@2.3.0.RELEASE; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom
- Could not upgrade org.springframework.security.oauth:spring-security-oauth2@2.0.17.RELEASE to org.springframework.security.oauth:spring-security-oauth2@2.4.1.RELEASE; Reason could not apply upgrade, dependency is managed externally ; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/1.5.21.RELEASE/spring-boot-dependencies-1.5.21.RELEASE.pom

Check the changes in this PR to ensure they won't cause issues with your project.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information: 🧐 View latest project report

🛠 Adjust project settings

sonarcloud[bot] commented 4 years ago

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities (and 0 Security Hotspots to review)
0 Code Smells

No Coverage information
0.0% Duplication

The version of Java (1.8.0_252) you have used to run this analysis is deprecated and we will stop accepting it accepting it soon.Please update to at least Java 11. Read more here

codecov-io commented 4 years ago

Codecov Report

Merging #411 (b8b53cd) into master (13415f3) will not change coverage. The diff coverage is n/a.

@@            Coverage Diff            @@
##             master     #411   +/-   ##
=========================================
  Coverage     57.31%   57.31%           
  Complexity     1093     1093           
=========================================
  Files           227      227           
  Lines          7197     7197           
  Branches        474      474           
=========================================
  Hits           4125     4125           
  Misses         2889     2889           
  Partials        183      183

Flag	Coverage Δ	Complexity Δ
integration	`7.08% <ø> (ø)`	`0.00 <ø> (ø)`
unittests	`53.41% <ø> (ø)`	`0.00 <ø> (ø)`

Flags with carried forward coverage won't be shown. Click here to find out more.

Continue to review full report at Codecov.

Legend - Click here to learn more Δ = absolute <relative> (impact), ø = not affected, ? = missing data Powered by Codecov. Last update 13415f3...b8b53cd. Read the comment docs.

sonarcloud[bot] commented 3 years ago

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells