Closed giorgioscia closed 11 months ago
There should be no risk of this vulnerability affecting your project as this is merely a testing support library. The dependencies are consciously kept on a low minimum version in order to allow maximum compatibility. My best suggestion is that you try to adjust the project configuration so that the transitive dependency gets replaced by a different one or find a way within your organization to ignore this for testing purposes.
Unfortunately, to use an external artifact within the org, it has to go through automated sign-off, and it's failing due to the vulnerability.
In that case, why don't you copy the code into your own repo and use a later Spring version as a dependency? The test extensions module is very small and unlikely to receive many changes over the years, so it should be easy enough to maintain.
@giorgioscia usually in a Spring project you would use the Spring Boot dependency management or the Spring Framework BOM. This means that regardless of what a dependency is using, it would take the version that you want.
On a side note @Chessray, should we perhaps mark the dependency as provided? If you are using this library you would for sure have spring-beans available. If you do not, then there is no point in using the extension anyway :). What do you think? Maybe do this in a separate issue?
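As an added example (not code from this thread or from the project itself), the two suggestions above expressed as Maven `pom.xml` fragments: (a) the consuming project imports the Spring Framework BOM into `dependencyManagement`, which pins every `org.springframework` artifact, including the transitive `spring-beans` pulled in by test-extensions, to the managed version; (b) the library's own `pom.xml` declares `spring-beans` with `provided` scope so it is compiled against but no longer propagated to consumers. The coordinates `com.example:test-extensions:1.0.0` and the `${spring.version}` property are placeholders; `5.3.18` is the first Spring Framework 5.3.x release containing the fix for CVE-2022-22965.

```xml
<!-- (a) Consumer project pom.xml (added example, coordinates are placeholders).
     A BOM imported into dependencyManagement overrides the version of every
     matching artifact in the resolved graph, transitive ones included, so the
     spring-beans that test-extensions declares resolves to 5.3.18 here. -->
<project>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-framework-bom</artifactId>
        <version>5.3.18</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Placeholder coordinates for the test-extensions library (assumption). -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>test-extensions</artifactId>
      <version>1.0.0</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>

<!-- (b) Library pom.xml (added example): keep the low minimum version for
     compatibility, but mark spring-beans as provided so that consumers, who
     always have Spring on their classpath anyway, supply their own version
     and the library no longer drags a specific spring-beans into their graph. -->
<project>
  <properties>
    <!-- whatever minimum the library currently compiles against (placeholder) -->
    <spring.version>${spring.version}</spring.version>
  </properties>

  <dependencies>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-beans</artifactId>
      <version>${spring.version}</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</project>
```

To confirm which version the scanner will actually see after applying (a), check the resolved graph rather than the declared one: `mvn dependency:tree -Dincludes=org.springframework:spring-beans` prints the single version Maven resolved for `spring-beans`. The Gradle equivalent of the BOM import is `implementation(platform("org.springframework:spring-framework-bom:5.3.18"))`, and `compileOnly` is the closest equivalent of Maven's `provided` scope for fragment (b).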
Hi there,
Unable to use test-extensions within my org as it has a dependency on a vulnerable version of spring-beans (CVE-2022-22965). Is there any plan to upgrade in the near future?
Many thanks! :)
[1] SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751
[2] CVE-2022-22965