The use of embedded-consul 2.0.0 causes third-party threat analyzers (such as dependency-track) to generate threat alerts due to CVE threats in dependencies and transitive dependencies. slf4j-api and groovy-all should be trivial to update.
Note that one or more of the identified CVEs might not actually be relevant to embedded-consul... but they still give rise to alerts!
slf4j-api
Update to 1.7.26 to resolve critical threat CVE-2018-8088
CVSS 3.0 score = 9.8
groovy-all
Update to a version after 2.4.7 (the version currently used) to resolve CVE-2016-6814
CVSS 3.0 score = 9.8
http-builder
The version used (0.7.1) introduces threats transitively:
commons-collections 3.2.1 CVE-2017-15708
xercesimpl 2.9.1 CVE-2013-4002
It looks like http-builder is no longer maintained. I am not a developer, but would HttpBuilder-NG be a suitable alternative?
Many thanks for clearly pointing out what we can improve. I will check in the coming days whether it is easy to bump the libs and replace http-builder with the suggested replacement.
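One way to apply the three changes discussed in this thread in a Gradle build, as an added example that is not embedded-consul's own build file: the Maven coordinates, Groovy 2.4.8 as the first release after 2.4.7, the HttpBuilder-NG artifact and version, and the floor versions for the two transitive dependencies are assumptions not taken from the issue.

```groovy
// build.gradle fragment (Groovy DSL). Assumed: Maven coordinates as published on
// Maven Central, Groovy 2.4.8 as the first release after 2.4.7, HttpBuilder-NG
// 1.0.4 as the replacement artifact, and the floor versions for the transitives.
dependencies {
    // Before: the versions dependency-track flagged
    //   implementation 'org.slf4j:slf4j-api:<version before 1.7.26>'               // CVE-2018-8088
    //   implementation 'org.codehaus.groovy:groovy-all:2.4.7'                       // CVE-2016-6814
    //   implementation 'org.codehaus.groovy.modules.http-builder:http-builder:0.7.1' // pulls in commons-collections 3.2.1, xercesImpl 2.9.1

    // After: direct bumps
    implementation 'org.slf4j:slf4j-api:1.7.26'
    implementation 'org.codehaus.groovy:groovy-all:2.4.8'
    // http-builder is unmaintained; HttpBuilder-NG is a separate project with a
    // different API, so call sites need porting, but it does not carry the two
    // vulnerable transitives listed in the issue.
    implementation 'io.github.http-builder-ng:http-builder-ng-core:1.0.4'

    // Guard rail: if any other dependency still drags in the vulnerable transitives,
    // force resolution to at least the floor instead of silently keeping the old jar.
    constraints {
        implementation('commons-collections:commons-collections') {
            version { strictly '[3.2.2,)' }   // assumed floor for CVE-2017-15708
            because 'CVE-2017-15708 via http-builder 0.7.1'
        }
        implementation('xerces:xercesImpl') {
            version { strictly '[2.12.0,)' }  // assumed floor for CVE-2013-4002
            because 'CVE-2013-4002 via http-builder 0.7.1'
        }
    }
}

// Check the resolved graph afterwards so the scanner's view matches the build's:
//   ./gradlew dependencies --configuration runtimeClasspath \
//     | grep -E 'slf4j-api|groovy-all|commons-collections|xercesImpl'
```

Re-run the dependency-track scan against the rebuilt artifact rather than trusting the build file alone, since the constraints only take effect for dependencies that actually appear in the resolved graph.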