spring-cloud / spring-cloud-contract

Support for Consumer Driven Contracts in Spring
https://cloud.spring.io/spring-cloud-contract
Apache License 2.0
720 stars 439 forks

Get rid of commons-beanutils #2129

Open vkochnev opened 4 months ago

vkochnev commented 4 months ago

Spring Cloud Contract uses commons-beanutils, which is extremely old and depends on the even more outdated and, moreover, vulnerable commons-collections library. There is also no evidence that commons-beanutils will be updated any time soon.

The use of the aforementioned library is quite limited and should be easy to rewrite without it. I actually found only one usage: https://github.com/spring-cloud/spring-cloud-contract/blob/d771b76c333508a85e1bc672f46b0b5ab2dae1f4/spring-cloud-contract-verifier/src/main/java/org/springframework/cloud/contract/verifier/builder/JsonBodyVerificationBuilder.java#L303

Also, there are several usages of commons-collections in one file: https://github.com/spring-cloud/spring-cloud-contract/blob/d771b76c333508a85e1bc672f46b0b5ab2dae1f4/spring-cloud-contract-verifier/src/main/java/org/springframework/cloud/contract/verifier/converter/YamlToContracts.java#L43, which can be replaced with Spring-specific implementations, or with commons-collections4 if that's not possible.