spring-beans vulnerability CVE-2022-22965 #97
Comments
There should be no risk of this vulnerability affecting your project as this is merely a testing support library. The dependencies are consciously kept on a low minimum version in order to allow maximum compatibility. My best suggestion is that you try to adjust the project configuration so that the transitive dependency gets replaced by a different one or find a way within your organization to ignore this for testing purposes.
Unfortunately to use an external artifact within the org, it has to go through automated sign-off and it's failing due to the vulnerability.
In that case, why don't you copy the code into your own repo and use a later Spring version as dependency? The test extensions module is very small and unlikely to receive many changes over the years, so it should be easy enough to maintain.
@giorgioscia usually in a Spring project you would use the Spring Boot dependency management or the Spring Framework BOM. This means that regardless of what a dependency is using it would take the version that you want. On a side note @Chessray, should we perhaps make the dependency provided? If you are using this library you would for sure have spring-beans available. If you do not then there is no point in using the extension anyways :). What do you think? Maybe do this in a separate issue?
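The BOM-based override suggested in the comment above, as an added example that is not taken from the issue or from the project's own build files: a consumer-side Maven fragment that imports the Spring Framework BOM so that the spring-beans version declared transitively by the test-extensions artifact is replaced by the version you choose. The test-extensions coordinates are placeholders, and the Spring version shown is an assumption to be checked against the advisory.

```xml
<project>
  <!-- Added example (not the project's pom). Maven's dependencyManagement
       takes precedence over the version a transitive dependency declares
       for itself, so every org.springframework artifact, including
       spring-beans pulled in by the test extensions, resolves to the BOM
       version instead. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-framework-bom</artifactId>
        <!-- Assumption: 5.3.18 is the 5.3.x release that fixes
             CVE-2022-22965; verify against the advisory before relying
             on it, and use whichever later release your scanner accepts. -->
        <version>5.3.18</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- PLACEHOLDER coordinates: substitute the real test-extensions
         artifact. test scope keeps it, and its spring-beans, out of the
         production classpath. -->
    <dependency>
      <groupId>PLACEHOLDER_GROUP_ID</groupId>
      <artifactId>test-extensions</artifactId>
      <version>PLACEHOLDER_VERSION</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
```

Confirm the override with `mvn dependency:tree -Dincludes=org.springframework:spring-beans`; the resolved version must be the BOM's, not the one the test-extensions pom declares, otherwise the scanner will still flag it.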
Hi there,
Unable to use test-extensions within my org as it has dependency on vulnerable version of spring-beans CVE-2022-22965. Is there any plan to upgrade in the near future?
Many thanks! :)
[1] SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751
[2] CVE-2022-22965