Lightrun
question-mark
Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Vulnerable dependency needs to be updated.

See original GitHub issue

I am using org.springframework.cloud:spring-cloud-starter-sleuth:jar:2.1.1.RELEASE. We are using BlackDuck product and it revealed that one of the indirect dependency has security issues. image

This is dependency tree.

[INFO] +- org.springframework.cloud:spring-cloud-starter-sleuth:jar:2.1.1.RELEASE:compile
[INFO] |  +- org.springframework.cloud:spring-cloud-starter:jar:2.0.0.RELEASE:compile
[INFO] |  |  +- org.springframework.cloud:spring-cloud-context:jar:2.0.0.RELEASE:compile
[INFO] |  |  |  \- org.springframework.security:spring-security-crypto:jar:5.0.6.RELEASE:compile
[INFO] |  |  +- org.springframework.cloud:spring-cloud-commons:jar:2.0.0.RELEASE:compile
[INFO] |  |  \- org.springframework.security:spring-security-rsa:jar:1.0.5.RELEASE:compile
[INFO] |  |     \- org.bouncycastle:bcpkix-jdk15on:jar:1.56:compile
[INFO] |  |        \- org.bouncycastle:bcprov-jdk15on:jar:1.56:compile

The version 1.60 of bcpkix-jdk15on was suggested to be used.

Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:7 (3 by maintainers)

github_iconTop GitHub Comments

1reaction
Usha3012commented, Jun 19, 2019

Hi, I am also facing similar type of issue as mention by @ghsatpute while using PACT as CDC

0reactions
marcingrzejszczakcommented, Jun 19, 2019

We will bump the deps, don’t worry

Read more comments on GitHub >

github_iconTop Results From Across the Web

What are Vulnerable Dependencies?
When a security vulnerability is found in a third-party dependency, and a new version with a fix is released, it is the responsibility...
Read more >
Vulnerable Dependency Management Cheat Sheet
Step 1: Update the version of the dependency in the project on a testing environment. Step 2: Prior to running the tests, 2...
Read more >
Viewing and updating Dependabot alerts - GitHub Docs
When Dependabot tells you that your repository uses a vulnerable dependency, you need to determine what the vulnerable functions are and check whether...
Read more >
Vulnerabilities in Dependencies: What You Need to Know
Here's what you need to know about the vulnerabilities in dependencies, third party components and open source.
Read more >
Upgrade or patch vulnerable application dependencies
To see an example of the risks a vulnerable open source component introduces to our running application, we're going to exploit one of...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Dev.to Post

No results found

github_iconTop Related Hashnode Post

No results found
Previous page

Trace headers not available in Tomcat access log

Next page

Unable to wire TopicConnectionFactory Beans, since they get wrapped by LazyConnectionFactory