Fixing ch.qos.logback vulnerability by updating dependency from 1.5.1…

…2 to 1.5.15
SuppieRK · Dec 29, 2024 · 949f243 · 949f243
1 parent e097276
commit 949f243
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -14,13 +14,13 @@ This version does not allow setting most of the local cache properties in favor
 <dependency>
   <groupId>io.github.suppierk</groupId>
   <artifactId>spring-boot-multilevel-cache-starter</artifactId>
-  <version>3.4.1.0</version>
+  <version>3.4.1.1</version>
 </dependency>
 ```
 
 ### Gradle
 ```groovy
-implementation 'io.github.suppierk:spring-boot-multilevel-cache-starter:3.4.1.0'
+implementation 'io.github.suppierk:spring-boot-multilevel-cache-starter:3.4.1.1'
 ```
 
 ## Use cases

diff --git a/build.gradle b/build.gradle
@@ -56,9 +56,25 @@ dependencyManagement {
 }
 
 dependencies {
-	implementation 'org.springframework.boot:spring-boot-starter-cache'
-	implementation 'org.springframework.boot:spring-boot-starter-data-redis'
-	implementation 'org.springframework.boot:spring-boot-actuator'
+	implementation('org.springframework.boot:spring-boot-starter-cache') {
+		exclude group: 'ch.qos.logback', module: 'logback-core'
+		exclude group: 'ch.qos.logback', module: 'logback-classic'
+	}
+	implementation('org.springframework.boot:spring-boot-starter-data-redis') {
+		exclude group: 'ch.qos.logback', module: 'logback-core'
+		exclude group: 'ch.qos.logback', module: 'logback-classic'
+	}
+	implementation('org.springframework.boot:spring-boot-actuator') {
+		exclude group: 'ch.qos.logback', module: 'logback-core'
+		exclude group: 'ch.qos.logback', module: 'logback-classic'
+	}
+
+	// Vulnerability found:
+	// https://ossindex.sonatype.org/vulnerability/CVE-2024-12801?component-type=maven&component-name=ch.qos.logback%2Flogback-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0
+	// https://ossindex.sonatype.org/vulnerability/CVE-2024-12798?component-type=maven&component-name=ch.qos.logback%2Flogback-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0
+	// https://mvnrepository.com/artifact/ch.qos.logback/logback-core
+	implementation group: 'ch.qos.logback', name: 'logback-core', version: '1.5.15'
+	implementation group: 'ch.qos.logback', name: 'logback-classic', version: '1.5.15'
 
 	implementation 'io.micrometer:micrometer-core'
 
@@ -71,10 +87,16 @@ dependencies {
 
 	compileOnly 'org.projectlombok:lombok'
 
-	annotationProcessor 'org.springframework.boot:spring-boot-configuration-processor'
+	annotationProcessor('org.springframework.boot:spring-boot-configuration-processor') {
+		exclude group: 'ch.qos.logback', module: 'logback-core'
+		exclude group: 'ch.qos.logback', module: 'logback-classic'
+	}
 	annotationProcessor 'org.projectlombok:lombok'
 
-	testImplementation 'org.springframework.boot:spring-boot-starter-test'
+	testImplementation('org.springframework.boot:spring-boot-starter-test') {
+		exclude group: 'ch.qos.logback', module: 'logback-core'
+		exclude group: 'ch.qos.logback', module: 'logback-classic'
+	}
 	testImplementation 'org.awaitility:awaitility'
 
 	testImplementation 'org.testcontainers:junit-jupiter'

diff --git a/gradle.properties b/gradle.properties
@@ -27,7 +27,7 @@ SONATYPE_AUTOMATIC_RELEASE=true
 
 GROUP=io.github.suppierk
 POM_ARTIFACT_ID=spring-boot-multilevel-cache-starter
-VERSION_NAME=3.4.1.0
+VERSION_NAME=3.4.1.1
 POM_PACKAGING=jar
 
 POM_NAME=Spring Boot Multilevel Cache Starter