From 949f24302d912c371f05a75b1666b690a6eea230 Mon Sep 17 00:00:00 2001 From: Roman Khlebnov Date: Sun, 29 Dec 2024 03:59:50 +0100 Subject: [PATCH] Fixing ch.qos.logback vulnerability by updating dependency from 1.5.12 to 1.5.15 --- README.md | 4 ++-- build.gradle | 32 +++++++++++++++++++++++++++----- gradle.properties | 2 +- 3 files changed, 30 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 84770ec..37c9ac9 100644 --- a/README.md +++ b/README.md @@ -14,13 +14,13 @@ This version does not allow setting most of the local cache properties in favor io.github.suppierk spring-boot-multilevel-cache-starter - 3.4.1.0 + 3.4.1.1 ``` ### Gradle ```groovy -implementation 'io.github.suppierk:spring-boot-multilevel-cache-starter:3.4.1.0' +implementation 'io.github.suppierk:spring-boot-multilevel-cache-starter:3.4.1.1' ``` ## Use cases diff --git a/build.gradle b/build.gradle index 2d5e404..58361d0 100644 --- a/build.gradle +++ b/build.gradle 
@@ -56,9 +56,25 @@ dependencyManagement { } dependencies { - implementation 'org.springframework.boot:spring-boot-starter-cache' - implementation 'org.springframework.boot:spring-boot-starter-data-redis' - implementation 'org.springframework.boot:spring-boot-actuator' + implementation('org.springframework.boot:spring-boot-starter-cache') { + exclude group: 'ch.qos.logback', module: 'logback-core' + exclude group: 'ch.qos.logback', module: 'logback-classic' + } + implementation('org.springframework.boot:spring-boot-starter-data-redis') { + exclude group: 'ch.qos.logback', module: 'logback-core' + exclude group: 'ch.qos.logback', module: 'logback-classic' + } + implementation('org.springframework.boot:spring-boot-actuator') { + exclude group: 'ch.qos.logback', module: 'logback-core' + exclude group: 'ch.qos.logback', module: 'logback-classic' + } + + // Vulnerability found: + // https://ossindex.sonatype.org/vulnerability/CVE-2024-12801?component-type=maven&component-name=ch.qos.logback%2Flogback-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0 + // https://ossindex.sonatype.org/vulnerability/CVE-2024-12798?component-type=maven&component-name=ch.qos.logback%2Flogback-core&utm_source=ossindex-client&utm_medium=integration&utm_content=1.7.0 + // https://mvnrepository.com/artifact/ch.qos.logback/logback-core + implementation group: 'ch.qos.logback', name: 'logback-core', version: '1.5.15' + implementation group: 'ch.qos.logback', name: 'logback-classic', version: '1.5.15' implementation 'io.micrometer:micrometer-core' 
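Review bot: Declaring `logback-core`/`logback-classic` as direct `implementation` dependencies makes them hard runtime dependencies in this starter's published POM, whereas before they arrived only transitively through `spring-boot-starter-logging`; consumers that swap the logging backend with the usual `exclude group: 'org.springframework.boot', module: 'spring-boot-starter-logging'` will now also have to exclude logback by hand or end up with two SLF4J providers on the classpath. If the Spring Boot Gradle plugin with Spring dependency management is applied (the `dependencyManagement {` context in the hunk header suggests it is), the supported way to lift the BOM version is a single property override, `ext['logback.version'] = '1.5.15'`, set before the `dependencyManagement`/`dependencies` blocks; that covers every configuration and every transitive path, not just the three starters given `exclude` pairs here, and keeps the POM's dependency shape unchanged. The `// Vulnerability found:` block would also help the next reader more if it named the minimum safe version instead of only linking the advisories, e.g. `// CVE-2024-12801 / CVE-2024-12798 in logback-core; both require an attacker-controlled logback config file — keep at or above the fixed 1.5.x release (verify against the advisory before lowering)`.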
@@ -71,10 +87,16 @@ dependencies { compileOnly 'org.projectlombok:lombok' - annotationProcessor 'org.springframework.boot:spring-boot-configuration-processor' + annotationProcessor('org.springframework.boot:spring-boot-configuration-processor') { + exclude group: 'ch.qos.logback', module: 'logback-core' + exclude group: 'ch.qos.logback', module: 'logback-classic' + } annotationProcessor 'org.projectlombok:lombok' - testImplementation 'org.springframework.boot:spring-boot-starter-test' + testImplementation('org.springframework.boot:spring-boot-starter-test') { + exclude group: 'ch.qos.logback', module: 'logback-core' + exclude group: 'ch.qos.logback', module: 'logback-classic' + } testImplementation 'org.awaitility:awaitility' testImplementation 'org.testcontainers:junit-jupiter' diff --git a/gradle.properties b/gradle.properties index 3d45643..52ab584 100644 --- a/gradle.properties +++ b/gradle.properties @@ -27,7 +27,7 @@ SONATYPE_AUTOMATIC_RELEASE=true GROUP=io.github.suppierk POM_ARTIFACT_ID=spring-boot-multilevel-cache-starter -VERSION_NAME=3.4.1.0 +VERSION_NAME=3.4.1.1 POM_PACKAGING=jar POM_NAME=Spring Boot Multilevel Cache Starter
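Review bot: The `exclude` on `spring-boot-configuration-processor` in the `annotationProcessor` configuration looks like a no-op — as far as I know that artifact does not pull in logback — and the one on `spring-boot-starter-test` is redundant, since `testImplementation` already inherits the direct 1.5.15 dependency and the other test dependencies (`awaitility`, `testcontainers`) are left un-excluded and rely on Gradle picking the highest version anyway. Rather than maintaining per-dependency exclusions, verify the resolved version once with `./gradlew dependencyInsight --dependency logback-core --configuration runtimeClasspath` (and again for `testRuntimeClasspath`) and drop these two `exclude` blocks if 1.5.15 is what resolves. If the BOM-managed version still wins in any configuration, a central `ext['logback.version'] = '1.5.15'` override is the supported fix, not more exclusions; the `dependencies {` block this hunk edits starts outside the hunk.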