
jmeter ships with a vulnerable version of spring

Open asfimport opened this issue 3 years ago • 1 comments

René (Bug 66011): jmeter references a vulnerable version of the spring framework. My customer blocks access to all vulnerable versions of spring, thus making it impossible for me to run jmeter from within the jmeter-maven-plugin (which downloads all jmeter dependencies automagically). When will there be a release using a safe version of spring framework (>= 5.3.18)?

Regards René

Severity: major OS: All

asfimport, Apr 12 '22 15:04

@FSchumacher (migrated from Bugzilla): JMeter itself does not need Spring and is not bundled with it.

It is probably a dependency from ActiveMQ (which we include for testing JMS). If you are on Java 9+ you can replace the bad jars following the documentation on the jmeter maven plugin's site: https://github.com/jmeter-maven-plugin/jmeter-maven-plugin/wiki/Adding-Excluding-libraries-to-from-the-classpath

Questions on the usage of the jmeter maven plugin are better asked on their forums.

asfimport, Apr 12 '22 16:04
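To see which dependency actually pulls in an old Spring jar before excluding or replacing it, the text output of `mvn dependency:tree` can be checked against the 5.3.18 minimum named in the report. This is an added example, not code from JMeter or the jmeter-maven-plugin; the function names and the sample tree (coordinates and versions) are constructed for illustration.

```python
import re

SAFE_SPRING = (5, 3, 18)  # minimum version named in the report above

# Constructed sample in `mvn dependency:tree` text format; the coordinates and
# versions are illustrative and not taken from a real JMeter build.
SAMPLE_TREE = """\
[INFO] com.example:perf-tests:jar:1.0
[INFO] +- org.example.jms:broker-client:jar:5.16.4:compile
[INFO] |  +- org.springframework:spring-context:jar:5.3.15:compile
[INFO] |  |  \\- org.springframework:spring-core:jar:5.3.15:compile
[INFO] |  \\- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] \\- org.springframework:spring-jdbc:jar:5.3.18:compile
"""

# Each tree level is drawn with a 3-character unit: "+- ", "\- ", "|  " or "   ".
NODE = re.compile(r"^(?:\[INFO\] )?(?P<indent>(?:[|+\\ ][- ] )*)(?P<gav>\S+)$")


def parse_version(text):
    """Turn '5.3.15' or '5.3.15.RELEASE' into a comparable (5, 3, 15) tuple."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def find_old_spring(tree_text, minimum=SAFE_SPRING):
    """Return (artifact, version, path from root) for Spring jars below minimum."""
    stack, findings = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line.rstrip())
        if not m or m.group("gav").count(":") < 3:
            continue  # banner or status line, not a dependency node
        depth = len(m.group("indent")) // 3
        parts = m.group("gav").split(":")
        # group:artifact:type:version[:scope], or with a classifier before version
        version = parts[3] if len(parts) <= 5 else parts[4]
        del stack[depth:]  # drop siblings and deeper nodes from the current path
        stack.append(f"{parts[0]}:{parts[1]}")
        if parts[0].startswith("org.springframework") and parse_version(version) < minimum:
            findings.append((stack[-1], version, " > ".join(stack[:-1])))
    return findings


if __name__ == "__main__":
    for artifact, version, path in find_old_spring(SAMPLE_TREE):
        print(f"{artifact} {version} (pulled in via {path})")
```

The second element of each reported path is the direct dependency to exclude or override.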