java-totp
Library shows "Attack Complexity: HIGH", "Attack Vector: NETWORK" and "Integrity Impact: HIGH"
Cx8fd408ac-dd80 8.1 Inclusion of Functionality from Untrusted Control Sphere vulnerability pending CVSS allocation
I searched about the error: https://devhub.checkmarx.com/cve-details/Cx8fd408ac-dd80/?utm_source=jetbrains&utm_medium=referral&utm_campaign=idea
The issue comes from the dependency on Google zxing 3.4.0, a QR code library, which depends on the vulnerable library (JCommander). Google zxing has an update available in which this issue is resolved, and (at least for my use case) it didn't cause any issues.
There is a pull request for this repo doing similar dependency updates.
I added the following to my build.gradle.kts below the line importing this totp library to resolve the issue:

// Add zxing 3.5.3 to override the (security vulnerable) dependency of totp-spring-boot-starter above
implementation("com.google.zxing:javase:3.5.3")
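As an added illustration (not code from the java-totp project or from the comment above), the same override can be expressed as a Gradle dependency constraint instead of a direct dependency, so the newer zxing version is only enforced where the starter actually pulls it in. It assumes a Gradle 5 or later Kotlin DSL build; the starter's own group and version are placeholders, since this page does not state them, and the `dependencyInsight` task named in the comments is the standard Gradle task for checking which version was resolved.

```kotlin
// Added example: build.gradle.kts fragment that pins the transitive zxing
// artifacts brought in by totp-spring-boot-starter to 3.5.3.
// Assumed: Gradle 5+ Kotlin DSL. "<starter-group>" and "<starter-version>" are
// placeholders for the starter's real coordinates, which this issue does not list.
plugins {
    java
}

repositories {
    mavenCentral()
}

dependencies {
    // The library that transitively depends on com.google.zxing:javase:3.4.0.
    implementation("<starter-group>:totp-spring-boot-starter:<starter-version>")

    constraints {
        // A constraint raises the resolved version wherever the artifact appears in
        // the graph, without making zxing a direct dependency of application code.
        implementation("com.google.zxing:javase:3.5.3") {
            because("zxing javase 3.4.0 pulls in a JCommander version flagged by the scanner")
        }
        // Keep core aligned with javase so both zxing modules resolve to one version.
        implementation("com.google.zxing:core:3.5.3") {
            because("keep zxing core and javase at the same version")
        }
    }
}

// Check that the override took effect (run from the project root):
//   ./gradlew dependencyInsight --configuration runtimeClasspath --dependency com.google.zxing:javase
// The report should show 3.4.0 -> 3.5.3 with the "because" reason above, and
//   ./gradlew dependencies --configuration runtimeClasspath
// should no longer list the JCommander version the scanner complained about.
```

A constraint only ever raises a version, so if another dependency later asks for a newer zxing it wins; that is usually what you want for a security bump, and the `dependencyInsight` output is the place to confirm the scanner finding is actually gone rather than trusting the build file.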