spring-cloud-starter-contract-stub-runner defines outdated sonatype sisu-inject-plexus version with vulnerability
Hi, it seems that the spring-cloud-starter-contract-stub-runner has a transitive dependency on plexus-utils:3.0.18. This version of plexus-utils seems to be vulnerable: https://avd.aquasec.com/nvd/2022/cve-2022-4244/
From what I can tell, this dependency comes from the following:
- org.sonatype.sisu » sisu-inject-plexus
- It depends on version 2.6.0, which is from 2015 ⚠
- The project has seemingly instead moved to: org.eclipse.sisu » org.eclipse.sisu.plexus
https://github.com/spring-cloud/spring-cloud-contract/blob/f320eb67513232250ee7fab69bd54940eb04974f/spring-cloud-contract-starters/spring-cloud-starter-contract-stub-runner/pom.xml#L80-L83
- Could you investigate and update the version of sisu plexus?
- Maybe it's even possible to remove the dependency on sisu-inject-plexus entirely?
Thanks in advance! 😄
This is kind of unfortunate given 5.0.x is out now
I tried upgrading contract to 0.3.5
https://mvnrepository.com/artifact/org.eclipse.sisu/org.eclipse.sisu.plexus/0.3.5
But that results in conflicts with maven-resolver-api which uses 0.9.0.M4. We can upgrade to 0.9.0.M4 and the build passes but...
- This is a breaking change no matter what we do
- 0.9.0.M4 is a milestone
@marcingrzejszczak any thoughts on this?
I haven't seen that library yet used directly in the pom. It's a transitive dependency of some other maven dependency (maven-embedder). When I removed it all the tests passed but I haven't checked the samples. I completely don't recall why I agreed to that lib 🤷♂️
@juboe-kion if you exclude sisu-inject-plexus does that mitigate the issue for you?
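As an added illustration of the workaround suggested above (this is example configuration for a consuming project, not code from spring-cloud-contract): the transitive `org.sonatype.sisu:sisu-inject-plexus` can be excluded at the point where the starter is declared, or, if the exclusion turns out to break something at runtime, the vulnerable `org.codehaus.plexus:plexus-utils` can be forced to a patched release through `dependencyManagement`. The `test` scope and the BOM-managed version are assumptions about a typical setup; the patched version number is taken from the advisory linked in the issue and should be confirmed there.

```xml
<!-- Excerpt of a consumer pom.xml (added example, not the project's own pom).
     Option 1: drop the transitive sisu-inject-plexus from the stub runner starter. -->
<dependencies>
  <dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-contract-stub-runner</artifactId>
    <!-- version assumed to be managed by the spring-cloud-dependencies BOM -->
    <scope>test</scope> <!-- assumed; the stub runner is normally a test-only dependency -->
    <exclusions>
      <exclusion>
        <groupId>org.sonatype.sisu</groupId>
        <artifactId>sisu-inject-plexus</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>

<!-- Option 2: keep sisu-inject-plexus but pin the vulnerable artifact it pulls in.
     Versions declared in dependencyManagement override transitive resolution
     ("nearest wins") for every path that reaches plexus-utils in this build. -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.codehaus.plexus</groupId>
      <artifactId>plexus-utils</artifactId>
      <!-- patched release per the linked advisory for CVE-2022-4244; confirm before relying on it -->
      <version>3.0.24</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Either way, check the result rather than trusting the pom: `mvn dependency:tree -Dincludes=org.codehaus.plexus:plexus-utils` prints only the dependency paths that still lead to plexus-utils, so an empty tree under your module means the exclusion removed every path, and a tree showing `3.0.24` means the pin took effect. Excluding sisu-inject-plexus only helps if no other dependency brings plexus-utils back in, and pinning only helps if the new version is API-compatible with whatever maven-embedder and sisu-inject-plexus actually call, so run the stub runner tests after either change.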