SpringBoot Vulnerability

Hi,
I am using “spring-boot-starter-camunda:8.2.0” and can see there is some vulnerability which got caught during a security scan. So, how can I override the dependency version, as I am unable to do so using <artifactId.version></artifactId.version>?

I can see it exists in the dependency hierarchy.


TIA

If you are using maven then you can just list the version you want as dependency in your pom because this version takes precedence over the versions imported by dependencies. And you can also exclude packages from dependencies.
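The two mechanisms from the reply above, written out as a Maven pom fragment. This is an added illustration, not code from the thread or from the spring-zeebe project. The transitive artifact `org.example:transitive-lib` and its `PATCHED_VERSION` are placeholders standing in for whatever the scanner flagged; the `io.camunda.spring` groupId for the starter is taken from the spring-zeebe project's own documentation and should be checked against your pom. A `<someartifact.version>` property override only works when a parent BOM (such as Spring Boot's) defines that property, which is why it had no effect here; the approaches below do not depend on such a property.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>          <!-- placeholder -->
  <artifactId>my-camunda-app</artifactId> <!-- placeholder -->
  <version>1.0.0</version>

  <!-- Option 1: pin the transitive library in dependencyManagement.
       A managed version wins over the version the starter's own POM
       pulls in, without touching the starter declaration itself. -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.example</groupId>             <!-- placeholder -->
        <artifactId>transitive-lib</artifactId>    <!-- placeholder -->
        <version>PATCHED_VERSION</version>         <!-- placeholder -->
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>io.camunda.spring</groupId>
      <artifactId>spring-boot-starter-camunda</artifactId>
      <version>8.2.0</version>
      <!-- Option 2: cut the flagged artifact out of the starter's
           transitive set entirely ... -->
      <exclusions>
        <exclusion>
          <groupId>org.example</groupId>           <!-- placeholder -->
          <artifactId>transitive-lib</artifactId>  <!-- placeholder -->
        </exclusion>
      </exclusions>
    </dependency>

    <!-- ... and declare the patched version directly. A direct dependency
         sits at depth 1, so Maven's nearest-wins rule picks it over any
         copy a dependency would otherwise bring in. -->
    <dependency>
      <groupId>org.example</groupId>               <!-- placeholder -->
      <artifactId>transitive-lib</artifactId>      <!-- placeholder -->
      <version>PATCHED_VERSION</version>           <!-- placeholder -->
    </dependency>
  </dependencies>
</project>
```

Use one option or the other; combining exclusion with a direct declaration (Option 2) is the safer choice when the starter would otherwise drag in several copies under different paths. After the change, confirm what actually ends up on the classpath with `mvn dependency:tree -Dincludes=org.example:transitive-lib` (the `includes` filter is a real flag of the maven-dependency-plugin; substitute the flagged coordinates), and re-run the scanner against the rebuilt artifact rather than trusting the pom alone, since an exclusion only removes the path it names.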

Hi @yadav1990 - you can also open an issue on the repo for that package. You are running 8.2.0 and there is a newer version available (8.2.2) - are you able to update to 8.2.2, and is there still an issue with that version?

Hi, in version 8.5.9, I encountered the error mentioned above. How can I resolve this issue?

@Sina_Mehrad - please open new topics for questions like this; this topic is over a year old!

To answer your question, that version of spring-zeebe is community maintained, so I would start with opening a GitHub issue if there isn’t one already: GitHub - camunda-community-hub/spring-zeebe: Easily use the Zeebe Java Client in your Spring or Spring Boot projects.

You are welcome to submit a PR that updates/corrects the dependency that was identified in the CVE!

1 Like