Hi, I think my post will help: <https://blog.dragonslayer.me/archives/161>
Although this post is written in Chinese, please check the code snippet in the post, I think it's easy to understand. In the post I tried to exclude log4j2 in the war, but you may change that to whatever you want. 在2022年10月19日星期三 UTC+8 15:18:07<Otto Myyrä> 写道: > Hi. > > Due to a recent problem with apache-commons-text (CVE-2022-42889) we were > trying to replace the commons-text-1.8 java library in our cas 6.1 > deployment. I can get the non-vulnerable 1.10 version to be included in the > build with an implementation clause in build.gradle, but the build still > insists on copying also the vulnerable 1.8 version into the resulting war > file. > > If I use the exclude group functionality to prevent the 1.8 from being > used, then the build fails because it can't find the 1.8 version. > > How can I get the commons-text-1.10 to replace the commons-text-1.8 so > that the 1.8 is not included in the built war file? Or is this even > practical and I should be trying some completely different approach? > > BR, > Otto Myyrä > > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/68ef95ed-5aa3-4ce4-a7e1-c482c33531fen%40apereo.org.
