Hi, I think my post will help: <https://blog.dragonslayer.me/archives/161>
Although this post is written in Chinese, please check the code snippet in the post, I think it's easy to understand. In the post I tried to exclude log4j2 in the war, but you may change that to whatever you want. 在2022年10月19日星期三 UTC+8 15:18:07<Otto Myyrä> 写道: > Hi. > > Due to a recent problem with apache-commons-text (CVE-2022-42889) we were > trying to replace the commons-text-1.8 java library in our cas 6.1 > deployment. I can get the non-vulnerable 1.10 version to be included in the > build with an implementation clause in build.gradle, but the build still > insists on copying also the vulnerable 1.8 version into the resulting war > file. > > If I use the exclude group functionality to prevent the 1.8 from being > used, then the build fails because it can't find the 1.8 version. > > How can I get the commons-text-1.10 to replace the commons-text-1.8 so > that the 1.8 is not included in the built war file? Or is this even > practical and I should be trying some completely different approach? > > BR, > Otto Myyrä > > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/68ef95ed-5aa3-4ce4-a7e1-c482c33531fen%40apereo.org.
