Aman-Mittal commented on code in PR #5426:
URL: https://github.com/apache/fineract/pull/5426#discussion_r2749584030
##########
buildSrc/src/main/groovy/org.apache.fineract.dependencies.gradle:
##########
@@ -279,5 +279,9 @@ dependencyManagement {
dependency 'io.netty:netty-codec-http:4.1.129.Final'
// Force lz4-java version: CVE-2025-12183
dependency 'at.yawk.lz4:lz4-java:1.10.1'
+ // Force tomcat-embed-core version: CVE-2025-24813
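Review bot: the hunk shows the new `// Force tomcat-embed-core version: CVE-2025-24813` comment but not the `dependency` line it annotates, so as displayed the comment dangles; the pin should follow it directly in the same form as the lz4-java entry two lines above (`dependency 'org.apache.tomcat.embed:tomcat-embed-core:<pinned version>'`), with the version matching what the `dependencyInsight` run in the comment reports as `(selected by rule)`. Since `spring-boot-starter-tomcat` also pulls in `tomcat-embed-websocket` at the same Spring-managed version (visible in the pasted tree), pin the websocket artifact to the same version alongside it so the two embed modules cannot drift apart on a future starter bump.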
Review Comment:
This is due to the org.springframework.boot:spring-boot-starter-tomcat dependency, which still resolves vulnerable components of Tomcat. Adding this will force Spring Boot to use them instead of its default version. You can cross-verify this via
./gradlew :fineract-provider:dependencyInsight \
--dependency tomcat-embed-core \
--configuration runtimeClasspath
```
amanmittal@pop-os:~/IdeaProjects/fineract$ ./gradlew :fineract-provider:dependencyInsight \
    --dependency tomcat-embed-core \
    --configuration runtimeClasspath
> Configure project :
matching ref: COMMIT - 84540d9b931ee14a4cb7479bc779ee32bb271d26
ref configuration: COMMIT - pattern: null
version:
${describe.tag.version.major}.${describe.tag.version.minor.next}.0-SNAPSHOT
describeTagPattern: .*(\d+\.\d+\.\d+).*
describeTagFirstParent: false
project version: 0.1.0-SNAPSHOT
> Task :fineract-provider:dependencyInsight
org.apache.tomcat.embed:tomcat-embed-core:10.1.47 (selected by rule)
Variant runtime:
| Attribute Name | Provided | Requested |
|--------------------------------|--------------|--------------|
| org.gradle.status | release | |
| org.gradle.category | library | library |
| org.gradle.libraryelements | jar | jar |
| org.gradle.usage | java-runtime | java-runtime |
| org.gradle.dependency.bundling | | external |
| org.gradle.jvm.environment | | standard-jvm |
| org.gradle.jvm.version | | 21 |
org.apache.tomcat.embed:tomcat-embed-core:10.1.47
\--- org.apache.tomcat.embed:tomcat-embed-websocket:10.1.47
\--- **org.springframework.boot:spring-boot-starter-tomcat:3.5.6 (requested org.apache.tomcat.embed:tomcat-embed-websocket:10.1.46)**
     Spring Boot requests 10.1.46, but it is overridden to 10.1.47.
+--- org.springframework.boot:spring-boot-starter-web:3.5.6
| +--- runtimeClasspath (requested
org.springframework.boot:spring-boot-starter-web)
| +--- project :fineract-investor (requested
org.springframework.boot:spring-boot-starter-web)
| | \--- runtimeClasspath
| +--- project :fineract-progressive-loan (requested
org.springframework.boot:spring-boot-starter-web)
| | \--- runtimeClasspath
| +--- project :fineract-loan (requested
org.springframework.boot:spring-boot-starter-web)
| | +--- runtimeClasspath
| | +--- project :fineract-investor (*)
| | \--- project :fineract-progressive-loan (*)
| +--- project :fineract-savings (requested
org.springframework.boot:spring-boot-starter-web)
| | \--- runtimeClasspath
| +--- project :fineract-cob (requested
org.springframework.boot:spring-boot-starter-web)
| | +--- runtimeClasspath
| | +--- project :fineract-investor (*)
| | +--- project :fineract-loan (*)
| | \--- project :fineract-savings (*)
| +--- project :fineract-branch (requested
org.springframework.boot:spring-boot-starter-web)
| | \--- runtimeClasspath
| +--- project :fineract-accounting (requested
org.springframework.boot:spring-boot-starter-web)
| | +--- runtimeClasspath
| | +--- project :fineract-investor (*)
| | +--- project :fineract-progressive-loan (*)
| | +--- project :fineract-loan (*)
| | +--- project :fineract-savings (*)
| | \--- project :fineract-branch (*)
| +--- project :fineract-rates (requested
org.springframework.boot:spring-boot-starter-web)
| | +--- runtimeClasspath
| | +--- project :fineract-loan (*)
| | \--- project :fineract-savings (*)
| +--- project :fineract-charge (requested
org.springframework.boot:spring-boot-starter-web)
| | +--- runtimeClasspath
| | +--- project :fineract-investor (*)
| | +--- project :fineract-progressive-loan (*)
| | +--- project :fineract-loan (*)
| | +--- project :fineract-savings (*)
| | \--- project :fineract-accounting (*)
| +--- project :fineract-document (requested
org.springframework.boot:spring-boot-starter-web)
| | \--- runtimeClasspath
| +--- project :fineract-report (requested
org.springframework.boot:spring-boot-starter-web)
| | \--- runtimeClasspath
| +--- project :fineract-tax (requested
org.springframework.boot:spring-boot-starter-web)
| | +--- runtimeClasspath
| | +--- project :fineract-loan (*)
| | +--- project :fineract-savings (*)
| | \--- project :fineract-charge (*)
| +--- project :fineract-loan-origination (requested
org.springframework.boot:spring-boot-starter-web)
| | \--- runtimeClasspath
| +--- project :fineract-core (requested
org.springframework.boot:spring-boot-starter-web)
| | +--- runtimeClasspath
| | +--- project :fineract-investor (*)
| | +--- project :fineract-progressive-loan (*)
| | +--- project :fineract-loan (*)
| | +--- project :fineract-savings (*)
| | +--- project :fineract-cob (*)
| | +--- project :fineract-branch (*)
| | +--- project :fineract-accounting (*)
| | +--- project :fineract-rates (*)
| | +--- project :fineract-charge (*)
| | +--- project :fineract-document (*)
| | +--- project :fineract-report (*)
| | +--- project :fineract-tax (*)
| | \--- project :fineract-loan-origination (*)
| \---
org.springframework.boot:spring-boot-starter-oauth2-authorization-server:3.5.6
| \--- runtimeClasspath (requested
org.springframework.boot:spring-boot-starter-oauth2-authorization-server)
\--- org.springframework.boot:spring-boot-starter-jersey:3.5.6
+--- runtimeClasspath (requested
org.springframework.boot:spring-boot-starter-jersey)
+--- project :fineract-cob (requested
org.springframework.boot:spring-boot-starter-jersey) (*)
\--- project :fineract-core (requested
org.springframework.boot:spring-boot-starter-jersey) (*)
org.apache.tomcat.embed:tomcat-embed-core:10.1.46 -> 10.1.47
\--- org.springframework.boot:spring-boot-starter-tomcat:3.5.6
+--- org.springframework.boot:spring-boot-starter-web:3.5.6
| +--- runtimeClasspath (requested
org.springframework.boot:spring-boot-starter-web)
| +--- project :fineract-investor (requested
org.springframework.boot:spring-boot-starter-web)
| | \--- runtimeClasspath
| +--- project :fineract-progressive-loan (requested
org.springframework.boot:spring-boot-starter-web)
| | \--- runtimeClasspath
| +--- project :fineract-loan (requested
org.springframework.boot:spring-boot-starter-web)
| | +--- runtimeClasspath
| | +--- project :fineract-investor (*)
| | \--- project :fineract-progressive-loan (*)
| +--- project :fineract-savings (requested
org.springframework.boot:spring-boot-starter-web)
| | \--- runtimeClasspath
| +--- project :fineract-cob (requested
org.springframework.boot:spring-boot-starter-web)
| | +--- runtimeClasspath
| | +--- project :fineract-investor (*)
| | +--- project :fineract-loan (*)
| | \--- project :fineract-savings (*)
| +--- project :fineract-branch (requested
org.springframework.boot:spring-boot-starter-web)
| | \--- runtimeClasspath
| +--- project :fineract-accounting (requested
org.springframework.boot:spring-boot-starter-web)
| | +--- runtimeClasspath
| | +--- project :fineract-investor (*)
| | +--- project :fineract-progressive-loan (*)
| | +--- project :fineract-loan (*)
| | +--- project :fineract-savings (*)
| | \--- project :fineract-branch (*)
| +--- project :fineract-rates (requested
org.springframework.boot:spring-boot-starter-web)
| | +--- runtimeClasspath
| | +--- project :fineract-loan (*)
| | \--- project :fineract-savings (*)
| +--- project :fineract-charge (requested
org.springframework.boot:spring-boot-starter-web)
| | +--- runtimeClasspath
| | +--- project :fineract-investor (*)
| | +--- project :fineract-progressive-loan (*)
| | +--- project :fineract-loan (*)
| | +--- project :fineract-savings (*)
| | \--- project :fineract-accounting (*)
| +--- project :fineract-document (requested
org.springframework.boot:spring-boot-starter-web)
| | \--- runtimeClasspath
| +--- project :fineract-report (requested
org.springframework.boot:spring-boot-starter-web)
| | \--- runtimeClasspath
| +--- project :fineract-tax (requested
org.springframework.boot:spring-boot-starter-web)
| | +--- runtimeClasspath
| | +--- project :fineract-loan (*)
| | +--- project :fineract-savings (*)
| | \--- project :fineract-charge (*)
| +--- project :fineract-loan-origination (requested
org.springframework.boot:spring-boot-starter-web)
| | \--- runtimeClasspath
| +--- project :fineract-core (requested
org.springframework.boot:spring-boot-starter-web)
| | +--- runtimeClasspath
| | +--- project :fineract-investor (*)
| | +--- project :fineract-progressive-loan (*)
| | +--- project :fineract-loan (*)
| | +--- project :fineract-savings (*)
| | +--- project :fineract-cob (*)
| | +--- project :fineract-branch (*)
| | +--- project :fineract-accounting (*)
| | +--- project :fineract-rates (*)
| | +--- project :fineract-charge (*)
| | +--- project :fineract-document (*)
| | +--- project :fineract-report (*)
| | +--- project :fineract-tax (*)
| | \--- project :fineract-loan-origination (*)
| \---
org.springframework.boot:spring-boot-starter-oauth2-authorization-server:3.5.6
| \--- runtimeClasspath (requested
org.springframework.boot:spring-boot-starter-oauth2-authorization-server)
\--- org.springframework.boot:spring-boot-starter-jersey:3.5.6
+--- runtimeClasspath (requested
org.springframework.boot:spring-boot-starter-jersey)
+--- project :fineract-cob (requested
org.springframework.boot:spring-boot-starter-jersey) (*)
\--- project :fineract-core (requested
org.springframework.boot:spring-boot-starter-jersey) (*)
(*) - Indicates repeated occurrences of a transitive dependency subtree.
Gradle expands transitive dependency subtrees only once per project; repeat
occurrences only display the root of the subtree, followed by this annotation.
A web-based, searchable dependency report is available by adding the --scan
option.
[Incubating] Problems report is available at:
file:///home/amanmittal/IdeaProjects/fineract/build/reports/problems/problems-report.html
Deprecated Gradle features were used in this build, making it incompatible
with Gradle 9.0.
You can use '--warning-mode all' to show the individual deprecation warnings
and determine if they come from your own scripts or plugins.
For more on this, please refer to
https://docs.gradle.org/8.14.3/userguide/command_line_interface.html#sec:command_line_warnings
in the Gradle documentation.
BUILD SUCCESSFUL in 3s
9 actionable tasks: 1 executed, 8 up-to-date
```
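As an added example (not code from this PR or from Fineract), a small Python gate that parses a dependencyInsight report like the one pasted above and fails when the version Gradle actually selected for tomcat-embed-core is below the pinned one. The sample report is constructed from lines in the comment, and the minimum of 10.1.47 is simply the pin this PR introduces, not a claim about which release fixes the CVE.

```python
import re

# Constructed sample modelled on the dependencyInsight output quoted in the
# review comment; only the lines the check relies on are reproduced.
SAMPLE_INSIGHT = r"""
> Task :fineract-provider:dependencyInsight
org.apache.tomcat.embed:tomcat-embed-core:10.1.47 (selected by rule)
   Variant runtime:
org.apache.tomcat.embed:tomcat-embed-core:10.1.47
\--- org.apache.tomcat.embed:tomcat-embed-websocket:10.1.47

org.apache.tomcat.embed:tomcat-embed-core:10.1.46 -> 10.1.47
\--- org.springframework.boot:spring-boot-starter-tomcat:3.5.6
"""

# Header line for the resolved module: "group:artifact:version (reason)"
_RESOLVED = re.compile(
    r"^(?P<ga>[\w.\-]+:[\w.\-]+):(?P<v>[\w.\-]+)(?: \((?P<reason>[^)]*)\))?$")
# Override line for a version Gradle replaced: "group:artifact:old -> new"
_OVERRIDE = re.compile(
    r"^(?P<ga>[\w.\-]+:[\w.\-]+):(?P<req>[\w.\-]+) -> (?P<sel>[\w.\-]+)$")


def version_key(v: str) -> tuple:
    """Sortable key: numeric segments compare as ints, qualifiers such as
    'Final' as strings, so 10.1.47 > 10.1.46 and 4.1.129.Final > 4.1.129."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-]", v))


def check_pin(insight: str, module: str, minimum: str) -> dict:
    """Parse a dependencyInsight report for `module` and compare the version
    Gradle actually selected against `minimum` (the version the build pins)."""
    selected, overrides = None, []
    for line in insight.splitlines():
        m = _OVERRIDE.match(line)
        if m and m.group("ga") == module:
            overrides.append((m.group("req"), m.group("sel")))
            continue
        m = _RESOLVED.match(line)
        if m and m.group("ga") == module and selected is None:
            selected = m.group("v")  # first header line is the chosen version
    ok = selected is not None and version_key(selected) >= version_key(minimum)
    return {"selected": selected, "overrides": overrides, "ok": ok}


if __name__ == "__main__":
    # 10.1.47 is the version this PR pins; substitute your own pin for a CI gate.
    result = check_pin(SAMPLE_INSIGHT, "org.apache.tomcat.embed:tomcat-embed-core", "10.1.47")
    raise SystemExit(0 if result["ok"] else 1)
```

To run it against a live build, pipe the real `./gradlew :fineract-provider:dependencyInsight --dependency tomcat-embed-core --configuration runtimeClasspath` output into `check_pin` in place of the constructed sample.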