ChinchuAjith opened a new pull request, #6748:
URL: https://github.com/apache/incubator-kie-drools/pull/6748
This PR resolves four critical and high-severity CVEs in Jetty by upgrading
from version 11.0.24 to 12.0.33.
WireMock 3.13.2 ships a separate artifact — `wiremock-jetty12` — which pulls
Jetty 12.0.33 instead of 11.x. Switching to this artifact resolves all four
CVEs.
**Changes Done**
- Added `version.org.eclipse.jetty=12.0.33`
- `wiremock`: 3.13.0 -> 3.13.2
- Added `jetty-bom:12.0.33` in dependencyManagement
- Added explicit dependency management for other Jetty artifacts:
This explicit management was necessary because wiremock-jetty12:3.13.2
brings in mixed Jetty versions (12.1.7 for core, 12.0.30 for EE10), causing
NoSuchMethodError at runtime.
**Replaced wiremock with wiremock-jetty12:**
- Changed from `<artifactId>wiremock</artifactId>` to
`<artifactId>wiremock-jetty12</artifactId>`
- Added exclusion for `jetty-jakarta-servlet-api` to avoid conflicts
**Impact**
- All Jetty artifacts now resolve to version 12.0.33
- All four CVEs are resolved
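The mixed-version problem the PR describes (Jetty 12.1.7 core alongside 12.0.30 EE10 artifacts, surfacing as `NoSuchMethodError` at runtime) is easy to miss until a test blows up. The check below is an added example, not code from the PR or the Drools project: it parses the text that `mvn dependency:tree` prints and reports every `org.eclipse.jetty*` artifact whose resolved version differs from the pinned one. The tree text it runs on is constructed for the example (the `com.example:demo-app` root and the exact artifact list are assumptions), but the line format is the one Maven emits, so the same functions work on a real `mvn dependency:tree` capture.

```python
import re
from collections import defaultdict

# Constructed sample of `mvn dependency:tree` output (not a real build log).
# It mirrors the drift described in the PR: core artifacts at 12.1.7,
# EE10 artifacts at 12.0.30, before the BOM and explicit management were added.
SAMPLE_TREE = """\
[INFO] com.example:demo-app:jar:1.0.0-SNAPSHOT
[INFO] +- org.wiremock:wiremock-jetty12:jar:3.13.2:test
[INFO] |  +- org.eclipse.jetty:jetty-server:jar:12.1.7:test
[INFO] |  |  \\- org.eclipse.jetty:jetty-http:jar:12.1.7:test
[INFO] |  +- org.eclipse.jetty.ee10:jetty-ee10-servlet:jar:12.0.30:test
[INFO] |  \\- org.eclipse.jetty.ee10:jetty-ee10-servlets:jar:12.0.30:test
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# Constructed sample of the tree after pinning everything to 12.0.33.
SAMPLE_TREE_PINNED = """\
[INFO] com.example:demo-app:jar:1.0.0-SNAPSHOT
[INFO] +- org.wiremock:wiremock-jetty12:jar:3.13.2:test
[INFO] |  +- org.eclipse.jetty:jetty-server:jar:12.0.33:test
[INFO] |  |  \\- org.eclipse.jetty:jetty-http:jar:12.0.33:test
[INFO] |  +- org.eclipse.jetty.ee10:jetty-ee10-servlet:jar:12.0.33:test
[INFO] |  \\- org.eclipse.jetty.ee10:jetty-ee10-servlets:jar:12.0.33:test
[INFO] \\- junit:junit:jar:4.13.2:test
"""

JETTY_GROUP = "org.eclipse.jetty"


def parse_coordinates(line):
    """Return (groupId, artifactId, version) for one dependency:tree line, or None.

    Maven prints `groupId:artifactId:type[:classifier]:version:scope` for every
    dependency and `groupId:artifactId:packaging:version` (no scope) for the root.
    """
    if not line.startswith("[INFO]"):
        return None
    # Drop the log prefix and the tree-drawing characters (`+- `, `|  `, `\- `).
    body = line[len("[INFO]"):].lstrip(" |+\\-").strip()
    parts = body.split(":")
    if len(parts) < 4:
        return None
    group, artifact = parts[0], parts[1]
    version = parts[3] if len(parts) == 4 else parts[-2]
    return group, artifact, version


def jetty_versions(tree_text, group_prefix=JETTY_GROUP):
    """Map each resolved Jetty version to the artifacts that use it."""
    by_version = defaultdict(list)
    for line in tree_text.splitlines():
        coord = parse_coordinates(line)
        if coord is None:
            continue
        group, artifact, version = coord
        # Match org.eclipse.jetty itself and sub-groups such as org.eclipse.jetty.ee10.
        if group == group_prefix or group.startswith(group_prefix + "."):
            by_version[version].append(f"{group}:{artifact}")
    return dict(by_version)


def check_pinned(tree_text, expected="12.0.33"):
    """Return sorted (artifact, version) pairs that drift from the expected Jetty version."""
    drift = []
    for version, artifacts in jetty_versions(tree_text).items():
        if version != expected:
            drift.extend((artifact, version) for artifact in artifacts)
    return sorted(drift)


if __name__ == "__main__":
    # Run against a real capture with: mvn dependency:tree > tree.txt; then
    # check_pinned(open("tree.txt").read()).  Non-empty output means the BOM
    # or explicit management is not winning for some artifact.
    for artifact, version in check_pinned(SAMPLE_TREE):
        print(f"DRIFT {artifact} -> {version}")
    print("pinned tree drift:", check_pinned(SAMPLE_TREE_PINNED))
```

Wiring `check_pinned` into CI (fail the build when it returns a non-empty list) turns the "All Jetty artifacts now resolve to version 12.0.33" claim in the PR into a guard that keeps holding after the next dependency bump.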
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]