Skip to content

fix(deps): patch osv-scan dependency vulnerabilities#110

Closed
seonghobae wants to merge 1 commit into
mainfrom
feat/osv-dep-vuln-fix
Closed

fix(deps): patch osv-scan dependency vulnerabilities#110
seonghobae wants to merge 1 commit into
mainfrom
feat/osv-dep-vuln-fix

Conversation

@seonghobae

Copy link
Copy Markdown
Collaborator

Summary

Patches OSV-confirmed dependency vulnerabilities in pom.xml so osv-scan passes across clearfolio PRs. Minimal, idiomatic Spring Boot fix: bump the parent, drop an unused heavy dependency, and override three BOM version properties — no <dependencyManagement> block needed.

Confirmed CVEs cleared

Remove unused Tika (tika-parsers-standard-package 3.2.2 — zero source usage) — 7 CVEs, incl. the only CRITICAL:

  • bcprov-jdk18on CVE-2025-14813 (CRITICAL)
  • bcpkix-jdk18on, commons-io 2.7, commons-lang3 3.17.0, junrar 7.5.5

Bump spring-boot-starter-parent 3.5.0 → 3.5.14:

  • spring-boot CVE-2026-40973 (raises managed floors for logback/reactor-netty/assertj/base spring/jackson/netty)

Override BOM properties to force transitive floors:

  • netty.version=4.1.135.Final — clears all 18 netty CVEs (reachable via the live webflux/reactor-netty HTTP server — the largest real exposure)
  • jackson-bom.version=2.21.4 — jackson-databind CVE-2026-54512 / 54513 / 54514, jackson-core GHSA-72hv-8253-57qq (jackson-databind is a direct dep, used in ApiErrorResponse.java)
  • spring-framework.version=6.2.18 — spring-core CVE-2025-41249, spring-web CVE-2025-41234, spring-webflux CVEs

Verification

mvn -DskipTests compile succeeds. mvn dependency:tree confirms:

  • No org.apache.tika / org.bouncycastle / junrar / commons-io:2.7 artifacts remain
  • Every io.netty:* module is 4.1.135.Final
  • jackson-databind is 2.21.4
  • spring-core / spring-web / spring-webflux are 6.2.18
  • spring-boot is 3.5.14

osv-scanner was rate-limited (HTTP 429) resolving the parent POM from Maven Central, so the authoritative transitive-version verification is the mvn dependency:tree above (BUILD SUCCESS).

Residual (cannot fix)

  • jackson-databind CVE-2026-54515 (MODERATE) — no published fix for the 2.19+ line. Accept/suppress and track upstream.

🤖 Generated with Claude Code

Resolve OSV-confirmed dependency vulnerabilities in pom.xml so osv-scan
passes across clearfolio PRs. Verified via `mvn dependency:tree` (BUILD
SUCCESS) since osv-scanner itself 429s on Maven Central during parent/BOM
resolution and cannot resolve transitive versions.

Changes:
- Bump spring-boot-starter-parent 3.5.0 -> 3.5.14 (fixes spring-boot
  CVE-2026-40973; raises managed floors for logback/reactor-netty/assertj/
  base spring-framework/jackson/netty).
- Remove unused org.apache.tika:tika-parsers-standard-package 3.2.2 (zero
  source usage). Eliminates the only CRITICAL, bcprov-jdk18on
  CVE-2025-14813, plus bcpkix-jdk18on, commons-io 2.7, commons-lang3
  3.17.0, and junrar 7.5.5 findings — 7 CVEs and a large parser attack
  surface.
- Override three spring-boot-dependencies BOM properties to force
  transitive floors:
    netty.version=4.1.135.Final       -> clears all 18 netty CVEs
    jackson-bom.version=2.21.4         -> clears jackson-databind
                                         CVE-2026-54512/54513/54514 and
                                         jackson-core GHSA-72hv-8253-57qq
    spring-framework.version=6.2.18    -> clears spring-core CVE-2025-41249,
                                         spring-web CVE-2025-41234, and
                                         spring-webflux CVEs

Verified (mvn dependency:tree): no tika/bouncycastle/junrar/commons-io:2.7
remain; every io.netty:* is 4.1.135.Final; jackson-databind 2.21.4;
spring-core/web/webflux 6.2.18; spring-boot 3.5.14. `mvn -DskipTests
compile` succeeds.

Residual: jackson-databind CVE-2026-54515 (MODERATE) has no published fix
for the 2.19+ line — accept/suppress and track upstream.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017RkKdtHRLG4wSLh6PVsp8J
@seonghobae

Copy link
Copy Markdown
Collaborator Author

현재 main이 이 PR의 보안 변경을 더 최신 버전으로 완전히 대체했습니다.

  • Spring Boot: 제안 3.5.14 → main 3.5.16
  • Jackson: 제안 2.21.4 → main 2.22.1
  • 취약한 broad Tika parser 패키지는 main에서도 제거됨
  • 최신 Trivy 기본 브랜치 체크와 Dependabot Medium+ 목록에 실제 미해결 항목 없음

브랜치는 main과 충돌하고 제안 버전이 더 오래되므로 병합하면 보안 버전이 후퇴합니다. 중복 보안 PR로 종료합니다.

@seonghobae seonghobae closed this Jul 12, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant