Vulnerability in Dependencies of Cloud SDK commons-lang3 #872

@udaysap

Description

Describe the Bug

We are currently using the Cloud SDK library (version 5.20.0), and during a recent WhiteSource scan, a vulnerability was identified in a transitive dependency: commons-lang3 version 3.17.0.

As we are already on the latest available Cloud SDK version, could you please let us know if there is a planned release that addresses this vulnerability? If so, we would appreciate it if you could share the expected timeline for its availability.

For reference, this issue was initially reported on 13th July 2025.

Steps to Reproduce

Update the parent pom.xml with the Cloud SDK BOM version below; the scan will then list the vulnerability mentioned above.

<com.sap.cloud.sdk.sdk-bom.version>5.20.0</com.sap.cloud.sdk.sdk-bom.version>

Expected Behavior

We have a window of only 60 days from the 13th of July; otherwise we will have a compliance issue with the product.

Screenshots

No response

Used Versions

  • Java and Maven version via mvn --version: 21.0.8 / Maven - 3.9.9
  • SAP Cloud SDK version: 5.20.0
  • Spring Boot or CAP version: 3.5.3 / 3.10.3
Dependency tree via mvn dependency:tree
[INFO] +- com.sap.cloud.sdk.datamodel:odata-core:jar:5.20.0:compile
[INFO] |  +- com.sap.cloud.sdk.datamodel:odata-client:jar:5.20.0:compile
[INFO] |  +- com.sap.cloud.sdk.cloudplatform:connectivity-apache-httpclient4:jar:5.20.0:compile
[INFO] |  +- com.sap.cloud.sdk.datamodel:fluent-result:jar:5.20.0:compile
[INFO] |  \- org.apache.commons:commons-lang3:jar:3.17.0:compile

Code Examples

// Your code here

Stack Trace

No response

Log File

Log file ...

Affected Development Phase

Getting Started

Impact

No Impact

Timeline

No response
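The dependency tree quoted in the issue shows which SDK module pulls commons-lang3 in transitively, which is what you need to know before adding a dependencyManagement override or asking for a BOM update. The following Python script is an added example, not code from the issue or from the SAP Cloud SDK project: it parses `mvn dependency:tree` output of that shape, reconstructs the chain of coordinates leading to a given artifact, and flags every occurrence whose version is at or below the version a scanner reported. The tree lines embedded here are the ones from the issue; the version comparison is a simplified numeric one and does not implement Maven's full ComparableVersion ordering (qualifiers such as `-SNAPSHOT` or `.Final` are not handled).

```python
import re
import sys
from dataclasses import dataclass

# Dependency-tree lines as quoted in the issue (from "Used Versions").
TREE_LINES = [
    "[INFO] +- com.sap.cloud.sdk.datamodel:odata-core:jar:5.20.0:compile",
    "[INFO] |  +- com.sap.cloud.sdk.datamodel:odata-client:jar:5.20.0:compile",
    "[INFO] |  +- com.sap.cloud.sdk.cloudplatform:connectivity-apache-httpclient4:jar:5.20.0:compile",
    "[INFO] |  +- com.sap.cloud.sdk.datamodel:fluent-result:jar:5.20.0:compile",
    "[INFO] |  \\- org.apache.commons:commons-lang3:jar:3.17.0:compile",
]

# One tree line: "[INFO] " + zero or more 3-char nesting segments ("|  " or "   ")
# + "+- " or "\- " + the Maven coordinates. The root artifact line has no
# connector and is deliberately skipped; depth is relative to the root's children.
LINE_RE = re.compile(r"^\[INFO\] ((?:[| ]  )*)[+\\]- (\S+)$")


@dataclass
class Dep:
    group: str
    artifact: str
    packaging: str
    version: str
    scope: str
    depth: int

    @property
    def ga(self) -> str:
        return f"{self.group}:{self.artifact}"


def parse_tree(lines):
    """Parse mvn dependency:tree output into Dep records; unrelated output is ignored."""
    deps = []
    for line in lines:
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        prefix, coords = m.groups()
        parts = coords.split(":")
        # Coordinates are g:a:type:version:scope or g:a:type:classifier:version:scope,
        # so version and scope are always the last two fields.
        if len(parts) < 5:
            continue
        deps.append(Dep(group=parts[0], artifact=parts[1], packaging=parts[2],
                        version=parts[-2], scope=parts[-1], depth=len(prefix) // 3))
    return deps


def find_paths(deps, ga):
    """Return the chain "group:artifact:version" leading to each occurrence of ga."""
    stack, paths = [], []
    for d in deps:
        del stack[d.depth:]          # pop back to this node's parent level
        stack.append(d)
        if d.ga == ga:
            paths.append([f"{x.ga}:{x.version}" for x in stack])
    return paths


def version_tuple(version):
    # Simplified: numeric dotted segments only; non-numeric segments sort lowest.
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def flag_at_or_below(deps, ga, flagged_version):
    """Occurrences of ga that still resolve to the scanner-flagged version or older."""
    return [d for d in deps
            if d.ga == ga and version_tuple(d.version) <= version_tuple(flagged_version)]


if __name__ == "__main__":
    # Pipe real output in ("mvn dependency:tree | python3 check_tree.py");
    # without stdin the lines quoted from the issue are used.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else TREE_LINES
    deps = parse_tree(lines)
    target, flagged = "org.apache.commons:commons-lang3", "3.17.0"
    for path in find_paths(deps, target):
        print(" -> ".join(path))
    for d in flag_at_or_below(deps, target, flagged):
        print(f"FLAGGED: {d.ga}:{d.version} ({d.scope}) at or below {flagged}")
```

Re-running the same check after a dependencyManagement override in the parent pom shows whether the resolved version actually changed, which is the confirmation a compliance scan will want; the path output tells you which BOM-managed module the override is shadowing, so the pin can be removed once a Cloud SDK release raises the transitive version itself.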
