Fix dependency vulnerabilities of the configuration-server in v2.2.0 #1553
Dec 9, 2022: heiko-holz pushed a commit to heiko-holz/inspectit-ocelot that referenced this issue.
Dec 9, 2022: heiko-holz changed the title from "Update dependencies to fix vulnerabilities for v2.2.0" to "Fix dependency vulnerabilities in v2.2.0".
Dec 9, 2022: heiko-holz pushed six further commits to heiko-holz/inspectit-ocelot that referenced this issue.
Dec 14, 2022: heiko-holz pushed three commits to heiko-holz/inspectit-ocelot that referenced this issue.
Dec 21, 2022: heiko-holz pushed a commit to heiko-holz/inspectit-ocelot that referenced this issue.
Dec 21, 2022: quandor added a commit that referenced this issue, with the following commit message:
* fix(dependencies): upgrade snakeyaml, logback, and jacksondatabind [#1553]
* fix(dependencies): adjust spring-boot-test version [#1553]
* fix(dependencies): adjust spring-beans version in configuration-server [#1553]
* fix(dependencies): fix dependencies for configdocsgenerator [#1553]
* fix(dependencies): upgrade snakeyaml, logback, and jacksondatabind [#1553]
* fix(dependencies): adjust spring-beans version in configuration-server [#1553]
* fix(dependencies): add owasp dependency check plugin
* fix(dependencies): upgrade commons-text to v1.10 [#1553]
* fix(dependencies): increase CycloneDX BOM schemaVersion to v1.4 [#1553]
* fix(dependencies): upgrade gson [#1533]
* fix(dependencies): upgrade jackson-databind [#1553]
* fix(dependencies): upgrade spring-boot and spring in configserver [#1533]
* fix(dependencies): migrate from SpringFox to openapi [#1533]
* Allow anonymous access to Swagger file
* Some Dependency upgrades
* No jacksonDatabindVersion necessary anymore
* Help if configuration server ui does not start
* Even more improvements
* Further small improvement
* Correct THIRD-PARTY-LICENSES.txt
* Example values included for API-Documentation
* Explains why some paths are excluded from security
* Removes unused dependency
* Removes unnecessary version info
  Version depends on versions from included projects
* Fixes failing test
  A version upgrade of Mockito caused this. Newer versions do know the return type of java.time.Duration and return 0s instead of null. Hence the assert broke. Since the author did not understand the reason to use a mock, we switched to a real object instead.
* Unify jUnit and mockito version
  At least for some projects
* Reintroduces prematurely removed version info.
  But aligned via properties with other projects.
* Removes unused gradle.properties in module directory
* Reverts an unintentional change
* Removes spring-boot-managed dependency versions
* Removes TODO after discussing
* No version for REST-Api
* fix(swagger): sort schemas alphabetically in swagger-ui [#1553]
* Comment about how dependency versions are resolved
* Uses current version of OWASP plugin

Co-Authored-By: Jochen Just <jochen.just@novatec-gmbh.de>
Dec 22, 2022: heiko-holz changed the title from "Fix dependency vulnerabilities in v2.2.0" to "Fix dependency vulnerabilities of the configuration-server in v2.2.0".
Issue description:

The configuration-server of the current release (v2.2.0) has various security-high and risk findings in its dependencies, e.g.,

In this issue, these dependencies (also transitively) need to be updated so that we do not have any vulnerabilities in the configuration server.