Ehcache - OWASP Dependency Check issues [SWS-1033] #1102
We have recently updated to Spring Boot 2.0.4 (currently the latest version), and our automated testing has detected a big increase in the issue count while checking dependencies (Jenkins plugin for "OWASP Dependency Check").
[Screenshot: OWASP Dependency Check results, 2018-08-28]
The main "troublemaker" seems to be the Ehcache library that is available as a dependency in the current version of the Spring WS-Security (3.0.3).
Could you please have a look at the library and give us a hint whether it is safe to exclude it?
Backported to: 2.4.3
Petr Dvorak commented
Hello, we managed to work around the issue with the following Maven exclusions:

```xml
<dependency>
    <groupId>org.springframework.ws</groupId>
    <artifactId>spring-ws-security</artifactId>
    <exclusions>
        <exclusion>
            <artifactId>ehcache</artifactId>
            <groupId>net.sf.ehcache</groupId>
        </exclusion>
        <exclusion>
            <artifactId>geronimo-javamail_1.4_mail</artifactId>
            <groupId>org.apache.geronimo.javamail</groupId>
        </exclusion>
    </exclusions>
</dependency>
```
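An exclusion only removes the artifact from the path that goes through spring-ws-security; if any other dependency pulls in the same artifact, it stays on the classpath and Dependency Check will keep flagging it. The check below is an added example (not part of this thread or of the Spring WS project): it scans the output of `mvn dependency:tree` for the two excluded `groupId:artifactId` pairs and fails if either is still present. The two tree snippets are constructed sample input; the version numbers of ehcache, geronimo-javamail and spring-security-core in them are assumed and not taken from the thread.

```shell
#!/bin/sh
# Constructed sample of `mvn dependency:tree` output BEFORE the exclusions.
# Versions other than spring-ws-security 3.0.3 are assumed for illustration.
TREE_BEFORE='[INFO] com.example:ws-app:jar:1.0.0
[INFO] +- org.springframework.ws:spring-ws-security:jar:3.0.3.RELEASE:compile
[INFO] |  +- net.sf.ehcache:ehcache:jar:2.10.5:compile
[INFO] |  +- org.apache.geronimo.javamail:geronimo-javamail_1.4_mail:jar:1.9.0-alpha-2:compile
[INFO] |  \- org.springframework.security:spring-security-core:jar:5.0.7.RELEASE:compile'

# Constructed sample of the same tree AFTER the exclusions were applied.
TREE_AFTER='[INFO] com.example:ws-app:jar:1.0.0
[INFO] +- org.springframework.ws:spring-ws-security:jar:3.0.3.RELEASE:compile
[INFO] |  \- org.springframework.security:spring-security-core:jar:5.0.7.RELEASE:compile'

# Artifacts that must not appear on the classpath, as groupId:artifactId, one per line.
UNWANTED='net.sf.ehcache:ehcache
org.apache.geronimo.javamail:geronimo-javamail_1.4_mail'

# find_unwanted TREE_TEXT
#   Prints every line of the tree that still references an unwanted artifact
#   (whatever path pulled it in) and returns 1 if any was found, 0 otherwise.
find_unwanted() {
    _found=0
    for ga in $UNWANTED; do
        # Trailing ":" keeps "foo:bar" from matching "foo:bar-extra".
        matches=$(printf '%s\n' "$1" | grep -F -- "$ga:" || true)
        if [ -n "$matches" ]; then
            printf '%s\n' "$matches"
            _found=1
        fi
    done
    return $_found
}

# Stand-alone run on the constructed samples.
echo "before exclusions:"
find_unwanted "$TREE_BEFORE" || echo "-> unwanted artifacts still present"
echo "after exclusions:"
find_unwanted "$TREE_AFTER" && echo "-> clean"
```

Against a real build, write the tree to a file with `mvn dependency:tree -DoutputFile=tree.txt` and run `find_unwanted "$(cat tree.txt)"`; a non-zero exit means some other dependency is still bringing the artifact in and needs its own exclusion (or a dependency-management override) before Dependency Check will stop reporting it.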
Greg Turnquist commented
I'm introducing SpringBasedX509UserCache, which lets users migrate away from EhCache and toward Spring Framework's cache abstraction.
EhCacheBasedX509UserCache is deprecated, meaning that in a future major release we'll be able to remove EhCache from the list of dependencies. For now, if you're not using it, you can simply exclude it as a dependency.