I'm introducing SpringBasedX509UserCache, which lets users migrate away from EhCache and toward Spring Framework's cache abstraction.
EhCacheBasedX509UserCache is deprecated, meaning in a future, major release, we'll be able to remove EhCache from the list of dependencies. For now, if you're not using it, you can simply exclude it as a dependency.
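The exclusion suggested above, shown as an added example that is not part of the original thread. It assumes a Maven build and that Ehcache arrives transitively under the coordinates `net.sf.ehcache:ehcache`; confirm both against your own dependency tree before applying it.

```xml
<!-- Added example; assumes Maven and the net.sf.ehcache:ehcache coordinates. -->
<dependency>
    <groupId>org.springframework.ws</groupId>
    <artifactId>spring-ws-security</artifactId>
    <!-- Version taken from the report; omit it if your BOM or parent POM manages it. -->
    <version>3.0.3</version>
    <exclusions>
        <!-- Only safe when nothing in the application instantiates
             EhCacheBasedX509UserCache; otherwise class loading fails at runtime. -->
        <exclusion>
            <groupId>net.sf.ehcache</groupId>
            <artifactId>ehcache</artifactId>
        </exclusion>
    </exclusions>
</dependency>
```

After the change, `mvn dependency:tree -Dincludes=net.sf.ehcache` should list no matching artifacts; if it still does, another dependency is pulling Ehcache in and needs its own exclusion.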
Petr Dvorak opened SWS-1033 and commented
We have recently updated to Spring Boot 2.0.4 (currently the latest version) and our automatic testing has detected a big increase of issue count while checking dependencies (Jenkins Plugin for "OWASP Dependency Check").
The main "troublemaker" seems to be the Ehcache library that is available as a dependency in the current version of the Spring WS-Security (3.0.3).
Could you please have a look at the library, and give us a hint if it is secure to exclude it?
Affects: 3.0.3
Referenced from: commits 40c8447, 738eb70
Backported to: 2.4.3