
I have spring-boot-starter in my POM and versions are automatically resolved by Camden dependency management system.

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>Camden.SR6</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <dependencies>
        <!-- Spring Boot -->
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter</artifactId>
        </dependency>
    </dependencies>

This gives me version 1.4.3.RELEASE of spring-boot-starter.

One of the jars spring-boot-starter automatically includes in the Maven dependencies is logback-classic: 1.1.18

ch.qos.logback_logback-core version 1.1.8 has a vulnerability because of which I want to switch over to logback version 1.2. This vulnerability is explained in the link below:

https://nvd.nist.gov/vuln/detail/CVE-2017-5929

Now, is there a way to override the logback version to 1.2 from what spring-boot-starter automatically resolves it to, so that I am not exposed to this vulnerability?

Hary
  • Take a look https://stackoverflow.com/q/9119055/1032167 – varren Oct 15 '17 at 19:41
  • It depends. If you use the `spring-boot-starter-parent` as the `parent` of your project it is as easy as defining the version you want in the `properties` section else add it in the `dependencyManagement` section to override the other versions set. – M. Deinum Oct 16 '17 at 09:13

2 Answers


Based on your pom file, you can achieve this by excluding the dependency on 1.1.8 first and then adding the dependency on 1.2.0.
For example:

    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter</artifactId>
        <exclusions>
            <exclusion>
                <groupId>ch.qos.logback</groupId>
                <artifactId>logback-classic</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

    <dependency>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-classic</artifactId>
        <version>1.2.0</version>
    </dependency>

LHCHIN
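Since the question's project does not use spring-boot-starter-parent but imports the Camden BOM, the version can also be overridden without exclusions by managing it directly in the project's own dependencyManagement block: entries declared there take precedence over versions coming from an imported BOM. The snippet below is an added example, not code from the question or either answer; it assumes the same Camden.SR6 import shown in the question and uses 1.2.0 as the target version, as the answer above does. It pins logback-core as well as logback-classic, because the spring-boot-dependencies BOM that Camden imports manages both artifacts, and an exclusion of logback-classic alone can leave logback-core at the Boot-managed 1.1.8 next to a 1.2.0 logback-classic.

```xml
<!-- Added example (not from the question or the answers): override the logback
     version managed by the imported Camden BOM from the project's own POM.
     Dependencies declared directly in this dependencyManagement block win over
     versions managed by the imported BOM, so no exclusions are needed. -->
<dependencyManagement>
    <dependencies>
        <!-- Both logback artifacts are pinned together: logback-classic and
             logback-core are released as a pair and must match. Version 1.2.0
             is the target named on this page; any later 1.2.x works the same. -->
        <dependency>
            <groupId>ch.qos.logback</groupId>
            <artifactId>logback-classic</artifactId>
            <version>1.2.0</version>
        </dependency>
        <dependency>
            <groupId>ch.qos.logback</groupId>
            <artifactId>logback-core</artifactId>
            <version>1.2.0</version>
        </dependency>

        <!-- The BOM import from the question, unchanged. Maven applies the
             direct entries above first regardless of their position here. -->
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-dependencies</artifactId>
            <version>Camden.SR6</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>
```

After the change, confirm the override actually reached the resolved tree rather than trusting the POM: `mvn dependency:tree -Dincludes=ch.qos.logback` should list both logback-classic and logback-core at 1.2.0 under spring-boot-starter-logging. If logback-core still shows 1.1.8, the override is being shadowed (for example by a parent POM that also manages it), and the mismatch would surface at runtime as a NoSuchMethodError or similar rather than at build time. For projects that do use spring-boot-starter-parent, setting the `logback.version` property to 1.2.0 in `<properties>` has the same effect, which is the approach the comments on the question describe.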

Add a properties tag in the pom like this:

    <properties>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
        <start-class>org.roshan.Application</start-class>
        <hibernate.version>5.2.10.Final</hibernate.version>
        <liquibase.version>3.5.3</liquibase.version>
        <liquibase-hibernate5.version>3.6.0</liquibase-hibernate5.version>
        <httpcore.version>4.4.5</httpcore.version>
        <httpclient.version>4.5.3</httpclient.version>
        <docker-maven-plugin.version>0.4.13</docker-maven-plugin.version>
    </properties>

ali akbar azizkhani
  • I am using Camden for dependency management. I am not using static properties like this. – Hary Oct 15 '17 at 21:06
  • You can override the parent dependency version by adding static properties. For example, the default hibernate maybe is 5.2.3, but I change that to 5.2.10. Test it; I used this in my project and it works correctly. – ali akbar azizkhani Oct 16 '17 at 11:17
  • The problem is that the library version I am trying to override is one of the transitive dependencies of spring-boot-starter. So I am not sure if such static properties would override the version for such transitive dependencies resolved by Camden. – Hary Oct 16 '17 at 15:40