
I have updated the dependency spring-cloud-stream to resolve the vulnerability issues in spring-cloud-function-context, which is a child compile dependency of:

        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-stream</artifactId>
            <version>3.2.3</version>
        </dependency>

But it does not update spring-cloud-function-context, and I am not using this dependency explicitly in my pom.xml.

Is there any way to do that?


You shouldn't be managing dependencies manually; instead, let the Spring dependency management mechanism do that. So all you need is to upgrade the BOM dependency for spring-cloud, which will ensure all dependencies are compatible.

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>2021.0.2</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

Also, unless you are using spring-cloud-function-web, you are not affected by this vulnerability anyway.

Oleg Zhurakousky
  • But this is giving an error in many other dependencies if I update like this: 'dependencies.dependency.version' for org.springframework.cloud:spring-cloud-sleuth-core:jar is missing. @ line 75, column 21; 'dependencies.dependency.version' for org.springframework.cloud:spring-cloud-starter-netflix-turbine:jar is missing. @ line 43, column 15; 'dependencies.dependency.version' for org.springframework.cloud:spring-cloud-starter-netflix-zuul:jar is missing. @ line 40, column 21. Kindly please suggest if I am missing something – Sarthak Garg May 11 '22 at 12:22
  • I don't know or see your project, so I can't speculate as to what that other problem may be. In any event, you can always explicitly declare the `spring-cloud-function-context` version even if you are not explicitly using it. – Oleg Zhurakousky May 11 '22 at 13:23
  • The Netflix projects are no longer part of the release train. Sleuth is, but maybe not that module. I'd recommend using the starters – spencergibb May 11 '22 at 15:57
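As an added example (not code from the question, the answer, or the Spring Cloud project), this pom.xml fragment combines the BOM import from the answer with the explicit managed version suggested in the comments, so the transitive module is pinned without becoming a direct dependency; the `spring-cloud-function.version` property and its value are placeholders, not a real release number.

```xml
<!-- Added example, not from the thread above. Placeholder version value:
     replace X.Y.Z with the patched spring-cloud-function release you need. -->
<properties>
    <spring-cloud-function.version>X.Y.Z</spring-cloud-function.version>
</properties>

<dependencyManagement>
    <dependencies>
        <!-- Entries declared directly in dependencyManagement take precedence
             over versions merged in from an imported BOM, so this overrides
             spring-cloud-function-context wherever it appears transitively
             (e.g. under spring-cloud-stream) without adding it to <dependencies>. -->
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-function-context</artifactId>
            <version>${spring-cloud-function.version}</version>
        </dependency>

        <!-- Release-train BOM from the answer; supplies versions for everything
             else that is still part of the train. -->
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-dependencies</artifactId>
            <version>2021.0.2</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>
```

Verify which version actually gets resolved with `mvn dependency:tree -Dincludes=org.springframework.cloud:spring-cloud-function-context`; if the module still shows the old version under spring-cloud-stream, the managed entry is not taking effect (for example because a parent POM manages it too).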