CVE-2016-9878 Spring Gradle plugin

Dear Team,

I need help regarding a vulnerability detected in spring-boot-gradle-plugin 3.2.0 - 3.2.2.

When running the dependencycheck, a vulnerability with CVE-2016-9878 named dependency-management-plugin-1.1.4.jar is detected.

We are using 'org.springframework.boot' version '3.2.2'… and we don't know what we can update to mitigate this vulnerability or categorize it as a false positive.

I'm not sure why you are asking this here.

Gradle does not provide a dependency check, so you need to consult whatever dependency check tool you use on how to mark it as false-positive if you want to do that.

If you think this is something to be fixed in the Spring Boot Gradle Plugin, this is also not the right place, but you should report it to the Spring Boot Gradle Plugin maintainers, probably through their bug tracker.

Having said that, if you get this vulnerability because you are actually using the Spring Dependency Management plugin, there is a simple solution: do not use it. It is an obsolete relic from the times when Gradle did not have built-in BOM support; by now it does more harm than good, and even its maintainer recommends not using it anymore, but using the built-in BOM support via platform(...) instead.
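As an added illustration of that last suggestion (this is an example written for this thread, not code from either poster or from the Spring Boot project), here is a build.gradle in the Groovy DSL showing the two approaches side by side. It assumes a plain Java application; the plugin ids, the 3.2.2 version and the 1.1.4 plugin version are the ones mentioned in the thread, and `SpringBootPlugin.BOM_COORDINATES` is the constant the Spring Boot Gradle plugin exposes for its own BOM.

```groovy
// Added example for this thread, not taken from the original posts.
// Assumed project: a plain Java application built with Gradle.

// --- Before: the obsolete io.spring.dependency-management plugin ---
// (kept as a comment so this file still evaluates as a single build script)
// plugins {
//     id 'java'
//     id 'org.springframework.boot' version '3.2.2'
//     id 'io.spring.dependency-management' version '1.1.4'   // the plugin the scanner flags
// }
// dependencies {
//     implementation 'org.springframework.boot:spring-boot-starter-web'
// }

// --- After: Gradle's built-in BOM support via platform(...) ---
plugins {
    id 'java'
    id 'org.springframework.boot' version '3.2.2'
    // io.spring.dependency-management is deliberately NOT applied
}

repositories {
    mavenCentral()
}

dependencies {
    // Import Spring Boot's BOM as a Gradle platform. BOM_COORDINATES resolves to
    // org.springframework.boot:spring-boot-dependencies:<applied plugin version>,
    // so the managed versions stay in lockstep with the Boot plugin itself.
    implementation platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)

    // Versions now come from the platform, so none are declared on the starters.
    implementation 'org.springframework.boot:spring-boot-starter-web'
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
}
```

Run `./gradlew dependencies --configuration runtimeClasspath` afterwards to confirm that every Spring artifact resolves to the version managed by the platform. Note that removing the plugin only stops your build from using it; if your scanner also inspects the buildscript classpath, the `dependency-management-plugin-1.1.4.jar` can still show up there as a dependency of the Boot plugin itself, and that case is handled through the scanner's own suppression mechanism, as the reply above says.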