I am using gradle wrapper to build my spring boot applications. We recently integrated an SCA tool to find open source vulnerabilities in our code. The tool (whitesource in our case) scans the gradle distribution folder too (.gradle/wrapper/dists/gradle-6.6.1-bin/du4tvj86lhti6iga1v8h7pckb/gradle-6.6.1/lib/plugins/). Here it is complaining about two jars that are identified as high priority vulnerabilities:
- snakeyaml-1.17.jar
- google-oauth-client-1.25.0.jar
When I run ./gradlew dependencies in the project, the snakeyaml dependency is present but the version is 1.26 (as opposed to 1.17 that seems to have the vulnerability). I can see that the jar is present in the gradle distribution plugins folder. The google-oauth-client dependency is not present in the project at all.
Is there a way I can exclude/replace these dependencies in the gradle distribution plugins folder?