I am trying to use version 4.1.100.Final for the netty-codec-http library as the OWASP dependency checker marks the netty* dependancies as HIGH. It is pulled out by amazon s3 dependency. Here is my build.gradle file. I am using gradle 8.3 and jdk11.
plugins {
id 'java'
id 'org.springframework.boot' version '2.7.16'
id 'io.spring.dependency-management' version '1.0.15.RELEASE'
id "org.owasp.dependencycheck" version "8.2.1"
}
group = 'com.test'
version = '0.0.1-SNAPSHOT'
java {
sourceCompatibility = '11'
}
repositories {
mavenCentral()
}
configurations.all {
resolutionStrategy {
force 'io.netty:netty-codec-http:4.1.100.Final'
}
}
dependencies {
implementation 'org.springframework.boot:spring-boot-starter'
testImplementation 'org.springframework.boot:spring-boot-starter-test'
implementation platform("software.amazon.awssdk:bom:2.21.0")
implementation "software.amazon.awssdk:sdk-core"
implementation "software.amazon.awssdk:s3"
implementation "software.amazon.awssdk:route53"
implementation "software.amazon.awssdk:route53resolver"
}
tasks.named('test') {
useJUnitPlatform()
}
I have followed this link to setup AWS on gradle.
The dependency checker still shows the 4.1.97.Final version and marks it as HIGH. I am using the following command to generate the OWASP report:
./gradlew dependencyCheckAnalyze