I am using Gradle 5.1.1 to compile my Spring Boot applications in a Docker container.
I am using JFrog Artifactory to store all the artifacts. It runs a JFrog Xray artifact scan, which is causing the issue.
Gradle 5.1.1 comes with commons-collections-3.2.2.jar in the lib folder and bcprov-jdk15on-1.60.jar in the lib/plugin folder. These JARs are causing the JFrog Xray issue.
These are the vulnerabilities that are causing my build to fail:
The Xray scan should pass.
The Xray scan is failing with the vulnerabilities attached.
Can you please let me know:
- Is there any way we can upgrade these 2 JARs in gradle-5.1.1?
- I have tried directly replacing the JARs with the upgraded versions, but then it is not able to compile my code.
Please let me know, as this issue is a blocker.
JARs in which the vulnerabilities are fixed, in the versions below:
Can you please let us know how we can update the pre-existing JARs in the Gradle package, i.e. gradle-5.1.1-all.zip?
NOTE: I want the JARs to be updated in the Gradle package inside the lib folder.
"summary": "The AdminUI in HPE Operations Manager (OM) before 9.21.130 on Linux, Unix, and Solaris allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library."
"description": "HPE Discovery and Dependency Mapping Inventory (DDMi) 9.30, 9.31, 9.32, 9.32 update 1, 9.32 update 2, and 9.32 update 3 allows remote authenticated users to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.",