TechQA.

feign client transitive dependency vulnerability issue apache commons fileupload 1.4 in gradle

1k views Asked by At

In one of the project, I am using spring cloud starter openfeign 3.1.2 which is internally using apache commons fileupload 1.4. Blackduck is raising vulnerability issue with apache commons fileupload 1.4, so I need to use apache commons fileupload 1.5. How can I use spring cloud starter openfeign 3.1.2 with apache commons fileupload 1.5. or is there any version of spring cloud starter openfeign which is using apache commons fileupload version 1.5 ?

implementation "org.springframework.cloud:spring-cloud-starter-openfeign:3.1.2"

apache-commons-fileupload transitive-dependency openfeign blackduck
Original Q&A
1

There are 1 answers

0
cyberbrain On

Gradle allows you to override versions of transitive dependencies as constraints. But it doesn't check if those new versions also actually work with your direct dependency, this is up to you as developer or maintainer.

An example how to override a version is given in the gradle userguide: (here the groovy variant, I adapted it to your scenario, but you better check and adapt it further)

dependencies {
    implementation 'org.springframework.cloud:spring-cloud-starter-openfeign'
    constraints {
        implementation('org.springframework.cloud:spring-cloud-starter-openfeign:3.1.2') {
            because 'previous versions have a bug impacting this application'
        }
        implementation('commons-fileupload:commons-fileupload:1.5') {
            because 'version 1.4 pulled from spring-cloud-starter-openfeign has vulnerabilities'
        }
    }
}

Related Questions in APACHE-COMMONS-FILEUPLOAD

Related Questions in TRANSITIVE-DEPENDENCY

Related Questions in OPENFEIGN

Related Questions in BLACKDUCK

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json

Trending Questions