Skip to content

fix(deps): patch osv-scan dependency vulnerabilities#110

Open
seonghobae wants to merge 1 commit into
mainfrom
feat/osv-dep-vuln-fix
Open

fix(deps): patch osv-scan dependency vulnerabilities#110
seonghobae wants to merge 1 commit into
mainfrom
feat/osv-dep-vuln-fix

Conversation

@seonghobae

Copy link
Copy Markdown
Collaborator

Summary

Patches OSV-confirmed dependency vulnerabilities in pom.xml so osv-scan passes across clearfolio PRs. Minimal, idiomatic Spring Boot fix: bump the parent, drop an unused heavy dependency, and override three BOM version properties — no <dependencyManagement> block needed.

Confirmed CVEs cleared

Remove unused Tika (tika-parsers-standard-package 3.2.2 — zero source usage) — 7 CVEs, incl. the only CRITICAL:

  • bcprov-jdk18on CVE-2025-14813 (CRITICAL)
  • bcpkix-jdk18on, commons-io 2.7, commons-lang3 3.17.0, junrar 7.5.5

Bump spring-boot-starter-parent 3.5.0 → 3.5.14:

  • spring-boot CVE-2026-40973 (raises managed floors for logback/reactor-netty/assertj/base spring/jackson/netty)

Override BOM properties to force transitive floors:

  • netty.version=4.1.135.Final — clears all 18 netty CVEs (reachable via the live webflux/reactor-netty HTTP server — the largest real exposure)
  • jackson-bom.version=2.21.4 — jackson-databind CVE-2026-54512 / 54513 / 54514, jackson-core GHSA-72hv-8253-57qq (jackson-databind is a direct dep, used in ApiErrorResponse.java)
  • spring-framework.version=6.2.18 — spring-core CVE-2025-41249, spring-web CVE-2025-41234, spring-webflux CVEs

Verification

mvn -DskipTests compile succeeds. mvn dependency:tree confirms:

  • No org.apache.tika / org.bouncycastle / junrar / commons-io:2.7 artifacts remain
  • Every io.netty:* module is 4.1.135.Final
  • jackson-databind is 2.21.4
  • spring-core / spring-web / spring-webflux are 6.2.18
  • spring-boot is 3.5.14

osv-scanner was rate-limited (HTTP 429) resolving the parent POM from Maven Central, so the authoritative transitive-version verification is the mvn dependency:tree above (BUILD SUCCESS).

Residual (cannot fix)

  • jackson-databind CVE-2026-54515 (MODERATE) — no published fix for the 2.19+ line. Accept/suppress and track upstream.

🤖 Generated with Claude Code

Resolve OSV-confirmed dependency vulnerabilities in pom.xml so osv-scan
passes across clearfolio PRs. Verified via `mvn dependency:tree` (BUILD
SUCCESS) since osv-scanner itself 429s on Maven Central during parent/BOM
resolution and cannot resolve transitive versions.

Changes:
- Bump spring-boot-starter-parent 3.5.0 -> 3.5.14 (fixes spring-boot
  CVE-2026-40973; raises managed floors for logback/reactor-netty/assertj/
  base spring-framework/jackson/netty).
- Remove unused org.apache.tika:tika-parsers-standard-package 3.2.2 (zero
  source usage). Eliminates the only CRITICAL, bcprov-jdk18on
  CVE-2025-14813, plus bcpkix-jdk18on, commons-io 2.7, commons-lang3
  3.17.0, and junrar 7.5.5 findings — 7 CVEs and a large parser attack
  surface.
- Override three spring-boot-dependencies BOM properties to force
  transitive floors:
    netty.version=4.1.135.Final       -> clears all 18 netty CVEs
    jackson-bom.version=2.21.4         -> clears jackson-databind
                                         CVE-2026-54512/54513/54514 and
                                         jackson-core GHSA-72hv-8253-57qq
    spring-framework.version=6.2.18    -> clears spring-core CVE-2025-41249,
                                         spring-web CVE-2025-41234, and
                                         spring-webflux CVEs

Verified (mvn dependency:tree): no tika/bouncycastle/junrar/commons-io:2.7
remain; every io.netty:* is 4.1.135.Final; jackson-databind 2.21.4;
spring-core/web/webflux 6.2.18; spring-boot 3.5.14. `mvn -DskipTests
compile` succeeds.

Residual: jackson-databind CVE-2026-54515 (MODERATE) has no published fix
for the 2.19+ line — accept/suppress and track upstream.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017RkKdtHRLG4wSLh6PVsp8J
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant