I'm kinda new in the Gradle world. As part of a security audit we are having, we were told that the following dependency in one of our Gradle projects:
    compile(group: 'org.springframework.boot', name: 'spring-boot-starter-thymeleaf', version: '1.5.8.RELEASE')
is using the transitive dependency Groovy 2.4.7, but since that version has some security vulnerabilities ( https://nvd.nist.gov/vuln/detail/CVE-2016-6497 ), we need to override the Groovy version with a newer one.
This is the dependency tree for that section:
    org.springframework.boot.spring-boot-starter-thymeleaf-1.4.1.RELEASE ( /opt/whitehat/satellite/applications/9400/src/10280/pom.xml [line 36, column 15] )
        - nz.net.ultraq.thymeleaf.thymeleaf-layout-dialect-1.4.0 ( /opt/whitehat/satellite/applications/9400/src/10280/pom.xml [line 36, column 15] )
            - org.codehaus.groovy.groovy-2.4.7
How to override the Groovy version from 2.4.7 to a higher version?
I have tried the following but it's not working:
    compile(group: 'org.springframework.boot', name: 'spring-boot-starter-thymeleaf', version: '1.5.8.RELEASE') {
        exclude(module: 'groovy')
    }
    compile group: 'org.codehaus.groovy', name: 'groovy-all', version: '2.4.12'
If it is because of security concerns, I'd use a resolution strategy to make sure no one accidentally adds this version to any configuration, like this:
    configurations.all {
        resolutionStrategy {
            dependencySubstitution {
                substitute module('org.codehaus.groovy:groovy:2.4.7') with module('org.codehaus.groovy:groovy:2.4.12')
            }
        }
    }
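A fuller build script, added here as an example (it is not the asker's or the answerer's code), showing the same idea end to end. It pins both Groovy artifacts (`groovy` and `groovy-all`) with `resolutionStrategy.force`, which is a swapped-in alternative to the `dependencySubstitution` block in the answer: substitution replaces one exact requested version, while `force` pins the module regardless of which version a transitive dependency asks for. It also adds a guard task that fails the build if the affected version still resolves in any configuration, so the fix cannot silently regress. It assumes a Gradle 4.x-era Groovy DSL build with the `java` plugin (the syntax the answer uses); the task name `verifyNoVulnerableGroovy` and the two `ext` version properties are my own.

```groovy
// Added example, not the original poster's or answerer's build file.
// Assumes a Gradle 4.x-era Groovy DSL build; the 'compile' configuration comes from the java plugin.
apply plugin: 'java'

repositories {
    mavenCentral()
}

// Assumption: the affected and the replacement Groovy versions named in the thread.
ext {
    vulnerableGroovyVersion = '2.4.7'
    fixedGroovyVersion      = '2.4.12'
}

dependencies {
    compile(group: 'org.springframework.boot', name: 'spring-boot-starter-thymeleaf', version: '1.5.8.RELEASE')
}

configurations.all {
    resolutionStrategy {
        // Pin every Groovy module to the fixed version wherever it is pulled in transitively.
        // 'force' overrides any requested version, so it also catches a later downgrade
        // introduced by some other dependency.
        force "org.codehaus.groovy:groovy:${fixedGroovyVersion}",
              "org.codehaus.groovy:groovy-all:${fixedGroovyVersion}"
    }
}

// Guard task (hypothetical name): walk every resolvable configuration and fail the build
// if the affected Groovy version is still part of the resolved graph.
task verifyNoVulnerableGroovy {
    description = "Fails if Groovy ${vulnerableGroovyVersion} resolves in any configuration."
    doLast {
        def offenders = []
        configurations.findAll { it.canBeResolved }.each { cfg ->
            cfg.resolvedConfiguration.lenientConfiguration.allModuleDependencies.each { dep ->
                if (dep.moduleGroup == 'org.codehaus.groovy' && dep.moduleVersion == vulnerableGroovyVersion) {
                    offenders << "${cfg.name}: ${dep.moduleGroup}:${dep.moduleName}:${dep.moduleVersion}"
                }
            }
        }
        if (!offenders.empty) {
            throw new GradleException("Affected Groovy version resolved:\n  " + offenders.join('\n  '))
        }
        println "No Groovy ${vulnerableGroovyVersion} in the resolved dependency graph."
    }
}

// Run the guard as part of the normal 'check' lifecycle so CI picks it up.
check.dependsOn verifyNoVulnerableGroovy
```

To confirm which version actually resolves and why, run `gradle dependencyInsight --dependency groovy --configuration compile`; the report shows the forced version and the original request from `thymeleaf-layout-dialect`. Note that the audit tool's tree above is quoting a `pom.xml`, so if the project is also published or scanned through a Maven POM, the Gradle-side pin will not change what that scanner sees.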