How do I fix these warnings in a Spring pom.xml file?

Stack Overflow user
Asked on 2022-09-12 02:53:21
Answers 2, Views 998, Followers 0, Votes 1

I am trying to create a Spring project. When I modify some dependencies and reload the project with Maven, the following warnings appear.

pom.xml

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.7.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>com.hank</groupId>
    <artifactId>springboot-mall</artifactId>
    <version>0.0.1-SNAPSHOT</version>
    <name>springboot-mall</name>
    <description>springboot-mall</description>
    <properties>
        <java.version>11</java.version>
    </properties>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-jdbc</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>

        <dependency>
            <groupId>com.h2database</groupId>
            <artifactId>h2</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
            <scope>runtime</scope>
            <version>8.0.22</version>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
            <exclusions>
                <exclusion>
                    <groupId>org.junit.vintage</groupId>
                    <artifactId>junit-vintage-engine</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
    </dependencies>

    <build>
        <plugins>
            <plugin>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-maven-plugin</artifactId>
            </plugin>
        </plugins>
    </build>
</project>
```

Warnings

```text
Warning:(20, 3)  Provides transitive vulnerable dependency ch.qos.logback:logback-classic:1.2.3 CVE-2021-42550 6.6 Deserialization of Untrusted Data vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(20, 3)  Provides transitive vulnerable dependency ch.qos.logback:logback-core:1.2.3 CVE-2021-42550 6.6 Deserialization of Untrusted Data vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(20, 3)  Provides transitive vulnerable dependency org.springframework:spring-beans:5.2.12.RELEASE CVE-2022-22965 9.8 Improper Control of Generation of Code ('Code Injection') vulnerability pending CVSS allocation CVE-2022-22970 5.3 Allocation of Resources Without Limits or Throttling vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(20, 3)  Provides transitive vulnerable dependency org.springframework:spring-context:5.2.12.RELEASE CVE-2022-22968 5.3 Improper Handling of Case Sensitivity vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(20, 3)  Provides transitive vulnerable dependency org.springframework:spring-core:5.2.12.RELEASE CVE-2021-22060 4.3 Improper Output Neutralization for Logs vulnerability pending CVSS allocation CVE-2021-22096 4.3 Improper Output Neutralization for Logs vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(24, 3)  Provides transitive vulnerable dependency com.fasterxml.jackson.core:jackson-databind:2.11.3 Cxced0c06c-935c 5.9 Uncontrolled Resource Consumption vulnerability pending CVSS allocation CVE-2020-36518 7.5 Out-of-bounds Write vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(24, 3)  Provides transitive vulnerable dependency org.apache.tomcat.embed:tomcat-embed-core:9.0.41 CVE-2021-25329 7.0 Deserialization of Untrusted Data vulnerability pending CVSS allocation CVE-2021-25122 7.5 Exposure of Sensitive Information to an Unauthorized Actor vulnerability pending CVSS allocation CVE-2021-33037 5.3 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') vulnerability pending CVSS allocation CVE-2021-41079 7.5 Improper Input Validation vulnerability pending CVSS allocation CVE-2021-30639 7.5 Improper Handling of Exceptional Conditions vulnerability pending CVSS allocation CVE-2021-30640 6.5 Improper Encoding or Escaping of Output vulnerability pending CVSS allocation CVE-2022-23181 7.0 Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(24, 3)  Provides transitive vulnerable dependency org.glassfish:jakarta.el:3.0.3 CVE-2021-28170 5.3 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(24, 3)  Provides transitive vulnerable dependency org.apache.tomcat.embed:tomcat-embed-websocket:9.0.41 CVE-2021-42340 7.5 Missing Release of Resource after Effective Lifetime vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(24, 3)  Provides transitive vulnerable dependency org.springframework:spring-web:5.2.12.RELEASE CVE-2016-1000027 9.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation CVE-2021-22118 7.8 Improper Privilege Management vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(24, 3)  Provides transitive vulnerable dependency org.springframework:spring-webmvc:5.2.12.RELEASE CVE-2016-1000027 9.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(24, 3)  Provides transitive vulnerable dependency org.springframework:spring-expression:5.2.12.RELEASE CVE-2022-22950 6.5 Allocation of Resources Without Limits or Throttling vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(29, 3)  Dependency com.h2database:h2:1.4.200 is vulnerable CVE-2018-14335 6.5 Improper Link Resolution Before File Access ('Link Following') vulnerability pending CVSS allocation CVE-2021-42392 9.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation CVE-2021-23463 9.1 Improper Restriction of XML External Entity Reference vulnerability pending CVSS allocation CVE-2022-23221 9.8 Improper Control of Generation of Code ('Code Injection') vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(34, 3)  Dependency mysql:mysql-connector-java:8.0.22 is vulnerable CVE-2021-2471 5.9 Improper Restriction of XML External Entity Reference vulnerability with medium severity found CVE-2022-21363 6.6 Improper Input Validation vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
Warning:(40, 3)  Provides transitive vulnerable dependency net.minidev:json-smart:2.3 CVE-2021-27568 9.1 Improper Check for Unusual or Exceptional Conditions vulnerability pending CVSS allocation CVE-2021-31684 7.5 Out-of-bounds Write vulnerability pending CVSS allocation  Results powered by Checkmarx(c) 
```

What exactly do these messages mean? They look like security issues, but I don't know how to resolve them. I have already tried googling the warnings, but found nothing to refer to.


2 Answers

Stack Overflow user

Posted on 2022-09-12 03:41:44

These messages tell you that the dependencies you are using have some known vulnerabilities (either directly, or transitively through other dependencies).

For example, for Spring version 2.3.7.RELEASE, you can look up the list of known vulnerabilities for this dependency on the Maven repository website.

So either upgrade the dependency version, or check the mitigations for the known vulnerabilities for more details.

Votes 0

Stack Overflow user

Posted on 2022-09-13 09:51:39

Try this,

```xml
<dependency>
  <groupId>org.foo.bar</groupId>
  <artifactId>foo-bar</artifactId>
</dependency>
```

instead of

```xml
<dependency>
  <groupId>org.foo.bar</groupId>
  <artifactId>foo-bar</artifactId>
  <version>1.3.56</version>
</dependency>
```
Votes 0
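As an added example (not code from the question or from either answer), here is a small Python script that parses warning lines in the Checkmarx format shown in the question and cross-checks them against the pom: it ranks findings by their worst CVSS score, which is the triage the first answer calls for, and flags direct dependencies that pin their own `<version>` instead of inheriting it from `spring-boot-starter-parent`, which is the case the second answer addresses. The three warning lines and the minimal pom are constructed from the question's content, and `parse_warnings`, `pinned_versions` and `triage` are hypothetical helper names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: three warning lines in the format shown in the question.
WARNINGS = """\
Warning:(20, 3)  Provides transitive vulnerable dependency ch.qos.logback:logback-classic:1.2.3 CVE-2021-42550 6.6 Deserialization of Untrusted Data vulnerability pending CVSS allocation  Results powered by Checkmarx(c)
Warning:(29, 3)  Dependency com.h2database:h2:1.4.200 is vulnerable CVE-2018-14335 6.5 Improper Link Resolution Before File Access ('Link Following') vulnerability pending CVSS allocation CVE-2021-42392 9.8 Deserialization of Untrusted Data vulnerability pending CVSS allocation  Results powered by Checkmarx(c)
Warning:(34, 3)  Dependency mysql:mysql-connector-java:8.0.22 is vulnerable CVE-2021-2471 5.9 Improper Restriction of XML External Entity Reference vulnerability with medium severity found CVE-2022-21363 6.6 Improper Input Validation vulnerability pending CVSS allocation  Results powered by Checkmarx(c)
"""
# Constructed minimal pom: h2 is parent-managed, mysql pins its own version.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>com.h2database</groupId><artifactId>h2</artifactId></dependency>
<dependency><groupId>mysql</groupId><artifactId>mysql-connector-java</artifactId><version>8.0.22</version></dependency>
</dependencies></project>"""

HEAD = re.compile(r"Warning:\((\d+), \d+\)\s+(Provides transitive vulnerable dependency|Dependency) (\S+)")
CVE = re.compile(r"(CVE-\d{4}-\d+) (\d+\.\d)")
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def parse_warnings(text):
    """One record per warning: pom line, direct or transitive, coordinates, CVEs with CVSS."""
    out = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            line_no, kind, gav = m.groups()
            cves = [(c, float(s)) for c, s in CVE.findall(line)]  # vendor ids (Cx...) are skipped
            out.append({"line": int(line_no), "direct": kind == "Dependency", "gav": gav,
                        "cves": cves, "max_cvss": max((s for _, s in cves), default=0.0)})
    return out

def pinned_versions(pom_xml):
    """groupId:artifactId -> version for every dependency that declares its own <version>."""
    pinned = {}
    for dep in ET.fromstring(pom_xml).findall(".//m:dependencies/m:dependency", NS):
        ver = dep.find("m:version", NS)
        if ver is not None:
            pinned[dep.findtext("m:groupId", namespaces=NS) + ":" + dep.findtext("m:artifactId", namespaces=NS)] = ver.text
    return pinned

def triage(warnings_text, pom_xml):
    """Worst CVSS first; mark direct deps whose version is pinned in the pom rather than inherited."""
    pinned = pinned_versions(pom_xml)
    findings = parse_warnings(warnings_text)
    for f in findings:
        f["pinned_in_pom"] = f["direct"] and f["gav"].rsplit(":", 1)[0] in pinned
    return sorted(findings, key=lambda f: (-f["max_cvss"], f["line"]))
```

Calling `triage(WARNINGS, POM)` puts h2 (CVSS 9.8, parent-managed) first and marks only the mysql connector as pinned; a pinned direct dependency is the one to unpin or bump, while a transitive one like logback is fixed by upgrading whichever starter pulls it in.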
The original page content is provided by Stack Overflow; translation support by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/73684037