Looking to see if commons-compress library can be updated from 1.25.0 to 1.26.2 in the spring-boot/spring-boot-project/spring-boot-tools/spring-boot-loader-tools/build.gradle file.

I know it says in the DO NOT Raise an Issue about managed dependencies that I don't need to do this, but it looks like commons compress released the 1.26.0 version without the 2 direct vulnerabilities on Feb 19th. 1.25.0 link for reference

Could I raise the PR, or help solve the problem? Thanks.

Comment From: philwebb

Unfortunately upgrading commons-compress isn't as simple as it first appears due to compatibility issues. Luckily, the CVEs are a false positive for us since we don't use commons-compress with untrusted input.

I'm going to mark this as a duplicate of #39368. Once that issue is fixed, we can consider an upgrade for Spring Boot 3.4.

Comment From: qwertychouskie

Is there a recommended workaround in the meantime? Is it safe to override the dependency using constraints in Gradle, or will that break some functionality? Even if the attacks are not possible with the way Spring uses the library, it still causes noisy warnings in our monitoring tool, which makes other warnings less likely to be spotted as quickly as possible.

Comment From: wilkinsona

Is it safe to override the dependency using constraints in Gradle

Yes, that should be fine from Spring Boot's own perspective. You'll only know for sure by trying it and seeing if things work as expected in your application as it'll depend on whether or not anything else on the classpath is using Commons Compress and whether it's affected by the incompatibilities.
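As an added illustration of the workaround discussed above (not code from the Spring Boot project or from anyone in this thread), this is what overriding the managed Commons Compress version with a Gradle dependency constraint looks like in a Groovy DSL `build.gradle`. The coordinates `org.apache.commons:commons-compress` and the target version 1.26.2 are taken from the discussion; the `because` text is a constructed placeholder.

```groovy
// Added example: pin Commons Compress above the version Spring Boot's
// dependency management would otherwise select. A constraint only raises
// the version; it does not add the library to the classpath by itself.
dependencies {
    constraints {
        implementation('org.apache.commons:commons-compress:1.26.2') {
            because 'constructed placeholder: track the upstream fix release'
        }
    }
}
```

After applying it, check the resolved version rather than trusting the constraint on its own: `./gradlew dependencyInsight --dependency commons-compress --configuration runtimeClasspath` shows which version Gradle selected and every path that pulled it in, which is also where any other library on the classpath that still depends on the older line (and so might hit the incompatibilities wilkinsona mentions) will show up. Run the application's test suite afterwards, since the constraint changes the runtime classpath, not just the report in the monitoring tool.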