Dear colleagues,
As org.springframework.security:spring-security-oauth2-jose:jar:5.1.7 brings in com.nimbusds:nimbus-jose-jwt:jar:6.0.2, which has the vulnerability https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17195, can you please upgrade the dependency com.nimbusds:nimbus-jose-jwt to 7.9, which doesn't have this vulnerability? Or at least let us know whether org.springframework.security:spring-security-oauth2-jose:jar:5.1.7 is compatible with version 7.9 of com.nimbusds:nimbus-jose-jwt:jar?
Kind regards, Sachin
Comment From: jzheaux
Yes, Spring Security 5.1.7 is compatible with Nimbus JOSE 7.9.
Comment From: artem-smotrakov
By the way, how about adding a dependency checker to catch such issues? For example, we can add OWASP Dependency Check to the CI/CD pipeline, or use Dependabot (or a similar tool). If it's okay, I can try to integrate a preferred tool.
@jzheaux What do you think?
Comment From: jzheaux
Declined for reasons explained in https://github.com/spring-projects/spring-security/pull/7817#issuecomment-592217298
Comment From: jzheaux
@artem-smotrakov, I appreciate the idea. We've recently changed the project to use Gradle's version constraints in order to get the latest dependencies possible with each build. I imagine that this will address the majority of issues since a new version typically accompanies a CVE announcement for any given dependency.
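For readers who hit the same transitive dependency in their own builds, here is an added example (not code from the Spring Security project or from anyone in this thread) of what the original question and jzheaux's last comment describe: a consumer Gradle build (Groovy DSL) that depends on spring-security-oauth2-jose 5.1.7 and uses a Gradle dependency constraint to lift the transitive nimbus-jose-jwt from 6.0.2 to 7.9, the version jzheaux confirmed compatible. The Maven Central coordinate for this Spring Security line carries a `.RELEASE` suffix; everything else is taken from the thread.

```groovy
// Added example build script, not part of the Spring Security project.
// Assumes a plain Java project; the only dependency of interest is the
// transitive nimbus-jose-jwt that spring-security-oauth2-jose pulls in.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // Spring Security 5.1.x artifacts are published as 5.1.7.RELEASE on Maven Central.
    implementation 'org.springframework.security:spring-security-oauth2-jose:5.1.7.RELEASE'

    // A constraint influences version resolution without adding a direct
    // dependency: nimbus-jose-jwt is still brought in transitively, but
    // Gradle resolves it to 7.9 instead of the 6.0.2 the starter declares.
    constraints {
        implementation('com.nimbusds:nimbus-jose-jwt:7.9') {
            because 'CVE-2019-17195 affects 6.0.2; 7.9 is the fixed version confirmed compatible with Spring Security 5.1.7'
        }
    }
}
```

To confirm the override took effect, inspect the resolved graph rather than trusting the declaration: `./gradlew dependencyInsight --dependency nimbus-jose-jwt --configuration runtimeClasspath` shows which version was selected and prints the `because` reason next to the constraint, and `./gradlew dependencies --configuration runtimeClasspath` should list `com.nimbusds:nimbus-jose-jwt:6.0.2 -> 7.9`. A constraint only raises the version; it does not remove the transitive edge, so if a later Spring Security upgrade already ships a newer Nimbus release, the constraint becomes a no-op and can be dropped.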