During the security scan of my project this library got caught as a security vulnerability (Unpatched Library: CVE-2021-36090, CVE-2021-35517, CVE-2021-35516, CVE-2021-35515).

Comment From: snicoll

@sreyasvpariyath Spring Boot does not provide dependency management for Apache Commons Compress.

Comment From: wilkinsona

However, we do use it in a few places. We already upgraded to 1.21 in this commit. Even without that upgrade, the 4 CVEs listed above would be false positives as it's never used with untrusted input.

Comment From: sreyasvpariyath

Thanks a lot for the response. Due to some other external dependency, I cannot upgrade my project to 2.6.x at the moment. Since it is a child dependency, I am not sure it is possible to upgrade its version from my build.gradle file; is it? I could not find a reference.

Comment From: bclozel

I think that what Stéphane and Andy meant is that:

* if your application depends on this commons-compress version, this is not due to Spring Boot directly, as we don't manage this dependency. Another third-party dependency is probably bringing that to your application classpath.
* other parts of Spring Boot use this dependency, but we recently upgraded already, and the related feature never parses untrusted input.

In your case, you should use your build system to track down where this dependency is coming from:

# with gradle
$ gradle -q dependencyInsight --dependency commons-compress
# with maven
$ ./mvnw dependency:tree

Comment From: snicoll

We're going to upgrade our internal use of it regardless. Please note, however, that us doing so isn't going to fix what you've described. Please follow up with Brian's advice.

Comment From: sreyasvpariyath

@bclozel I could not find commons-compress in my dependency tree:

$ gradle -q dependencyInsight --dependency commons-compress
No dependencies matching given input were found in configuration ':compileClasspath'

However, when I run gradlew buildEnvironment I am getting the following output:

+--- org.springframework.boot:org.springframework.boot.gradle.plugin:2.4.6
|    \--- org.springframework.boot:spring-boot-gradle-plugin:2.4.6
|         +--- org.springframework.boot:spring-boot-buildpack-platform:2.4.6
|         |    +--- com.fasterxml.jackson.core:jackson-databind:2.11.4
|         |    |    +--- com.fasterxml.jackson.core:jackson-annotations:2.11.4
|         |    |    \--- com.fasterxml.jackson.core:jackson-core:2.11.4
|         |    +--- com.fasterxml.jackson.module:jackson-module-parameter-names:2.11.4
|         |    |    +--- com.fasterxml.jackson.core:jackson-core:2.11.4
|         |    |    \--- com.fasterxml.jackson.core:jackson-databind:2.11.4 (*)
|         |    +--- net.java.dev.jna:jna-platform:5.5.0
|         |    |    \--- net.java.dev.jna:jna:5.5.0
|         |    +--- **org.apache.commons:commons-compress:1.20**
|         |    +--- org.apache.httpcomponents:httpclient:4.5.13
|         |    |    +--- org.apache.httpcomponents:httpcore:4.4.13
|         |    |    +--- commons-logging:commons-logging:1.2
|         |    |    \--- commons-codec:commons-codec:1.11
|         |    \--- org.springframework:spring-core:5.3.7
|         |         \--- org.springframework:spring-jcl:5.3.7
|         +--- org.springframework.boot:spring-boot-loader-tools:2.4.6
|         |    +--- org.apache.commons:commons-compress:1.20
|         |    \--- org.springframework:spring-core:5.3.7 (*)
|         +--- io.spring.gradle:dependency-management-plugin:1.0.11.RELEASE
|         +--- **org.apache.commons:commons-compress:1.20**
|         \--- org.springframework:spring-core:5.3.7 (*)
\--- io.spring.dependency-management:io.spring.dependency-management.gradle.plugin:1.0.11.RELEASE
     \--- io.spring.gradle:dependency-management-plugin:1.0.11.RELEASE

Comment From: bclozel

@sreyasvpariyath this shows that this library doesn't ship with your application JAR but is used by the Spring Boot build plugins. So this points exactly to Andy's comment, and this issue takes care of it.
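To triage a scanner finding like this one against Gradle's tree output, here is an added example (not from the thread or from the Spring Boot project) that parses the `buildEnvironment` / `dependencies` tree format and reports every path to a given group:artifact together with its resolved version, so you can see at a glance whether a flagged artifact sits on the build-plugin classpath or in the application's own configurations. The sample input is the tree quoted above, trimmed to the relevant branches.

```python
import re
# Constructed sample: the `gradle buildEnvironment` output quoted in the thread,
# trimmed to the relevant branches (bold markers removed).
SAMPLE_TREE = r"""
+--- org.springframework.boot:org.springframework.boot.gradle.plugin:2.4.6
|    \--- org.springframework.boot:spring-boot-gradle-plugin:2.4.6
|         +--- org.springframework.boot:spring-boot-buildpack-platform:2.4.6
|         |    +--- net.java.dev.jna:jna-platform:5.5.0
|         |    |    \--- net.java.dev.jna:jna:5.5.0
|         |    +--- org.apache.commons:commons-compress:1.20
|         |    \--- org.springframework:spring-core:5.3.7
|         +--- org.springframework.boot:spring-boot-loader-tools:2.4.6
|         |    +--- org.apache.commons:commons-compress:1.20
|         |    \--- org.springframework:spring-core:5.3.7 (*)
|         +--- org.apache.commons:commons-compress:1.20
|         \--- org.springframework:spring-core:5.3.7 (*)
\--- io.spring.dependency-management:io.spring.dependency-management.gradle.plugin:1.0.11.RELEASE
     \--- io.spring.gradle:dependency-management-plugin:1.0.11.RELEASE
"""

# One node: 5-char indent units ("|    " or "     "), then "+--- " / "\--- ", then coords.
NODE_RE = re.compile(r"^((?:[| ] {4})*)[+\\]--- (\S+)(.*)$")

def split_coord(coord, rest):
    """Return (group:artifact, resolved version); a '-> 1.21' suffix overrides it."""
    parts = coord.split(":")
    version = parts[2] if len(parts) > 2 else None   # 'g:a -> 1.2' has no version
    m = re.match(r"->\s*(\S+)", rest)
    return ":".join(parts[:2]), (m.group(1) if m else version)

def find_paths(text, group_artifact):
    """Return [(resolved_version, [root, ..., node])] for every occurrence.
    '(*)' nodes are kept: only their subtree is elided, the edge is real."""
    hits, stack = [], []
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if not m:
            continue
        prefix, coord, rest = m.groups()
        depth = len(prefix) // 5
        del stack[depth:]                 # pop back to this node's parent
        stack.append(coord)
        ga, version = split_coord(coord, rest.strip())
        if ga == group_artifact:
            hits.append((version, list(stack)))
    return hits

if __name__ == "__main__":
    for version, path in find_paths(SAMPLE_TREE, "org.apache.commons:commons-compress"):
        print(version, " > ".join(path))
```

Run it against the saved output of `gradle -q dependencies --configuration runtimeClasspath` as well: if the artifact only ever resolves under the plugin tree and never under an application configuration, the finding concerns the build tooling, not the shipped JAR.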