As per the Prisma scan, json-smart - 2.4.8 is having vulnerabilities and trying to upgrade json-smart - 2.4.9, but the spring boot - 3.0.5 is referring only json-smart - 2.4.8, even tried to exclude the 2.4.8 and adding the 2.4.9 externally, still it's not working..
Please suggest me for the resolution. ( Spring boot 3.0.5 + json-smart - 2.4.9)
Comment From: wilkinsona
Spring Boot 3.0.5 uses 2.4.10 by default. If you need some help identifying why your application is using 2.4.8, please follow up on Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements.
Comment From: cnareshjavadev
Hi @wilkinsona, Thank you for your suggestion.
We have followed the same and updated accordingly in pom.xml, But still Prisma cloud scan report referring the older version of json-smart - 2.4.7 & 2.4.8 versions somehow. We are unable to find from where prisma scan is detecting the older version.
Below is the git repo details of our service pom.xmls. Please verify and help us how to resolve the issue. https://github.com/cnareshjavadev/snakeyamlNJsonsmatIssues
Comment From: wilkinsona
Sorry, but this isn't the right place to get help with Prisma. As far as I can tell, it's wrong and 2.4.10 is being used. Here's Maven's dependency tree output showing only 2.4.10:
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ utilityService1 ---
[INFO] com.test.utilityService1:utilityService1:jar:4.2.3-SNAPSHOT
[INFO] +- net.sourceforge.htmlunit:neko-htmlunit:jar:2.61.0:compile
[INFO] | \- xerces:xercesImpl:jar:2.12.2:compile
[INFO] +- org.springframework.boot:spring-boot-starter-validation:jar:3.0.5:compile
[INFO] | +- org.springframework.boot:spring-boot-starter:jar:3.0.5:compile
[INFO] | | +- org.springframework.boot:spring-boot:jar:3.0.5:compile
[INFO] | | +- org.springframework.boot:spring-boot-autoconfigure:jar:3.0.5:compile
[INFO] | | +- org.springframework.boot:spring-boot-starter-logging:jar:3.0.5:compile
[INFO] | | | +- ch.qos.logback:logback-classic:jar:1.4.6:compile
[INFO] | | | | \- ch.qos.logback:logback-core:jar:1.4.6:compile
[INFO] | | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.1:compile
[INFO] | | | | \- org.apache.logging.log4j:log4j-api:jar:2.17.1:compile
[INFO] | | | \- org.slf4j:jul-to-slf4j:jar:2.0.7:compile
[INFO] | | +- jakarta.annotation:jakarta.annotation-api:jar:2.1.1:compile
[INFO] | | \- org.springframework:spring-core:jar:6.0.7:compile
[INFO] | | \- org.springframework:spring-jcl:jar:6.0.7:compile
[INFO] | +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.58:compile
[INFO] | \- org.hibernate.validator:hibernate-validator:jar:8.0.0.Final:compile
[INFO] | +- jakarta.validation:jakarta.validation-api:jar:3.0.2:compile
[INFO] | +- org.jboss.logging:jboss-logging:jar:3.5.0.Final:compile
[INFO] | \- com.fasterxml:classmate:jar:1.5.1:compile
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.0.5:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-json:jar:3.0.5:compile
[INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.14.2:compile
[INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.14.2:compile
[INFO] | | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.14.2:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-tomcat:jar:3.0.5:compile
[INFO] | | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.58:compile
[INFO] | | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.58:compile
[INFO] | +- org.springframework:spring-web:jar:6.0.7:compile
[INFO] | | +- org.springframework:spring-beans:jar:6.0.7:compile
[INFO] | | \- io.micrometer:micrometer-observation:jar:1.10.5:compile
[INFO] | | \- io.micrometer:micrometer-commons:jar:1.10.5:compile
[INFO] | \- org.springframework:spring-webmvc:jar:6.0.7:compile
[INFO] | +- org.springframework:spring-context:jar:6.0.7:compile
[INFO] | \- org.springframework:spring-expression:jar:6.0.7:compile
[INFO] +- org.springframework.boot:spring-boot-starter-security:jar:3.0.5:compile
[INFO] | +- org.springframework:spring-aop:jar:6.0.7:compile
[INFO] | +- org.springframework.security:spring-security-config:jar:6.0.2:compile
[INFO] | | \- org.springframework.security:spring-security-core:jar:6.0.2:compile
[INFO] | | \- org.springframework.security:spring-security-crypto:jar:6.0.2:compile
[INFO] | \- org.springframework.security:spring-security-web:jar:6.0.2:compile
[INFO] +- commons-fileupload:commons-fileupload:jar:1.5:compile
[INFO] +- commons-io:commons-io:jar:2.7:compile
[INFO] +- org.owasp.esapi:esapi:jar:2.3.0.0:compile
[INFO] | +- com.io7m.xom:xom:jar:1.2.10:compile
[INFO] | +- commons-beanutils:commons-beanutils:jar:1.9.4:compile
[INFO] | | +- commons-logging:commons-logging:jar:1.2:compile
[INFO] | | \- commons-collections:commons-collections:jar:3.2.2:compile
[INFO] | +- commons-configuration:commons-configuration:jar:1.10:compile
[INFO] | +- commons-lang:commons-lang:jar:2.6:compile
[INFO] | +- org.apache.commons:commons-collections4:jar:4.2:compile
[INFO] | +- org.owasp.antisamy:antisamy:jar:1.6.7:compile
[INFO] | | +- org.apache.httpcomponents.client5:httpclient5:jar:5.1.4:compile
[INFO] | | | \- org.apache.httpcomponents.core5:httpcore5-h2:jar:5.1.5:compile
[INFO] | | +- org.apache.httpcomponents.core5:httpcore5:jar:5.1.5:compile
[INFO] | | +- org.apache.xmlgraphics:batik-css:jar:1.14:compile
[INFO] | | | +- org.apache.xmlgraphics:batik-shared-resources:jar:1.14:compile
[INFO] | | | +- org.apache.xmlgraphics:batik-util:jar:1.14:compile
[INFO] | | | | +- org.apache.xmlgraphics:batik-constants:jar:1.14:compile
[INFO] | | | | \- org.apache.xmlgraphics:batik-i18n:jar:1.14:compile
[INFO] | | | \- org.apache.xmlgraphics:xmlgraphics-commons:jar:2.6:compile
[INFO] | | \- xml-apis:xml-apis-ext:jar:1.3.04:compile
[INFO] | +- org.slf4j:slf4j-api:jar:2.0.7:compile
[INFO] | \- xml-apis:xml-apis:jar:1.4.01:compile
[INFO] +- redis.clients:jedis:jar:4.4.0-m1:compile
[INFO] | +- org.apache.commons:commons-pool2:jar:2.11.1:compile
[INFO] | \- com.google.code.gson:gson:jar:2.9.1:compile
[INFO] +- org.springframework.data:spring-data-redis:jar:3.0.4:compile
[INFO] | +- org.springframework.data:spring-data-keyvalue:jar:3.0.4:compile
[INFO] | | \- org.springframework.data:spring-data-commons:jar:3.0.4:compile
[INFO] | +- org.springframework:spring-tx:jar:6.0.7:compile
[INFO] | +- org.springframework:spring-oxm:jar:6.0.7:compile
[INFO] | \- org.springframework:spring-context-support:jar:6.0.7:compile
[INFO] +- org.springframework.boot:spring-boot-starter-data-jpa:jar:3.0.5:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-aop:jar:3.0.5:compile
[INFO] | | \- org.aspectj:aspectjweaver:jar:1.9.19:compile
[INFO] | +- org.springframework.boot:spring-boot-starter-jdbc:jar:3.0.5:compile
[INFO] | | +- com.zaxxer:HikariCP:jar:5.0.1:compile
[INFO] | | \- org.springframework:spring-jdbc:jar:6.0.7:compile
[INFO] | +- org.hibernate.orm:hibernate-core:jar:6.1.7.Final:compile
[INFO] | | +- jakarta.persistence:jakarta.persistence-api:jar:3.1.0:compile
[INFO] | | +- jakarta.transaction:jakarta.transaction-api:jar:2.0.1:compile
[INFO] | | +- org.hibernate.common:hibernate-commons-annotations:jar:6.0.6.Final:runtime
[INFO] | | +- org.jboss:jandex:jar:2.4.2.Final:runtime
[INFO] | | +- net.bytebuddy:byte-buddy:jar:1.12.23:runtime
[INFO] | | +- jakarta.xml.bind:jakarta.xml.bind-api:jar:4.0.0:runtime
[INFO] | | | \- jakarta.activation:jakarta.activation-api:jar:2.1.1:runtime
[INFO] | | +- org.glassfish.jaxb:jaxb-runtime:jar:4.0.2:runtime
[INFO] | | | \- org.glassfish.jaxb:jaxb-core:jar:4.0.2:runtime
[INFO] | | | +- org.eclipse.angus:angus-activation:jar:2.0.0:runtime
[INFO] | | | +- org.glassfish.jaxb:txw2:jar:4.0.2:runtime
[INFO] | | | \- com.sun.istack:istack-commons-runtime:jar:4.1.1:runtime
[INFO] | | +- jakarta.inject:jakarta.inject-api:jar:2.0.0:runtime
[INFO] | | \- org.antlr:antlr4-runtime:jar:4.10.1:runtime
[INFO] | +- org.springframework.data:spring-data-jpa:jar:3.0.4:compile
[INFO] | | \- org.springframework:spring-orm:jar:6.0.7:compile
[INFO] | \- org.springframework:spring-aspects:jar:6.0.7:compile
[INFO] +- junit:junit:jar:4.13.2:test
[INFO] | \- org.hamcrest:hamcrest-core:jar:2.2:test
[INFO] | \- org.hamcrest:hamcrest:jar:2.2:test
[INFO] +- org.json:json:jar:20080701:compile
[INFO] +- org.postgresql:postgresql:jar:42.5.4:runtime
[INFO] | \- org.checkerframework:checker-qual:jar:3.5.0:runtime
[INFO] +- com.auth0:java-jwt:jar:3.18.3:compile
[INFO] | \- com.fasterxml.jackson.core:jackson-databind:jar:2.14.2:compile
[INFO] +- com.auth0:jwks-rsa:jar:0.20.1:compile
[INFO] | \- com.google.guava:guava:jar:30.0-jre:runtime
[INFO] | +- com.google.guava:failureaccess:jar:1.0.1:runtime
[INFO] | +- com.google.guava:listenablefuture:jar:9999.0-empty-to-avoid-conflict-with-guava:runtime
[INFO] | +- com.google.code.findbugs:jsr305:jar:3.0.2:runtime
[INFO] | +- com.google.errorprone:error_prone_annotations:jar:2.3.4:runtime
[INFO] | \- com.google.j2objc:j2objc-annotations:jar:1.3:runtime
[INFO] +- com.azure.spring:azure-spring-boot-starter-storage:jar:3.12.0:compile
[INFO] | +- com.azure.spring:azure-spring-boot:jar:3.12.0:compile
[INFO] | | +- javax.validation:validation-api:jar:2.0.1.Final:compile
[INFO] | | \- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] | \- com.azure:azure-storage-file-share:jar:12.11.3:compile
[INFO] +- com.azure.spring:azure-spring-boot-starter-keyvault-secrets:jar:3.12.0:compile
[INFO] | \- com.azure:azure-security-keyvault-secrets:jar:4.3.6:compile
[INFO] +- com.azure:azure-identity:jar:1.4.3:compile
[INFO] | +- com.azure:azure-core:jar:1.24.1:compile
[INFO] | | +- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:jar:2.14.2:compile
[INFO] | | | +- org.codehaus.woodstox:stax2-api:jar:4.2.1:compile
[INFO] | | | \- com.fasterxml.woodstox:woodstox-core:jar:6.5.0:compile
[INFO] | | +- io.projectreactor:reactor-core:jar:3.5.4:compile
[INFO] | | | \- org.reactivestreams:reactive-streams:jar:1.0.4:compile
[INFO] | | \- io.netty:netty-tcnative-boringssl-static:jar:2.0.54.Final:compile
[INFO] | | +- io.netty:netty-tcnative-classes:jar:2.0.54.Final:compile
[INFO] | | +- io.netty:netty-tcnative-boringssl-static:jar:linux-x86_64:2.0.54.Final:compile
[INFO] | | +- io.netty:netty-tcnative-boringssl-static:jar:linux-aarch_64:2.0.54.Final:compile
[INFO] | | +- io.netty:netty-tcnative-boringssl-static:jar:osx-x86_64:2.0.54.Final:compile
[INFO] | | +- io.netty:netty-tcnative-boringssl-static:jar:osx-aarch_64:2.0.54.Final:compile
[INFO] | | \- io.netty:netty-tcnative-boringssl-static:jar:windows-x86_64:2.0.54.Final:compile
[INFO] | +- com.azure:azure-core-http-netty:jar:1.11.6:compile
[INFO] | | +- io.netty:netty-handler:jar:4.1.86.Final:compile
[INFO] | | | +- io.netty:netty-common:jar:4.1.86.Final:compile
[INFO] | | | +- io.netty:netty-resolver:jar:4.1.86.Final:compile
[INFO] | | | +- io.netty:netty-transport:jar:4.1.86.Final:compile
[INFO] | | | \- io.netty:netty-codec:jar:4.1.86.Final:compile
[INFO] | | +- io.netty:netty-handler-proxy:jar:4.1.86.Final:compile
[INFO] | | | \- io.netty:netty-codec-socks:jar:4.1.86.Final:compile
[INFO] | | +- io.netty:netty-buffer:jar:4.1.86.Final:compile
[INFO] | | +- io.netty:netty-codec-http:jar:4.1.86.Final:compile
[INFO] | | +- io.netty:netty-codec-http2:jar:4.1.86.Final:compile
[INFO] | | +- io.netty:netty-transport-native-unix-common:jar:4.1.86.Final:compile
[INFO] | | +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.86.Final:compile
[INFO] | | | \- io.netty:netty-transport-classes-epoll:jar:4.1.86.Final:compile
[INFO] | | +- io.netty:netty-transport-native-kqueue:jar:osx-x86_64:4.1.86.Final:compile
[INFO] | | | \- io.netty:netty-transport-classes-kqueue:jar:4.1.86.Final:compile
[INFO] | | \- io.projectreactor.netty:reactor-netty-http:jar:1.1.5:compile
[INFO] | | +- io.netty:netty-resolver-dns:jar:4.1.86.Final:compile
[INFO] | | | \- io.netty:netty-codec-dns:jar:4.1.86.Final:compile
[INFO] | | +- io.netty:netty-resolver-dns-native-macos:jar:osx-x86_64:4.1.86.Final:compile
[INFO] | | | \- io.netty:netty-resolver-dns-classes-macos:jar:4.1.86.Final:compile
[INFO] | | \- io.projectreactor.netty:reactor-netty-core:jar:1.1.5:compile
[INFO] | +- com.microsoft.azure:msal4j:jar:1.11.0:compile
[INFO] | | \- com.nimbusds:oauth2-oidc-sdk:jar:9.7:compile
[INFO] | | +- com.github.stephenc.jcip:jcip-annotations:jar:1.0-1:compile
[INFO] | | +- com.nimbusds:content-type:jar:2.1:compile
[INFO] | | +- com.nimbusds:lang-tag:jar:1.5:compile
[INFO] | | \- com.nimbusds:nimbus-jose-jwt:jar:9.9.3:compile
[INFO] | +- com.microsoft.azure:msal4j-persistence-extension:jar:1.1.0:compile
[INFO] | | \- net.java.dev.jna:jna:jar:5.5.0:compile
[INFO] | \- net.java.dev.jna:jna-platform:jar:5.6.0:compile
[INFO] +- net.minidev:json-smart:jar:2.4.10:compile
[INFO] | \- net.minidev:accessors-smart:jar:2.4.9:compile
[INFO] | \- org.ow2.asm:asm:jar:9.3:compile
[INFO] +- com.azure:azure-storage-blob:jar:12.14.3:compile
[INFO] | +- com.azure:azure-storage-common:jar:12.14.2:compile
[INFO] | \- com.azure:azure-storage-internal-avro:jar:12.1.3:compile
[INFO] +- com.sendgrid:sendgrid-java:jar:4.9.3:compile
[INFO] | +- com.sendgrid:java-http-client:jar:4.5.0:compile
[INFO] | | +- org.apache.httpcomponents:httpcore:jar:4.4.16:compile
[INFO] | | \- org.apache.httpcomponents:httpclient:jar:4.5.14:compile
[INFO] | | \- commons-codec:commons-codec:jar:1.15:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-core:jar:2.14.2:compile
[INFO] | +- com.fasterxml.jackson.core:jackson-annotations:jar:2.14.2:compile
[INFO] | \- org.bouncycastle:bcprov-jdk15on:jar:1.70:compile
[INFO] +- org.projectlombok:lombok:jar:1.18.26:provided
[INFO] +- jakarta.servlet:jakarta.servlet-api:jar:6.0.0:provided
[INFO] \- org.yaml:snakeyaml:jar:2.0:compile
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 10.250 s
[INFO] Finished at: 2023-04-20T08:30:41+01:00
[INFO] ------------------------------------------------------------------------