You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The io.spring.nohttp:nohttp-cli removed the dependency on spring-boot-starter as of version 0.0.5.RELEASE. However, the io.spring.gradle:dependency-management-plugin remains on version 0.0.2.RELEASE. Nothing can be done from our end to resolve this.
The io.spring.gradle:dependency-management-plugin which is used in the ci.gradle arquillian-tests here: https://github.com/OpenLiberty/ci.gradle/blob/main/src/test/resources/arquillian-tests/build.gradle#L11
may need updating. In the dependencies section of the build.gradle for the dependency-management-plugin, there is a dependency on io.spring.nohttp:nohttp-cli:
https://github.com/spring-gradle-plugins/dependency-management-plugin/blob/main/build.gradle#L92
It turns out that version of io.spring.nohttp:nohttp-cli depends on org.springframework.boot:spring-boot-starter which in turn depends on org.springframework:spring-core, which is vulnerable to CVE-2022-22965.
I think if the dependency-management-plugin upgraded the io.spring.nohttp:nohttp-cli dependency, it may be resolved (but this is not owned by IBM).
The text was updated successfully, but these errors were encountered: