Merge pull request #297 from bci-oss/bugfix/fix-security-issues

Exclude exlcude com.google.protobuf lib
eclipse-tractusx · Oct 10, 2024 · 9571b46 · 9571b46
2 parents cb40753 + 7b32065
commit 9571b46
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 7 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,12 +4,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## 0.5.0-RC1
+## 0.5.0-RC2
 ### Added
 ### fixed
 - Update spring framework to version 6.1.6
 - Update commons-io to version 2.17.0
 - Update lombock to version 1.18.34
+- exlcude com.google.protobuf lib because of CVE https://avd.aquasec.com/nvd/2024/cve-2024-7254
 
 ## 0.4.0
 ### Added

diff --git a/pom.xml b/pom.xml
@@ -155,11 +155,6 @@
 				<artifactId>vavr</artifactId>
 				<version>${vavr.version}</version>
 			</dependency>
-			<dependency>
-				<groupId>commons-io</groupId>
-				<artifactId>commons-io</artifactId>
-				<version>${commons-io.version}</version>
-			</dependency>
 			<dependency>
 				<groupId>com.google.code.findbugs</groupId>
 				<artifactId>jsr305</artifactId>
@@ -341,6 +336,18 @@
 				<groupId>org.eclipse.esmf</groupId>
 				<artifactId>esmf-aspect-model-aas-generator</artifactId>
 				<version>${samm.sdk.version}</version>
+				<exclusions>
+					<!-- excluded because of CVE https://avd.aquasec.com/nvd/2024/cve-2024-47554/-->
+					<exclusion>
+						<groupId>commons-io</groupId>
+						<artifactId>commons-io</artifactId>
+					</exclusion>
+				</exclusions>
+			</dependency>
+			<dependency>
+				<groupId>commons-io</groupId>
+				<artifactId>commons-io</artifactId>
+				<version>${commons-io.version}</version>
 			</dependency>
          <dependency>
             <groupId>org.apache.commons</groupId>
@@ -356,13 +363,20 @@
 				<groupId>org.apache.jena</groupId>
 				<artifactId>jena-arq</artifactId>
 				<version>${jena.version}</version>
+				<exclusions>
+					<!-- Exclusion of commons-fileupload is required because of CVE https://avd.aquasec.com/nvd/2024/cve-2024-7254-->
+					<exclusion>
+						<groupId>com.google.protobuf</groupId>
+						<artifactId>protobuf-java</artifactId>
+					</exclusion>
+				</exclusions>
 			</dependency>
 			<dependency>
 				<groupId>org.apache.jena</groupId>
 				<artifactId>jena-fuseki-main</artifactId>
 				<version>${jena.version}</version>
 				<exclusions>
-					<!-- Exclusion of commons-fileupload is required because of CV https://avd.aquasec.com/nvd/2023/cve-2023-24998-->
+					<!-- Exclusion of commons-fileupload is required because of CVE https://avd.aquasec.com/nvd/2023/cve-2023-24998-->
 					<exclusion>
 						<groupId>commons-fileupload</groupId>
 						<artifactId>commons-fileupload</artifactId>