Describe the bug In Spring Cloud Config Server 4.3.0, a Trivy scan reports 16 CVEs in transitive dependencies. Out of these, 15 are fixable with newer versions.
This poses a major blocker for organisations relying on SCA tools and could lead to compliance issues.
Attached below is a summary from Trivy highlighting the affected dependencies and available fixed versions. (Full report can be provided if needed.)
Is there a plan or timeline for upgrading these dependencies in upcoming releases? Is there anything I can do to help with this?
Comment From: ryanjbaxter
Most of these are transitive dependencies. For example, guava and google-oauth-client are brought in by our use of google-api-services-iam. Updating that version to ones that would include the newer versions would be a breaking change because it would require upgrading to a new major version and we can't do that in a minor release. In our next major we have upgraded this specific dependency: https://github.com/spring-cloud/spring-cloud-config/blob/main/pom.xml#L33C4-L33C27
The spring related dependencies will be upgraded in the next release.
It would be interesting to run this same analysis on 5.0.0-M1.
Comment From: arjavdongaonkar
Thanks for the clarification. I ran the same scan on 5.0.0-M1, and the Trivy report came out clean (0 CVEs detected on both the base image and the built JAR). Looks good from our side; we'll continue monitoring upcoming releases for dependency updates. Please let me know if I can be of any help!