[FOLIO-3638] spring-module-core EntityJsonSchemaGenerator mbknor Created: 09/Nov/22 Updated: 15/Oct/23 |
|
| Status: | Open |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Bug | Priority: | P3 |
| Reporter: | Julian Ladisch | Assignee: | Jeremy Huff |
| Resolution: | Unresolved | Votes: | 0 |
| Labels: | security, security-reviewed | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original estimate: | Not Specified | ||
| Sprint: | |
| Development Team: | Other dev |
| RCA Group: | Related dependency upgrade |
| Description |
|
EntityJsonSchemaGenerator is not used as a runtime dependency but at build time only. Therefore it should be in a separate artifact and not included in the spring-domain runtime artifact.

EntityJsonSchemaGenerator uses com.kjetland:mbknor-jackson-jsonschema_2.12, which bloats the runtime:

[INFO] +- com.kjetland:mbknor-jackson-jsonschema_2.12:jar:1.0.39:compile
[INFO] |  +- org.scala-lang:scala-library:jar:2.12.10:compile
[INFO] |  +- org.jetbrains.kotlin:kotlin-scripting-compiler-embeddable:jar:1.3.50:compile
[INFO] |  |  +- org.jetbrains.kotlin:kotlin-scripting-compiler-impl-embeddable:jar:1.3.50:runtime
[INFO] |  |  |  +- org.jetbrains.kotlin:kotlin-scripting-common:jar:1.6.21:runtime
[INFO] |  |  |  +- org.jetbrains.kotlin:kotlin-scripting-jvm:jar:1.6.21:runtime
[INFO] |  |  |  |  \- org.jetbrains.kotlin:kotlin-script-runtime:jar:1.6.21:runtime
[INFO] |  |  |  \- org.jetbrains.kotlinx:kotlinx-coroutines-core:jar:1.6.4:runtime
[INFO] |  |  \- org.jetbrains.kotlin:kotlin-stdlib:jar:1.6.21:runtime
[INFO] |  |     +- org.jetbrains.kotlin:kotlin-stdlib-common:jar:1.6.21:runtime
[INFO] |  |     \- org.jetbrains:annotations:jar:13.0:runtime
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.4.2:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.4:compile
[INFO] |  |  \- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile
[INFO] |  +- javax.validation:validation-api:jar:2.0.1.Final:compile
[INFO] |  +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] |  \- io.github.classgraph:classgraph:jar:4.8.21:compile

com.kjetland:mbknor-jackson-jsonschema_2.12 is no longer maintained and out of support:

kotlin-stdlib:1.6.21 has an Improper Locking and an Information Exposure vulnerability: |
| Comments |
| Comment by William Welling [ 09/Nov/22 ] |
|
Thanks for the issue reporting. |
| Comment by Ann-Marie Breaux (Inactive) [ 10/Nov/22 ] |
|
Hi Julian Ladisch and William Welling, which dev team should this bug belong to? |
| Comment by William Welling [ 21/Nov/22 ] |
|
Hi Ann-Marie Breaux, developers at A&M can handle this issue. Likely able to use Maven profiles to accomplish this, or possibly the scope of the dependency. |
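The following is an added example of the "separate artifact" layout the description asks for, wired so that the runtime module still runs the generator at build time. It is not code from the FOLIO repositories; the module name spring-module-core-jsonschema, the generator's fully qualified class name, and the output directory argument are all assumed. The point it demonstrates is that a dependency declared under a plugin's own <dependencies> is resolved on the plugin classpath only and never enters the module's compile or runtime scope, so it does not propagate to spring-domain's consumers the way the compile-scoped tree in the description does.

```xml
<!-- Added example, not FOLIO project code. Module and class names are assumed. -->

<!-- 1. Hypothetical module spring-module-core-jsonschema/pom.xml: the only
        place where mbknor-jackson-jsonschema (and its Scala/Kotlin tree) lives. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.folio</groupId>
  <artifactId>spring-module-core-jsonschema</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <dependencies>
    <dependency>
      <groupId>com.kjetland</groupId>
      <artifactId>mbknor-jackson-jsonschema_2.12</artifactId>
      <version>1.0.39</version>
    </dependency>
  </dependencies>
</project>

<!-- 2. Runtime module (spring-domain) pom.xml: no <dependency> on the generator
        or on mbknor at all. The generator module is a dependency of the
        exec-maven-plugin execution, so it is resolved for the plugin run only. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.folio</groupId>
  <artifactId>spring-domain</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <build>
    <plugins>
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>exec-maven-plugin</artifactId>
        <version>3.1.0</version>
        <dependencies>
          <dependency>
            <groupId>org.folio</groupId>
            <artifactId>spring-module-core-jsonschema</artifactId>
            <version>${project.version}</version>
          </dependency>
        </dependencies>
        <executions>
          <execution>
            <id>generate-entity-json-schemas</id>
            <!-- process-classes: the entity classes the generator reflects over
                 are compiled by now, and files written under
                 target/classes are still picked up by the jar packaging -->
            <phase>process-classes</phase>
            <goals>
              <goal>java</goal>
            </goals>
            <configuration>
              <!-- assumed class name of the generator's entry point -->
              <mainClass>org.folio.spring.jsonschema.EntityJsonSchemaGenerator</mainClass>
              <!-- put the plugin dependencies (generator + mbknor) on the
                   classpath of this execution; the module's own compile
                   classpath is included by default so the entities resolve -->
              <includePluginDependencies>true</includePluginDependencies>
              <arguments>
                <!-- assumed: output directory for the generated schemas -->
                <argument>${project.build.outputDirectory}/schemas</argument>
              </arguments>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

To verify the result, run `mvn dependency:tree -Dincludes=com.kjetland,org.jetbrains.kotlin,org.scala-lang` in spring-domain and in a module that consumes it; after the change neither tree should list those groups. The cheaper alternative mentioned in the comment, keeping the dependency in spring-domain but marking it `<optional>true</optional>` or `<scope>provided</scope>`, stops it propagating to consumers but leaves the generator class itself inside the runtime jar, where any call to it fails with NoClassDefFoundError; moving the class to its own artifact avoids that.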
| Comment by Ann-Marie Breaux (Inactive) [ 21/Nov/22 ] |
|
Yay! I made it "other dev" and it drops out of my filter! |
| Comment by Julian Ladisch [ 06/Apr/23 ] |
|
William Welling, Jeremy Huff: When will this issue be addressed? |