Conversation
…vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGASSERTJ-15102413 - https://snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-15062482
There was a problem hiding this comment.
Pull request overview
This PR updates Maven dependencies to fix two security vulnerabilities identified by Snyk: an XML External Entity (XXE) Injection vulnerability in assertj-guava and an External Initialization of Trusted Variables vulnerability in logback. The changes include upgrading assertj-guava from 3.4.0 to 3.27.7 and logback from 1.2.6 to 1.5.25, along with minor XML formatting improvements.
Changes:
- Upgrade assertj-guava from 3.4.0 to 3.27.7 to fix XXE injection vulnerability (SNYK-JAVA-ORGASSERTJ-15102413)
- Upgrade logback-classic and logback-core from 1.2.6 to 1.5.25 to fix external initialization vulnerability (SNYK-JAVA-CHQOSLOGBACK-15062482)
- Update XML formatting for Eclipse m2e lifecycle-mapping configuration (self-closing tags)
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pom.xml | Updates logback version property to 1.5.25 and improves XML formatting for Eclipse lifecycle-mapping configuration |
| testing-modules/assertion-libraries/pom.xml | Updates assertj-guava version property to 3.27.7 |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| <!-- logging --> | ||
| <org.slf4j.version>1.7.32</org.slf4j.version> | ||
| <logback.version>1.2.6</logback.version> | ||
| <logback.version>1.5.25</logback.version> |
There was a problem hiding this comment.
Logback 1.5.x requires Java 11 or higher, but this project is configured to use Java 1.8 (see line 1454 where java.version is set to 1.8). Additionally, Logback 1.5.x requires SLF4J 2.0+, but this project is using SLF4J 1.7.32 (see line 1447). This version upgrade will cause build failures and runtime compatibility issues. Consider either:
- Upgrading to Logback 1.4.x (which supports Java 8 and SLF4J 1.7.x) to address security vulnerabilities while maintaining compatibility, or
- Upgrading the entire project to Java 11+ and SLF4J 2.0+ as part of a larger migration effort
| <logback.version>1.5.25</logback.version> | |
| <logback.version>1.4.14</logback.version> |
| <properties> | ||
| <truth.version>0.32</truth.version> | ||
| <assertj-guava.version>3.4.0</assertj-guava.version> | ||
| <assertj-guava.version>3.27.7</assertj-guava.version> |
There was a problem hiding this comment.
AssertJ Guava 3.27.x requires Java 11 or higher, but this project is configured to use Java 1.8 (see line 1454 in the root pom.xml where java.version is set to 1.8). This version upgrade will cause build failures. Consider either:
- Upgrading to a version of assertj-guava that supports Java 8 while addressing the XXE vulnerability (if available), or
- Upgrading the testing-modules/assertion-libraries module to use Java 11+ separately from the main project
Snyk has created this PR to fix 2 vulnerabilities in the maven dependencies of this project.
Snyk changed the following file(s):
pom.xmltesting-modules/assertion-libraries/pom.xmlVulnerabilities that will be fixed with an upgrade:
SNYK-JAVA-ORGASSERTJ-15102413
3.4.0->3.27.7No Known ExploitSNYK-JAVA-CHQOSLOGBACK-15062482
1.2.6->1.5.25ch.qos.logback:logback-core:
1.2.6->1.5.25No Known ExploitImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 XML External Entity (XXE) Injection