Remediation Plan Overview
The table presented below outlines a remediation plan based on the findings from our recent Software Composition Analysis (SCA) scan. We have identified several dependencies within this project that require attention to ensure compliance, security, and optimal performance.
Key Highlights:
- Dependencies: The table lists dependencies under review for upgrade and remediation.
- Current vs. Target Versions: Each dependency is accompanied by its current version and the recommended target version.
- Status: The status column indicates whether the upgrade is pending, failed, or completed.
- Location: The location of each dependency within the project structure is specified.
Action Items:
- Review Dependencies: Please take a moment to review the dependencies listed in the table.
- Plan Upgrades: For each dependency, consider the implications of upgrading to the target version. This may involve testing the new versions in a staging environment to ensure that existing functionality is not adversely affected.
| Dependency | Version (Advisories) | Recommended (Advisories) |
|---|---|---|
| cn.hutool:hutool-all | 🔴 5.8.10 (2) | 5.8.41 (0) |
| com.alibaba:fastjson | 🔴 1.2.24 (1) | 1.2.83_noneautotype (0) |
| com.fasterxml.jackson.core:jackson-core | 🟠 2.9.8 (2) | 2.20.1 (0) |
| com.fasterxml.jackson.core:jackson-databind | 🔴 2.9.8 (53) | 2.20.1 (0) |
| com.google.guava:guava | 🟠 23.0 (3) | 23.6.1-jre (3) |
| com.jayway.jsonpath:json-path | 🟠 2.2.0 (1) | 2.10.0 (0) |
| ↳ net.minidev:json-smart | 🟠 2.2.1 (2) | 2.6.0 (0) |
| com.monitorjbl:xlsx-streamer | 🔴 2.0.0 (1) | 2.2.0 (0) |
| com.squareup.okhttp:okhttp | 🟢 2.5.0 (0) | 2.7.5 (0) |
| ↳ com.squareup.okio:okio | 🟠 1.6.0 (1) | 1.17.6 (0) |
| com.thoughtworks.xstream:xstream | 🟠 1.4.20 (1) | 1.4.21 (0) |
| commons-beanutils:commons-beanutils | 🔴 1.9.4 (1) | 1.11.0 (0) |
| commons-collections:commons-collections | 🔴 3.1 (2) | 3.2.2 (0) |
| commons-httpclient:commons-httpclient | 🟢 3.1 (1) | 3.1-jenkins-3 (1) |
| commons-io:commons-io | 🟠 2.5 (2) | 2.21.0 (0) |
| commons-lang:commons-lang | 🟠 2.4 (1) | 2.6 (1) |
| commons-net:commons-net | 🟠 3.6 (1) | 3.12.0 (0) |
| io.springfox:springfox-swagger-ui | 🔴 2.9.2 (1) | 2.10.5 (0) |
| junit:junit | 🟠 4.12 (1) | 4.13-beta-3 (1) |
| mysql:mysql-connector-java | 🔴 8.0.12 (5) | 8.0.30 (1) |
| ↳ com.google.protobuf:protobuf-java | 🟠 2.6.0 (3) | 2.6.1 (3) |
| org.apache.httpcomponents:httpclient | 🟠 4.5.12 (1) | 4.5.14 (0) |
| org.apache.logging.log4j:log4j-core | 🔴 2.9.1 (5) | 2.25.2 (0) |
| org.apache.poi:poi-ooxml | 🟠 3.9 (1) | 3.17 (1) |
| ↳ dom4j:dom4j | 🔴 1.6.1 (2) | 1.6.1 (2) |
| ↳ org.apache.poi:poi-ooxml-schemas | 🟢 3.9 (0) | 3.17 (0) |
| ↳ org.apache.xmlbeans:xmlbeans | 🔴 2.3.0 (1) | 2.6.0 (1) |
| org.apache.poi:poi | 🟠 3.10-FINAL (6) | 3.17 (1) |
| org.apache.shiro:shiro-core | 🔴 1.2.4 (9) | 1.13.0 (0) |
| org.apache.velocity:velocity | 🔴 1.7 (1) | 1.7-beta1 (1) |
| org.dom4j:dom4j | 🔴 2.1.0 (2) | 2.2.0 (0) |
| org.jdom:jdom2 | 🟠 2.0.6 (1) | 2.0.6.1 (0) |
| org.jolokia:jolokia-core | 🔴 1.6.0 (1) | 1.7.2 (0) |
| org.jsoup:jsoup | 🟠 1.10.2 (2) | 1.21.2 (0) |
| org.mybatis.spring.boot:mybatis-spring-boot-starter | 🟢 1.3.2 (0) | 1.3.5 (0) |
| ↳ org.mybatis:mybatis | 🔴 3.4.6 (1) | 3.5.19 (0) |
| org.postgresql:postgresql | 🔴 42.3.1 (6) | 42.7.8 (0) |
| org.springframework.boot:spring-boot-starter-actuator | 🟢 1.5.1.RELEASE (0) | 1.5.22.RELEASE (0) |
| ↳ org.springframework.boot:spring-boot-actuator | 🟠 1.5.1.RELEASE (1) | 1.5.22.RELEASE (1) |
| org.springframework.boot:spring-boot-starter-thymeleaf | 🟢 1.5.1.RELEASE (0) | 1.5.22.RELEASE (0) |
| ↳ nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect | 🟢 1.4.0 (0) | 1.4.0 (0) |
| ↳ org.codehaus.groovy:groovy | 🔴 2.4.7 (2) | 2.6.0-alpha-4 (0) |
| ↳ org.thymeleaf:thymeleaf-spring4 | 🟢 2.1.5.RELEASE (0) | 2.1.6.RELEASE (0) |
| ↳ org.thymeleaf:thymeleaf | 🟢 2.1.5.RELEASE (0) | 2.1.6.RELEASE (0) |
| ↳ ognl:ognl | 🟠 3.0.8 (1) | 3.4.8 (0) |
| org.springframework.boot:spring-boot-starter-web | 🔴 1.5.1.RELEASE (1) | 1.5.22.RELEASE (1) |
| ↳ org.hibernate:hibernate-validator | 🟠 5.3.4.Final (4) | 5.4.3.Final (3) |
| ↳ org.springframework.boot:spring-boot-starter-tomcat | 🟢 1.5.1.RELEASE (0) | 1.5.22.RELEASE (0) |
| ↳ org.apache.tomcat.embed:tomcat-embed-core | 🔴 8.5.11 (37) | 8.5.100 (11) |
| ↳ org.apache.tomcat.embed:tomcat-embed-websocket | 🟠 8.5.11 (1) | 8.5.100 (0) |
| ↳ org.springframework.boot:spring-boot-starter | 🟢 1.5.1.RELEASE (0) | 1.5.22.RELEASE (0) |
| ↳ org.springframework.boot:spring-boot-autoconfigure | 🟠 1.5.1.RELEASE (1) | 1.5.22.RELEASE (1) |
| ↳ org.springframework.boot:spring-boot-starter-logging | 🟢 1.5.1.RELEASE (0) | 1.5.22.RELEASE (0) |
| ↳ ch.qos.logback:logback-classic | 🔴 1.1.9 (2) | 1.5.20 (0) |
| ↳ ch.qos.logback:logback-core | 🔴 1.1.9 (6) | 1.4.14 (3) |
| ↳ org.springframework.boot:spring-boot | 🔴 1.5.1.RELEASE (3) | 1.5.22.RELEASE (2) |
| ↳ org.springframework:spring-web | 🔴 4.3.6.RELEASE (7) | 4.3.30.RELEASE (6) |
| ↳ org.springframework:spring-webmvc | 🔴 4.3.6.RELEASE (2) | 4.3.30.RELEASE (2) |
| org.springframework.cloud:spring-cloud-starter-netflix-eureka-client | 🟢 1.4.0.RELEASE (0) | 1.4.7.RELEASE (0) |
| ↳ com.netflix.eureka:eureka-client | 🟢 1.4.11 (0) | 1.10.18 (0) |
| ↳ com.netflix.netflix-commons:netflix-eventbus | 🟢 0.3.0 (0) | 0.3.0 (0) |
| ↳ com.netflix.netflix-commons:netflix-infix | 🟢 0.3.0 (0) | 0.3.0 (0) |
| ↳ com.google.code.gson:gson | 🔴 2.8.0 (1) | 2.13.2 (0) |
| ↳ org.codehaus.jettison:jettison | 🟠 1.3.7 (5) | 1.5.4 (0) |
| ↳ org.springframework.cloud:spring-cloud-starter-netflix-archaius | 🟢 1.4.0.RELEASE (0) | 1.4.7.RELEASE (0) |
| ↳ commons-configuration:commons-configuration | 🟢 1.8 (1) | 1.10 (1) |
| ↳ org.springframework.cloud:spring-cloud-starter-netflix-ribbon | 🟢 1.4.0.RELEASE (0) | 1.4.7.RELEASE (0) |
| ↳ com.netflix.ribbon:ribbon | 🟢 2.2.0 (0) | 2.7.18 (0) |
| ↳ io.reactivex:rxnetty | 🟢 0.4.9 (0) | 0.5.1 (0) |
| ↳ io.netty:netty-codec-http | 🔴 4.0.27.Final (6) | 4.2.7.Final (0) |
| ↳ io.netty:netty-codec | 🟠 4.0.27.Final (3) | 4.2.7.Final (0) |
| ↳ io.netty:netty-handler | 🟠 4.0.27.Final (3) | 4.2.7.Final (0) |
| ↳ io.netty:netty-transport-native-epoll | 🟢 4.0.27.Final (0) | 4.2.7.Final (0) |
| ↳ io.netty:netty-common | 🟠 4.0.27.Final (2) | 4.2.7.Final (0) |
| ↳ org.springframework.cloud:spring-cloud-starter | 🟢 1.1.3.RELEASE (0) | 1.3.6.RELEASE (0) |
| ↳ org.springframework.cloud:spring-cloud-context | 🟢 1.1.3.RELEASE (0) | 1.3.6.RELEASE (0) |
| ↳ org.springframework.security:spring-security-crypto | 🟠 4.2.1.RELEASE (1) | 4.2.20.RELEASE (1) |
| ↳ org.springframework.security:spring-security-rsa | 🟢 1.0.3.RELEASE (0) | 1.1.5 (0) |
| ↳ org.bouncycastle:bcpkix-jdk15on | 🟢 1.55 (1) | 1.70 (1) |
| ↳ org.bouncycastle:bcprov-jdk15on | 🟠 1.55 (17) | 1.70 (4) |
| org.springframework.data:spring-data-commons | 🟠 1.13.11.RELEASE (1) | 1.13.23.RELEASE (0) |
| org.springframework.security:spring-security-web | 🔴 4.2.12.RELEASE (3) | 4.2.20.RELEASE (3) |
| ↳ org.springframework.security:spring-security-core | 🔴 4.2.1.RELEASE (8) | 4.2.20.RELEASE (3) |
| ↳ org.springframework:spring-beans | 🔴 4.3.6.RELEASE (2) | 4.3.30.RELEASE (2) |
| ↳ org.springframework:spring-context | 🟠 4.3.6.RELEASE (3) | 4.3.30.RELEASE (3) |
| ↳ org.springframework:spring-core | 🟠 4.3.6.RELEASE (6) | 4.3.30.RELEASE (0) |
| org.springframework:spring-expression | 🟠 4.3.16.RELEASE (4) | 4.3.30.RELEASE (4) |
| org.yaml:snakeyaml | 🔴 1.21 (8) | 1.33 (1) |
I will start working on this plan shortly; however, you can prompt me to take action immediately or suggest changes. For example:

- Upgrade to target version: `@00felix upgrade org.group:artifact`
- Upgrade to specific version: `@00felix upgrade org.group:artifact@version`
- Set JDK version: `@00felix settings set jdk {version}` (e.g., `@00felix settings set jdk 17` to switch to Java 17 for compatibility requirements)

In response, I will create a remediation and generate a pull request for your review.