@@ -35,6 +35,22 @@ subprojects {
3535 testRuntimeOnly(libs. junit. platform. launcher)
3636 testImplementation(libs. mockito. core)
3737 testImplementation(libs. mockito. junit. jupiter)
38+
39+ // Security constraints
40+ constraints {
41+ implementation(" ch.qos.logback:logback-core:1.5.15" ) {
42+ because(" versions below 1.5.15 have security vulnerabilities - see dependabot #7, #6" )
43+ }
44+ implementation(" ch.qos.logback:logback-classic:1.5.15" ) {
45+ because(" versions below 1.5.15 have security vulnerabilities - see dependabot #7, #6" )
46+ }
47+ implementation(" org.springframework:spring-web:6.2.8" ) {
48+ because(" versions below 6.2.8 have security vulnerabilities including CVE-2024-38820 - see dependabot #12" )
49+ }
50+ implementation(" org.apache.tomcat.embed:tomcat-embed-core:10.1.42" ) {
51+ because(" versions below 10.1.42 have security vulnerabilities including CVE-2024-56337 - see dependabot #13" )
52+ }
53+ }
3854 }
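Review bot: The constraints on new lines 40-53 only reach configurations that extend `implementation` (the compile/runtime and test classpaths), whereas the `configurations.configureEach` rule removed further down in this commit applied to every configuration of the subproject, so any tool classpath that resolves logback on its own (the `jacoco` and PMD `ruleSets` setup visible in the context lines suggests such configurations exist) is no longer floored — if that is acceptable, say so in the comment, e.g. `// Floors, not pins: Gradle selects the highest requested version; only configurations extending implementation are covered`. The logback entries cite only dependabot issue numbers while the spring-web and tomcat entries name a CVE; naming the advisory IDs, or keeping the full dependabot URLs the removed comment used, keeps the reason auditable after issues are renumbered or the repository moves. The removed comment also noted these pins should go away once the Spring Boot BOM catches up; restating that here (`// Remove once the managed Spring Boot versions are at or above these`) prevents the constraints from lingering indefinitely. This appears to be inside a `dependencies {}` block whose start and end lie outside the hunk.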
3955
4056 jacoco {
@@ -80,23 +96,4 @@ subprojects {
8096 ruleSets = [" $rootDir /ruleset.xml" ]
8197 }
8298
83- // Needed for security. See:
84- // - https://github.com/getyourguide/openapi-validation-java/security/dependabot/7
85- // - https://github.com/getyourguide/openapi-validation-java/security/dependabot/6
86- // Hopefully with spring-boot 3.4.2+ this won't be needed anymore and can be removed.
87- configurations. configureEach {
88- resolutionStrategy. eachDependency {details ->
89- if (details. requested. group == ' ch.qos.logback'
90- && (details. requested. name == ' logback-core' || details. requested. name == ' logback-classic' )
91- ) {
92- def parse = { String v -> v. tokenize(' .' ). collect { it. padLeft(3 , ' 0' ) }. join() }
93- def current = parse(details. requested. version)
94- def minimum = parse(' 1.5.15' )
95- if (current < minimum) {
96- details. useVersion ' 1.5.15'
97- details. because ' Security requirement: forcing logback version'
98- }
99- }
100- }
101- }
10299}