Skip to content

Commit 2087d4b

Browse files
velovelo
authored
Fix for vunerabilities reported by snky (OpenFeign#1121)
* Fix for HTTP Request Smuggling Vulnerable module: io.netty:netty-codec-http Introduced through: io.reactivex:rxnetty-http@0.5.2 and io.reactivex:rxnetty-spectator-http@0.5.2 Exploit maturity: No known exploit * Fix for Deserialization of Untrusted Data Vulnerable module: com.google.guava:guava Introduced through: com.netflix.ribbon:ribbon-core@2.3.0 and com.netflix.ribbon:ribbon-loadbalancer@2.3.0 Exploit maturity: No known exploit https://app.snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-32236
1 parent ad8c919 commit 2087d4b

File tree

3 files changed

+30
-8
lines changed

3 files changed

+30
-8
lines changed

benchmark/pom.xml

Lines changed: 13 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -27,15 +27,22 @@
2727
<name>Feign Benchmark (JMH)</name>
2828

2929
<properties>
30-
<jmh.version>1.20</jmh.version>
31-
<!-- override default bytecode version for src/main from parent pom -->
32-
<main.java.version>1.8</main.java.version>
33-
<main.signature.artifact>java18</main.signature.artifact>
30+
<jmh.version>1.22</jmh.version>
3431
<main.basedir>${project.basedir}/..</main.basedir>
35-
<maven.compiler.source>1.8</maven.compiler.source>
36-
<maven.compiler.target>1.8</maven.compiler.target>
3732
</properties>
3833

34+
<dependencyManagement>
35+
<dependencies>
36+
<dependency>
37+
<groupId>io.netty</groupId>
38+
<artifactId>netty-bom</artifactId>
39+
<version>4.1.43.Final</version>
40+
<type>pom</type>
41+
<scope>import</scope>
42+
</dependency>
43+
</dependencies>
44+
</dependencyManagement>
45+
3946
<dependencies>
4047
<dependency>
4148
<groupId>${project.groupId}</groupId>
@@ -84,7 +91,6 @@
8491
<dependency>
8592
<groupId>io.netty</groupId>
8693
<artifactId>netty-buffer</artifactId>
87-
<version>4.1.5.Final</version>
8894
<scope>compile</scope>
8995
</dependency>
9096
<dependency>
@@ -107,7 +113,6 @@
107113
<groupId>org.slf4j</groupId>
108114
<artifactId>slf4j-nop</artifactId>
109115
</dependency>
110-
111116
</dependencies>
112117

113118
<build>

hystrix/pom.xml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -44,6 +44,12 @@
4444
<artifactId>hystrix-core</artifactId>
4545
<version>1.5.18</version>
4646
</dependency>
47+
48+
<dependency>
49+
<groupId>com.google.guava</groupId>
50+
<artifactId>guava</artifactId>
51+
<version>24.1.1-jre</version>
52+
</dependency>
4753
</dependencies>
4854
</dependencyManagement>
4955

ribbon/pom.xml

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -32,6 +32,16 @@
3232
<ribbon-version>2.3.0</ribbon-version>
3333
</properties>
3434

35+
<dependencyManagement>
36+
<dependencies>
37+
<dependency>
38+
<groupId>com.google.guava</groupId>
39+
<artifactId>guava</artifactId>
40+
<version>24.1.1-jre</version>
41+
</dependency>
42+
</dependencies>
43+
</dependencyManagement>
44+
3545
<dependencies>
3646
<dependency>
3747
<groupId>${project.groupId}</groupId>
@@ -63,4 +73,5 @@
6373
<scope>test</scope>
6474
</dependency>
6575
</dependencies>
76+
6677
</project>

0 commit comments

Comments
 (0)