Skip to content

Create maven_dep_tree.txt #35

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
bandarisantosh wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Create maven_dep_tree.txt #35

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
213 changes: 213 additions & 0 deletions maven_dep_tree.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,213 @@
com.finfare.cloud:cloud-common:jar:1.5.1-SNAPSHOT
+- com.finfare:cache:jar:0.0.2-SNAPSHOT:compile
+- org.springframework.boot:spring-boot-starter-web:jar:2.7.14:compile
| +- org.springframework.boot:spring-boot-starter:jar:2.7.14:compile
| | +- org.springframework.boot:spring-boot:jar:2.7.14:compile
Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 5 lists a dependency (org.springframework.boot:spring-boot) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 3.3.11 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 5 lists a dependency (org.springframework.boot:spring-boot) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 3.3.11 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| | +- org.springframework.boot:spring-boot-autoconfigure:jar:2.7.14:compile
| | +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.14:compile
| | | +- ch.qos.logback:logback-classic:jar:1.2.12:compile
Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 8 lists a dependency (ch.qos.logback:logback-classic) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 1.2.13 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 8 lists a dependency (ch.qos.logback:logback-classic) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 1.2.13 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| | | | \- ch.qos.logback:logback-core:jar:1.2.12:compile
Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 9 lists a dependency (ch.qos.logback:logback-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 1.2.13 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 9 lists a dependency (ch.qos.logback:logback-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 1.2.13 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 9 lists a dependency (ch.qos.logback:logback-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 1.2.13 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 9 lists a dependency (ch.qos.logback:logback-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 1.2.13 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.2:compile
| | | | \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
| | | \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
| | +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
| | \- org.yaml:snakeyaml:jar:2.0:compile
| +- org.springframework.boot:spring-boot-starter-json:jar:2.7.14:compile
| | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.13.5:compile
| | \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.13.5:compile
| +- org.springframework.boot:spring-boot-starter-tomcat:jar:2.7.14:compile
| | +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.80:compile
Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium severity vulnerability introduced by a package you're using:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known Medium severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected versions of org.apache.tomcat.embed:tomcat-embed-core and org.apache.tomcat:tomcat are vulnerable to Improper Input Validation. The vulnerability in Apache Tomcat involves a Denial of Service due to improper input validation in HTTP/2 requests, where if the request surpasses configured header limits, the corresponding HTTP/2 stream remains unreset until after all headers have been processed.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 9.0.86 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 9.0.98 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 9.0.106 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical severity vulnerability may affect your project—review required:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known Critical severity vulnerability.

ℹ️ Why this matters

Affected versions of org.apache.tomcat.embed:tomcat-embed-core and org.apache.tomcat:tomcat-catalina are vulnerable to Deserialization of Untrusted Data / Path Equivalence. This can lead to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.

References: GHSA, CVE

To resolve this comment:
Check if you have enabled write for the default servlet (disabled by default) and have support for partial PUT (enabled by default).
In addition to these conditions - a malicious user is able to view security sensitive files and/or inject content into files if -
1. a target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads.
2. attacker knowledge of the names of security sensitive files being uploaded.
3. the security sensitive files also being uploaded via partial PUT.

A malicious user is able to perform remote code execution if -
1. application is using Tomcats file based session persistence with the default storage location.
2. application included a library that may be leveraged in a deserialization attack..
  • If you're affected, upgrade this dependency to at least version 9.0.99 at maven_dep_tree.txt.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability may affect your project—review required:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of org.apache.tomcat.embed:tomcat-embed-core, org.apache.tomcat:tomcat- catalina, and org.apache.tomcat:tomcat-embed-core are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition. Apache Tomcat is susceptible to a TOCTOU race condition vulnerability. This occurs when running on a case insensitive file system with the default servlet write enabled, potentially allowing attackers to exploit misconfiguration or race conditions if the system property sun.io.useCanonCaches is not correctly set. Specific mitigations are necessary based on the Java version used, and failure to implement these could lead to unauthorized file writes or other security risks.

References: GHSA, CVE

To resolve this comment:
Check if you run Tomcat on Windows and you do not explicitly set the system property sun.io.useCanonCaches to false (see advisory for more detailed mitigation).

  • If you're affected, upgrade this dependency to at least version 9.0.98 at maven_dep_tree.txt.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability introduced by a package you're using:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected versions of org.apache.tomcat.embed:tomcat-embed-core and org.apache.tomcat:tomcat-coyote are vulnerable to Improper Handling of Exceptional Conditions / Uncontrolled Resource Consumption.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 9.0.90 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability introduced by a package you're using:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected versions of org.apache.tomcat:tomcat-catalina are vulnerable to Improper Input Validation / Inconsistent Interpretation Of Http Requests ('Http Request/Response Smuggling'). The vulnerability arises from the improper parsing of HTTP trailer headers, leading to the potential treatment of a single request as multiple requests, thereby enabling request smuggling, particularly when operating behind a reverse proxy.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 9.0.83 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 9.0.106 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical severity vulnerability may affect your project—review required:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known Critical severity vulnerability.

ℹ️ Why this matters

Affected versions of org.apache.tomcat.embed:tomcat-embed-core and org.apache.tomcat:tomcat-catalina are vulnerable to Deserialization of Untrusted Data / Path Equivalence. This can lead to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.

References: GHSA, CVE

To resolve this comment:
Check if you have enabled write for the default servlet (disabled by default) and have support for partial PUT (enabled by default).
In addition to these conditions - a malicious user is able to view security sensitive files and/or inject content into files if -
1. a target URL for security sensitive uploads that is a sub-directory of a target URL for public uploads.
2. attacker knowledge of the names of security sensitive files being uploaded.
3. the security sensitive files also being uploaded via partial PUT.

A malicious user is able to perform remote code execution if -
1. application is using Tomcats file based session persistence with the default storage location.
2. application included a library that may be leveraged in a deserialization attack..
  • If you're affected, upgrade this dependency to at least version 9.0.99 at maven_dep_tree.txt.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability may affect your project—review required:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known High severity vulnerability.

ℹ️ Why this matters

Affected versions of org.apache.tomcat.embed:tomcat-embed-core, org.apache.tomcat:tomcat- catalina, and org.apache.tomcat:tomcat-embed-core are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition. Apache Tomcat is susceptible to a TOCTOU race condition vulnerability. This occurs when running on a case insensitive file system with the default servlet write enabled, potentially allowing attackers to exploit misconfiguration or race conditions if the system property sun.io.useCanonCaches is not correctly set. Specific mitigations are necessary based on the Java version used, and failure to implement these could lead to unauthorized file writes or other security risks.

References: GHSA, CVE

To resolve this comment:
Check if you run Tomcat on Windows and you do not explicitly set the system property sun.io.useCanonCaches to false (see advisory for more detailed mitigation).

  • If you're affected, upgrade this dependency to at least version 9.0.98 at maven_dep_tree.txt.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium severity vulnerability introduced by a package you're using:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known Medium severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected versions of org.apache.tomcat.embed:tomcat-embed-core and org.apache.tomcat:tomcat are vulnerable to Improper Input Validation. The vulnerability in Apache Tomcat involves a Denial of Service due to improper input validation in HTTP/2 requests, where if the request surpasses configured header limits, the corresponding HTTP/2 stream remains unreset until after all headers have been processed.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 9.0.86 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 9.0.98 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability introduced by a package you're using:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected versions of org.apache.tomcat.embed:tomcat-embed-core and org.apache.tomcat:tomcat-coyote are vulnerable to Improper Handling of Exceptional Conditions / Uncontrolled Resource Consumption.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 9.0.90 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability introduced by a package you're using:
Line 19 lists a dependency (org.apache.tomcat.embed:tomcat-embed-core) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected versions of org.apache.tomcat:tomcat-catalina are vulnerable to Improper Input Validation / Inconsistent Interpretation Of Http Requests ('Http Request/Response Smuggling'). The vulnerability arises from the improper parsing of HTTP trailer headers, leading to the potential treatment of a single request as multiple requests, thereby enabling request smuggling, particularly when operating behind a reverse proxy.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 9.0.83 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

| | \- org.apache.tomcat.embed:tomcat-embed-websocket:jar:9.0.78:compile
| +- org.springframework:spring-web:jar:5.3.29:compile
Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 21 lists a dependency (org.springframework:spring-web) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.3.34 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 21 lists a dependency (org.springframework:spring-web) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.3.32 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 21 lists a dependency (org.springframework:spring-web) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.3.33 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical severity vulnerability may affect your project—review required:
Line 21 lists a dependency (org.springframework:spring-web) with a known Critical severity vulnerability.

ℹ️ Why this matters

org.springframework:spring-web versions before 6.0.0 are vulnerable to Deserialization Of Untrusted Data. The readRemoteInvocation method in HttpInvokerServiceExporter.class doesn't properly validate untrusted objects prior to deserialization. An attacker can exploit this by sending malicious requests with crafted objects, leading to arbitrary code execution on the vulnerable system.

References: GHSA, CVE

To resolve this comment:
Check if you rely on Java deserialization for untrusted data.

  • If you're affected, upgrade this dependency to at least version 6.0.0 at maven_dep_tree.txt.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 21 lists a dependency (org.springframework:spring-web) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.3.32 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 21 lists a dependency (org.springframework:spring-web) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.3.34 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical severity vulnerability may affect your project—review required:
Line 21 lists a dependency (org.springframework:spring-web) with a known Critical severity vulnerability.

ℹ️ Why this matters

org.springframework:spring-web versions before 6.0.0 are vulnerable to Deserialization Of Untrusted Data. The readRemoteInvocation method in HttpInvokerServiceExporter.class doesn't properly validate untrusted objects prior to deserialization. An attacker can exploit this by sending malicious requests with crafted objects, leading to arbitrary code execution on the vulnerable system.

References: GHSA, CVE

To resolve this comment:
Check if you rely on Java deserialization for untrusted data.

  • If you're affected, upgrade this dependency to at least version 6.0.0 at maven_dep_tree.txt.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 21 lists a dependency (org.springframework:spring-web) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.3.33 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| | \- org.springframework:spring-beans:jar:5.3.22:compile
| \- org.springframework:spring-webmvc:jar:5.3.29:compile
Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 23 lists a dependency (org.springframework:spring-webmvc) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 6.1.14 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 23 lists a dependency (org.springframework:spring-webmvc) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 6.1.13 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 23 lists a dependency (org.springframework:spring-webmvc) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 6.1.14 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 23 lists a dependency (org.springframework:spring-webmvc) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 6.1.13 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| +- org.springframework:spring-context:jar:5.3.29:compile
| \- org.springframework:spring-expression:jar:5.3.29:compile
+- org.springframework.boot:spring-boot-configuration-processor:jar:2.7.14:compile
+- org.springframework.boot:spring-boot-starter-validation:jar:2.7.14:compile
| +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.78:compile
| \- org.hibernate.validator:hibernate-validator:jar:6.2.5.Final:compile
| +- org.jboss.logging:jboss-logging:jar:3.4.3.Final:compile
| \- com.fasterxml:classmate:jar:1.5.1:compile
+- org.springframework.boot:spring-boot-starter-data-jpa:jar:2.7.14:compile
| +- org.springframework.boot:spring-boot-starter-aop:jar:2.7.14:compile
| +- org.springframework.boot:spring-boot-starter-jdbc:jar:2.7.14:compile
| | +- com.zaxxer:HikariCP:jar:4.0.3:compile
| | \- org.springframework:spring-jdbc:jar:5.3.29:compile
| +- jakarta.transaction:jakarta.transaction-api:jar:1.3.3:compile
| +- org.hibernate:hibernate-core:jar:5.6.15.Final:compile
| | +- net.bytebuddy:byte-buddy:jar:1.12.23:compile
| | +- antlr:antlr:jar:2.7.7:compile
| | +- org.jboss:jandex:jar:2.4.2.Final:compile
| | +- org.hibernate.common:hibernate-commons-annotations:jar:5.1.2.Final:compile
| | \- org.glassfish.jaxb:jaxb-runtime:jar:2.3.8:compile
| | +- org.glassfish.jaxb:txw2:jar:2.3.8:compile
| | +- com.sun.istack:istack-commons-runtime:jar:3.0.12:compile
| | \- com.sun.activation:jakarta.activation:jar:1.2.2:runtime
| +- org.springframework.data:spring-data-jpa:jar:2.7.14:compile
| | +- org.springframework.data:spring-data-commons:jar:2.7.14:compile
| | +- org.springframework:spring-orm:jar:5.3.29:compile
| | +- org.springframework:spring-tx:jar:5.3.29:compile
| | \- org.slf4j:slf4j-api:jar:1.7.36:compile
| \- org.springframework:spring-aspects:jar:5.3.29:compile
+- org.springframework.retry:spring-retry:jar:1.3.4:compile
+- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.5:compile
| +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.5:compile
| +- com.fasterxml.jackson.core:jackson-core:jar:2.13.5:compile
| \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.5:compile
+- io.jsonwebtoken:jjwt:jar:0.9.1:compile
+- software.amazon.awssdk:pinpoint:jar:2.17.97:compile
| +- software.amazon.awssdk:aws-json-protocol:jar:2.17.97:compile
| | +- software.amazon.awssdk:third-party-jackson-core:jar:2.17.97:compile
| | \- software.amazon.awssdk:json-utils:jar:2.17.97:compile
| +- software.amazon.awssdk:protocol-core:jar:2.17.97:compile
| +- software.amazon.awssdk:sdk-core:jar:2.17.97:compile
| | \- org.reactivestreams:reactive-streams:jar:1.0.4:compile
| +- software.amazon.awssdk:auth:jar:2.17.97:compile
| | \- software.amazon.eventstream:eventstream:jar:1.0.1:compile
| +- software.amazon.awssdk:http-client-spi:jar:2.17.97:compile
| +- software.amazon.awssdk:regions:jar:2.17.97:compile
| +- software.amazon.awssdk:annotations:jar:2.17.97:compile
| +- software.amazon.awssdk:utils:jar:2.17.97:compile
| +- software.amazon.awssdk:aws-core:jar:2.17.97:compile
| +- software.amazon.awssdk:metrics-spi:jar:2.17.97:compile
| +- software.amazon.awssdk:apache-client:jar:2.17.97:runtime
| \- software.amazon.awssdk:netty-nio-client:jar:2.17.97:runtime
| +- io.netty:netty-codec-http:jar:4.1.94.Final:compile
| +- io.netty:netty-codec-http2:jar:4.1.94.Final:compile
Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability introduced by a package you're using:
Line 77 lists a dependency (io.netty:netty-codec-http2) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected versions of io.netty:netty-codec-http2 are vulnerable to Uncontrolled Resource Consumption. The vulnerability arises when a client issues frequent RST frames, potentially leading to server overload and facilitating a DDoS attack by imposing a significant load on the remote system.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 4.1.100.Final at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability introduced by a package you're using:
Line 77 lists a dependency (io.netty:netty-codec-http2) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected versions of io.netty:netty-codec-http2 are vulnerable to Uncontrolled Resource Consumption. The vulnerability arises when a client issues frequent RST frames, potentially leading to server overload and facilitating a DDoS attack by imposing a significant load on the remote system.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 4.1.100.Final at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

| +- io.netty:netty-codec:jar:4.1.94.Final:compile
| +- io.netty:netty-transport:jar:4.1.94.Final:compile
| | \- io.netty:netty-resolver:jar:4.1.94.Final:compile
| +- io.netty:netty-common:jar:4.1.94.Final:compile
Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium severity issue identified in one of your dependencies:
Line 81 lists a dependency (io.netty:netty-common) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 4.1.115.Final at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium severity issue identified in one of your dependencies:
Line 81 lists a dependency (io.netty:netty-common) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 4.1.115.Final at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| +- io.netty:netty-buffer:jar:4.1.94.Final:compile
| +- io.netty:netty-handler:jar:4.1.94.Final:compile
Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 83 lists a dependency (io.netty:netty-handler) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 4.1.118.Final at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 83 lists a dependency (io.netty:netty-handler) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 4.1.118.Final at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| | \- io.netty:netty-transport-native-unix-common:jar:4.1.94.Final:compile
| +- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.94.Final:compile
| | \- io.netty:netty-transport-classes-epoll:jar:4.1.94.Final:compile
| \- com.typesafe.netty:netty-reactive-streams-http:jar:2.0.5:runtime
| \- com.typesafe.netty:netty-reactive-streams:jar:2.0.5:runtime
+- software.amazon.awssdk:s3:jar:2.17.97:compile
| +- software.amazon.awssdk:aws-xml-protocol:jar:2.17.97:compile
| | \- software.amazon.awssdk:aws-query-protocol:jar:2.17.97:compile
| +- software.amazon.awssdk:arns:jar:2.17.97:compile
| \- software.amazon.awssdk:profiles:jar:2.17.97:compile
+- software.amazon.awssdk:kms:jar:2.17.97:compile
+- com.amazonaws:aws-java-sdk-secretsmanager:jar:1.12.173:compile
| +- com.amazonaws:aws-java-sdk-core:jar:1.12.173:compile
| | +- commons-logging:commons-logging:jar:1.1.3:compile
| | +- software.amazon.ion:ion-java:jar:1.0.2:compile
Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 98 lists a dependency (software.amazon.ion:ion-java) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency as soon as a patched version is available.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 98 lists a dependency (software.amazon.ion:ion-java) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency as soon as a patched version is available.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| | +- com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:jar:2.13.5:compile
| | \- joda-time:joda-time:jar:2.8.1:compile
| \- com.amazonaws:jmespath-java:jar:1.12.173:compile
+- org.springframework.boot:spring-boot-starter-test:jar:2.7.14:test
| +- org.springframework.boot:spring-boot-test:jar:2.7.14:test
| +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.7.14:test
| +- com.jayway.jsonpath:json-path:jar:2.7.0:test
Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium severity issue identified in one of your dependencies:
Line 105 lists a dependency (com.jayway.jsonpath:json-path) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 2.9.0 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium severity issue identified in one of your dependencies:
Line 105 lists a dependency (com.jayway.jsonpath:json-path) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 2.9.0 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| | \- net.minidev:json-smart:jar:2.4.11:test
| | \- net.minidev:accessors-smart:jar:2.4.11:test
| | \- org.ow2.asm:asm:jar:9.3:test
| +- jakarta.xml.bind:jakarta.xml.bind-api:jar:2.3.3:compile
| | \- jakarta.activation:jakarta.activation-api:jar:1.2.2:compile
| +- org.assertj:assertj-core:jar:3.22.0:test
| +- org.hamcrest:hamcrest:jar:2.2:test
| +- org.junit.jupiter:junit-jupiter:jar:5.8.2:test
| | +- org.junit.jupiter:junit-jupiter-api:jar:5.8.2:test
| | | +- org.opentest4j:opentest4j:jar:1.2.0:test
| | | +- org.junit.platform:junit-platform-commons:jar:1.8.2:test
| | | \- org.apiguardian:apiguardian-api:jar:1.1.2:test
| | +- org.junit.jupiter:junit-jupiter-params:jar:5.8.2:test
| | \- org.junit.jupiter:junit-jupiter-engine:jar:5.8.2:test
| | \- org.junit.platform:junit-platform-engine:jar:1.8.2:test
| +- org.mockito:mockito-core:jar:4.5.1:test
| | +- net.bytebuddy:byte-buddy-agent:jar:1.12.23:test
| | \- org.objenesis:objenesis:jar:3.2:test
| +- org.mockito:mockito-junit-jupiter:jar:4.5.1:test
| +- org.skyscreamer:jsonassert:jar:1.5.1:test
| +- org.springframework:spring-core:jar:5.3.29:compile
| | \- org.springframework:spring-jcl:jar:5.3.29:compile
| +- org.springframework:spring-test:jar:5.3.29:test
| \- org.xmlunit:xmlunit-core:jar:2.9.1:test
+- org.json:json:jar:20230227:compile
Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability introduced by a package you're using:
Line 130 lists a dependency (org.json:json) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected versions of org.json:json are vulnerable to a denial of service (DoS) attack.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 20231013 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability introduced by a package you're using:
Line 130 lists a dependency (org.json:json) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected versions of org.json:json are vulnerable to a denial of service (DoS) attack.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 20231013 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

+- com.sun.mail:javax.mail:jar:1.6.2:compile
| \- javax.activation:activation:jar:1.1:compile
+- org.apache.commons:commons-lang3:jar:3.12.0:compile
+- org.apache.commons:commons-collections4:jar:4.4:compile
+- org.glassfish.jersey.ext:jersey-bean-validation:jar:3.0.4:compile
| +- jakarta.inject:jakarta.inject-api:jar:2.0.0:compile
| +- org.glassfish.jersey.core:jersey-common:jar:2.35:compile
| | +- org.glassfish.hk2.external:jakarta.inject:jar:2.6.1:compile
| | \- org.glassfish.hk2:osgi-resource-locator:jar:1.0.3:compile
| +- org.glassfish.jersey.core:jersey-server:jar:2.35:compile
| | \- org.glassfish.jersey.core:jersey-client:jar:2.35:compile
| +- jakarta.validation:jakarta.validation-api:jar:2.0.2:compile
| +- jakarta.el:jakarta.el-api:jar:4.0.0:compile
| +- org.glassfish:jakarta.el:jar:3.0.4:compile
| \- jakarta.ws.rs:jakarta.ws.rs-api:jar:2.1.6:compile
+- org.modelmapper:modelmapper:jar:3.1.0:compile
+- org.aspectj:aspectjrt:jar:1.9.19:compile
+- org.aspectj:aspectjweaver:jar:1.9.19:compile
+- org.springframework.boot:spring-boot-starter-freemarker:jar:2.7.14:compile
| +- org.freemarker:freemarker:jar:2.3.32:compile
| \- org.springframework:spring-context-support:jar:5.3.29:compile
+- org.apache.commons:commons-csv:jar:1.8:compile
+- org.springframework.boot:spring-boot-starter-webflux:jar:2.7.14:compile
| +- org.springframework.boot:spring-boot-starter-reactor-netty:jar:2.7.14:compile
| | \- io.projectreactor.netty:reactor-netty-http:jar:1.0.34:compile
Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 155 lists a dependency (io.projectreactor.netty:reactor-netty-http) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 1.0.39 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 155 lists a dependency (io.projectreactor.netty:reactor-netty-http) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 1.0.39 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| | +- io.netty:netty-resolver-dns:jar:4.1.94.Final:compile
| | | \- io.netty:netty-codec-dns:jar:4.1.94.Final:compile
| | +- io.netty:netty-resolver-dns-native-macos:jar:osx-x86_64:4.1.94.Final:compile
| | | \- io.netty:netty-resolver-dns-classes-macos:jar:4.1.94.Final:compile
| | \- io.projectreactor.netty:reactor-netty-core:jar:1.0.34:compile
Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 160 lists a dependency (io.projectreactor.netty:reactor-netty-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 1.0.39 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 160 lists a dependency (io.projectreactor.netty:reactor-netty-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 1.0.39 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| | \- io.netty:netty-handler-proxy:jar:4.1.94.Final:compile
| | \- io.netty:netty-codec-socks:jar:4.1.94.Final:compile
| \- org.springframework:spring-webflux:jar:5.3.29:compile
Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 163 lists a dependency (org.springframework:spring-webflux) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 6.1.13 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 163 lists a dependency (org.springframework:spring-webflux) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 6.1.14 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 163 lists a dependency (org.springframework:spring-webflux) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 6.1.13 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 163 lists a dependency (org.springframework:spring-webflux) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 6.1.14 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| \- io.projectreactor:reactor-core:jar:3.4.31:compile
+- org.springframework.cloud:spring-cloud-starter-openfeign:jar:3.1.3:compile
| +- org.springframework.cloud:spring-cloud-starter:jar:3.1.3:compile
| | +- org.springframework.cloud:spring-cloud-context:jar:3.1.3:compile
| | \- org.springframework.security:spring-security-rsa:jar:1.0.10.RELEASE:compile
| | \- org.bouncycastle:bcpkix-jdk15on:jar:1.68:compile
| +- org.springframework.cloud:spring-cloud-openfeign-core:jar:3.1.3:compile
| | \- io.github.openfeign.form:feign-form-spring:jar:3.8.0:compile
| | \- io.github.openfeign.form:feign-form:jar:3.8.0:compile
| +- org.springframework.cloud:spring-cloud-commons:jar:3.1.3:compile
| | \- org.springframework.security:spring-security-crypto:jar:5.7.10:compile
Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 174 lists a dependency (org.springframework.security:spring-security-crypto) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.7.16 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 174 lists a dependency (org.springframework.security:spring-security-crypto) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.7.16 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| +- io.github.openfeign:feign-core:jar:11.8:compile
| \- io.github.openfeign:feign-slf4j:jar:11.8:compile
+- io.github.openfeign:feign-httpclient:jar:11.8:compile
+- org.springframework.cloud:spring-cloud-starter-sleuth:jar:3.1.3:compile
| +- org.springframework.cloud:spring-cloud-sleuth-autoconfigure:jar:3.1.3:compile
| | \- org.springframework.cloud:spring-cloud-sleuth-instrumentation:jar:3.1.3:compile
| | \- org.springframework.cloud:spring-cloud-sleuth-api:jar:3.1.3:compile
| \- org.springframework.cloud:spring-cloud-sleuth-brave:jar:3.1.3:compile
| +- io.zipkin.brave:brave:jar:5.13.9:compile
| +- io.zipkin.brave:brave-context-slf4j:jar:5.13.9:compile
| +- io.zipkin.brave:brave-instrumentation-messaging:jar:5.13.9:compile
| +- io.zipkin.brave:brave-instrumentation-rpc:jar:5.13.9:compile
| +- io.zipkin.brave:brave-instrumentation-spring-rabbit:jar:5.13.9:compile
| +- io.zipkin.brave:brave-instrumentation-kafka-clients:jar:5.13.9:compile
| +- io.zipkin.brave:brave-instrumentation-kafka-streams:jar:5.13.9:compile
| +- io.zipkin.brave:brave-instrumentation-httpclient:jar:5.13.9:compile
| | \- io.zipkin.brave:brave-instrumentation-http:jar:5.13.9:compile
| +- io.zipkin.brave:brave-instrumentation-httpasyncclient:jar:5.13.9:compile
| +- io.zipkin.brave:brave-instrumentation-jms:jar:5.13.9:compile
| +- io.zipkin.brave:brave-instrumentation-mongodb:jar:5.13.9:compile
| +- io.zipkin.aws:brave-propagation-aws:jar:0.21.3:compile
| \- io.zipkin.reporter2:zipkin-reporter-metrics-micrometer:jar:2.16.3:compile
| \- io.zipkin.reporter2:zipkin-reporter:jar:2.16.3:compile
| \- io.zipkin.zipkin2:zipkin:jar:2.23.2:compile
+- org.springframework.boot:spring-boot-starter-security:jar:2.7.14:compile
| +- org.springframework:spring-aop:jar:5.3.29:compile
| +- org.springframework.security:spring-security-config:jar:5.7.10:compile
| | \- org.springframework.security:spring-security-core:jar:5.7.10:compile
Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 202 lists a dependency (org.springframework.security:spring-security-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.7.12 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity issue identified in one of your dependencies:
Line 202 lists a dependency (org.springframework.security:spring-security-core) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.7.12 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

| \- org.springframework.security:spring-security-web:jar:5.7.10:compile
Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical severity issue identified in one of your dependencies:
Line 203 lists a dependency (org.springframework.security:spring-security-web) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.7.13 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical severity issue identified in one of your dependencies:
Line 203 lists a dependency (org.springframework.security:spring-security-web) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.7.13 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical severity issue identified in one of your dependencies:
Line 203 lists a dependency (org.springframework.security:spring-security-web) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.7.13 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

Copy link

@private-semgrep-app private-semgrep-app bot Jun 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical severity issue identified in one of your dependencies:
Line 203 lists a dependency (org.springframework.security:spring-security-web) with a known vulnerability. Your code doesn't use the vulnerable functionality (making it unreachable), but this dependency could pose a potential risk in the future.

To resolve this comment:
Upgrade this dependency to at least version 5.7.13 at maven_dep_tree.txt.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Your security policy comments on findings when they are unreachable — contact your Semgrep admin to update this. You can view more details on this finding in the Semgrep AppSec Platform here.

+- org.apache.httpcomponents:httpclient:jar:4.5.14:compile
| +- org.apache.httpcomponents:httpcore:jar:4.4.16:compile
| \- commons-codec:commons-codec:jar:1.15:compile
+- jakarta.persistence:jakarta.persistence-api:jar:2.2.3:compile
+- org.reflections:reflections:jar:0.9.12:compile
| \- org.javassist:javassist:jar:3.26.0-GA:compile
+- com.amazonaws:elasticache-java-cluster-client:jar:1.2.2:compile
+- org.mockito:mockito-inline:jar:4.5.1:test
+- javax.validation:validation-api:jar:2.0.1.Final:compile
\- org.projectlombok:lombok:jar:1.18.26:provided