> we do not consider it a vulnerability in Spring when Spring defines a vulnerable dependency version, because developers can override these versions
Moreover, these are all transitive dependencies. To give you more details: guava is brought in by the MockServer Java Client, which is already set to the current version; we can upgrade it here if there's an upgrade in that project. xstream comes from Netflix/eureka, which is also not our repo; however, we collaborate with that team extensively, so I have created a PR with the upgrade: Netflix/eureka#1552. Once they merge it and release it, we can upgrade it here. We get the version of woodstox from jackson-dataformat-xml, and we get the version of that from Boot, but Boot is currently at the highest version for the major-minor line, and a swap to another one won't be done in a patch release.
Describe the bug
Each of the following dependencies has vulnerabilities in the listed version:
- com.google.guava:guava:jar:19.0
- com.thoughtworks.xstream:xstream:jar:1.4.19
- com.fasterxml.woodstox:woodstox-core:jar:6.2.1

- https://mvnrepository.com/artifact/com.thoughtworks.xstream/xstream/1.4.19
- https://mvnrepository.com/artifact/com.google.guava/guava/19.0
- https://mvnrepository.com/artifact/com.fasterxml.woodstox/woodstox-core/6.2.1

Is there any plan to update these in the next versions?
Thank you.