我们正在使用Springorg.springframework.boot" version '2.7.5',我们发现了一些bouncycastle漏洞,这些漏洞在我们的项目中只有传递依赖性。
我们想指定最新版本的 bouncycastle,因为它在这里描述覆盖依赖版本与弹簧引导
ext['bouncycastle.version'] = '1.72'
尝试这个后仍然破产,它显示了旧的依赖性。知道缺少什么吗?
面向bouncycastle的依赖项见解
gradlew dependencyInsight --dependency bouncycastle --configuration compileClasspath
结果
org.bouncycastle:bcpkix-jdk15on:1.69
--- org.springframework.security:spring-security-rsa:1.0.11.RELEASE
+--- org.springframework.cloud:spring-cloud-dependencies:2021.0.4
| --- compileClasspath
--- org.springframework.cloud:spring-cloud-starter:3.1.4
+--- org.springframework.cloud:spring-cloud-dependencies:2021.0.4 (*)
--- org.springframework.cloud:spring-cloud-starter-sleuth:3.1.4
+--- compileClasspath (requested org.springframework.cloud:spring-cloud-starter-sleuth)
--- org.springframework.cloud:spring-cloud-dependencies:2021.0.4 (*)
我可以通过使用 gradle 约束来解决这个问题
implementation 'org.springframework.cloud:spring-cloud-starter-sleuth'
constraints {
implementation 'org.bouncycastle:bcprov-jdk15on:1.70'
implementation 'org.bouncycastle:bcpkix-jdk15on:1.70'
implementation 'org.bouncycastle:bcutil-jdk15on:1.70'
}
或者通过排除它并手动添加所需的依赖项
configurations.all {
exclude group:"org.bouncycastle", module: "bcprov-jdk15on"
exclude group:"org.bouncycastle", module: "bcutil-jdk15on"
exclude group:"org.bouncycastle", module: "bcpkix-jdk15on"
}
implementation 'org.bouncycastle:bcprov-jdk18on:1.72'
implementation 'org.bouncycastle:bcpkix-jdk18on:1.72'
implementation 'org.bouncycastle:bcutil-jdk18on:1.72'