[SWS-1033] Ehcache - OWASP Dependency Check issues Created: 28/Aug/18  Updated: 13/Sep/18  Resolved: 13/Sep/18

Status: Closed
Project: Spring Web Services
Component/s: Security
Affects Version/s: 3.0.3
Fix Version/s: 2.4.3, 3.0.4

Type: Improvement Priority: Major
Reporter: Petr Dvorak Assignee: Greg Turnquist
Resolution: Complete Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: HTML File Dependency-Check Report.htm     PNG File Screen Shot 2018-08-28 at 18.33.57.png     PNG File image.png    

 Description   

We have recently updated to Spring Boot 2.0.4 (currently the latest version) and our automatic testing has detected a big increase of issue count while checking dependencies (Jenkins Plugin for "OWASP Dependency Check").

The main "troublemaker" seems to be the Ehcache library that is available as a dependency in the current version of the Spring WS-Security (3.0.3).

Could you please have a look at the library, and give us a hint if it is secure to exclude it?



 Comments   
Comment by Petr Dvorak [ 31/Aug/18 ]

Hello, we managed to work around the issue with following Maven exclusions:

<dependency>
    <groupId>org.springframework.ws</groupId>
    <artifactId>spring-ws-security</artifactId>
    <exclusions>
        <exclusion>
            <artifactId>ehcache</artifactId>
            <groupId>net.sf.ehcache</groupId>
        </exclusion>
        <exclusion>
            <artifactId>geronimo-javamail_1.4_mail</artifactId>
            <groupId>org.apache.geronimo.javamail</groupId>
        </exclusion>
    </exclusions>
</dependency>
Comment by Greg Turnquist [ 12/Sep/18 ]

I'm introducing SpringBasedX509UserCache, which lets users migrate away from EhCache and toward Spring Framework's cache abstraction.

EhCacheBasedX509UserCache is deprecated, meaning in a future, major release, we'll be able to remove EhCache from the list of dependencies. For now, if you're not using it, you can simply exclude it as a dependency.

Comment by Petr Dvorak [ 13/Sep/18 ]

Greg Turnquist Thank you, Greg.

Generated at Tue Feb 25 19:09:54 UTC 2020 using Jira 7.13.8#713008-sha1:1606a5c1e7006e1ab135aac81f7a9566b2dbc3a6.