[SWS-1033] Ehcache - OWASP Dependency Check issues Created: 28/Aug/18 Updated: 13/Sep/18 Resolved: 13/Sep/18
| Field | Value |
|---|---|
| Project | Spring Web Services |
| Fix Version/s | 2.4.3, 3.0.4 |
| Reporter | Petr Dvorak |
| Assignee | Greg Turnquist |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |
| Attachments | Dependency-Check Report.htm, Screen Shot 2018-08-28 at 18.33.57.png, image.png |
We have recently updated to Spring Boot 2.0.4 (currently the latest version), and our automatic testing has detected a big increase in the issue count while checking dependencies (Jenkins plugin for "OWASP Dependency Check").
The main "troublemaker" seems to be the Ehcache library, which is available as a dependency in the current version of Spring WS-Security (3.0.3).
Could you please have a look at the library and give us a hint as to whether it is safe to exclude it?
Comment by Petr Dvorak [31/Aug/18]
Hello, we managed to work around the issue with the following Maven exclusions:
Comment by Greg Turnquist [12/Sep/18]
I'm introducing SpringBasedX509UserCache, which lets users migrate away from EhCache and toward Spring Framework's cache abstraction.
EhCacheBasedX509UserCache is deprecated, meaning that in a future major release we'll be able to remove EhCache from the list of dependencies. For now, if you're not using it, you can simply exclude it as a dependency.
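A Maven exclusion of the kind this thread describes, added here as an illustration; it is not the reporter's own exclusions (which are not reproduced on the page) nor part of the Spring WS project. The Ehcache coordinates `net.sf.ehcache:ehcache` are assumed from the Spring WS 3.0.x dependency tree, and the `spring-ws-security` version is left to Spring Boot's dependency management as in the reporter's setup.

```xml
<!-- Added example, not the reporter's configuration. Only valid if the
     application does not use EhCacheBasedX509UserCache (the maintainer's
     condition above). Ehcache coordinates are assumed; confirm with:
       mvn dependency:tree -Dincludes=net.sf.ehcache
     and re-run OWASP Dependency Check to verify the findings disappear. -->
<dependency>
  <groupId>org.springframework.ws</groupId>
  <artifactId>spring-ws-security</artifactId>
  <!-- version supplied by the spring-boot-dependencies BOM -->
  <exclusions>
    <exclusion>
      <groupId>net.sf.ehcache</groupId>
      <artifactId>ehcache</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

If the tree shows Ehcache still arriving through another artifact, the same `<exclusion>` has to be repeated on that dependency as well.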
Comment by Petr Dvorak [13/Sep/18]
Greg Turnquist Thank you, Greg.