
Dependency Audit #33

@00felix-app

Dependency Audit Overview

The tables below summarise a dependency audit based on our most recent Software Composition Analysis (SCA) scan. Several dependencies in this project need attention to keep it secure and maintainable.

Key Highlights:

  • Dependencies: The tables list the dependencies under review for upgrade and remediation, with transitive dependencies (↳) nested under the dependency that pulls them in.
  • Current vs. Target Versions: Each dependency is shown with its current version and the recommended target version.
  • Advisories: Counts of known advisories against the current version and against the recommended version are given alongside each, so you can see whether the target actually closes them.
  • ⚠️ Client-Server Dependencies: Some dependencies require version compatibility with your server infrastructure.

Action Items:

  1. Review Dependencies: Please take a moment to review the dependencies listed in the table.
  2. Plan Upgrades: For each dependency, consider the implications of upgrading to the target version. This may involve testing the new versions in a staging environment to ensure that existing functionality is not adversely affected.
  3. ⚠️ Client-Server Dependencies: Check the warnings below for dependencies that require version compatibility between client and server.

Dependency Health Overview

The following table lists dependencies that carry no direct advisories today but whose version in use was published more than 6 months ago (several of them do pull in vulnerable transitive dependencies; see the next section). Versions this old may no longer receive fixes, so they are likely to accumulate unremediated advisories later.

Risk Level reflects maintenance risk based on how long ago the version in use was published (older = higher risk):

| Dependency | Version in use | Published | Risk Level |
|---|---|---|---|
| com.squareup.okhttp:okhttp | 2.5.0 | 2015-08-26 | 🔴 HIGH |
| org.springframework.boot:spring-boot-starter-thymeleaf | 1.5.1.RELEASE | 2017-01-30 | 🔴 HIGH |
| org.springframework.boot:spring-boot-starter-actuator | 1.5.1.RELEASE | 2017-01-30 | 🔴 HIGH |
| org.springframework.cloud:spring-cloud-starter-netflix-eureka-client | 1.4.0.RELEASE | 2017-11-20 | 🔴 HIGH |
| org.mybatis.spring.boot:mybatis-spring-boot-starter | 1.3.2 | 2018-03-14 | 🔴 HIGH |

Security Vulnerabilities

The following table shows dependencies with security vulnerabilities that require attention. The counts in parentheses are advisories against the version in use (direct / via transitive dependencies) and advisories that remain in the recommended version; n/a means no recommended version is available. Nested rows (↳) are pulled in by the dependency above them. Rows whose recommended version still shows a non-zero count, or whose recommended version equals the current one, cannot be closed by a version bump alone.

| Dependency | Current version (direct / transitive advisories) | Recommended version (advisories remaining) |
|---|---|---|
| cn.hutool:hutool-all | 🔴 5.8.10 (2 / 0) | 🟢 5.8.21 (0) |
| com.alibaba:fastjson | 🔴 1.2.24 (1 / 0) | 🔴 1.2.31 (1) |
| com.fasterxml.jackson.core:jackson-core | 🔴 2.9.8 (2 / 0) | 🟢 2.15.0 (0) |
| com.fasterxml.jackson.core:jackson-databind | 🔴 2.9.8 (53 / 0) | 🟢 2.12.7.1 (0) |
| com.google.guava:guava | 🟠 23.0 (3 / 0) | 🟢 32.0.0-android (0) |
| com.jayway.jsonpath:json-path | 🟠 2.2.0 (1 / 3) | 🟢 2.9.0 (0) |
| ↳ net.minidev:json-smart | 🟠 2.2.1 (2 / 0) | 🟢 2.4.9 (0) |
| com.monitorjbl:xlsx-streamer | 🔴 2.0.0 (1 / 0) | 🟢 2.1.0 (0) |
| com.squareup.okhttp:okhttp | 🟢 2.5.0 (0 / 1) | 🟢 2.7.5 (0) |
| ↳ com.squareup.okio:okio | 🟠 1.6.0 (1 / 0) | 🟢 1.17.6 (0) |
| com.thoughtworks.xstream:xstream | 🔴 1.4.20 (1 / 0) | 🟢 1.4.21 (0) |
| commons-beanutils:commons-beanutils | 🔴 1.9.4 (1 / 0) | 🟢 1.11.0 (0) |
| commons-collections:commons-collections | 🔴 3.1 (2 / 0) | 🟢 3.2.2 (0) |
| commons-httpclient:commons-httpclient | 🟢 3.1 (1 / 0) | 🟢 20020423 (1) |
| commons-io:commons-io | 🟠 2.5 (2 / 0) | 🟢 2.14.0 (0) |
| commons-lang:commons-lang | 🟠 2.4 (1 / 0) | 🟠 2.6 (1) |
| commons-net:commons-net | 🟠 3.6 (1 / 0) | 🟢 3.9.0 (0) |
| io.springfox:springfox-swagger-ui | 🔴 2.9.2 (1 / 0) | 🟢 2.10.0 (0) |
| junit:junit | 🟠 4.12 (1 / 0) | 🟢 4.13.1 (0) |
| mysql:mysql-connector-java | 🔴 8.0.12 (5 / 9) | 🔴 8.0.30 (1) |
| ↳ com.google.protobuf:protobuf-java | 🟠 2.6.0 (4 / 0) | 🟢 3.25.5 (0) |
| org.apache.httpcomponents:httpclient | 🟠 4.5.12 (1 / 0) | 🟢 4.5.13 (0) |
| org.apache.logging.log4j:log4j-core | 🔴 2.9.1 (5 / 0) | 🟢 2.12.4 (0) |
| org.apache.poi:poi-ooxml | 🟠 3.9 (1 / 4) | 🟢 5.4.0 (0) |
| ↳ dom4j:dom4j | 🔴 1.6.1 (2 / 0) | 🔴 1.6.1 (2) |
| ↳ org.apache.poi:poi-ooxml-schemas | 🟢 3.9 (0 / 1) | 🟢 4.1.2 (0) |
| ↳↳ org.apache.xmlbeans:xmlbeans | 🔴 2.3.0 (1 / 0) | 🟢 3.0.0 (0) |
| org.apache.poi:poi | 🟠 3.10-FINAL (6 / 0) | 🟢 4.1.1 (0) |
| org.apache.shiro:shiro-core | 🔴 1.2.4 (9 / 0) | 🟢 1.13.0 (0) |
| org.apache.velocity:velocity | 🔴 1.7 (1 / 0) | n/a |
| org.dom4j:dom4j | 🔴 2.1.0 (3 / 0) | 🟢 2.1.4 (1) |
| org.jdom:jdom2 | 🟠 2.0.6 (1 / 0) | 🟢 2.0.6.1 (0) |
| org.jolokia:jolokia-core | 🔴 1.6.0 (1 / 0) | 🟢 1.6.1 (0) |
| org.jsoup:jsoup | 🟠 1.10.2 (2 / 0) | 🟢 1.15.3 (0) |
| org.mybatis.spring.boot:mybatis-spring-boot-starter | 🟢 1.3.2 (0 / 1) | 🟢 1.3.2 (0) |
| ↳ org.mybatis:mybatis | 🔴 3.4.6 (1 / 0) | 🟢 3.5.6 (0) |
| org.postgresql:postgresql | 🔴 42.3.1 (7 / 0) | 🟢 42.3.9 (0) |
| org.springframework.boot:spring-boot-starter-actuator | 🟢 1.5.1.RELEASE (0 / 1) | 🟢 4.1.0-M3 (0) |
| ↳ org.springframework.boot:spring-boot-actuator | 🟠 1.5.1.RELEASE (1 / 0) | 🟢 2.7.18 (0) |
| org.springframework.boot:spring-boot-starter-thymeleaf | 🟢 1.5.1.RELEASE (0 / 3) | 🟢 4.1.0-M3 (0) |
| ↳ nz.net.ultraq.thymeleaf:thymeleaf-layout-dialect | 🟢 1.4.0 (0 / 2) | 🟢 1.4.0 (0) |
| ↳↳ org.codehaus.groovy:groovy | 🔴 2.4.7 (2 / 0) | 🟢 2.4.21 (0) |
| ↳ org.thymeleaf:thymeleaf-spring4 | 🟢 2.1.5.RELEASE (0 / 1) | 🟢 3.0.15.RELEASE (0) |
| ↳↳ org.thymeleaf:thymeleaf | 🟢 2.1.5.RELEASE (0 / 1) | 🟢 3.1.3.RELEASE (0) |
| ↳↳↳ ognl:ognl | 🟠 3.0.8 (1 / 0) | 🟢 3.0.12 (0) |
| org.springframework.boot:spring-boot-starter-web | 🔴 1.5.1.RELEASE (1 / 67) | 🟢 2.5.12 (0) |
| ↳ org.hibernate:hibernate-validator | 🟠 5.3.4.Final (4 / 0) | 🟢 6.2.0.Final (0) |
| ↳ org.springframework.boot:spring-boot-starter-tomcat | 🟢 1.5.1.RELEASE (0 / 41) | 🟢 4.1.0-M3 (0) |
| ↳↳ org.apache.tomcat.embed:tomcat-embed-core | 🔴 8.5.11 (40 / 0) | 🔴 8.5.100 (11) |
| ↳↳ org.apache.tomcat.embed:tomcat-embed-websocket | 🟠 8.5.11 (1 / 0) | 🟢 8.5.99 (0) |
| ↳ org.springframework.boot:spring-boot-starter | 🟢 1.5.1.RELEASE (0 / 12) | 🟢 4.1.0-M3 (0) |
| ↳↳ org.springframework.boot:spring-boot-autoconfigure | 🟠 1.5.1.RELEASE (1 / 0) | 🟢 2.5.15 (0) |
| ↳↳ org.springframework.boot:spring-boot-starter-logging | 🟢 1.5.1.RELEASE (0 / 8) | 🟢 4.1.0-M3 (0) |
| ↳↳↳ ch.qos.logback:logback-classic | 🔴 1.1.9 (2 / 8) | 🟢 1.2.13 (0) |
| ↳↳↳↳ ch.qos.logback:logback-core | 🔴 1.1.9 (6 / 0) | 🟢 1.3.16 (0) |
| ↳↳ org.springframework.boot:spring-boot | 🔴 1.5.1.RELEASE (3 / 0) | 🟠 2.7.18 (1) |
| ↳ org.springframework:spring-web | 🔴 4.3.6.RELEASE (7 / 0) | 🔴 4.3.6.RELEASE (7) |
| ↳ org.springframework:spring-webmvc | 🔴 4.3.6.RELEASE (2 / 0) | 🟠 5.3.39 (4) |
| org.springframework.cloud:spring-cloud-starter-netflix-eureka-client | 🟢 1.4.0.RELEASE (0 / 46) | 🟢 5.0.1 (0) |
| ↳ com.netflix.eureka:eureka-client | 🟢 1.4.11 (0 / 12) | 🟢 2.0.5 (0) |
| ↳↳ com.netflix.netflix-commons:netflix-eventbus | 🟢 0.3.0 (0 / 7) | n/a |
| ↳↳↳ com.netflix.netflix-commons:netflix-infix | 🟢 0.3.0 (0 / 7) | n/a |
| ↳↳↳↳ com.google.code.gson:gson | 🔴 2.8.0 (1 / 0) | 🟢 2.8.9 (0) |
| ↳↳↳↳ commons-jxpath:commons-jxpath | 🔴 1.3 (6 / 0) | 🔴 1.3 (6) |
| ↳↳ org.codehaus.jettison:jettison | 🟠 1.3.7 (5 / 0) | 🟢 1.5.4 (0) |
| ↳ org.springframework.cloud:spring-cloud-starter-netflix-archaius | 🟢 1.4.0.RELEASE (0 / 1) | 🟢 2.2.10.RELEASE (0) |
| ↳↳ commons-configuration:commons-configuration | 🟠 1.8 (1 / 0) | 🟠 1.10 (1) |
| ↳ org.springframework.cloud:spring-cloud-starter-netflix-ribbon | 🟢 1.4.0.RELEASE (0 / 14) | 🟢 2.2.10.RELEASE (0) |
| ↳↳ com.netflix.ribbon:ribbon | 🟢 2.2.0 (0 / 14) | 🟢 2.7.18 (0) |
| ↳↳↳ io.reactivex:rxnetty | 🟢 0.4.9 (0 / 14) | 🟢 0.5.1 (0) |
| ↳↳↳↳ io.netty:netty-codec-http | 🔴 4.0.27.Final (6 / 12) | 🟢 4.1.125.Final (0) |
| ↳↳↳↳↳ io.netty:netty-codec | 🟠 4.0.27.Final (3 / 0) | 🟢 4.1.125.Final (0) |
| ↳↳↳↳↳ io.netty:netty-handler | 🟠 4.0.27.Final (3 / 0) | 🟠 4.1.94.Final (2) |
| ↳↳↳↳ io.netty:netty-transport-native-epoll | 🟢 4.0.27.Final (0 / 2) | 🟢 5.0.0.Alpha2 (0) |
| ↳↳↳↳↳ io.netty:netty-common | 🟠 4.0.27.Final (2 / 0) | 🟢 4.1.118.Final (0) |
| ↳ org.springframework.cloud:spring-cloud-starter | 🟢 1.1.3.RELEASE (0 / 19) | 🟢 5.0.1 (0) |
| ↳↳ org.springframework.cloud:spring-cloud-context | 🟢 1.1.3.RELEASE (0 / 1) | 🟢 1.1.3.RELEASE (0) |
| ↳↳↳ org.springframework.security:spring-security-crypto | 🟠 4.2.1.RELEASE (1 / 0) | 🟠 5.7.14 (1) |
| ↳↳ org.springframework.security:spring-security-rsa | 🟢 1.0.3.RELEASE (0 / 18) | 🟢 1.1.5 (0) |
| ↳↳↳ org.bouncycastle:bcpkix-jdk15on | 🟠 1.55 (1 / 18) | 🟠 1.70 (1) |
| ↳↳↳↳ org.bouncycastle:bcprov-jdk15on | 🟠 1.55 (17 / 0) | 🟠 1.70 (4) |
| org.springframework.data:spring-data-commons | 🟠 1.13.11.RELEASE (1 / 0) | 🟠 1.13.11.RELEASE (1) |
| org.springframework.security:spring-security-web | 🔴 4.2.12.RELEASE (3 / 22) | 🟢 5.7.13 (0) |
| ↳ org.springframework.security:spring-security-core | 🔴 4.2.1.RELEASE (8 / 0) | 🟢 5.7.14 (0) |
| ↳ org.springframework:spring-beans | 🔴 4.3.6.RELEASE (2 / 0) | 🟢 5.2.22.RELEASE (0) |
| ↳ org.springframework:spring-context | 🟠 4.3.6.RELEASE (3 / 0) | 🟠 5.3.39 (2) |
| ↳ org.springframework:spring-core | 🟠 4.3.6.RELEASE (6 / 0) | 🟢 4.3.20.RELEASE (0) |
| org.springframework:spring-expression | 🟠 4.3.16.RELEASE (4 / 0) | 🟢 5.3.39 (0) |
| org.yaml:snakeyaml | 🔴 1.21 (8 / 0) | 🟢 2.0 (0) |
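As an added example (not part of the 00felix report or its tooling), the script below parses rows in this table's format and separates findings that the recommended version fully closes from those it closes only partially or not at all, and names the lever for each: a direct bump for a declared dependency, or a pin of the transitive artifact via the dependency that pulls it in. It assumes the parenthesised counts are (direct / transitive) advisories against the version in use and advisories remaining in the recommended version, that n/a means no fixed version is known, and that nested ↳ rows sit under the dependency above them. The sample rows are a constructed excerpt copied from the table.

```python
"""Triage helper for audit rows in the format used above. Added example, not part
of the 00felix report. Assumed row format ("n/a" in place of a target when no fixed
version exists): <group:artifact> <icon> <version> (<direct> / <transitive>) <icon> <target> (<remaining>)
Nested rows carry one ↳ per level (pipe-table form) or two spaces of indent per level
and a single ↳ (flat form). SAMPLE_ROWS is a constructed excerpt of the table."""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_ROWS = """\
com.alibaba:fastjson 🔴 1.2.24 (1 / 0) 🔴 1.2.31 (1)
com.fasterxml.jackson.core:jackson-databind 🔴 2.9.8 (53 / 0) 🟢 2.12.7.1 (0)
com.jayway.jsonpath:json-path 🟠 2.2.0 (1 / 3) 🟢 2.9.0 (0)
  ↳ net.minidev:json-smart 🟠 2.2.1 (2 / 0) 🟢 2.4.9 (0)
org.apache.poi:poi-ooxml 🟠 3.9 (1 / 4) 🟢 5.4.0 (0)
  ↳ dom4j:dom4j 🔴 1.6.1 (2 / 0) 🔴 1.6.1 (2)
  ↳ org.apache.poi:poi-ooxml-schemas 🟢 3.9 (0 / 1) 🟢 4.1.2 (0)
    ↳ org.apache.xmlbeans:xmlbeans 🔴 2.3.0 (1 / 0) 🟢 3.0.0 (0)
org.apache.velocity:velocity 🔴 1.7 (1 / 0) n/a
"""

COORD = r"[\w.\-]+:[\w.\-]+"  # Maven group:artifact
ROW_RE = re.compile(
    rf"^(?P<indent> *)(?P<arrows>↳*)\s*(?P<coord>{COORD})\s+\S+\s+(?P<version>\S+)\s+"
    r"\((?P<direct>\d+)\s*/\s*(?P<transitive>\d+)\)\s+"
    r"(?:n/a|\S+\s+(?P<target>\S+)\s+\((?P<remaining>\d+)\))$"
)


@dataclass
class Finding:
    coord: str
    version: str
    direct: int
    transitive: int
    target: Optional[str]      # None when the row says n/a
    remaining: Optional[int]   # advisories still open in the target version
    parent: Optional["Finding"] = None

    @property
    def root(self) -> "Finding":
        """The top-level (directly declared) dependency this row sits under."""
        node = self
        while node.parent is not None:
            node = node.parent
        return node

    @property
    def status(self) -> str:
        """clean: target closes everything; partial: some remain; no-fix: nowhere to go."""
        if self.target is None or self.target == self.version:
            return "no-fix"
        return "partial" if self.remaining else "clean"


def _normalise(raw: str) -> str:
    """Flatten a pipe-delimited row into the bare form; keep indent of bare rows."""
    if raw.lstrip().startswith("|"):
        return " ".join(c.strip() for c in raw.strip().strip("|").split("|"))
    return raw.rstrip()


def parse_rows(text: str) -> list:
    """Parse rows into Findings, linking each nested row to the row it sits under."""
    findings, stack = [], []  # stack: (depth, Finding) of the open ancestors
    for raw in text.splitlines():
        line = _normalise(raw)
        if not re.search(COORD, line):
            continue  # blank line, header or separator row
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {raw!r}")
        depth = max(len(m["arrows"]), len(m["indent"]) // 2)
        while stack and stack[-1][0] >= depth:
            stack.pop()
        f = Finding(m["coord"], m["version"], int(m["direct"]), int(m["transitive"]),
                    m["target"], None if m["remaining"] is None else int(m["remaining"]),
                    stack[-1][1] if stack else None)
        findings.append(f)
        stack.append((depth, f))
    return findings


def triage(findings: list) -> dict:
    """Bucket rows by status, highest direct-advisory count first within each bucket."""
    buckets = {"clean": [], "partial": [], "no-fix": []}
    for f in findings:
        buckets[f.status].append(f)
    for rows in buckets.values():
        rows.sort(key=lambda f: f.direct, reverse=True)
    return buckets


def plan(findings: list) -> list:
    """One action per row, naming the lever that actually changes the resolved version."""
    actions = []
    for f in findings:
        if f.status == "no-fix":
            actions.append(f"{f.coord}: no fixed version; replace or mitigate")
        elif f.parent is None:
            tail = f" ({f.remaining} still open)" if f.remaining else ""
            actions.append(f"{f.coord}: upgrade {f.version} -> {f.target}{tail}")
        else:
            actions.append(f"{f.coord}: pin {f.target} (transitive via {f.root.coord})")
    return actions
```

Rows whose recommended version equals the current one or is n/a are the ones that need a replacement or a compensating control rather than a version bump. After pinning a transitive artifact, confirm with the build tool's dependency tree that the pinned version is what actually resolves, since the fix only counts once the resolved artifact changes.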

⚠️ Client-Server Dependencies Warning

The following dependencies require version compatibility between client and server:

| Dependency | Risk Level | Description |
|---|---|---|
| pkg:maven/mysql/mysql-connector-java@8.0.12 | 🔴 HIGH | The official JDBC driver for MySQL. The client driver version must be compatible with the MySQL server version to avoid protocol or authentication failures. |
| pkg:maven/commons-net/commons-net@3.6 | 🔴 HIGH | Client library for network protocols (FTP, SMTP, etc.). Client must match server protocol version to avoid connection failures. |
| pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.11 | 🔴 HIGH | Embedded HTTP server core; client browsers and tools must use HTTP protocol versions compatible with the server runtime. |
| pkg:maven/com.netflix.eureka/eureka-client@1.4.11 | 🔴 HIGH | A client for the Eureka service discovery server. The client version must match the server's API and protocol to ensure registration and heartbeat work correctly. |
| pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-eureka-client@1.4.0.RELEASE | 🔴 HIGH | Client for the Eureka service registry. Must match the Eureka server's API version to ensure proper service discovery and registration. |
| pkg:maven/org.jolokia/jolokia-core@1.6.0 | 🔴 HIGH | JMX over HTTP agent (server) and client library. Client and server versions must match due to JSON/HTTP protocol changes. |
| pkg:maven/org.apache.tomcat.embed/tomcat-embed-websocket@8.5.11 | 🔴 HIGH | Embedded WebSocket server; client browsers must use a compatible WebSocket protocol version supported by the server. |
| pkg:maven/org.springframework.boot/spring-boot-starter@1.5.1.RELEASE | 🔴 HIGH | Core starter for Spring Boot applications, often embedding a web server. Server version must match the Spring Boot ecosystem. |
| pkg:maven/org.postgresql/postgresql@42.3.1 | 🔴 HIGH | PostgreSQL JDBC driver. Client version must be compatible with the database server version to ensure correct protocol and feature support. |
| pkg:maven/org.springframework.boot/spring-boot@1.5.1.RELEASE | 🟡 MEDIUM | Framework for creating standalone Spring applications, often embedding a server. Major versions may introduce breaking changes to auto-configuration. |
| pkg:maven/org.springframework.boot/spring-boot-starter-tomcat@1.5.1.RELEASE | 🟡 MEDIUM | An embedded Tomcat server for Spring Boot. Server version must be compatible with the Servlet API and Spring Boot's auto-configuration. |
| pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-ribbon@1.4.0.RELEASE | 🟡 MEDIUM | This is a client-side load balancer for REST clients. It must be compatible with the service discovery server (e.g., Eureka) and the target microservices' API ver... |
| pkg:maven/org.springframework.cloud/spring-cloud-starter-netflix-archaius@1.4.0.RELEASE | 🟡 MEDIUM | Archaius is a configuration management client for Netflix OSS services. Client version must be compatible with the remote configuration server's API and data format. |
| pkg:maven/com.netflix.ribbon/ribbon@2.2.0 | 🟡 MEDIUM | A client-side load balancer for REST services. It must be compatible with the service discovery mechanism and other Netflix OSS components. |
| pkg:maven/org.springframework.boot/spring-boot-starter-web@1.5.1.RELEASE | 🟡 MEDIUM | Includes embedded Tomcat server; ensure client HTTP libraries are compatible with the server's HTTP/1.1 or HTTP/2 support. |

I will start working on this plan shortly; however, you can prompt me to take action immediately or suggest changes. For example:

Upgrade to target version:
@00felix upgrade org.group:artifact

or

Upgrade to specific version:
@00felix upgrade org.group:artifact@version

Set JDK version:
@00felix settings set jdk {version} (e.g., @00felix settings set jdk 17 to switch to Java 17 for compatibility requirements)

In response, I will create a remediation and generate a pull request for your review.
