Merge pull request #40 from DataDog/mborst/cc-vulns-runtime-fixes

mborst · web-flow · commit 66e625bddeaf · 2026-02-20T02:32:03.000-08:00
Fix CC runtime vuln deps (commons-io, lz4)
diff --git a/build.gradle b/build.gradle
@@ -115,6 +115,17 @@ subprojects {
       implementation("net.minidev:json-smart:2.5.0") {
         because("CVE-2023-1370 - transitive from json-path")
       }
+      implementation("commons-io:commons-io:2.14.0") {
+        because("CVE-2024-47554 - transitive from swagger-parser")
+      }
+    }
+  }
+
+  configurations.all {
+    resolutionStrategy {
+      dependencySubstitution {
+        substitute(module("org.lz4:lz4-java")).using(module("at.yawk.lz4:lz4-java:1.8.1"))
+      }
     }
   }
 

Original file line number	Diff line number	Diff line change
`@@ -115,6 +115,17 @@ subprojects {`
`115`	`115`	`implementation("net.minidev:json-smart:2.5.0") {`
`116`	`116`	`because("CVE-2023-1370 - transitive from json-path")`
`117`	`117`	`}`
	`118`	`+ implementation("commons-io:commons-io:2.14.0") {`
	`119`	`+ because("CVE-2024-47554 - transitive from swagger-parser")`
	`120`	`+ }`
	`121`	`+ }`
	`122`	`+ }`
	`123`	`+`
	`124`	`+ configurations.all {`
	`125`	`+ resolutionStrategy {`
	`126`	`+ dependencySubstitution {`
	`127`	`+ substitute(module("org.lz4:lz4-java")).using(module("at.yawk.lz4:lz4-java:1.8.1"))`
	`128`	`+ }`
`118`	`129`	`}`
`119`	`130`	`}`
`120`	`131`