
Conversation

@bol444 (Collaborator) commented Nov 5, 2025

What is the purpose of this change?

Vulnerability fix: CVE-2025-8916 - upgrade Bouncy Castle to 1.79 by overriding bcprov-jdk18on version in parent POM dependencyManagement

How was this change implemented?

Updated the pom file.

Note: The vulnerable Bouncy Castle library is a transitive dependency brought in by spring-security-rsa:1.1.3, but the newest version, spring-security-rsa:1.1.5, still uses Bouncy Castle 1.78:

(screenshot: Screenshot 2025-11-05 at 3 57 49 PM)

How was this change tested?

Made sure all ITs pass and checked the dependency tree.

Before the fix:

(screenshot: Screenshot 2025-11-05 at 3 52 29 PM)

After the fix:

(screenshot: Screenshot 2025-11-05 at 4 23 56 PM)

Is there anything the reviewers should focus on/be aware of?

No
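As an added illustration of the technique the PR describes (this is not the PR's own diff, which is only shown in the screenshots above): a parent-POM fragment that pins the transitive bcprov-jdk18on to 1.79 through dependencyManagement, plus a maven-enforcer-plugin bannedDependencies rule so the build fails if any dependency path ever resolves an older bcprov-jdk18on again. The Bouncy Castle groupId org.bouncycastle is the library's real coordinate; the enforcer plugin version and execution id are assumptions.

```xml
<!-- Added example, not the project's own pom.xml.
     Coordinates for Bouncy Castle are real; the enforcer plugin version
     and execution id are assumptions. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Pin the transitive bcprov-jdk18on (brought in via spring-security-rsa)
           to 1.79. A dependencyManagement entry in the parent POM overrides the
           version declared by the intermediate dependency's own POM, so no
           exclusion plus re-declaration of the artifact is needed. -->
      <dependency>
        <groupId>org.bouncycastle</groupId>
        <artifactId>bcprov-jdk18on</artifactId>
        <version>1.79</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- Guard rail: fail the build if any path in the resolved tree still
           yields a bcprov-jdk18on older than 1.79, e.g. after someone removes
           the pin above or a future dependency bump reintroduces 1.78. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.4.1</version> <!-- assumed; any current 3.x release works -->
        <executions>
          <execution>
            <id>ban-vulnerable-bouncycastle</id> <!-- assumed id -->
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <!-- check transitive dependencies, not only direct ones -->
                  <searchTransitive>true</searchTransitive>
                  <excludes>
                    <!-- version range: every version below 1.79 is banned -->
                    <exclude>org.bouncycastle:bcprov-jdk18on:[,1.79)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

To confirm the override took effect, `mvn dependency:tree -Dincludes=org.bouncycastle` prints only the Bouncy Castle nodes of the tree, which is the same check the "before/after" screenshots show. One caveat: Bouncy Castle modules are released in lockstep, so if the tree also contains bcpkix-jdk18on or bcutil-jdk18on they should be pinned to the same version as bcprov-jdk18on, since mixing versions across those artifacts can fail at runtime.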

@bol444 bol444 requested a review from moodiRealist November 6, 2025 12:30
@bol444 (Collaborator, Author) commented Nov 6, 2025

Decided to exclude this vulnerability for now; the details are documented here: https://sol-jira.atlassian.net/browse/DATAGO-109272

@bol444 bol444 closed this Nov 6, 2025
