Support for Apigee Edge version 1.3.4 dependency updates to reduce the number of vulnerabilities

[spjohn85]

@ssvaidyanathan - We are using the 1.3.4 version of this deploy tool and when we download the dependencies, we are running into lot of violations for dependent pom files. Are there any plans to migrate them to latest versions to reduce the violations ?

I can help provide a report of violations from our customer environment if needed to private email address, but its quite a lot.

[ssvaidyanathan]

@spjohn85 - pls do send it to ssvaidyanathan@google.com

[spjohn85]

@ssvaidyanathan - I did share this over email. Do you have any thoughts on how to resolve them ?

[ssvaidyanathan]

@spjohn85 - am still working on this. Been busy with a few other deliverables.
Feel free to submit a PR if you can update the pom dependencies and then am happy to merge that as well.

[ssvaidyanathan]

@spjohn85 - can you pls confirm the sheet you sent with all the vulnerabilities is for the latest plugin? The versions you sent are not matching being used. Check this link for the pom dependencies. I want to be sure am working on the right codebase for fixing the versions

[spjohn85]

@ssvaidyanathan - Yes, its this version. The report might have contained the poms of config-maven-plugin (1.5.5) as well since we are using both the tools.

[ssvaidyanathan]

@spjohn85 - if I update a branch in this repo, will you be able to run a report pointing to that and see if it made any difference?

[spjohn85]

@ssvaidyanathan - If it can be downloaded from maven repository then I can get the report for new version. Its due to the process set currently, I cannot manually run them.

[udayjoshi88]

@ssvaidyanathan not sure if this is fixed or not. we still see vulnerabilities highlighted at https://mvnrepository.com/artifact/io.apigee.build-tools.enterprise4g/apigee-edge-maven-plugin/1.3.4 for <spring.version>5.3.27</spring.version>

[ssvaidyanathan]

Ack - will work on it as it involves more changes to the code itself.