Tags: java, maven, junit, dependencies

Java - Maven rest-assured library has warning: transitive vulnerable dependency commons-codec:commons-codec:1.11


Problem

Adding the rest-assured dependency gives this warning:


Provides transitive vulnerable dependency commons-codec:commons-codec:1.11
  • IDE: Intellij - 222.4554.10
  • Build tool: Maven
  • Jar with error: rest-assured
  • Warning: 'Cxeb68d52e-5509 3.7 Exposure of Sensitive Information to an Unauthorized Actor vulnerability pending CVSS allocation'
        <dependency>
            <groupId>io.rest-assured</groupId>
            <artifactId>rest-assured</artifactId>
            <version>5.3.0</version>
            <scope>test</scope>
        </dependency>

pom.xml

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>artifactId</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>17</maven.compiler.source>
        <maven.compiler.target>17</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    </properties>

    <dependencies>
        <dependency>
            <groupId>io.rest-assured</groupId>
            <artifactId>rest-assured</artifactId>
            <version>5.3.0</version>
            <scope>test</scope>
        </dependency>

        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.13.2</version>
            <scope>test</scope>
        </dependency>

    </dependencies>

</project>

Questions

  • How can I remove this warning?
  • What does this warning mean in general?

Solution

    • The rest-assured dependency you are using is providing a transitive dependency on commons-codec:commons-codec:1.11, which has a known security vulnerability. The warning is indicating that there's a potential risk of exposing sensitive information to unauthorized actors due to this vulnerability.

    • To remove this warning, you can either exclude the vulnerable dependency from the rest-assured dependency or add the latest version of commons-codec as a separate dependency.


    <dependency>
        <groupId>io.rest-assured</groupId>
        <artifactId>rest-assured</artifactId>
        <version>5.3.0</version>
        <scope>test</scope>
        <exclusions>
            <exclusion>
                <groupId>commons-codec</groupId>
                <artifactId>commons-codec</artifactId>
            </exclusion>
        </exclusions>
    </dependency>
    

    OR

    <dependency>
        <groupId>commons-codec</groupId>
        <artifactId>commons-codec</artifactId>
        <version>1.15</version>
    </dependency>
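A third way to silence the warning, added here as an editor's example and not part of the answer above: pin commons-codec in `<dependencyManagement>` so Maven resolves 1.15 wherever the artifact enters the graph (for rest-assured 5.3.0 that is through Apache HttpClient) without either excluding it or declaring it as a direct dependency of your own code. The pom below is the question's pom.xml with that section and a version property added; it assumes 1.15 is the release you want, which is the version the answer names.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>artifactId</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>17</maven.compiler.source>
        <maven.compiler.target>17</maven.compiler.target>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <!-- Single place to bump when the next commons-codec advisory appears.
             1.15 is assumed here because the answer names it; check for newer releases. -->
        <commons-codec.version>1.15</commons-codec.version>
    </properties>

    <!-- dependencyManagement does not add commons-codec to this project; it only
         fixes the version Maven picks whenever some dependency (rest-assured's
         HttpClient today, anything else tomorrow) asks for it. The jar stays on
         the classpath, so nothing inside rest-assured loses the classes it needs. -->
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>commons-codec</groupId>
                <artifactId>commons-codec</artifactId>
                <version>${commons-codec.version}</version>
            </dependency>
        </dependencies>
    </dependencyManagement>

    <dependencies>
        <dependency>
            <groupId>io.rest-assured</groupId>
            <artifactId>rest-assured</artifactId>
            <version>5.3.0</version>
            <scope>test</scope>
        </dependency>

        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.13.2</version>
            <scope>test</scope>
        </dependency>
    </dependencies>
</project>
```

Check the result with `mvn dependency:tree -Dincludes=commons-codec:commons-codec`; the only commons-codec entry should now be 1.15, still in test scope under rest-assured. Two caveats on the answer's options: a bare exclusion with no replacement removes the jar from the test classpath entirely, so any code path in rest-assured or HttpClient that loads a commons-codec class will fail at runtime with NoClassDefFoundError, and declaring commons-codec 1.15 as a direct dependency without `<scope>test</scope>` promotes a test-only library into your application's compile and runtime classpath and packaged artifact. Whichever fix you choose, the scanner is reporting the resolved version, so re-run the IDE's dependency check (or the Maven tree) after the change rather than assuming the pom edit was enough.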