Kamlesh A

Reputation: 21

feign client transitive dependency vulnerability issue apache commons fileupload 1.4 in gradle

In one of the projects, I am using spring cloud starter openfeign 3.1.2, which is internally using apache commons fileupload 1.4. Blackduck is raising a vulnerability issue with apache commons fileupload 1.4, so I need to use apache commons fileupload 1.5. How can I use spring cloud starter openfeign 3.1.2 with apache commons fileupload 1.5? Or is there any version of spring cloud starter openfeign which is using apache commons fileupload version 1.5?

implementation "org.springframework.cloud:spring-cloud-starter-openfeign:3.1.2"

Upvotes: 2

Views: 2064

Answers (3)

Abhijith jana

Reputation: 11

If you're using Spring Boot, then you set max-request-size or max-file-size:

spring:
  servlet:
    multipart:
      max-request-size: 20MB
      max-file-size: 20MB

or

import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class FileUploadConfig {

    @Bean
    public ServletFileUpload servletFileUpload() {
        DiskFileItemFactory factory = new DiskFileItemFactory();
        ServletFileUpload upload = new ServletFileUpload(factory);

        // Set the maximum number of file parts per request
        // (setFileCountMax exists from commons-fileupload 1.5 onwards)
        upload.setFileCountMax(3);  // Adjust this number based on your requirements

        return upload;
    }
}

Hope this will fix it.


Upvotes: 1

Sepideh

Reputation: 61

The warning indicates that the spring-cloud-starter-openfeign dependency transitively pulls in commons-fileupload:1.5, which has a potential Denial-of-Service (DoS) vulnerability. This vulnerability allows an attacker to send a large number of file uploads, overwhelming your application's resources.

Add the following exclusion to your pom.xml file:

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-openfeign</artifactId>
    <version>4.1.2</version>
    <exclusions>
        <exclusion>
            <groupId>commons-fileupload</groupId>
            <artifactId>commons-fileupload</artifactId>
        </exclusion>
    </exclusions>
</dependency>

Upvotes: 1

cyberbrain

Reputation: 5075

Gradle allows you to override versions of transitive dependencies as constraints. But it doesn't check if those new versions also actually work with your direct dependency; this is up to you as the developer or maintainer.

An example of how to override a version is given in the Gradle user guide (here the Groovy variant; I adapted it to your scenario, but you had better check and adapt it further):

dependencies {
    implementation 'org.springframework.cloud:spring-cloud-starter-openfeign'
    constraints {
        implementation('org.springframework.cloud:spring-cloud-starter-openfeign:3.1.2') {
            because 'previous versions have a bug impacting this application'
        }
        implementation('commons-fileupload:commons-fileupload:1.5') {
            because 'version 1.4 pulled from spring-cloud-starter-openfeign has vulnerabilities'
        }
    }
}

Upvotes: 0
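Since a constraint only takes effect as long as nothing else in the graph resolves differently, it is worth having the build itself check the resolved version. The following build.gradle is an added example (not from the question or any of the answers): it applies the same constraint and registers a task, with an assumed name, that fails the build if the runtime classpath still resolves commons-fileupload below 1.5.

```groovy
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    implementation 'org.springframework.cloud:spring-cloud-starter-openfeign:3.1.2'
    constraints {
        implementation('commons-fileupload:commons-fileupload:1.5') {
            because 'version 1.4 pulled in transitively is flagged by the scanner'
        }
    }
}

// Compare dotted numeric versions such as "1.4" and "1.5"; non-numeric parts count as 0.
int compareVersions(String left, String right) {
    def a = left.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    def b = right.tokenize('.').collect { it.isInteger() ? it.toInteger() : 0 }
    for (int i = 0; i < Math.max(a.size(), b.size()); i++) {
        int x = i < a.size() ? a[i] : 0
        int y = i < b.size() ? b[i] : 0
        if (x != y) return x <=> y
    }
    return 0
}

// Assumed task name. Fails the build if the resolved runtime classpath still
// carries commons-fileupload below 1.5, so a later starter upgrade that brings
// the old version back through another path is caught in CI.
tasks.register('verifyFileUploadVersion') {
    doLast {
        def minimum = '1.5'
        def found = configurations.runtimeClasspath.resolvedConfiguration.resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == 'commons-fileupload' && it.name == 'commons-fileupload' }
        found.each { id ->
            if (compareVersions(id.version, minimum) < 0) {
                throw new GradleException("commons-fileupload ${id.version} resolved on runtimeClasspath; ${minimum}+ required")
            }
            logger.lifecycle("commons-fileupload resolved to ${id.version}")
        }
    }
}

tasks.named('check') { dependsOn 'verifyFileUploadVersion' }
```

To see which path the version is coming from, `./gradlew dependencyInsight --dependency commons-fileupload --configuration runtimeClasspath` prints the resolution reason, including the constraint's `because` text.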
