As part of a security scan, this vulnerability is shown with commons-codec 1.11 (which needs to be upgraded to 1.13), but this dependency is pulled in by aws-sdk:ssm -> httpclient -> commons-codec.
I am looking for a work-around; I understand the proper fix needs to be done by aws-sdk:ssm.
Is there a way to resolve it? I already upgraded to the latest aws-sdk, but it is still using the old version.
implementation platform('software.amazon.awssdk:bom:2.17.230')
implementation 'software.amazon.awssdk:regions'
implementation 'software.amazon.awssdk:ssm'
CodePudding user response:
Use the strictly version option to override the version present in the final package:
implementation('commons-codec:commons-codec') {
    version {
        strictly '1.15'
    }
}
After this config, the final package zip contains codec 1.15, not the 1.11 referenced by httpClient. It worked without any issues, but it will break if there are any breaking changes between the versions.
Ref: https://docs.gradle.org/current/userguide/dependency_downgrade_and_exclude.html
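As an added example (not from the original question or answer), the same pin written as a dependency constraint, which takes effect only for the transitively pulled-in commons-codec without declaring a new direct dependency, plus a task that fails the build if resolution ever drifts off the pinned version. The pinned version 1.15 and the task name are assumptions.

```groovy
// build.gradle (Groovy DSL). Added example, not from the original post:
// pins the transitive commons-codec via a constraint instead of a direct
// dependency, and adds a task that fails the build if the pin did not take.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    implementation platform('software.amazon.awssdk:bom:2.17.230')
    implementation 'software.amazon.awssdk:regions'
    implementation 'software.amazon.awssdk:ssm'

    constraints {
        // A constraint only applies when something else already brings
        // commons-codec in (here: httpclient via ssm); it adds no direct
        // dependency of its own.
        implementation('commons-codec:commons-codec') {
            version { strictly '1.15' }
            because 'scanner flags 1.11 pulled in via aws-sdk ssm -> httpclient'
        }
    }
}

// Fail fast if resolution yields a version other than the pinned one,
// e.g. after a future aws-sdk bump or an accidentally removed constraint.
tasks.register('verifyCodecVersion') {
    def expected = '1.15'   // assumption: the version the team decided to pin
    doLast {
        def codec = configurations.runtimeClasspath
                .resolvedConfiguration.resolvedArtifacts
                .find { it.moduleVersion.id.group == 'commons-codec' &&
                        it.moduleVersion.id.name == 'commons-codec' }
        if (codec == null) {
            throw new GradleException('commons-codec is not on the runtime classpath')
        }
        def actual = codec.moduleVersion.id.version
        if (actual != expected) {
            throw new GradleException("commons-codec resolved to ${actual}, expected ${expected}")
        }
        println "commons-codec resolved to ${actual}"
    }
}

tasks.named('check') { dependsOn 'verifyCodecVersion' }
```

Running `gradle dependencyInsight --dependency commons-codec --configuration runtimeClasspath` shows which rule selected 1.15 and which dependency path first requested 1.11, which is the evidence to attach to the scan finding.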