Spring bot master db #467

Merged
vaibhav-db merged 9 commits into finos:spring-bot-master from deutschebank:spring-bot-master-db
Oct 29, 2025

@vaibhav-db

No description provided.

pranav-biyani-db and others added 4 commits July 7, 2025 14:55
Merge in SYMPHONYP/symphony-java-toolkit from spring-bot-master to spring-bot-master-db

* commit '7280971b267cf799f9676a4cb1f146cd94736055':
  Update allow-list.xml

@vaibhav-db requested a review from robmoffat September 9, 2025 11:57
@vaibhav-db

dependency check:

claim-bot-10.0.2-SNAPSHOT.jar: icu4j-77.1.jar (pkg:maven/com.ibm.icu/icu4j@77.1, cpe:2.3:a:icu-project:international_components_for_unicode:77.1:::::::, cpe:2.3:a:unicode:international_components_for_unicode:77.1:::::::): CVE-2025-5222(7.0)
claim-bot-10.0.2-SNAPSHOT.jar: netty-transport-4.1.124.Final.jar (pkg:maven/io.netty/netty-transport@4.1.124.Final, cpe:2.3:a:netty:netty:4.1.124:::::::): CVE-2025-58056(2.9), CVE-2025-58057(6.9)
claim-bot-10.0.2-SNAPSHOT.jar: reactor-netty-core-1.2.9.jar (cpe:2.3:a:netty:netty:1.2.9:::::::): CVE-2021-43797(6.5), CVE-2024-29025(5.3), CVE-2019-16869(7.5), CVE-2015-2156(7.5), CVE-2021-37136(7.5), CVE-2021-37137(7.5), CVE-2025-25193(5.5), CVE-2019-20445(9.1), CVE-2019-20444(9.1), CVE-2021-21295(5.9), CVE-2023-34462(6.5), CVE-2024-47535(5.5), CVE-2021-21290(5.5), CVE-2023-44487(7.5), CVE-2014-3488(5.0), CVE-2022-24823(5.5), CVE-2022-41881(7.5), CVE-2021-21409(5.9), CVE-2025-55163(8.2), CVE-2025-58056(2.9), CVE-2025-58057(6.9)
custom-help-bot-10.0.2-SNAPSHOT.jar: icu4j-72.1.jar (pkg:maven/com.ibm.icu/icu4j@72.1, cpe:2.3:a:icu-project:international_components_for_unicode:72.1:::::::, cpe:2.3:a:unicode:international_components_for_unicode:72.1:::::::): CVE-2025-5222(7.0)
custom-help-bot-10.0.2-SNAPSHOT.jar: netty-transport-classes-epoll-4.1.124.Final.jar (pkg:maven/io.netty/netty-transport-classes-epoll@4.1.124.Final, cpe:2.3:a:netty:netty:4.1.124:::::::): CVE-2025-58056(2.9), CVE-2025-58057(6.9)
custom-help-bot-10.0.2-SNAPSHOT.jar: reactor-netty-http-1.2.9.jar (cpe:2.3:a:netty:netty:1.2.9:::::::): CVE-2021-43797(6.5), CVE-2024-29025(5.3), CVE-2019-16869(7.5), CVE-2015-2156(7.5), CVE-2021-37136(7.5), CVE-2021-37137(7.5), CVE-2025-25193(5.5), CVE-2019-20445(9.1), CVE-2019-20444(9.1), CVE-2021-21295(5.9), CVE-2023-34462(6.5), CVE-2024-47535(5.5), CVE-2021-21290(5.5), CVE-2023-44487(7.5), CVE-2014-3488(5.0), CVE-2022-24823(5.5), CVE-2022-41881(7.5), CVE-2021-21409(5.9), CVE-2025-55163(8.2), CVE-2025-58056(2.9), CVE-2025-58057(6.9)
demo-bot-10.0.2-SNAPSHOT.jar: netty-transport-classes-kqueue-4.1.124.Final.jar (pkg:maven/io.netty/netty-transport-classes-kqueue@4.1.124.Final, cpe:2.3:a:netty:netty:4.1.124:::::::): CVE-2025-58056(2.9), CVE-2025-58057(6.9)
rooms-bot-10.0.2-SNAPSHOT.jar: netty-transport-native-unix-common-4.1.124.Final.jar (pkg:maven/io.netty/netty-transport-native-unix-common@4.1.124.Final, cpe:2.3:a:netty:netty:4.1.124:::::::): CVE-2025-58056(2.9), CVE-2025-58057(6.9)
teams-chat-workflow-spring-boot-starter-10.0.2-SNAPSHOT.jar (pkg:maven/org.finos.springbot/teams-chat-workflow-spring-boot-starter@10.0.2-SNAPSHOT, cpe:2.3:a:microsoft:teams:10.0.2:snapshot::::::): CVE-2025-53783(7.5)

All the jars showing in the dependency check are not vulnerable as per Maven.

We have added them to the allow list.

icu4j-77.1.jar this jar is non vulnerable, checked at maven site CVE-2025-5222
netty-transport-4.1.124.Final.jar this jar is non vulnerable, checked at maven site CVE-2025-58056 CVE-2025-58057
reactor-netty-core-1.2.9.jar this jar is non vulnerable, checked at maven site CVE-2021-43797 CVE-2024-29025 CVE-2019-16869 CVE-2015-2156 CVE-2021-37136 CVE-2021-37137 CVE-2025-25193 CVE-2019-20445 CVE-2019-20444 CVE-2021-21295 CVE-2023-34462 CVE-2024-47535 CVE-2021-21290 CVE-2023-44487 CVE-2014-3488 CVE-2022-24823 CVE-2022-41881 CVE-2021-21409 CVE-2025-55163 CVE-2025-58056 CVE-2025-58057
icu4j-72.1.jar this jar is non vulnerable, checked at maven site CVE-2025-5222
netty-transport-classes-epoll-4.1.124.Final.jar this jar is non vulnerable, checked at maven site CVE-2025-58056 CVE-2025-58057
reactor-netty-http-1.2.9.jar this jar is non vulnerable, checked at maven site CVE-2021-43797 CVE-2024-29025 CVE-2019-16869 CVE-2015-2156 CVE-2021-37136 CVE-2021-37137 CVE-2025-25193 CVE-2019-20445 CVE-2019-20444 CVE-2021-21295 CVE-2023-34462 CVE-2021-21290 CVE-2023-44487 CVE-2014-3488 CVE-2022-24823 CVE-2022-41881 CVE-2021-21409 CVE-2025-55163 CVE-2025-58056 CVE-2025-58057
netty-transport-classes-kqueue-4.1.124.Final.jar this jar is non vulnerable, checked at maven site CVE-2025-58056 CVE-2025-58057
netty-transport-native-unix-common-4.1.124.Final.jar this jar is non vulnerable, checked at maven site CVE-2025-58056 CVE-2025-58057
microsoft:teams this jar is non vulnerable, checked at maven site CVE-2025-53783

@vaibhav-db merged commit 532c06a into finos:spring-bot-master Oct 29, 2025
9 checks passed