java - How to remediate vulnerable dependency used by another library which I used in my project?

Question

I am using Apache Maven 3.6.3 & Spring boot 1.5 without micro service Architecture. I am working on a task to remediate vulnerable dependencies currently present in the dependency tree of our project. logback-classic is one of those dependencies. I can change the version of top-level dependencies (in top level pom) but I am not able to upgrade its version from 1.11.1 to 1.2.3 for logback-dependency present in spring-boot-starter-web starter used in one of child POM.

I am able to exclude such versions as-

<dependencies>
   <dependency>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-web</artifactId>
     <version>2.2.0.RELEASE</version>
     <exclusions>
        <exclusion>
            <groupId>ch.qos.logback</groupId>
            <artifactId>logback-classic</artifactId>
        </exclusion>
     </exclusions>
</dependency>

However, I am not able to update the version of same dependency present in dependency tree of spring-boot-starter-web starter of one of JAR in project. I tried to provide update of version using < dependencyManagement > tag as-

<project>
   ......
   <dependencyManagement>
        <dependencies>
             <dependency>
                  <groupId>ch.qos.logback</groupId>
                  <artifactId>logback-classic</artifactId>
                  <version>1.2.3</version>
                  <type>pom</type>
                  <scope>import</scope>
             </dependency>
        </dependencies>
   </dependencyManagement>

   <dependencies>
      <dependency>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-web</artifactId>
         <version>2.2.0.RELEASE</version>
         <exclusions>
            <exclusion>
               <groupId>ch.quos.logback</groupId>
               <artifactId>logback-classic</artifactId>
            </exclusion>
         </exclusions>
      </dependency>
      ........
   </dependencies>

   ......
<project>

Note- In < dependencyManagement >, initially I tried without < type > & < scope > tags as well but anyhow I am only able to exclude vulnerable logback-classic dependency but I can't update this to 1.2.3 inside spring-boot-starter-web present in that particular child pom.

question from:https://stackoverflow.com/questions/65851138/how-to-remediate-vulnerable-dependency-used-by-another-library-which-i-used-in-m

Answer 1

The Library You Mentioned (Logback-classic) Has Many Compatability Problems Reported

As You Can See Here In The Related Issue On Its Repository

I Recommend That You Try Different Version Of Spring (Newer Ones) And Check The Result Search Around In The Github Issues For Versions And Updates You Might Find Something