The Blackduck scanning report resulted in a high vulnerability.

The transitive dependency path goes from org.springframework.boot:spring-boot-starter-webflux:jar:3.0.5 -> org.springframework.boot:spring-boot-starter-webflux:jar -> org.springframework.boot:spring-boot-starter-reactor-netty:jar and finally ends up in netty-codec.
Note: I changed the version of spring-boot-starter-webflux to 3.0.5 by adding the dependency.
The short-term recommendation provided is to upgrade netty-codec to version 4.1.90.Final. I added the netty-codec dependency in pom.xml:
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-codec</artifactId>
<version>4.1.90.Final</version>
</dependency>
But I am getting the error "Some Enforcer rules have failed.". The reason is shown in the following tree:
Dependency convergence error for org.springframework.boot:spring-boot-starter-reactor-netty:jar:2.6.9:compile paths to dependency are:
+-org.springframework.boot:spring-boot-starter-webflux:jar:3.0.5:compile
+-org.springframework.boot:spring-boot-starter-reactor-netty:jar:2.6.9:compile
If anyone knows the solution to resolve the problem, please help me here.
The problem is that the dependencies in the parent pom need to be overwritten. To do this the dependencyManagement tag should be used as follows:
and the ordinary dependency on io.netty:netty-codec:4.1.90.Final removed.
Of concern is the mixing of spring-boot-starter-parent:2.6.9 (Java 11 compatible) with spring-boot-starter-webflux:3.0.5 (not Java 11 compatible - requires Java 17). Are all your prod environments Java 17? If not, you should remove the version 3.0.5 from the spring-boot-starter-webflux dependency.
If you have a Java 17 environment, then upgrade your starter to 3.0.5.
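As an added illustration (not the answerer's own snippet or the asker's pom), here is a pom.xml fragment that applies the dependencyManagement override described in this answer while keeping the Java 11 parent; the project coordinates (com.example:webflux-app) are placeholders:

```xml
<!-- Added illustration, not code from the original post. Assumes the project
     still inherits from spring-boot-starter-parent 2.6.9 (Java 11). -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.9</version>
  </parent>
  <groupId>com.example</groupId>           <!-- placeholder coordinates -->
  <artifactId>webflux-app</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Overrides the netty-codec version managed by the parent BOM, so the
           transitive path through spring-boot-starter-reactor-netty resolves
           to 4.1.90.Final without a second, conflicting declaration. -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-codec</artifactId>
        <version>4.1.90.Final</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- No explicit version: the parent's managed 2.6.9 starter applies, which
         avoids the 2.6.9 vs 3.0.5 convergence error raised by the enforcer rule. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-webflux</artifactId>
    </dependency>
    <!-- Deliberately no plain io.netty:netty-codec entry here; the managed
         version above is applied wherever netty-codec appears transitively. -->
  </dependencies>
</project>
```

Pinning only netty-codec leaves the other io.netty artifacts at the parent's managed version, so after the change confirm the resolved versions with `mvn dependency:tree -Dincludes=io.netty` and consider overriding the parent's `netty.version` property instead if you want every Netty module moved together.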