Open
Description
Your project uses some dependencies with CVEs. I found that the buggy methods of the CVEs are in the program execution path of your project, which puts your project at risk. I have suggested some version updates. Here is the detailed information:
Vulnerable Dependency: mysql : mysql-connector-java : 5.1.35
Call Chain to Buggy Methods:
Some files in your project call the library method com.mysql.jdbc.NonRegisteringDriver.connect(java.lang.String,java.util.Properties), which can reach the buggy method of CVE-2017-3586.
Files in your project:
- dddlib-datasource-router/src/main/java/org/dayatang/mysql/jdbc/GeminiReplicationConnection.java

One of the possible call chains:
- com.mysql.jdbc.NonRegisteringDriver.connect(java.lang.String,java.util.Properties)
- com.mysql.jdbc.ConnectionImpl.getInstance(java.lang.String,int,java.util.Properties,java.lang.String,java.lang.String)
- com.mysql.jdbc.ConnectionImpl.<init>(java.lang.String,int,java.util.Properties,java.lang.String,java.lang.String)
- com.mysql.jdbc.ConnectionImpl.createNewIO(boolean)
- com.mysql.jdbc.ConnectionImpl.connectOneTryOnly(boolean,java.util.Properties)
- com.mysql.jdbc.ConnectionImpl.coreConnect(java.util.Properties)
- com.mysql.jdbc.MysqlIO.doHandshake(java.lang.String,java.lang.String,java.lang.String)
- com.mysql.jdbc.MysqlIO.negotiateSSLConnection(java.lang.String,java.lang.String,java.lang.String,int)
- com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(com.mysql.jdbc.MysqlIO)
- com.mysql.jdbc.ExportControlled.getSSLSocketFactoryDefaultOrConfigured(com.mysql.jdbc.MysqlIO) [buggy method]
Update suggestion: version 8.0.19
8.0.19 is a safe version without CVEs. From 5.1.35 to 8.0.19, 6 of the APIs (called 10 times in your project) were removed.
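A practical way to act on the update suggestion is to gate the classpath: refuse to start (or fail a CI step) while a Connector/J driver older than 8.0.19 can still be loaded. The class below is an added example, not code from the dddlib project or from the issue author. It relies only on the standard JDBC API: Connector/J 5.1.x registers `com.mysql.jdbc.Driver` and 8.0.x registers `com.mysql.cj.jdbc.Driver` with `DriverManager`; the full `x.y.z` is read from the jar's `Implementation-Version` manifest entry, which is assumed to be present, with the JDBC major.minor as a fallback that still separates a 5.1 driver from an 8.0 one. The minimum version `8.0.19` is the one named in the issue.

```java
import java.sql.Driver;
import java.sql.DriverManager;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Classpath gate for the update suggestion in this issue: reports every MySQL
 * Connector/J driver registered with DriverManager and fails when one is below
 * 8.0.19. Added example, not part of the dddlib project.
 */
public class MysqlDriverVersionGate {

    /** Minimum acceptable Connector/J version, taken from the issue's update suggestion. */
    static final String MIN_VERSION = "8.0.19";

    /** Parses the leading digits of a version component ("35" -> 35, "19-bin" -> 19, "" -> 0). */
    static int leadingNumber(String part) {
        int i = 0;
        while (i < part.length() && Character.isDigit(part.charAt(i))) i++;
        return i == 0 ? 0 : Integer.parseInt(part.substring(0, i));
    }

    /** Numeric dotted-version comparison: negative if a < b, zero if equal, positive if a > b. */
    static int compareVersions(String a, String b) {
        String[] pa = a.split("\\."), pb = b.split("\\.");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            int x = i < pa.length ? leadingNumber(pa[i]) : 0;
            int y = i < pb.length ? leadingNumber(pb[i]) : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    /** True when the given driver version is at or above MIN_VERSION. */
    static boolean isAcceptable(String version) {
        return compareVersions(version, MIN_VERSION) >= 0;
    }

    /**
     * Best-effort version of a loaded driver. The jar's Implementation-Version manifest
     * entry gives the full x.y.z (assumption: the Connector/J jar carries it); otherwise
     * fall back to the JDBC major.minor, which still tells a 5.1.x driver from an 8.0.x one.
     */
    static String driverVersion(Driver d) {
        Package p = d.getClass().getPackage();
        String impl = p == null ? null : p.getImplementationVersion();
        if (impl != null && !impl.isEmpty()) return impl;
        return d.getMajorVersion() + "." + d.getMinorVersion();
    }

    /** One report line per MySQL driver registered with DriverManager (empty list if none). */
    static List<String> audit() {
        List<String> findings = new ArrayList<>();
        Enumeration<Driver> drivers = DriverManager.getDrivers();
        while (drivers.hasMoreElements()) {
            Driver d = drivers.nextElement();
            String cls = d.getClass().getName();
            // 5.1.x registers com.mysql.jdbc.Driver, 8.0.x registers com.mysql.cj.jdbc.Driver.
            if (!cls.startsWith("com.mysql.")) continue;
            String version = driverVersion(d);
            findings.add((isAcceptable(version) ? "OK   " : "FAIL ") + cls + " " + version);
        }
        return findings;
    }

    public static void main(String[] args) {
        // Self-check of the comparator on the two versions named in the issue.
        if (!(compareVersions("5.1.35", "8.0.19") < 0 && isAcceptable("8.0.19") && !isAcceptable("5.1.35"))) {
            throw new AssertionError("version comparison is broken");
        }

        List<String> findings = audit();
        if (findings.isEmpty()) {
            System.out.println("no MySQL Connector/J driver registered on this classpath");
            return;
        }
        boolean failed = false;
        for (String line : findings) {
            System.out.println(line);
            failed |= line.startsWith("FAIL");
        }
        // Non-zero exit lets a CI job block the build while the 5.1.35 artifact is still resolved.
        if (failed) System.exit(1);
    }
}
```

Run it with the application's runtime classpath (for a Maven build, the same set of jars `mvn dependency:build-classpath` produces); if a transitive dependency still drags in mysql-connector-java 5.1.35 after the pom bump, the `FAIL` line names the class that was actually registered, which is the version the `NonRegisteringDriver.connect` call in GeminiReplicationConnection will reach.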