importing brevo with gradle brings unwanted dependencies, with CVE reports

[mathieuruellan]

Hello,

I'm using brevo for a project of my company.

This is what i get when i'm importing brevo with api dependency, I don't get why my final app should have maven-core in runtime.

The other issue is theses deps have cve tickets, and if its' not a big problem with building tools, it shouldn't be bundled in a final running product. It blocks in the CI at the scan stage and could be a problem with our customer security audits.

Regards,

Mathieu Ruellan
Developer/Manager at MyScript

[sdtorresl]

Currently, the 1.0.0 version is having this vulnerability: the https://devhub.checkmarx.com/cve-details/CVE-2022-29599/

[FixTryane]

Same here. We just add the Brevo jdk to our project and we got 3 new CVEs reported by our CI analysis :

• maven-core-3.0.jar & maven-settings-3.0.jar : CVE-2021-26291
• threetenbp-1.3.5.jar : CVE-2024-23081
• threetenbp-1.3.5.jar : CVE-2024-23082

Did you plan to make a new release to update these dependencies ?

Regards,

François-Xavier CHASSAGNE
Tryane SAS

[rchristilaw]

Hello Brevo team, any update on this?

[AB-xdev]

This is the exact same problem as described in the old client lol

Anyway if someone is interested in a Java API client that doesn't bring unwanted dependencies, feel free to checkout our variant.

[micke-a]

👍 I was just about to raise a ticket for exactly this, can you get this sorted so people don't need to add exclusions please.

[micke-a]

I believe all you need to do is remove the maven-pgp-plugin "normal" dependency from pom.xml file, looks like this was included by mistake.