grpc-ecosystem / grpc-spring

Spring Boot starter module for gRPC framework.

Home Page:https://grpc-ecosystem.github.io/grpc-spring/


Security scans findings

dranzey-hub opened this issue · comments

Blackduck source scans findings

At my company, while scanning our project with a Blackduck source scan, we found a lot of vulnerabilities coming from this dependency, some dating back to 2005 or older. At first we thought this was probably a false positive from Blackduck, but after contacting them they told us they also see the problems.

The question

Is this correct? We are using the latest version, released just a couple of weeks ago, so it doesn't make sense.

Stacktraces and logs

For instance, one of your direct dependencies is spring-cloud-starter-netflix-eureka-client 4.1.0, which, looking at Maven Central, brings in eureka-client 2.0.1, which in turn has commons-configuration 1.10 as a dependency. That one is very old (Oct 24, 2013), and one of its many vulnerabilities is log4shell, coming from log4j 1.2.8.


Thanks for bringing this to our attention.

The dependency is marked as an optional runtime dependency.

<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
    <version>4.1.0</version>
    <!-- runtime only: not on the compile classpath -->
    <scope>runtime</scope>
    <exclusions>...</exclusions>
    <!-- optional: Maven does not pass this on transitively to consumers -->
    <optional>true</optional>
</dependency>

So, AFAIK, unless you add it yourself, it won't show up in the final application.

Unfortunately, there isn't a patched version of the eureka client lib available that uses a newer version of that library, so there isn't much we can do here.
Could you please report this to the eureka client lib, so they can fix it?
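The practical check behind the maintainer's answer is to look at what the consumer's build actually resolves, not at what the library's pom declares. The script below is an added example, not grpc-spring's own code: it lists the `<optional>true</optional>` dependencies in a library pom and then searches a consumer's `mvn dependency:tree` output for a flagged artifact, returning the path through which it arrives. Both the pom fragment and the two tree dumps are constructed sample input (the `com.example:my-service` project and all version numbers are made up), one tree for a consumer that only depends on the starter and one where the consumer added the Eureka client itself.

```python
"""Added example (not grpc-spring code): is an SCA-flagged artifact really
in the resolved build?

  1. optional_dependencies(): which deps a library pom marks optional, so
     Maven never hands them to consumers transitively.
  2. paths_to(): whether a groupId:artifactId appears in the consumer's own
     `mvn dependency:tree` output, and via which path.
All POM and tree text here is constructed sample input; versions are made up.
"""
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed pom fragment modelled on the snippet quoted in the thread.
LIBRARY_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-netflix-eureka-client</artifactId>
      <version>4.1.0</version>
      <scope>runtime</scope>
      <optional>true</optional>
    </dependency>
    <dependency>
      <groupId>io.grpc</groupId>
      <artifactId>grpc-stub</artifactId>
      <version>1.0.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed dependency:tree output: consumer depends on the starter only.
TREE_WITHOUT_EUREKA = r"""[INFO] com.example:my-service:jar:1.0.0
[INFO] +- net.devh:grpc-server-spring-boot-starter:jar:3.0.0.RELEASE:compile
[INFO] |  +- net.devh:grpc-common-spring-boot:jar:3.0.0.RELEASE:compile
[INFO] |  \- io.grpc:grpc-stub:jar:1.0.0:compile
[INFO] \- org.springframework.boot:spring-boot-starter:jar:3.0.0:compile
"""

# Constructed dependency:tree output: consumer added the Eureka client itself.
TREE_WITH_EUREKA = r"""[INFO] com.example:my-service:jar:1.0.0
[INFO] +- net.devh:grpc-server-spring-boot-starter:jar:3.0.0.RELEASE:compile
[INFO] |  \- io.grpc:grpc-stub:jar:1.0.0:compile
[INFO] \- org.springframework.cloud:spring-cloud-starter-netflix-eureka-client:jar:4.1.0:compile
[INFO]    \- com.netflix.eureka:eureka-client:jar:2.0.1:compile
[INFO]       \- commons-configuration:commons-configuration:jar:1.10:compile
"""


def optional_dependencies(pom_xml: str) -> list[str]:
    """Return 'groupId:artifactId' for every dependency declared optional."""
    root = ET.fromstring(pom_xml)
    found = []
    for dep in root.iter(POM_NS + "dependency"):
        optional = dep.findtext(POM_NS + "optional", default="false")
        if optional.strip().lower() == "true":
            group = dep.findtext(POM_NS + "groupId", default="")
            artifact = dep.findtext(POM_NS + "artifactId", default="")
            found.append(f"{group}:{artifact}")
    return found


# A tree line: "[INFO] " + drawing prefix + "g:a:type[:classifier]:version[:scope]"
_TREE_LINE = re.compile(r"^\[INFO\] ([ |+\\-]*)(\S+:\S+)$")


def parse_tree(tree_text: str) -> list[tuple[int, str]]:
    """Turn dependency:tree lines into (depth, 'groupId:artifactId') pairs.

    Maven draws each nesting level with a three-character prefix
    ('+- ', '\\- ', '|  ' or '   '), so depth is the prefix length / 3.
    Non-tree [INFO] chatter (plugin banner, BUILD SUCCESS) does not match.
    """
    nodes = []
    for line in tree_text.splitlines():
        m = _TREE_LINE.match(line)
        if not m:
            continue
        prefix, coord = m.groups()
        parts = coord.split(":")
        if len(parts) < 4:  # not a Maven coordinate
            continue
        nodes.append((len(prefix) // 3, f"{parts[0]}:{parts[1]}"))
    return nodes


def paths_to(tree_text: str, wanted: str) -> list[list[str]]:
    """Every root-to-leaf path ending in `wanted` ('groupId:artifactId').

    An empty result means the artifact is not in the resolved build at all,
    whatever a scanner reported from reading the library's pom.
    """
    stack: list[str] = []
    hits = []
    for depth, coord in parse_tree(tree_text):
        stack = stack[:depth] + [coord]  # pop back to this node's parent
        if coord == wanted:
            hits.append(list(stack))
    return hits


if __name__ == "__main__":
    flagged = "commons-configuration:commons-configuration"
    print("optional in library pom:", optional_dependencies(LIBRARY_POM))
    for label, tree in (("starter only", TREE_WITHOUT_EUREKA),
                        ("eureka added", TREE_WITH_EUREKA)):
        print(f"{label}: {paths_to(tree, flagged)}")
```

On a real project, save `mvn dependency:tree` output to a file and pass its contents to `paths_to`; a hit shows exactly which of your own declared dependencies pulled the artifact in, and no hit means the scanner's finding came from the library's pom rather than from your build.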

Thanks for the response.

We will exclude all of those optional dependencies and scan again. I'll let you know the results.

Thanks. There seemed to be problems with the Blackduck scan that have since been fixed, and now the optional dependencies do not show up, so we are good.