Failed Sysdig Scan

I recently had my application scanned and some issues were found with these files. Devops wont deploy my application until this is resolved.
How can I get these things updated?
Many Thanks !!

Hi,

You need to analyze the source of these dependecnies.

Execute the gradlew dependencies task in your project and you’ll get the dependencies tree.

In order to add a dependency with a higher version to you project that will override the transitive dependency that came from somewhere else you may try to add the dependency explicitly, e.g.

implementation 'org.apache.xmlgraphics:fop:2.8'

Just keep in mind that replacing dependency version can cause backward compatibility problem, so you’ll need to test affected parts of your project carefully.

We’ll take a look, some of these dependencies come from the framework and we may update them on our side, but anyway you may always try raising the dependency version in the project.

Thank you so much for your response !!!
I will update these dependencies but what about the embedded tomcat?

It comes from Spring Boot dependencies. Try updating to the latest Jmix version. It depends on a newer Spring Boot that in turn has Tomcat 9.0.69 instead of 9.0.65. Maybe the 9.0.69 will work for you.

I was able to remove most of the vulnerabilities but the docker image is being flagged by this file
/opt/gradle/gradle-7.6/lib/plugins/jackson-databind-2.13.3.jar
is there anything I can do in the application build.gradle to update this? it seems like replacing this file directly makes gradle to crash. what can I do to resolve this issue?
thank you

I Did a gradle dependencies and it shows that the Report module uses it

even though I have updated it… it still shows up on the gradle plugin installation folder in /opt
Been trying for a few days to get this sysdig scan to pass… please help

This output means that actually v.2.14.1 is used in the application:

Are you sure this jackson-databind library is causing the test to fail?

Yes but devops is rejecting my application because if this file
/opt/gradle/gradle-7.6/lib/plugins/jackson-databind-2.13.3.jar
I think its not even on my project. Is this some temp file that gets stored on that directory?
any ideas how to update that file? Is there anything on my jmix app build.gradle i can do?

What is this directory /opt/gradle/gradle-7.6/lib/plugins and how does it relate to your Jmix project? Do you use this gradle inside the docker container somehow?

I believe so… I have very little knowledge on docker. Seems like this is the gradle installation in the container. What plugin is using it. I think changing the file breaks gradle.

1. Check again how many times does the jackson-databind dependency appear in the output of the ./gradlew dependencies command and what is the effective version for each appearance. It may be that this dependency is resolved with different versions for different configurations, e.g. for compileClasspath and for testCompileClasspath.
2. Next you’ll need to figure out why do you need Gradle inside the container and what exactly happens inside your container. Just in case, we use gradle 7.5.1 for building projects based on Jmix 1.4.x, not Gradle 7.6 that appears in your classpath.

would uninstalling gradle in that container fix it?
this jenkins thing pulls my sourcecode from github and runs
gradle -build -“repo credentials”
then sysdig scans for vulnerabilites
how would i run the gradle command on a ubutu server just from the sourcecode?

Confirmed that gradle had that file and the scan was rejecting it. I manually updated the file. it had nothing to do with my jmix application.

Thank you for all the help !! very appreciated.