Skip to content

MLE-12345 I will not rest until Black Duck is happy. #1802

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 23, 2025
Merged

MLE-12345 I will not rest until Black Duck is happy. #1802

merged 1 commit into from
Jul 23, 2025
+3 −2

Conversation

rjrudin
Copy link
Contributor

@rjrudin rjrudin commented Jul 23, 2025

Avoids warnings on Spring 5.x

@Copilot Copilot AI review requested due to automatic review settings July 23, 2025 17:09
Copilot
Copilot AI reviewed Jul 23, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR addresses Spring 5.x security vulnerabilities by modifying dependency exclusion strategies in the ml-development-tools build configuration. The change improves security posture by preventing transitive dependencies that could introduce vulnerabilities.

  • Updates dependency exclusion approach for marklogic-junit5 library
  • Enhances comment documentation to explain the security rationale

ml-development-tools/build.gradle
testImplementation ("com.marklogic:marklogic-junit5:1.5.0") {
exclude module: "marklogic-client-api"
transitive = false
Copy link
Preview

Copilot AI Jul 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Setting transitive = false excludes ALL transitive dependencies, which is more aggressive than the previous approach that only excluded marklogic-client-api. This could potentially break functionality if other required dependencies from marklogic-junit5 are needed. Consider using exclude group: to specifically target Spring dependencies instead.

Suggested change
transitive = false
exclude group: 'org.springframework'

Copilot uses AI. Check for mistakes.

@rjrudin rjrudin merged commit 56de795 into develop Jul 23, 2025
1 of 2 checks passed
@rjrudin rjrudin deleted the feature/one-more-black-duck branch July 23, 2025 17:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@BillFarber BillFarber BillFarber approved these changes

@anu3990 anu3990 Awaiting requested review from anu3990 anu3990 is a code owner

@stevebio stevebio Awaiting requested review from stevebio stevebio is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rjrudin @BillFarber