Hi guys, I couldn't figure out if someone had already answered this question, but in the DevSecOps security course there is an issue. The OWASP dependency checker is picking up a lot of vulnerabilities. This was solved in the course by increasing the score for vulnerabilities that will fail the pipeline to 8 and upgrading the Spring Boot starter in pom.xml to 2.3.5. I suspect that I have a lot of vulnerabilities because it's been long since the course was recorded. Please, what versions of what dependencies can I safely upgrade to without breaking the application? I currently have 12 pages of vulnerabilities.
Also, can an admin please provide me with an invite to the Slack channel devsecops-k8s.slack.com?
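The post above raises the fail threshold to a CVSS score of 8 and asks which dependencies to bump. A practical way to answer that from your own scan is to read Dependency-Check's JSON report and list only the artifacts whose findings are at or above the threshold, so you see what actually blocks the pipeline rather than all 12 pages. The script below is an added example, not code from the course or the Dependency-Check project. It assumes the JSON report layout (`dependencies[]` entries with `fileName` and a `vulnerabilities[]` list carrying `name`, `severity`, `cvssv2.score` and `cvssv3.baseScore`); the embedded sample report and its `CVE-EXAMPLE-*` names are constructed placeholders, not real findings.

```python
"""Triage an OWASP Dependency-Check JSON report against a CVSS fail threshold.

Added example, not part of the original thread. The report layout below
(dependencies[].fileName, dependencies[].vulnerabilities[] with name,
severity, cvssv2.score, cvssv3.baseScore) is an assumption about the
dependency-check JSON report; check it against the report version you run.
"""
import json
from collections import Counter, defaultdict

# Matches the course's setting: fail the build at CVSS 8 or above.
FAIL_THRESHOLD = 8.0

# Constructed sample report (placeholder CVE ids): one artifact with a
# blocking finding, one below the threshold, one with no findings at all.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {
            "fileName": "spring-boot-starter-web-2.3.5.RELEASE.jar",
            "vulnerabilities": [
                {"name": "CVE-EXAMPLE-0001", "severity": "HIGH",
                 "cvssv3": {"baseScore": 7.5}},
                {"name": "CVE-EXAMPLE-0002", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 9.8}},
            ],
        },
        {
            "fileName": "jackson-databind-2.11.3.jar",
            "vulnerabilities": [
                {"name": "CVE-EXAMPLE-0003", "severity": "MEDIUM",
                 "cvssv2": {"score": 5.0}},
            ],
        },
        {"fileName": "clean-lib-1.0.jar"},
    ]
})


def vuln_score(vuln):
    """Highest CVSS score for one finding: v3 if present, else v2, else 0.0."""
    v3 = (vuln.get("cvssv3") or {}).get("baseScore")
    v2 = (vuln.get("cvssv2") or {}).get("score")
    scores = [float(s) for s in (v3, v2) if s is not None]
    return max(scores) if scores else 0.0


def count_by_severity(report_text):
    """Total findings per severity label, i.e. the size of the full '12 pages'."""
    report = json.loads(report_text)
    counts = Counter()
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            counts[vuln.get("severity", "UNKNOWN")] += 1
    return dict(counts)


def triage(report_text, threshold=FAIL_THRESHOLD):
    """Map each artifact to the (cve, score) findings at or above the threshold.

    Only these findings fail the build at the given failBuildOnCVSS level, so
    the keys are the jars that must be upgraded (or suppressed after review).
    """
    report = json.loads(report_text)
    blockers = defaultdict(list)
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            score = vuln_score(vuln)
            if score >= threshold:
                blockers[dep["fileName"]].append((vuln["name"], score))
    # Worst finding first within each artifact.
    return {name: sorted(v, key=lambda x: -x[1]) for name, v in blockers.items()}


if __name__ == "__main__":
    # Usage with a real scan: replace SAMPLE_REPORT with
    # open("target/dependency-check-report.json").read()
    print("findings by severity:", count_by_severity(SAMPLE_REPORT))
    for jar, findings in triage(SAMPLE_REPORT).items():
        print(f"{jar}: blocks build via {findings}")
```

Run it against `target/dependency-check-report.json` after `mvn org.owasp:dependency-check-maven:check`; the artifacts it prints are the ones whose version bump matters for the threshold, while everything else can be handled later or documented in a suppression file after review.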
Hi @zayd.farouk
Are you trying this on the lab in the DevSecOps course?
If yes, there might be an issue where the Dependency-Check plugin might be dated and needs an update. With that, I guess with a new version of the NVD DB downloaded you might get a different vulnerability list.
I’ll check with the lab team on updating the relevant dependencies in the lab.
Regarding Slack, we have moved away from Slack to Discord, and you can join us here.
Hello, thanks for your reply.
The course I'm doing is the DevSecOps - Kubernetes DevOps & Security course. I'm doing the follow-along of the course demo on dependency checks; that's where I ran into the issue. I have updated my Spring Boot starter version to 2.3.5 just like in the demo, but I am still getting a lot of vulnerabilities. This 2.3.5 is outdated by now, so I was wondering what version I could update it to to reduce the vulnerabilities without breaking the application.
I’ve shared this with the lab team. If you could share the Lab link that would help us in finding a fix.