I have a Java 17 app that I am trying to mitigate CVE vulnerabilities for.
Most of them have been pretty straightforward. Typically it's just a matter of inserting a dependency in the pom.xml file that updates the version to one that has been fixed according to the CNARS report.
For example, if the report says the current version of 1.19 for the package org.apache.commons:commons-compress is generating a severe vulnerability that is fixed in 1.21, I just insert the following into the pom.xml file:
<dependency>
    <groupId>org.apache.commons</groupId>
    <artifactId>commons-compress</artifactId>
    <version>1.21</version>
</dependency>
But I'm kind of stuck on a vulnerability caused by a libsoup package.
The report says the current version of 2.62.3-7.el8_10 is fixed in 0:2.62.3-8.el8_10 and that the vulnerability was introduced in
LABEL org.opencontainers.image.description="ubi8-minimal with java 17
Doing something like this:
<dependency>
    <groupId>libsoup</groupId>
    <version>0:2.62.3-8.el8_10</version>
</dependency>
in the pom.xml file doesn't work because the repository can't even find anything with libsoup in the name or group.
Can anyone point me in the right direction?
Thank you.
That's because libsoup is not a Maven artifact, but a package in Oracle's Linux image distribution.
https://security.snyk.io/vuln/SNYK-ORACLE8-LIBSOUP-10062725
How to fix?
Upgrade Oracle:8 libsoup to version 0:2.62.3-8.el8_10 or higher.
This issue was patched in ELSA-2025-4560.
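Since the fix lives in the base image rather than in pom.xml, the remediation is a step in the Dockerfile. The following is an added example, not code from the question or the answer above. It assumes the image is built from ubi8-minimal (as the asker's LABEL suggests), that "libsoup" is the rpm package name the scanner reported, that the rpm CLI is present in the image, and that the image's configured repositories carry the fixed build; the fixed epoch:version-release comes from the report quoted on this page.

```dockerfile
# Added example (not from the question or answer). Assumed base image:
# ubi8-minimal, matching the OCI description label the asker quoted.
FROM registry.access.redhat.com/ubi8/ubi-minimal:latest

# Update only the flagged OS package from the repositories the image is
# configured with, then clear the package cache so it does not bloat the layer.
RUN microdnf update -y libsoup \
 && microdnf clean all

# Make the build fail loudly if the vulnerable release is still installed.
# The first command prints the installed epoch:version-release for the build
# log; the second aborts the build if the reported vulnerable release
# (2.62.3-7.el8_10) is what rpm still reports.
RUN rpm -q --queryformat '%{EPOCH}:%{VERSION}-%{RELEASE}\n' libsoup \
 && ! rpm -q libsoup | grep -q 'libsoup-2.62.3-7.el8_10'

# ... the rest of the image (Java 17 runtime, application jar) follows as before.
```

After rebuilding, remove the libsoup `<dependency>` from pom.xml, since Maven will never resolve it, and rescan the new image rather than the old tag. If the scanner still flags the package after the update, the image's enabled repositories do not yet serve the 0:2.62.3-8.el8_10 build; pulling a newer base image tag (or pinning by digest once a fixed one is available) is the usual next step.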