0 votes

I'm using Camel in Spring Boot to send messages to an ActiveMQ Artemis queue using camel-jms-starter, artemis-jms-client and camel-jms. The issue is that Jenkins has found a vulnerability in the nested dependency org.apache.geronimo.specs:geronimo-jms_2.0_spec. If I exclude it, it will not work. Is there a way to keep using Camel in Spring Boot to send messages to an ActiveMQ queue without Apache Geronimo JMS? These are my Camel dependencies for ActiveMQ:

    <dependency>
        <groupId>org.apache.camel</groupId>
        <artifactId>camel-jms</artifactId>
        <version>${camel.version}</version>
    </dependency>
    <dependency>
        <groupId>org.apache.activemq</groupId>
        <artifactId>artemis-jms-client</artifactId>
    </dependency>
    <dependency>
        <groupId>org.apache.camel</groupId>
        <artifactId>camel-jms-starter</artifactId>
        <version>${camel.version}</version>
    </dependency>

I do not use any configuration bean because Spring Boot does it automatically via properties:

    spring.artemis.mode=native
    spring.artemis.host=localhost
    spring.artemis.port=61616
    spring.artemis.user=admin
    spring.artemis.password=admin
Comments:

Can you elaborate on the vulnerability that Jenkins found in org.apache.geronimo.specs:geronimo-jms_2.0_spec? What exactly did it report? -- Justin Bertram

It reports: "Found dependencies with invalid/not allowed version: - org.apache.geronimo.specs:geronimo-jms_2.0_spec:1.0-alpha-2". Nothing more. -- Stewe

That's not a "vulnerability" per se. Jenkins is just complaining that the version name doesn't conform to expectation. -- Justin Bertram

1 Answer

1 vote

You can explicitly exclude the Apache Geronimo dependency from artemis-jms-client, e.g.:

    <dependency>
        <groupId>org.apache.activemq</groupId>
        <artifactId>artemis-jms-client</artifactId>
        <exclusions>
            <exclusion>
               <groupId>org.apache.geronimo.specs</groupId>
               <artifactId>geronimo-jms_2.0_spec</artifactId>
            </exclusion>
        </exclusions>
    </dependency>

Then you can add a dependency on the Eclipse JMS API implementation, e.g.:

    <dependency>
       <groupId>jakarta.jms</groupId>
       <artifactId>jakarta.jms-api</artifactId>
       <version>2.0.3</version>
    </dependency>

That said, it is very strange that the Apache Geronimo JMS API would be flagged with a vulnerability since it is just an API. In other words, it's just Java interfaces and empty class definitions.
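As an added example (not code from the question or the answer), the following CI-style check parses a POM and reports whether the fix above is in place: that artemis-jms-client carries an exclusion for org.apache.geronimo.specs:geronimo-jms_2.0_spec and that jakarta.jms:jakarta.jms-api is declared in its place. The two sample POM fragments are constructed from the snippets on this page; the check also accepts a full POM with the Maven namespace.

```python
# Added example, not code from the question or the answer: a CI-style check
# that parses a POM and reports whether the fix above is in place, i.e.
# artemis-jms-client excludes org.apache.geronimo.specs:geronimo-jms_2.0_spec
# and jakarta.jms:jakarta.jms-api is declared in its place.
import xml.etree.ElementTree as ET

GERONIMO = ("org.apache.geronimo.specs", "geronimo-jms_2.0_spec")
JAKARTA_API = ("jakarta.jms", "jakarta.jms-api")
ARTEMIS = ("org.apache.activemq", "artemis-jms-client")


def _local(tag: str) -> str:
    """Strip the Maven XML namespace so fragments and full POMs parse alike."""
    return tag.rsplit("}", 1)[-1]


def _coords(el: ET.Element) -> tuple:
    """(groupId, artifactId) of a <dependency> or <exclusion> element."""
    vals = {_local(c.tag): (c.text or "").strip() for c in el}
    return (vals.get("groupId"), vals.get("artifactId"))


def check_pom(pom_xml: str) -> dict:
    """Return {'geronimo_excluded': bool, 'jakarta_api_declared': bool}."""
    root = ET.fromstring(pom_xml)
    deps = [e for e in root.iter() if _local(e.tag) == "dependency"]
    declared = {_coords(d) for d in deps}
    excluded = False
    for d in deps:
        if _coords(d) == ARTEMIS:
            exclusions = [x for x in d.iter() if _local(x.tag) == "exclusion"]
            excluded = GERONIMO in {_coords(x) for x in exclusions}
    return {"geronimo_excluded": excluded, "jakarta_api_declared": JAKARTA_API in declared}


# Constructed sample: the dependency block from the question (no exclusion).
POM_BEFORE = """<dependencies>
  <dependency><groupId>org.apache.activemq</groupId><artifactId>artemis-jms-client</artifactId></dependency>
</dependencies>"""

# Constructed sample: the same block with the answer's exclusion and replacement.
POM_AFTER = """<dependencies>
  <dependency><groupId>org.apache.activemq</groupId><artifactId>artemis-jms-client</artifactId>
    <exclusions><exclusion><groupId>org.apache.geronimo.specs</groupId>
      <artifactId>geronimo-jms_2.0_spec</artifactId></exclusion></exclusions>
  </dependency>
  <dependency><groupId>jakarta.jms</groupId><artifactId>jakarta.jms-api</artifactId>
    <version>2.0.3</version></dependency>
</dependencies>"""

if __name__ == "__main__":
    for name, pom in (("before", POM_BEFORE), ("after", POM_AFTER)):
        print(name, check_pom(pom))
```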