
CVEs in the dependencies are in the execution path of your project

Open CleWang opened this issue 5 years ago • 0 comments

Your project uses some dependencies with CVEs. I found that the buggy methods of the CVEs are in the program execution path of your project, which makes your project at risk. I have suggested some version updates. Here is the detailed information:

  • Vulnerable Dependency: mysql : mysql-connector-java : 5.1.35

  • Call Chain to Buggy Methods:

    • Some files in your project call the library method com.mysql.jdbc.NonRegisteringDriver.connect(java.lang.String,java.util.Properties), which can reach the buggy method of CVE-2017-3586.

      • Files in your project: dddlib-datasource-router/src/main/java/org/dayatang/mysql/jdbc/GeminiReplicationConnection.java
      • One of the possible call chains:
      com.mysql.jdbc.NonRegisteringDriver.connect(java.lang.String,java.util.Properties)
      com.mysql.jdbc.ConnectionImpl.getInstance(java.lang.String,int,java.util.Properties,java.lang.String,java.lang.String)
      com.mysql.jdbc.ConnectionImpl.<init>(java.lang.String,int,java.util.Properties,java.lang.String,java.lang.String)
      com.mysql.jdbc.ConnectionImpl.createNewIO(boolean)
      com.mysql.jdbc.ConnectionImpl.connectOneTryOnly(boolean,java.util.Properties)
      com.mysql.jdbc.ConnectionImpl.coreConnect(java.util.Properties)
      com.mysql.jdbc.MysqlIO.doHandshake(java.lang.String,java.lang.String,java.lang.String)
      com.mysql.jdbc.MysqlIO.negotiateSSLConnection(java.lang.String,java.lang.String,java.lang.String,int)
      com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(com.mysql.jdbc.MysqlIO)
      com.mysql.jdbc.ExportControlled.getSSLSocketFactoryDefaultOrConfigured(com.mysql.jdbc.MysqlIO) [buggy method]
      
  • Update suggestion: version 8.0.19 is a safe version without CVEs. From 5.1.35 to 8.0.19, 6 of the APIs (called 10 times in your project) were removed.

CleWang, Mar 01 '20 16:03