Look after the potential security issues caused by the dependencies scanned by socket-security in PR#101

[kateyang1998]

Please check the details:
#101

Especially:
Alert Package Note Source CI
Critical CVE maven/org.springframework.boot/spring-boot-starter-web@2.6.15
CVE: GHSA-36p3-wjmg-h94x Remote Code Execution in Spring Framework (CRITICAL)
Affected versions: < 5.2.20.RELEASE
Patched version: 5.2.20.RELEASE
local_repo/org/apache/axis2/axis2/2.0.0-SNAPSHOT/axis2-2.0.0-SNAPSHOT.pom
Critical CVE maven/org.apache.logging.log4j/log4j-core@2.14.1
CVE: GHSA-7rjr-3q55-vv33 Incomplete fix for Apache Log4j vulnerability (CRITICAL)
Affected versions: >= 2.13.0, < 2.16.0
Patched version: 2.16.0
local_repo/org/apache/axis2/axis2/1.8.0/axis2-1.8.0.pom
pom.xml

[yingbull]

let's review this on dogfish branch.

[yingbull]

With the dust settled on the updates @sebastian-j-ibanez can you check if this is still coming in transitive/etc and if we need to look at this or mitigate?

[sebastian-j-ibanez]

@yingbull We are no longer exposed to this CVE (directly nor transitively). Both log4j and Spring have been updated to patched versions.

This issue can be closed.

[yingbull]

Closing.