I'm using Camel in Spring Boot to send messages to an ActiveMQ Artemis queue using camel-jms-starter, artemis-jms-client and camel-jms. The issue is that Jenkins has found a vulnerability in the nested dependency org.apache.geronimo.specs:geronimo-jms_2.0_spec.
If I exclude it, it will not work.
Is there a way to keep using Camel in Spring Boot to send messages to an ActiveMQ queue without Apache Geronimo JMS?
These are my Camel dependencies for ActiveMQ:
```xml
<dependency>
    <groupId>org.apache.camel</groupId>
    <artifactId>camel-jms</artifactId>
    <version>${camel.version}</version>
</dependency>
<dependency>
    <groupId>org.apache.activemq</groupId>
    <artifactId>artemis-jms-client</artifactId>
</dependency>
<dependency>
    <groupId>org.apache.camel</groupId>
    <artifactId>camel-jms-starter</artifactId>
    <version>${camel.version}</version>
</dependency>
```
I do not use any configuration bean because Spring Boot does it automatically via properties:
```properties
spring.artemis.mode=native
spring.artemis.host=localhost
spring.artemis.port=61616
spring.artemis.user=admin
spring.artemis.password=admin
```
You can explicitly exclude the Apache Geronimo dependency from artemis-jms-client, e.g.:

Then you can add a dependency on the Eclipse JMS API implementation, e.g.:
That said, it is very strange that the Apache Geronimo JMS API would be flagged with a vulnerability since it is just an API. In other words, it's just Java `interface` and empty `class` definitions.
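
The exclusion and replacement described in the answer above could look like this in the `pom.xml`. This is an added example, not the answerer's original snippet; the `jakarta.jms:jakarta.jms-api` coordinates and version 2.0.3 (chosen because it keeps the `javax.jms` package names that the Geronimo spec jar provides) are assumptions to check against your Artemis client version.

```xml
<!-- Added example: keep the Artemis JMS client but drop the flagged
     transitive API jar named in the question. -->
<dependency>
    <groupId>org.apache.activemq</groupId>
    <artifactId>artemis-jms-client</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.apache.geronimo.specs</groupId>
            <artifactId>geronimo-jms_2.0_spec</artifactId>
        </exclusion>
    </exclusions>
</dependency>

<!-- Assumption: Eclipse-hosted JMS 2.0 API as the replacement. Without some
     JMS API jar on the classpath the client cannot load javax.jms types,
     which is why excluding the Geronimo jar alone breaks the application. -->
<dependency>
    <groupId>jakarta.jms</groupId>
    <artifactId>jakarta.jms-api</artifactId>
    <version>2.0.3</version>
</dependency>
```

Running `mvn dependency:tree -Dincludes=org.apache.geronimo.specs` afterwards shows whether the artifact still arrives through another dependency, in which case the same `<exclusion>` goes on that dependency too.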