I'm new to Grails and I'm curious to know how do you manage CVEs and upgrades to fix them. I'm not even sure this is the right channel to ask this kind of questions. I'm packaging in a Docker container the application my team is developing and the security scanner we use (trivy) reports a few issues. All of those issues are in dependencies and are solved. Even if I'm still learning I'm available to help.

Grails uses gradle, so if it's a dependency of grails, you can swap the version via gradle / property overrdies from the spring boot dependency plugin

Thanks James.

We are using Grails 7.0.0-M3. I've already workaround most of the CVEs we are actually carrying in our final war file playing with gradle dependencies but I was curious what was the approach of the project as a whole.

The approach going forward will be more rapid releases to match the spring release schedule

The most "annoying" one is with the embedded Tomcat. I ended up removing from the war and deploying in a Tomcat

FYI: My company makes use of Undertow for that reason.

Since the grails-gradle-plugin applies https://docs.spring.io/dependency-management-plugin/docs/current/reference/html/#gradle.properties You can override versions in

gradle.properties

like this: tomcat.version=10.1.41 you can find the list of property names on https://docs.grails.org/snapshot/ref/Versions/Grails%20BOM.html

Thanks

I don’t know why slack notified your message only today

this looks to be the way for our project.