com.mysql.jdbc.NonRegisteringDriver.connect(java.lang.String,java.util.Properties)
com.mysql.jdbc.ConnectionImpl.getInstance(java.lang.String,int,java.util.Properties,java.lang.String,java.lang.String)
com.mysql.jdbc.ConnectionImpl.<init>(java.lang.String,int,java.util.Properties,java.lang.String,java.lang.String)
com.mysql.jdbc.ConnectionImpl.createNewIO(boolean)
com.mysql.jdbc.ConnectionImpl.connectOneTryOnly(boolean,java.util.Properties)
com.mysql.jdbc.ConnectionImpl.coreConnect(java.util.Properties)
com.mysql.jdbc.MysqlIO.doHandshake(java.lang.String,java.lang.String,java.lang.String)
com.mysql.jdbc.MysqlIO.negotiateSSLConnection(java.lang.String,java.lang.String,java.lang.String,int)
com.mysql.jdbc.ExportControlled.transformSocketToSSLSocket(com.mysql.jdbc.MysqlIO)
com.mysql.jdbc.ExportControlled.getSSLSocketFactoryDefaultOrConfigured(com.mysql.jdbc.MysqlIO) [buggy method]
Your project uses some dependencies with CVEs. I found that the buggy methods of the CVEs are in the program execution path of your project, which puts your project at risk. I have suggested some version updates. Here is the detailed information:
Vulnerable Dependency: mysql : mysql-connector-java : 5.1.35
Call Chain to Buggy Methods:
Some files in your project call the library method com.mysql.jdbc.NonRegisteringDriver.connect(java.lang.String,java.util.Properties), which can reach the buggy method of CVE-2017-3586.
dddlib-datasource-router/src/main/java/org/dayatang/mysql/jdbc/GeminiReplicationConnection.java
Update suggestion: version 8.0.19
8.0.19 is a safe version without CVEs. From 5.1.35 to 8.0.19, 6 of the APIs (called 10 times in your project) were removed.