How to fix or avoid CVE-2018-14335 H2 Security Issue? - spring-boot

In my Spring Boot 2 Project, I use H2 in memory Database.
My Nexus IQ Security Scan alerting about CVE-2018-14335. I dont understand the cause of this, so I cant fix it. I also dont understand the Explanation by Nexus-IQ.
Webconsole is deactivated
Newest H2 Version is used
Spring Boot 2.6.6 is used
Can someone explain me in a easy language what exactly the problem is and or how to fix it in Spring Boot?

Related

Payara 5/6 and SpringFramework

I've come to the conclusion that the Spring Web MVC is not compatible with Payara 5 and 6. I have an application that uses Glassfish 3, Spring Web MVC, and EclipseLink JPA. I intend to upgrade the code to Java 17 and Jakarta EE. In the sake of kindness, it hasn't gone well. In all my efforts, it's been Spring's Web MVC that is causing the problems. Spring charges for support and that's not a viable option for me. Before I scrap it's use, let's pick your brain.
If anyone has implemented Spring Web MVC successfully with Payara 5 and/or 6, please share how you made it work.
My first step was to try Payara 6 for Jakarta EE. After creating a VERY small Hello World web app, I included Spring Web MVC jar and did the minimum to activate it's Dispatcher Servlet. I was never able to overcome the error CDI is not available.
Secondly, I backed off to Payara 5. In that attempt, it tries to instantiate a JPA EAO Bean that the app will use in all it's controllers to access the app's DB. The error here appears to be when it attempts to use FasterXML to read the persistence.xml file. That part of the app works fine when I create the EAO object with JUnit.
Rather than providing all the gory details, reviewing the artifacts from a successfully implemented app with help me tremendously.
Thank you for your help!
So after weeks of beating my head against a wall trying all kinds of things to get it working, I wrote to one of the SpringFramework developers, Juergen Hoeller. Here's his response....
Sorry to hear that there is so much trouble on Payara still. We also
have corresponding reports on GitHub:
https://github.com/spring-projects/spring-framework/issues/29718
https://github.com/spring-projects/spring-framework/issues/29743
Unfortunately neither of the two is an actual problem to be solved on
Spring's own side, as far as I can see.
With the CDI issue, it's Payara's CDI implementation not being able to
parse Java 17's new record types. Also, I wonder why Payara needs to
parse every single deployed class file if you are not actually using
CDI. It might be possible to turn that off, but at the very least,
Payara should defensively handle "unknown" types.
With the Hibernate issue, it's a problem with Hibernate 6 initializing
its Jackson configuration on Payara. There does not seem to be a StAX
provider available, and Hibernate insists on one being present for
Jackson.
Overall, this needs to be taken to Payara and Hibernate, we are not
aware of anything Spring can do better. Feel free to add further
comments to the GitHub issues in case there is anything we can do from
our side! Even if our focus is on Tomcat/Jetty these days, we of
course want Spring 6 to work fine on Payara as well.
Thanks for your efforts to try to make this work,
Juergen
So now, how do we get the attention of Oracle's Glassfish developers and Payara's developers to get this resolved???? In the meantime, I think I'll have to install Tomcat or some other free webserver. Thanks, Oracle.
This was reported against Hibernate before, but Glassfish/Payara simply have a broken classpath config. Also see https://hibernate.atlassian.net/browse/HHH-15556
Maybe try using Wildfly, which is also free ;)

Performance impact of Spring Sleuth

I read somewhere that Spring Sleuth has performance impact. Whatever I read over internet are old posts.
Does anyone know whether with new version of Spring Boot this issue is resolved or it is still there.

Spring boot + Activiti explorer

Is it possible to integrate activiti explorer maven plugin with activiti Spring boot app?, so that we can make use of activit-explorer to view deployed process in activit-spring boot engine.
I know we can use rest-api over spring boot to query process engine, but I want to know if it is possible to run the explorer over spring boot by adding it as a maven plugin during deployment?Or can we tweak the activit-explorer.war somehow to point to spring-boot activiti engine?
activiti-explorer.war is standalone webapp by itself. I've write some guideline on how to manually to embed activiti-explorer to you own app. http://blog.canang.com.my/2016/05/12/embedding-activiti-explorer-to-your-application/
Most probably step 5 in my blog is your solution.
btw, there's reason why the name is 'default'. I can't recall it atm
I thought of answering my own question so that it will be useful for other developers with similar requirement. If you want to make an eco-system where activiti-rest, explorer and your custom end points co-exist, please refer this thread from activit forum. I have tried this and is working fine. link to thread
I would like to give my observation here. In order to avoid getting into pulling source and trying to build myself, I achieved partial success, by installing the activit-explorer as part of the usual standalone installation.Started the standalone activiti-explorer using Apache-Tomcat but I configured the database for Activiti as same as (MYSQL in my case) I used in my spring-boot application to hit the common ground.
But apparently the activiti version in my spring boot app was 5.19.0.0 and that for activiti-explorer was 5.22.0.0, which created some misalignment for spring boot application startup to fail. I am hopeful that with matching versions it might succeed. When I get some more time on me I will try and update. Since then may be someone can use this route.

how to deploy Spring boot actuate application in external tomcat server

Im trying to just use the basic endpoints that comes with spring actuate and want to deploy in the external tomcat server without using spring boot. How to achieve this, could anyone help me please. Is there any configuration changes that I need to do. This website gives an idea but it uses older version of spring-boot-actuate. Also EndpointHandlerMapping and EndpointHandlerAdapter doesnt come with newer version of spring boot actuate.
Anyways I get 404 resource not found when deploying to the server.
Check out this question to see if it helps you. The Actuator component is a Spring Boot feature but you can use individual components within an existing application with the right build and configuration setups.

No log messages after Spring Boot upgrade

I have recently upgraded spring boot from 1.1.10 to 1.2.0. I did not specify version information for spring boot dependencies like spring mvc. So they also got upgraded.
After upgrade, I am not able to see any log information from spring.
I am able to see the sysout and syserr information of my code though.
Did any thing change in the latest relese ?
As per the changelog Spring Boot 1.2.0 changelog Spring Boot's default behavior is to not write any log files.
Sorry folks, I have a log4j.properties in my class path. That configuration file prevented entries from springframework packages. Not sure how it ended up there though. Probably 1.1.10 is not picking it up. Things might have changed with 1.2.0. Hence the problem. Once I deleted that file, every thing is working fine
Thank you for your time

Resources