CVE-2022-22976 spring boot 2.7.0 - spring-boot

I have a Spring Boot project on version 2.7.0.
I use dependency-check and it reports CVE-2022-22976.
Do you know how I can solve it?
The Spring Security version is 5.7.1 while the Spring Boot starter security version is 2.7.0.

It's a false positive that will be automatically suppressed with the upcoming release 7.1.1: https://github.com/jeremylong/DependencyCheck/issues/4563
Currently, the Spring Boot starter for Spring Security is mistaken for Spring Security itself.
Until then you'll need to suppress it manually with something like
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check suppression file. The rule is scoped to the starter's purl AND the
     spring_security CPE, so findings on the real Spring Security jars are still reported. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
    <suppress base="true">
        <notes><![CDATA[
        FP per issue #4563
        ]]></notes>
        <!-- Maven purls carry the version after '@', e.g. ...spring-boot-starter-security@2.7.0 -->
        <packageUrl regex="true">^pkg:maven/org\.springframework\.boot/spring-boot-starter-security@.*$</packageUrl>
        <cpe>cpe:/a:vmware:spring_security</cpe>
    </suppress>
</suppressions>
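To see what such a rule actually hides, here is an added Python example (not from the answer above and not dependency-check's own code) that applies the same purl-regex-plus-CPE logic to a constructed report in the shape of dependency-check's JSON output; the report field layout and the second, made-up finding on a spring-security-core jar are assumptions.

```python
import json
import re

# The suppression rule from the answer above: purl regex plus CPE scope.
RULE = {
    "packageUrl": r"^pkg:maven/org\.springframework\.boot/spring-boot-starter-security@.*$",
    "cpe": "cpe:/a:vmware:spring_security",
}

# Constructed sample in the shape of a dependency-check JSON report (the field layout
# is an assumption). The second entry is made up to show what the rule must NOT hide.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "spring-boot-starter-security-2.7.0.jar",
     "packages": [{"id": "pkg:maven/org.springframework.boot/spring-boot-starter-security@2.7.0"}],
     "vulnerabilityIds": [{"id": "cpe:2.3:a:vmware:spring_security:2.7.0:*:*:*:*:*:*:*"}],
     "vulnerabilities": [{"name": "CVE-2022-22976"}]},
    {"fileName": "spring-security-core-5.6.0.jar",
     "packages": [{"id": "pkg:maven/org.springframework.security/spring-security-core@5.6.0"}],
     "vulnerabilityIds": [{"id": "cpe:2.3:a:vmware:spring_security:5.6.0:*:*:*:*:*:*:*"}],
     "vulnerabilities": [{"name": "CVE-2022-22976"}]},
]})


def vendor_product(cpe: str) -> tuple:
    """(vendor, product) from a CPE 2.2 'cpe:/a:v:p' or CPE 2.3 'cpe:2.3:a:v:p:...' string."""
    parts = cpe.split(":")
    return (parts[3], parts[4]) if parts[1] == "2.3" else (parts[2], parts[3])


def is_suppressed(dep: dict, rule: dict) -> bool:
    """A finding is hidden only if BOTH the purl regex and the CPE vendor:product match."""
    purl_hit = any(re.search(rule["packageUrl"], p["id"]) for p in dep.get("packages", []))
    cpe_hit = any(vendor_product(v["id"]) == vendor_product(rule["cpe"])
                  for v in dep.get("vulnerabilityIds", []))
    return purl_hit and cpe_hit


def triage(report_json: str, rule: dict) -> dict:
    """Map 'fileName:CVE' to True when the rule suppresses that finding."""
    result = {}
    for dep in json.loads(report_json)["dependencies"]:
        for vuln in dep.get("vulnerabilities", []):
            result[f'{dep["fileName"]}:{vuln["name"]}'] = is_suppressed(dep, rule)
    return result


if __name__ == "__main__":
    for finding, hidden in triage(SAMPLE_REPORT, RULE).items():
        print(f'{finding}: {"suppressed (FP)" if hidden else "still reported"}')
```

The starter's finding is suppressed while the finding on the spring-security-core jar stays visible, which is the point of scoping the rule by both purl and CPE rather than suppressing the CVE globally.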

Related

What is the reason behind camel exclusion from Spring Boot >= 2.7.0 in start.spring.io

In start.spring.io, when Spring Boot 2.7.1 is selected it reports that Apache Camel "Requires Spring Boot >= 2.0.0.M1 and < 2.7.0-M1" (see screenshot below).
Is there a specific reason for this or where can I find more information on this?
The Camel team have not yet indicated that camel-spring-boot-starter supports Spring Boot 2.7. Until they're ready to support 2.7, the combination is disabled. Support for Spring Boot 2.7 seems to be part of Camel 3.18 which, at the time of writing, has not been released.

Can I just Upgrade springframwork to 5.3.18 to avoid CVE-2022-22965?

Spring published that:
I used Spring 5.3.16, Spring Boot 2.2.10.RELEASE and Spring Cloud 2.2.10.RELEASE to use spring-cloud-netflix-zuul, so can I just upgrade the Spring version to 5.3.18 but not upgrade the other frameworks?
Spring Boot 2.2.x is EOL and may contain other security fixes that affect you. Spring Boot 2.2.10.RELEASE uses Spring Framework 5.2.9.RELEASE.
If you are using Spring Framework 5.3.x, this is not really a supported scenario irrespective of this CVE. You should be using Spring Framework 5.2.x. For that, we have released Spring Framework 5.2.20.
Of course, to be really safe you should upgrade to a supported version.

Is spring-data-rest-webmvc:3.4.x compatible with Spring Boot 2.3.x?

There is a vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2021-22047) discovered in spring-data-rest-webmvc which is only fixed in versions 3.4.14 and 3.5.6. Spring Boot 2.3.12 uses the version 3.3.9. Migrating to spring boot 2.4.x or above is not an option for us.
We would like to use spring-data-rest-webmvc:3.4.14, but we are not sure if it's compatible with spring boot 2.3.x.
Can we use them together?
Spring Data REST version 3.4 and up use Spring Framework version 5.3.x.
Spring Boot 2.3 is built with Spring Framework 5.2.x.
Will it work? Probably, but there are no guarantees that it will keep working or work at all. Most likely it will fail with some NoSuchMethodError or ClassNotFoundException or other exotic exceptions one gets when mixing modules/jars from different versions of a framework.

spring initializr 2.3.x removed

Spring Boot 2.3.12.RELEASE was released on 10th Jun 2021 and in July it was removed from the "spring initializr" page (https://start.spring.io/).
https://spring.io/blog/2021/06/10/spring-boot-2-3-12-release-available-now
My questions:
Is 2.3.x deprecated already?
If I want to generate a new Spring Boot project for version 2.3.12, how can I do it? It can no longer be done from the "spring initializr" page.
Is 2.3.x deprecated already?
Yes. Spring Boot 2.3.x was removed from https://start.spring.io as 2.3.x reached the end of its open source support period on 15 May 2021.
If I want to generate a new Spring Boot project for version 2.3.12, how can I do it?
Ideally, you shouldn't. Any existing projects that are using Spring Boot 2.3.x should be updated to 2.4.x or 2.5.x as soon as possible and new projects should use 2.4.x or 2.5.x from the outset.
If you have to start a new project using an unsupported version of Spring Boot, you could generate the project and then modify the version in the pom.xml or build.gradle file to downgrade the version. This may get harder to do the longer the version has been out of support.
If you are using Spring Cloud, you can use start.spring.io's info endpoint to help with version mappings:
…
"spring-cloud": {
    "2020.0.0": "Spring Boot >=2.4.0.M4 and <=2.4.0",
    "2020.0.0-M3": "Spring Boot >=2.4.0.M1 and <=2.4.0.M1",
    "2020.0.0-M4": "Spring Boot >=2.4.0.M2 and <=2.4.0-M3",
    "2020.0.3": "Spring Boot >=2.4.1 and <2.5.4-SNAPSHOT",
    "2020.0.4-SNAPSHOT": "Spring Boot >=2.5.4-SNAPSHOT",
    "Hoxton.SR12": "Spring Boot >=2.2.0.RELEASE and <2.4.0.M1"
},
…
The above indicates that Spring Cloud Hoxton.SR12 should be used with Spring Boot 2.3.x (and 2.2.x).
Note that Spring Cloud Hoxton is also out of its OSS support period so you really should be looking to upgrade to Spring Boot 2.4.x or 2.5.x and Spring Cloud 2020.0.x.
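As an added example (not from the answer above and not start.spring.io's own code), the following Python evaluates a Spring Boot version against the info endpoint's range strings quoted above, so the lookup does not have to be done by eye; the ordering of pre-release qualifiers (SNAPSHOT before M before RC before the final release) is an assumption.

```python
import re

# Constructed copy of the "spring-cloud" block quoted from the info endpoint above.
SPRING_CLOUD = {
    "2020.0.0": "Spring Boot >=2.4.0.M4 and <=2.4.0",
    "2020.0.0-M3": "Spring Boot >=2.4.0.M1 and <=2.4.0.M1",
    "2020.0.0-M4": "Spring Boot >=2.4.0.M2 and <=2.4.0-M3",
    "2020.0.3": "Spring Boot >=2.4.1 and <2.5.4-SNAPSHOT",
    "2020.0.4-SNAPSHOT": "Spring Boot >=2.5.4-SNAPSHOT",
    "Hoxton.SR12": "Spring Boot >=2.2.0.RELEASE and <2.4.0.M1",
}

# Assumed ordering: pre-release qualifiers sort below the final release of the same number.
QUALIFIER_RANK = {"SNAPSHOT": 0, "M": 1, "RC": 2, "RELEASE": 3, "": 3}

OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, "<": lambda a, b: a < b}


def version_key(version: str) -> tuple:
    """Sortable tuple for '2.4.0.M4', '2.4.0-M3', '2.2.0.RELEASE', '2.5.4-SNAPSHOT' or '2.4.0'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-](SNAPSHOT|RELEASE|M\d+|RC\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Spring Boot version: {version}")
    name, num = re.fullmatch(r"([A-Z]*)(\d*)", m.group(4) or "").groups()
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), QUALIFIER_RANK[name], int(num or 0))


def in_range(boot_version: str, range_text: str) -> bool:
    """Evaluate one info-endpoint range such as 'Spring Boot >=2.4.1 and <2.5.4-SNAPSHOT'."""
    key = version_key(boot_version)
    for term in range_text.replace("Spring Boot ", "", 1).split(" and "):
        op, bound = re.fullmatch(r"(>=|<=|>|<)(\S+)", term).groups()
        if not OPS[op](key, version_key(bound)):
            return False
    return True


def cloud_versions_for(boot_version: str, mapping: dict = SPRING_CLOUD) -> list:
    """Spring Cloud release trains whose range admits the given Spring Boot version."""
    return [train for train, rng in mapping.items() if in_range(boot_version, rng)]


if __name__ == "__main__":
    for boot in ("2.3.12.RELEASE", "2.4.0", "2.5.3", "2.5.4-SNAPSHOT"):
        print(boot, "->", cloud_versions_for(boot) or "no matching Spring Cloud train")
```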
Answer-1: Check #andy-wilkinson's answer.
Answer-2: You can use Spring-CLI
Steps:
Install Spring-CLI
Run the following command:
    spring init --boot-version=2.3.12.RELEASE --dependencies=web,data-jpa old-boot-project
For more on Spring-CLI, please check the official documents here

Spring-Boot 1.5.10.release compatibility with apache-kafka-2.3.0 client

My project is built with Spring boot 1.5.10.release. We want to migrate to Apache Kafka® 2.3.0 from Apache Kafka 1.0.x.
We are currently using Spring-kafka 1.3.9.release and want to migrate to spring-kafka-2.3.0. Can we do this without changing the Spring boot version of 1.5.10.release?
I went through the compatibility matrix but I don't see any relevant answer to my question:
https://spring.io/projects/spring-kafka
No, you can't do that. Spring Kafka 2.x, as well as Spring Boot 2.x, is based on Spring Framework 5.x and Java 8. You can't mix such critical versions in Spring Boot 1.5.x.
It is really better to rely on the Spring Boot dependencies management. That way you can be sure that all the artifacts brought by Spring Boot are tested together.