I'm trying to improve the security of my Gradle project by making use of its dependency verification feature.
Out of the box, Gradle can generate hashes for each of my declared dependencies, but the docs suggest that I explicitly specify hashes provided by the developer if at all possible.
I've been looking around the Springboot website, docs, and GitHub repository, but I can't find a place where these hashes are documented. Are they available?
The Spring Boot team doesn't appear to publish SHA-256 or SHA-512 currently. For example, here are the contents for various projects:
https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-starter-web/2.4.3/
https://repo1.maven.org/maven2/org/springframework/boot/spring-boot/2.4.3/
https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-actuator/2.4.3/
Only SHA-1 can be found.
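One way to act on that answer, as an added example that is not from the original thread: check a downloaded artifact against the SHA-1 the repository does publish, and only then compute a SHA-256 locally and emit the `<component>` entry Gradle expects inside `<components>` in verification-metadata.xml. The sample bytes and .sha1 text below are constructed stand-ins for a real jar and its sidecar file.

```python
import hashlib
from xml.sax.saxutils import quoteattr


def parse_published_sha1(sha1_text: str) -> str:
    """Maven Central .sha1 files hold either a bare hex digest or 'digest  filename'."""
    return sha1_text.strip().split()[0].lower()


def verify_sha1(artifact: bytes, published_sha1: str) -> bool:
    """True when the artifact bytes match the SHA-1 the repository publishes."""
    return hashlib.sha1(artifact).hexdigest() == parse_published_sha1(published_sha1)


def component_entry(group: str, name: str, version: str, artifact_name: str,
                    artifact: bytes, published_sha1: str, origin: str) -> str:
    """Return a <component> entry for verification-metadata.xml that pins SHA-256.

    Nothing is emitted unless the repository's SHA-1 matches first, so a
    tampered download cannot simply be blessed with a freshly computed SHA-256.
    """
    if not verify_sha1(artifact, published_sha1):
        raise ValueError(f"SHA-1 mismatch for {artifact_name}; refusing to pin")
    sha256 = hashlib.sha256(artifact).hexdigest()
    return (
        f"<component group={quoteattr(group)} name={quoteattr(name)} "
        f"version={quoteattr(version)}>\n"
        f"  <artifact name={quoteattr(artifact_name)}>\n"
        f"    <sha256 value={quoteattr(sha256)} origin={quoteattr(origin)}/>\n"
        f"  </artifact>\n"
        f"</component>"
    )


# Constructed sample standing in for a downloaded jar and its .sha1 sidecar
# (real artifacts live under https://repo1.maven.org/maven2/...).
SAMPLE_JAR = b"hello\n"
SAMPLE_SHA1_FILE = "f572d396fae9206628714fb2ce00f72e94f2258f  spring-boot-2.4.3.jar\n"

if __name__ == "__main__":
    print(component_entry("org.springframework.boot", "spring-boot", "2.4.3",
                          "spring-boot-2.4.3.jar", SAMPLE_JAR, SAMPLE_SHA1_FILE,
                          "SHA-1 checked against repo1.maven.org, SHA-256 computed locally"))
```

The `origin` attribute is free text, so record where and when the SHA-1 was checked; that is the provenance a reviewer will ask for later.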
I am trying to implement an API gateway which has Java plugin support. I have analyzed Kong, APIMan and APISIX, of which APISIX seems to be the best fit. But when I try to look at the Java plugin support, the GitHub page for the Java plugin runner displays "This project is currently considered experimental."
https://github.com/apache/apisix-java-plugin-runner
So I wanted to check with the community whether that plugin is experimental and whether there is any other way to use APISIX in production with Java plugins enabled.
Any more options for Java-enabled plugin API gateways are also welcome.
So I'll quote the reply that I received for the same question on the Slack channel from one of the maintainers of the project, for reference.
In fact, from some information I’ve gathered, there are already some users using it in production environments.
I can’t give an answer about whether it should be marked as production-ready or not. Here are some facts.
The design pattern, API interface and custom development approach of this project have not changed significantly since its inception, and should not see a major upheaval in the future, as it follows some common gateway design approaches in the Java world.
It is currently used in a rather primitive way, requiring you to clone the project source code, but in the Java world, mature projects should import dependencies and use them by defining the GAV in the dependency file.
Based on this, I think it is now production-ready in terms of stability, but not enough on other levels.
Apache APISIX Slack channel has the same question, link: https://the-asf.slack.com/archives/CUC5MN17A/p1653908139962639
Back to this question: Java Plugin Runner is used in production by some community users.
Here's the thing: from what I know, it has been used in a production environment in China (you can refer to this from the community bi-weekly talk).
So I would suggest you can try it.
Also, the plugin is still relatively easy to adapt and I think could be customized to suit your needs.
I was trying to create a new Spring Boot project using start.spring.io. Searching for dependencies, I found that there was no AspectJ starter available. Has this dependency been removed/deprecated from the Spring Boot starters? Here is a screenshot:
I was, however, able to find the dependency on the Maven repository website:
It was removed indeed. #jwenting explained in a nutshell why. This starter is required if you want to create your own aspect or if you want to use some advanced AOP mode.
Most users don't need it and whenever a library requires it, its starter brings it automatically. Having a dedicated entry was confusing as we saw a very large amount of users picking this up for no good reason.
Also, please keep in mind that start.spring.io is not an exhaustive list of what you can do with Spring. We're focusing on the getting started experience only and avoiding cases that could lead to confusion. This one is a good example of the latter.
It's an implicit dependency, meaning you don't have to include it because it's automatically pulled in by anything that needs it.
You can still add it explicitly, but there's no need to (and afaik it's never been needed).
I'm creating a library with sub-modules for internal purposes. In one of those sub-modules, I am using a Spring-based dependency. In order to allow the library's clients, who use different Spring versions, to use the library, I was thinking of providing two different versions of the same code compiled against different dependency versions (one for Spring 1 and another for Spring 2) and publishing them to mavenLocal.
What is the best way to achieve this (or is there a better way to achieve this for the clients)? I don't want to maintain another module with the same code and just a different dependency version.
Is it good to have different versions of a dependency in the same project that will be used for creating multiple artifacts?
If it is OK to do that, how do I create artifacts with different versions and publish them to mavenLocal corresponding to each versioned artifact? (If you can provide the Gradle script it'll be really helpful.)
I am new to using Gradle and it'll be really helpful if someone can guide me through this problem.
I'm using the nexus2artifactory tool to migrate from Nexus to Artifactory (as the tool's name obviously says) and am facing a strange behavior, and was wondering if I'm doing something wrong.
I'm trying to migrate some Maven repositories created on Nexus which handle snapshots and which should be set with UNIQUE as "Maven Snapshot Version Behavior" (the default when creating a Maven repo in Artifactory), but after the migration all my snapshot repos are set to NON-UNIQUE, which is quite annoying, especially when using Maven 3, where support for the uniqueVersion tag was dropped.
Am I alone with this problem? What can I do to migrate these repos differently?
Thank you in advance for your kind explanation.
The reason for this behaviour is that the nexus2artifactory tool is using the Artifactory REST API for creating the repositories.
The default value for snapshotVersionBehavior when working with the REST API is non-unique (for legacy reasons).
This should be fixed in the nexus2artifactory tool (and possibly also change the REST API defaults). In the meantime, if you need a quick fix, the following could be added to Artifactory.py:
jsn['snapshotVersionBehavior'] = 'unique'
While working on Spring MVC 4, how do I find the jars for an offline project, like the jars for Spring Security Config, spring-security-web for Spring 4, etc.? They are not available in the default package of jars and I do not want to use Maven at this time, so where can one find the jars for Spring 4?
First of all, foregoing proper dependency management is a bad idea and will make development that much harder, especially when it comes to transitive dependency resolving.
However, if you really want to do it, then you can download the .jars straight from the Maven Repository or any other online repo that hosts them.
If that fails then a Google search will give you some source to download them from.
Trying to avoid a dependency management tool with a framework like Spring, which complements many other frameworks, is a bad idea in the long run. It will be painful to upgrade the versions in future.
But if you still don't want to use a Maven/Gradle kind of build tool, just use pom.xml/build.gradle for one-time use, let Maven/Gradle download all the dependencies, and copy all those jars into some folder of your code.
Again, I strongly suggest using a build tool, especially for Spring. Maven/Gradle are not that bad if you don't want to do crazy things!!