The Spring Boot 2.1.1 managed version of Jackson is 2.9.7 which is superseded by Jackson 2.9.8. Our build is reporting exploitable vulnerabilities related to the older Jackson version.
If this point change in the managed dependency version cannot be accommodated promptly by Spring, is there a property I can set to force the version bump in my build.gradle?
Yes there is and it is even documented:
To customize a managed version you set its corresponding property.
To customize Jackson, you can add the following to your build:
ext['jackson.version'] = '2.9.8'
Jackson 2.9.8 has been upgraded and will be available as of 2.0.8.RELEASE due next week.
Related
So in my organization we started to scan all our application for vurnerabilities and the scanner show up with lots of findings.
Some CVE are easy to be fix, but some require extra steps, and I wonder how to properly fix CVE in transitive dependency, expecially Spring Boot transitive dependency, since many in my application we use the spring boot starter dependency to pull all other spring framework related dependency.
For example one of my application still use Spring Boot version 2.6.2 and some of the CVE foundings include CVE-2022-22978 where I need to upgrade the spring-security-core dependency to a minimum version 5.6.9, it is better to upgrade the spring boot version to the latest 2.6.14 or just upgrade the spring-security-core dependency ? My concern on upgrading the spring boot version to the latest will somehow break my application and will cause a major change to the application.
How do we properly fix CVE issue on the transitive dependency while the direct dependency has not release their fix yet?
Is it safe just to upgrade specific transitive dependency? How do we know if the upgraded transitive dependency compatible with its direct dependency?
I have a project where we are using gradle:
and we have added the dependency of: implementation 'org.springframework.boot:spring-boot-starter-security:2.6.5'
This starter dependency brings the
spring-security-config:5.6.2 and
spring-security-web:5.6.2
But we need the spring-security-config and spring-security-web version to be 5.6.9 and we don't want to upgrade the starter dependency version as well.
I tried setting the ext['spring-security.version']='5.6.9'
But it didn't work.
Is there any other way we can achieve this?
We have a web service running on spring-boot 2.3 with spring-data-r2dbc, which is only available since spring-boot 2.3.
Recently we need to integrate with an existing elasticsearch 6.x cluster, which is not supported by the spring-data-elasticsearch 4.0 that comes with spring-boot 2.3.
I tried to explicitly declare dependency spring-data-elasticsearch 3.2.10 (which supports the 6.x es cluster), however I can see elasticsearch-rest-high-level-client 7.6.2 (this dependency is the root cause of spring-data-elasticsearch 4.0 not supporting 6.x es cluster any more) still loaded regardless of version 6.8.12 declared in spring-data-elasticsearch 3.2.10's pom.xml.
I am using gradle with io.spring.dependency-management and org.springframework.boot plugins. I am wondering how I can stay with spring-boot 2.3, while opting for spring-data-elasticsearch 3.2.10 properly?
========== EDIT ==========
I came across this post Why does Gradle downgrade my transitive dependencies in a Grails 3.1 application? and figured that it is because of io.spring.dependency-management gradle plugin enforcing the elasticsearch version to 7.6.2.
I changed it by ext["elasticsearch.version"] = 6.8.12 and now elasticsearch version is expected.
However, I am still not sure if overriding versions in this way will cause any unforeseen issue.
I don't have a gradle setup to test this, but with maven you need two things:
set the property for the Elasticsearch version and the dependency for Spring Data Elasticsearch:
<properties>
<elasticsearch.version>6.8.4</elasticsearch.version>
</properties>
<dependency>
<groupId>org.springframework.data</groupId>
<artifactId>spring-data-elasticsearch</artifactId>
<version>3.2.10.RELEASE</version>
</dependency>
A first test with a sample program seems to be running ok, but there may be problems, because both spring-data-elasticsearch and spring-data-r2dbc depend on spring-data-commons now in different versions; you'll have to try.
While porting to Spring Boot 2.0.0.RC1 I noticed that it uses managed version 2.9.2 for jackson-core and jackson-databind and 2.9.0 for jackson-annotations.
Why do you use 2.9.0 for jackson-annotations and not 2.9.2?
According with their jackson-annotations documentation:
Annotations module will never contain changes in patch versions,
only .0 releases can have changes. We may still release patch versions, but
they will be identical to .0 versions, and only released for convenience
(developers can line up all Jackson components with same patch version number).
It can be found in: https://github.com/FasterXML/jackson-annotations/blob/master/release-notes/VERSION
We are using hibernate validator version 5.1.3.Final with spring version 4.1.6.RELEASE to validate the input data along with bean-io framework.
Now we are planning to upgrade the hibernate validator to latest version to improve the performance of the workflow.
Kindly provide the compatible version of spring framework version with latest hibernate validator.
Thanks,
Chethan
Hibernate Validator 6.0.x should be compatible with the version of Spring you are using and any further versions.
Just be careful about the dependencies as the groupId for Hibernate Validator has changed from org.hibernate:hibernate-validator to org.hibernate.validator:hibernate-validator. So be sure you don't have both dependencies in your classpath.
And be careful to use validation-api 2.0.0.Final with it. It's an explicit dependency so it shouldn't be an issue but you might have overridden it somewhere.