I noticed that I cannot create an issue on the spring-batch github and I could not create a topic on the Spring forum so I was redirected here.
I have this in my pom.xml file as explained on Spring.io's Batch tutorial
<dependency>
<groupId>org.springframework.batch</groupId>
<artifactId>spring-batch-core</artifactId>
<version>4.0.1.RELEASE</version>
</dependency>
And when I run the mvn dependency-check:check I see these issues
spring-tx-5.0.0.RELEASE.jar
CVE-2018-1199 - upgrade spring framework to latest 4.x
spring-batch-core-4.0.1.RELEASE.jar
CVE-2014-0225 - upgrade spring mvc - added it and latest 4.x
CVE-2015-5211 - upgrade springframework 4.x
CVE-2016-5007 - upgrade springframework 4.x
CVE-2014-3578 - upgrade springframework 4.x
CVE-2014-3625 - upgrade springframework 4.x
I ran mvn dependency:build-classpath -Dmdep.outputFile=cp.txt the offending jars above are located in my classpath. Then ran 'mvn dependency:tree` but did not see the offending jars.
mvn dependency:tree 2>&1 | egrep -i 'batch-core|spring-tx'
I tried googling some of the core CVEs which said to upgrade spring-mvc which I don't even have in my project but I explicitly defined it anyway. My spring version is set to the latest 4.x and even upgrading to 5.x still throws the vulnerability because spring-batch-core's latest version is still vulnerable.
Am I doing something wrong in my pom file?
To start, none of those CVEs apply directly to Spring Batch or the spring-batch-core jar file. They are all related to Spring Framework and Spring MVC. Also, every one of those CVEs has been mitigated in the specified patch versions.
If you have confirmed that your POM is bringing in the correct, non-vunlerable, version of Spring Framework, this is a case of a false positive and you'll need to configure whatever tool you're using to address this. If the artifact you are building as a result of the build process includes a vulnerable version of Spring Framework (or related components), then you do have an issue with your POM. We can help, but we need to see the POM in order to do so.
Related
I am developing an application for MULE ESB CommunityEdition (3.8.1 version).
I have included (provided by MULE) SPRING 4.1.6.RELEASE in project.
For persistence layer I set up Hibernate 4.3.11.FINAL.
My code is based on this idea (https://www.ricston.com/blog/jpa-mule/).
So basically i have included in the project (besides MULE dependencies):
hibernate-entitymanager (4.3.11.Final)
hibernate-core (4.3.11.Final)
hibernate-jpa-2.1-api (1.0.0.Final)
spring-orm (4.1.6.RELEASE)
And everything was working perfectly fine until i started to use Java 8 API...
Whatever I do: any lambda, stream or anything I am still getting error:
org.hibernate.jpa.boot.archive.spi.ArchiveException: Could not build ClassFile
What I did until now:
tried to add org.javassist dependency (in version from 3.18.0-GA to 3-22.0-GA) - nothing happened,
tried to exclude org.reflections.0.9.9 dependency (mule is including that in some its core dependencies): also nothing happened
I spent on this about 5 hours I am really close to give it up... I really need hibernate cause this project will include many db operations
What else Can i Try to do?
Problem solved!!
I was using mvn dependency:tree to check if there are any org.javassist dependencies in project.
And there weren't...
Then I checked the folder: {mule_home}/lib/opt and there was an old version of org.javassist library!
So: I downloaded latest org.javassist jar and I put it in the {mule_home}/lib/user folder.
Now it works like a charm :)
Please check if your Anypoint Studio is pointing correct JDK.
Check below
Preference> Installed JRE >> It should have JDK 1.8 checked.
I just started using SpringBoot 1.5.1. When I select the spring-cloud related dependencies from the Spring Initilzr and make a build for my application, I end up with SNAPSHOT dependencies for the following, among others
spring-cloud-aws-dependencies
spring-cloud-bus-dependencies
spring-cloud-commons
spring-cloud-config-server
spring-cloud-consul
Is this correct? My companies MAVEN repo does not allow SNAPSHOT files to be uploaded.
For some reason Initilzr prefers the Dalston snapshot release of spring-cloud to the current stable Camdem.SR5 release.
Just update your POM file and replace Dalston.BUILD-SNAPSHOT with Camden.SR5 for the spring-cloud-dependencies dependency management.
I upgraded my Fabric8 Spring Boot Camel pom.xml to use Camel 2.16.0 but not all components appear to be available in 2.16.0
I had to leave the following components at 2.15.3 as I get "Missing artifact" for the 2.16.0 versions:
camel-metrics
camel-jsonpath
camel-spring-boot
Are these not available in Camel 2.16.0?
I'm using Fabric8 version 2.2.46 and Spring Boot version 1.2.6.RELEASE.
I needed to delete my local Maven repository and rebuild.
Delete the artifacts (or the full local repo) from c:\Users\username.m2\repository by hand.
I'm trying to build a complete Spring Framework distribution for version 3.2.4.RELEASE without using maven (just the spring jars) and managed to manually get all jars except for spring-asm.
Spring-asm stops at version 3.1.4. Why is that?
I have older spring distributions up to 3.1.1 (those for which you had a zip file, not forced to use maven) and all have the same spring-asm jar inside, with the same version.
Why is there no spring-asm-3.2.4.RELEASE jar?
Here is from release notes for 3.2
we've eliminated the dedicated spring-asm jar in M2 in favor of including org.springframework.asm classes directly in spring-core
Is there a maven command that can analyze a given pom.xml and report if there are newer versions of plugins or dependencies.
For example suppose that the pom.xml depends on hibernate 4.1.6 and hibernate 4.1.7 is released is there a command that can analyze the pom.xml and print out something along the lines, you are using hibernate 4.1.6 and the latest version is 4.1.7?
Check Versions Maven Plugin goals version-display-* and versions-use-*