How to override version of libraries included automatically under spring-boot-starter - spring-boot

I have spring-boot-starter in my POM and versions are automatically resolved by Camden dependency management system.
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>Camden.SR6</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<!-- Spring Boot -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
</dependency>
</dependencies>
This gives me version 1.4.3.RELEASE of spring-boot-starter.
One of the jars spring boot starter includes automatically in the maven dependencies is logback-classic: 1.1.18
ch.qos.logback_logback-core version 1.1.8 has a vulnerability because of which I want to switch over to logback version 1.2
This vulnerability is explained in the link below
https://nvd.nist.gov/vuln/detail/CVE-2017-5929
Now, is there a way to override the logback version to 1.2 from what spring-boot-starter automatically resolves it to so that I am not exposed to this vulnerability ?

Based on your pom file, you can achieve this by excluding the dependency of 1.1.8 first then add the dependency of 1.2.0.
For example:
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
<exclusions>
<exclusion>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>1.2.0</version>
</dependency>

add properties tag in pom like this
<properties>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
<start-class>org.roshan.Application</start-class>
<hibernate.version>5.2.10.Final</hibernate.version>
<liquibase.version>3.5.3</liquibase.version>
<liquibase-hibernate5.version>3.6.0</liquibase-hibernate5.version>
<httpcore.version>4.4.5</httpcore.version>
<httpclient.version>4.5.3</httpclient.version>
<docker-maven-plugin.version>0.4.13</docker-maven-plugin.version>
</properties>

Related

How to totally overwrite the version of spring boot starter?

The spring boot version in my parent module is v2.1.17.RELEASE
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>2.1.17.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
And then I introduced spring-boot-starter-security in the sub-module, and the specified version is 2.4.4, which overwrites the version in the parent module (v2.1.17.RELEASE).
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>2.4.4</version>
</dependency>
Then, I ran the mvn dependency:tree command and found that the version of spring-boot-starter-security in the sub-module was indeed 2.4.4, but the version of artifactId (such as spring-aop) referenced in spring-boot-starter-security was still the version 5.1.x, which correspond to v2.1.17.RELEASE version of spring-boot-starter-security instead of the version 5.3.x which correspond to v2.4.4 version of spring-boot-starter-security
Hi please check this example
<properties>
<dependencies.version>2.1.17.RELEASE</dependencies.version>
<security.version>2.4.4</security.version>
</properties>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>${dependencies.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>${security.version}</version>
</dependency>
</dependencies>
</dependencyManagement>

How to remove spring boot dependency using dependencyManagement?

In my pom file i have the following:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>2.1.2.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
I use this because the project already have a parent pom.
I want to remove some of its dependencies such as:
<dependency>
<groupId>org.elasticsearch</groupId>
<artifactId>elasticsearch</artifactId>
<version>6.4.3</version>
</dependency>
How do I do this?
spring-boot-dependencies does not add any dependency. It mostly consists out of a giant <dependencyManagement> block containing managed versions for several libraries. This allows you to use versions of libraries that are known to work properly with the given version of Spring boot.
That means that you no longer have to add the <version> to each dependency you define.
It also means that if you have a dependency upon elasticsearch, it certainly doesn't come from spring-boot-dependencies.
If your goal is to override one of the versions, you can, by manually adding <version> to your dependency.
Otherwise, you can usually exclude a dependency by using <exclusions>:
<dependency>
<groupId>com.xyz</groupId>
<artifactId>artifact-abc</artifactId>
<exclusions>
<exclusion>
<groupId>org.elasticsearch</groupId>
<artifactId>elasticsearch</artifactId>
</exclusion>
</exclusions>
</dependency>

Spring Boot 2 fails starting due to Hystrix?

I started investigating to migrate a Spring Boot application from 1.5.x to 2.
This appliication has a dependency to hystrix, which does not be compatible to Spring Boot 2 yet.
When I have the following in my pom:
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-hystrix</artifactId>
<version>1.4.4.RELEASE</version>
</dependency>
I get the following error when starting the application:
java.lang.NoSuchMethodError: org.springframework.boot.builder.SpringApplicationBuilder.<init>([Ljava/lang/Object;)V
at org.springframework.cloud.bootstrap.BootstrapApplicationListener.bootstrapServiceContext(BootstrapApplicationListener.java:125)
Anybody has experienced the same?
Is there a solution yet?
I have faced similar issue while integrating hystrix for my spring boot microservice that uses spring boot 2.0.x.
Instead of
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-hystrix</artifactId>
<version>${spring-hystrix.version}</version>
</dependency>
I have moved to
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-hystrix</artifactId>
<version>${spring-hystrix.version}</version>
</dependency>
Spring boot 2.0.x application starts fine with the spring-cloud-starter-netflix-hystrix dependency without this issue.
For SpringBoot 2.0 version artifactID has been changed. Old dependency is
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-hystrix</artifactId>
<version>${spring-hystrix.version}</version>
</dependency>
Use this new updated dependency with latest version
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-hystrix</artifactId>
<version>2.2.8.RELEASE</version>
</dependency>
for recent release version you can check MVNrepository
After a bit further research I found a solution by adding the following to the pom file:
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>Finchley.RC1</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
all versions of spring-cloud-dependenciesseem to be incompatible to Spring Boot 2.x.x
I had this problem starting Spring Boot 2 as well because spring-cloud-starter-hystrix was a dependency I used in my project. However I found that spring-cloud-starter-hystrix has been deprecated. I also found the feign classes I was using in there have been moved to spring-cloud-openfeign (https://github.com/spring-cloud/spring-cloud-openfeign). So all I did was remove spring-cloud-starter-hystrix from my dependency and added spring-cloud-openfeign instead. This works perfectly for me.
Basically I replaced
compile group: 'org.springframework.cloud', name: 'spring-cloud-starter-hystrix', version: '1.4.4.RELEASE'
with
compile group: 'org.springframework.cloud', name: 'spring-cloud-starter-openfeign', version: '2.0.0.RELEASE'
and Spring Boot 2 is ready to go. Hope this helps.
NB: I use Gradle, you can easily find the maven pom dependency equivalents if necessary.
I faced a similar problem with Spring Boot 2, concisely 2.2.0.RELEASE. My mvn project compiled well but Spring Boot application stopped starting, without showing any real hints.
The solution that worked was using the artifact spring-cloud-starter-netflix-hystrix instead of spring-cloud-starter-hystrix from the same group. Then you can use the same same version as Spring Boot to retrieve the dependency.
From old pom.xml :
<!-- hysterix -->
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-hystrix</artifactId>
<version>1.4.7.RELEASE</version>
</dependency>
New part in working pom.xml:
<!-- hysterix -->
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-hystrix</artifactId>
<version>${spring.boot.version}</version>
</dependency>
After some time spent on researching and testing, here is what I found and noticed
I think that in the latest Spring Boot version (2.5.x), the Hystrix looks to be deprecated or I just couldn't find out way to add it as a dependency.
So I downgraded the Spring boot version to 2.3.x where I managed to run the application
So here is how my working pom.xml looks like:
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.12.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>org.hldservices</groupId>
<artifactId>payment-app</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>SpringCloudPaymentCircuitBreakerApplication</name>
<description>Demo project for Spring Boot</description>
<properties>
<java.version>11</java.version>
<spring-cloud.version>Hoxton.SR11</spring-cloud.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-hystrix</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-hystrix-dashboard</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>${spring-cloud.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
Keep in mind that I had to add following configuration in my Project:
SpringCloudPaymentCircuitBreakerApplication(main class)
#EnableHystrix
#EnableHystrixDashboard
application.propreties
management.endpoints.web.exposure.include=*
hystrix.dashboard.proxyStreamAllowList=*

spring cloud version Brixton.SR5 with spring boot 1.4

I have a new project that we are doing with spring Brixton.SR1...
and Brixton.SR1 or SR5 is built on 1.3.5.RELEASE but forum says it has been tested with 1.4.0.RELEASE and thus i want to use some features of 1.4.0.
<dependencyManagement>
<dependencies>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-parent</artifactId>
<version>Brixton.SR1</version>
<type>pom</type>
<scope>import</scope>
</dependency>
..
</dependencyManagement>
And then we are adding dependencies and are all default versions are used eg.. spring boot is 1.3.5.RELEASE, so current structure is as given below.
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-autoconfigure</artifactId>
</dependency>
....
But i want to use 1.4.0 . Can i exclude 1.3.5 version and use this new version....and i dont want to overwritte this for all spring boot artifacts . eg.. as given below
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-autoconfigure</artifactId>
<version>1.4.0.RELEASE</version>
</dependency>
and so on so forth..
rather want to have a common version for spring-boot artifact and which should give default versions to all spring artifacts as 1.4.0
just import spring boot's 1.4 bom and spring cloud's bom into your pom.xml:
<dependencyManagement>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>1.4.0.RELEASE</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-dependencies</artifactId>
<version>Brixton.SR5</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>

How to exclude transitive dependencies of spring-boot-dependencies from maven import scope

I have the following in my Spring Boot application pom as per the documentation:
<dependencyManagement>
<dependencies>
<!-- Spring -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>${spring-boot.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
I need to use use dependencyManagement and <scope>import</scope> because I need to use a standard corporate base pom.
However, it doesn't seem possible to exclude transitive dependencies of spring-boot-dependencies. In my particular case, Spring Boot 1.2.1.RELEASE is bringing in a version of Jetty that is too new with respect to some of my other <dependencies>. I tried using an <exclusion> of the form:
<dependencyManagement>
<dependencies>
<!-- Spring -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>${spring-boot.version}</version>
<type>pom</type>
<scope>import</scope>
<!-- Doesn't work -->
<exclusions>
<exclusion>
<groupId>org.eclipse.jetty</groupId>
<artifactId>*</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
</dependencyManagement>
using Maven 3.2.1's wildcard support, but it doesn't seem to take effect.
Is there a solution to this problem other than explicitly overriding all the Jetty dependencies? There are many Jetty libraries and that approach would be quite brittle. Furthermore, it appears I would need to do the same with Jetty's transitive dependencies as well.
According to the Spring Boot Maven Plugin 2.3.1.RELEASE documentation, to override individual dependencies, you need to add entries in the dependencyManagement section of your project before the spring-boot-dependencies entry.
<dependencyManagement>
<dependencies>
<!-- Your jetty version dependency -->
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>*</artifactId>
<version>${jetty.version}</version>
</dependency>
<!-- Spring -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>${spring-boot.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
Looks like this isn't possible with Maven import scope:
The import scope can be used to include dependency management
information from a remote POM into the current project. One of the
limitations of this is that it does not allow additional excludes to
be defined for a multi module project.
Likewise, there is a confirmation from the Spring Boot documentation:
If you have added spring-boot-dependencies in your own
dependencyManagement section with <scope>import</scope> you have to
redefine the artifact yourself [...].

Resources