I am migrating to spring4 and am using these jars
org.apache.cxf - cxf-api
org.apache.cxf - cxf-bundle
org.apache.cxf - cxf-rt-frontend-jaxrs
I came to know that CXF3.x versions are compatible with spring4. Can I use the same versioned jars for all three like CXF3.x.y , if so which version I can use? If not which versions I should go with for errorless code?
cxf-api and cxf-bundle no longer exist in CXF 3.x, so just use cxf-rt-frontend-jaxrs.
Related
I am currently using spring-boot version 1.5.22.RELEASE and I am trying to upgrade my Jackson-databind dependency's version( currently 2.8.11.3 ) in my pom-file to the latest one( 2.12.3 ) ,but even after mvn clean install I see two jars for Jackson databind i.e. both the versions 2.8.11.3 and 2.12.3 ,why is this happening,is it because version 2.12.3 is not supported by spring boot 1.5.22.RELEASE ?Have also tried Downgrading it to 2.5.1 and I still have multiple versions (2.5.1 and 2.8.11.3) of Jackson databind.( Please note that I have excluded Jackson databind in from the components that require it like spring-boot-starter-web and made Jackson-databind as a direct dependency)
I am working on updating from an older version of Jboss to Wildfly.
As in my poms I declared Resteasy provided, I was wondering how I can get to know which version is provided by the container, in order to update my declared version too.
By doing some search, I found that this should help: https://github.com/wildfly/boms/tree/18.0.1.Final. Unfortunately, by checking out the bom, I am still not able to understand which version of RESTeasy is being used.
How can I do that?
I did this last on a wildfly 10.1 so maybe this is a bit outdated, but there you will find the used version in the modules directory of wildfly under
<INSTALL_PATH>/modules/system/layers/base/
There is a path to most libraries that are supplied by wildfly so you can just look them up there.
Resteasy is hidden under
<INSTALL_PATH>/modules/system/layers/base/org/jboss/resteasy/
You have to look into one of the library subdirs (like e.g. "resteasy-jaxrs"), where you will find a main sub dir with the actual library:
<INSTALL_PATH>/modules/system/layers/base/org/jboss/resteasy/resteasy-jaxrs/main/
In this directory you will find the actual libraries (including versions) and a file called modules.xml that describes them.
Version of resteasy on wildlfy 10.1 was "3.0.19.Final".
EDIT: I just verified that on wildfly 18.0.1 it is all the same! Resteasy version there is 3.9.1.Final.
There's also an easy way if you want to check first the RESTEasy version for the Wildfly you're using. Just go to the Wildfly repository on github. For each version, there's a pom.xml. Under that file you'll see versions. You can check there as to what version it is using. Sample: Wildfly 25 RestEasy version
I noticed that I cannot create an issue on the spring-batch github and I could not create a topic on the Spring forum so I was redirected here.
I have this in my pom.xml file as explained on Spring.io's Batch tutorial
<dependency>
<groupId>org.springframework.batch</groupId>
<artifactId>spring-batch-core</artifactId>
<version>4.0.1.RELEASE</version>
</dependency>
And when I run the mvn dependency-check:check I see these issues
spring-tx-5.0.0.RELEASE.jar
CVE-2018-1199 - upgrade spring framework to latest 4.x
spring-batch-core-4.0.1.RELEASE.jar
CVE-2014-0225 - upgrade spring mvc - added it and latest 4.x
CVE-2015-5211 - upgrade springframework 4.x
CVE-2016-5007 - upgrade springframework 4.x
CVE-2014-3578 - upgrade springframework 4.x
CVE-2014-3625 - upgrade springframework 4.x
I ran mvn dependency:build-classpath -Dmdep.outputFile=cp.txt the offending jars above are located in my classpath. Then ran 'mvn dependency:tree` but did not see the offending jars.
mvn dependency:tree 2>&1 | egrep -i 'batch-core|spring-tx'
I tried googling some of the core CVEs which said to upgrade spring-mvc which I don't even have in my project but I explicitly defined it anyway. My spring version is set to the latest 4.x and even upgrading to 5.x still throws the vulnerability because spring-batch-core's latest version is still vulnerable.
Am I doing something wrong in my pom file?
To start, none of those CVEs apply directly to Spring Batch or the spring-batch-core jar file. They are all related to Spring Framework and Spring MVC. Also, every one of those CVEs has been mitigated in the specified patch versions.
If you have confirmed that your POM is bringing in the correct, non-vunlerable, version of Spring Framework, this is a case of a false positive and you'll need to configure whatever tool you're using to address this. If the artifact you are building as a result of the build process includes a vulnerable version of Spring Framework (or related components), then you do have an issue with your POM. We can help, but we need to see the POM in order to do so.
In the project using both the jars spring-jdbc.jar and org.springframework.jdbc.jar. I want to remove one of the jars due to the mismatch of the version. Spring-jdbc has 4.1.4 jar version and other one is 3.2.5 which is latest for both the jar.
Due to jar version mismatch I am getting the error during runtime. Could anyone tell me the correct latest jar version for both the files.
Open the manifest.MF of the org.sprigframework.jdbc.jar and you will find import/export-package statements in it.
Those jars where available on the spring ebr repository until it was closed last year. If you're not using OSGi, you can drop the old jar version, otherwise look fot apache servicemix bundles.
I'm trying to build a complete Spring Framework distribution for version 3.2.4.RELEASE without using maven (just the spring jars) and managed to manually get all jars except for spring-asm.
Spring-asm stops at version 3.1.4. Why is that?
I have older spring distributions up to 3.1.1 (those for which you had a zip file, not forced to use maven) and all have the same spring-asm jar inside, with the same version.
Why is there no spring-asm-3.2.4.RELEASE jar?
Here is from release notes for 3.2
we've eliminated the dedicated spring-asm jar in M2 in favor of including org.springframework.asm classes directly in spring-core