Unit tests print exception after upgrading liquibase to 3.2.2 - spring-boot

I have a spring boot/liquibase app and after upgrading liquibase to 3.2.2 unit tests starts to print this exception, but tests still pass:
[WARN] liquibase - Error initializing SpringLiquibase
java.io.FileNotFoundException: ServletContext resource [/] cannot be resolved to URL because it does not exist
at org.springframework.web.context.support.ServletContextResource.getURL(ServletContextResource.java:156) ~[spring-web-4.0.7.RELEASE.jar:4.0.7.RELEASE]
at liquibase.integration.spring.SpringLiquibase$SpringResourceOpener.init(SpringLiquibase.java:74) [liquibase-core-3.2.2.jar:na]
at liquibase.resource.AbstractResourceAccessor.(AbstractResourceAccessor.java:19) [liquibase-core-3.2.2.jar:na]
at liquibase.integration.spring.SpringLiquibase$SpringResourceOpener.(SpringLiquibase.java:64) [liquibase-core-3.2.2.jar:na]
at liquibase.integration.spring.SpringLiquibase.createResourceOpener(SpringLiquibase.java:388) [liquibase-core-3.2.2.jar:na]
at liquibase.integration.spring.SpringLiquibase.createLiquibase(SpringLiquibase.java:349) [liquibase-core-3.2.2.jar:na]
at liquibase.integration.spring.SpringLiquibase.afterPropertiesSet(SpringLiquibase.java:300) [liquibase-core-3.2.2.jar:na]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1613) [spring-beans-4.0.7.RELEASE.jar:4.0.7.RELEASE]
at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1550) [spring-beans-4.0.7.RELEASE.jar:4.0.7.RELEASE]
at ...

Spring Boot doesn't support Liquibase 3.2.2 at the moment. I haven't seen the exact error that you've posted in the question, but I suspect it's another symptom of the incompatibilities between Liquibase 3.0.x and 3.2.x.
To be safe, you should stick with Liquibase 3.0.x for now, although I believe that 3.1.x may work as well.
There's an open Spring Boot issue describing some of the problems with 3.2.x. There's also an open Spring Boot pull request that provides compatibility with Liquibase 3.2.x. It's scheduled for inclusion in Spring Boot 1.2 which is due for release in Novemeber.

Related

In spring-boot 2.6.2 Could not initialize Logback logging from classpath:logback-spring.groovy

I migrated my spring boot app for spring-boot 2.5.6 to spring-boot 2.6.2, but since then the start up tells
java.lang.IllegalStateException: Could not initialize Logback logging from classpath:logback-spring.groovyCaused by: ch.qos.logback.core.LogbackException:
Caused by: ch.qos.logback.core.LogbackException:Unexpected filename extension of file [file:/xyz/out/production/resources/logback-spring.groovy]. Should be either .groovy or .xml
Can someone help if you have a solution?
Thanks
Logback 1.2.9 dropped the support for Groovy.
You can either migrate your logback.groovy to logback.xml or downgrade the logback version to 1.2.7 (logback.version=1.2.7) and see if they’ll come around and support Groovy again (which they might).

How to resolve CVEs in spring-batch-core 4.0.1.RELEASE?

I noticed that I cannot create an issue on the spring-batch github and I could not create a topic on the Spring forum so I was redirected here.
I have this in my pom.xml file as explained on Spring.io's Batch tutorial
<dependency>
<groupId>org.springframework.batch</groupId>
<artifactId>spring-batch-core</artifactId>
<version>4.0.1.RELEASE</version>
</dependency>
And when I run the mvn dependency-check:check I see these issues
spring-tx-5.0.0.RELEASE.jar
CVE-2018-1199 - upgrade spring framework to latest 4.x
spring-batch-core-4.0.1.RELEASE.jar
CVE-2014-0225 - upgrade spring mvc - added it and latest 4.x
CVE-2015-5211 - upgrade springframework 4.x
CVE-2016-5007 - upgrade springframework 4.x
CVE-2014-3578 - upgrade springframework 4.x
CVE-2014-3625 - upgrade springframework 4.x
I ran mvn dependency:build-classpath -Dmdep.outputFile=cp.txt the offending jars above are located in my classpath. Then ran 'mvn dependency:tree` but did not see the offending jars.
mvn dependency:tree 2>&1 | egrep -i 'batch-core|spring-tx'
I tried googling some of the core CVEs which said to upgrade spring-mvc which I don't even have in my project but I explicitly defined it anyway. My spring version is set to the latest 4.x and even upgrading to 5.x still throws the vulnerability because spring-batch-core's latest version is still vulnerable.
Am I doing something wrong in my pom file?
To start, none of those CVEs apply directly to Spring Batch or the spring-batch-core jar file. They are all related to Spring Framework and Spring MVC. Also, every one of those CVEs has been mitigated in the specified patch versions.
If you have confirmed that your POM is bringing in the correct, non-vunlerable, version of Spring Framework, this is a case of a false positive and you'll need to configure whatever tool you're using to address this. If the artifact you are building as a result of the build process includes a vulnerable version of Spring Framework (or related components), then you do have an issue with your POM. We can help, but we need to see the POM in order to do so.

Spring Boot Flyway AutoConfiguration

Hy,
I'm using Spring Boot 1.5.7RELEASE with Flyway 4.2.0.
I have a problem with the configuration of the flyway.locations property for file system locations.
If I use file: prefix, I have Flyway error:
Caused by: org.flywaydb.core.api.FlywayException: Unknown prefix for location (should be either filesystem: or classpath:):
If I use filesystem: prefix, I have
Caused by: java.lang.IllegalStateException: Cannot find migrations location in:
What am I doing wrong ? (If I use classpath: everything is ok)
This appears to be a bug with FlywayAutoConfiguration in Spring Boot.
A workaround is to use the filesystem: prefix but disable location checking:
spring.flyway.check-location=false # spring boot 2.0.x
flyway.check-location=false # spring boot 1.5.x
I have raised an issue and submitted a PR.
Update
The fix was merged into Spring Boot 1.5.15 and 2.0.4.

spring-security-saml2-core:1.0.3.BUILD-SNAPSHOT is not found in the repo https://repo.spring.io/libs-snapshot

I am trying to upgrade to Spring 5. I want to upgrade to spring Security 5 too.
Spring security 5 upgrade causes issue with Spring Saml2.
This issue of class not found error is solved in the PR which is merged.
The snapshot, 1.0.3.BUILD-SNAPSHOT is not there in the specified repo.
Warning:project ':api': Web Facets/Artifacts will not be configured properly
Details: org.gradle.api.artifacts.ResolveException: Could not resolve all dependencies for configuration ':api:runtimeClasspath'.
Caused by: org.gradle.internal.resolve.ModuleVersionNotFoundException:
Could not find org.springframework.security.extensions:spring-security-saml2-core:1.0.3.BUILD-SNAPSHOT.
Required by:
project :api
project :api > project :common
project :api > project :core
Help me with finding the snapshot in the spring repo.
This issue is solved in the December release 1.0.3.RELEASE of Spring security Saml.

Grails 1.2.1 with Spring 3.0.0 dependency problem under Jetty

Just moved to Grails 1.2.1 (used 1.1.1 before). Changed application.properties, ran grails upgrade, fixed BuildConfig and Bootstrap - everything works just fine from grails console.
However, getting a problem when deploy packaged war under jetty 6.1.22:
1581 [main] ERROR org.springframework.web.context.ContextLoader - Context initialization failed org.springframework.beans.factory.access.BootstrapException: Error executing bootstraps; nested exception is java.lang.NoSuchMethodError: org.codehaus.groovy.grails.commons.spring.ReloadAwareAutowireCapableBeanFactory.setParameterNameDiscoverer(Lorg/springframework/core/ParameterNameDiscoverer;)V
My project is built with maven2. I researched the war dependencies and see that both spring 2.5.6 and 3.0.0.RELEASE are used there.
I then tried to suppress use of spring 2.5.6 and got a problem with Acegi plugin (using version 0.5.1):
2010-03-10 21:06:56.440:WARN::Nested in org.springframework.beans.factory.access.BootstrapException: Error executing bootstraps; nested exception is java.lang.NoSuchMethodError: org.springframework.web.context.ConfigurableWebApplicationContext.setId(Ljava/lang/String;)V
Any help would be greatly appreciated.
The problem is caused by the fact that in new version of Spring
ConfigurableWebApplicationContext is located in spring-web.jar, but the interface it inherits ConfigurableApplicationContext, which contains setId(String) method is in located in spring-context.jar.
If you have a library which has been compiled against older version of spring-context it will fail with NoMethodFound exception.
The solution is to locate and recompile that library against latest Spring version.
If you are using Spring version below 3.0 you could try to put full Spring bundle Jar instead of separate packages.

Resources