I'm trying to build a complete Spring Framework distribution for version 3.2.4.RELEASE without using maven (just the spring jars) and managed to manually get all jars except for spring-asm.
Spring-asm stops at version 3.1.4. Why is that?
I have older spring distributions up to 3.1.1 (those for which you had a zip file, not forced to use maven) and all have the same spring-asm jar inside, with the same version.
Why is there no spring-asm-3.2.4.RELEASE jar?
Here is from release notes for 3.2
we've eliminated the dedicated spring-asm jar in M2 in favor of including org.springframework.asm classes directly in spring-core
Related
In my build.gradle , for one of the direct dependency A , "jersey-client" 2.25.1 is transitive dependency. But when I do gradle build it downloads 2.7 version, when I check dependency A pom, it has only 2.25.1 version, how Gradle resolves it to 2.7?
There are versions above 2.7 as well in the artifactory, how only 2.7 is downloaded?
Only dependency A is using jersey-client.
Cleared gradle cache and tried, but same result.
There's probably another dependency in your dependency graph bringing in a later version. Try running
gradle dependencies
And it should show some insight into why it chose the newer version. Gradle has a few strategies allowing you to force a particular version of a dependency or perhaps ignoring transitive dependencies of a particular dependency should you wish to do so
Spring dependency management plugin is overriding jersey 2.25.1 with 2.7,
I have explicitly declared in my build.gradle file to use 2.25.1 by adding the below property.
ext['jersey.version'] = '2.25.1'
I have created a Spring Starter data jpa project and its connecting with mysql. through STS its running fine.
i wanted to deploy it individually so i clean install the application using maven and used java jar <jarfile.jar> in command prompt.
I followed the video of java brains.
Below is the error which get
JAXB is not found.
It seems that you set the scope of the JAXB dependency to provided or built the project for an old Java Version (like Java 8) that comes with JAXB and run it with a newer Java version (like Java 10) that does not come with JAXB.
You can fix this by adding the JAXB dependency to the classpath when running the JAR or by adding the dependency to your project manually(or set the scope to compile)
I noticed that I cannot create an issue on the spring-batch github and I could not create a topic on the Spring forum so I was redirected here.
I have this in my pom.xml file as explained on Spring.io's Batch tutorial
<dependency>
<groupId>org.springframework.batch</groupId>
<artifactId>spring-batch-core</artifactId>
<version>4.0.1.RELEASE</version>
</dependency>
And when I run the mvn dependency-check:check I see these issues
spring-tx-5.0.0.RELEASE.jar
CVE-2018-1199 - upgrade spring framework to latest 4.x
spring-batch-core-4.0.1.RELEASE.jar
CVE-2014-0225 - upgrade spring mvc - added it and latest 4.x
CVE-2015-5211 - upgrade springframework 4.x
CVE-2016-5007 - upgrade springframework 4.x
CVE-2014-3578 - upgrade springframework 4.x
CVE-2014-3625 - upgrade springframework 4.x
I ran mvn dependency:build-classpath -Dmdep.outputFile=cp.txt the offending jars above are located in my classpath. Then ran 'mvn dependency:tree` but did not see the offending jars.
mvn dependency:tree 2>&1 | egrep -i 'batch-core|spring-tx'
I tried googling some of the core CVEs which said to upgrade spring-mvc which I don't even have in my project but I explicitly defined it anyway. My spring version is set to the latest 4.x and even upgrading to 5.x still throws the vulnerability because spring-batch-core's latest version is still vulnerable.
Am I doing something wrong in my pom file?
To start, none of those CVEs apply directly to Spring Batch or the spring-batch-core jar file. They are all related to Spring Framework and Spring MVC. Also, every one of those CVEs has been mitigated in the specified patch versions.
If you have confirmed that your POM is bringing in the correct, non-vunlerable, version of Spring Framework, this is a case of a false positive and you'll need to configure whatever tool you're using to address this. If the artifact you are building as a result of the build process includes a vulnerable version of Spring Framework (or related components), then you do have an issue with your POM. We can help, but we need to see the POM in order to do so.
In the project using both the jars spring-jdbc.jar and org.springframework.jdbc.jar. I want to remove one of the jars due to the mismatch of the version. Spring-jdbc has 4.1.4 jar version and other one is 3.2.5 which is latest for both the jar.
Due to jar version mismatch I am getting the error during runtime. Could anyone tell me the correct latest jar version for both the files.
Open the manifest.MF of the org.sprigframework.jdbc.jar and you will find import/export-package statements in it.
Those jars where available on the spring ebr repository until it was closed last year. If you're not using OSGi, you can drop the old jar version, otherwise look fot apache servicemix bundles.
Is there a maven command that can analyze a given pom.xml and report if there are newer versions of plugins or dependencies.
For example suppose that the pom.xml depends on hibernate 4.1.6 and hibernate 4.1.7 is released is there a command that can analyze the pom.xml and print out something along the lines, you are using hibernate 4.1.6 and the latest version is 4.1.7?
Check Versions Maven Plugin goals version-display-* and versions-use-*