I am planning to upgrade services from spring boot 2.2.6 to 3.0.2. I want to know if latest spring boot version has any new vulnerabilities and if all old vulnerabilities have been fixed in the spring boot latest version? Where can I get this information?
Note : I can see list of 57 vulnerabilities from maven repository in 2.2.6 version, but it did not list any vulnerabilities for 3.0.2 version. While spring might have fixed direct vulnerabilities, there can be few vulnerabilities which are coming from transitive dependency.
Is there a way to find all vulnerabilities coming from direct and transitive dependencies ?
The answer is not easy, because we don't know all your used (sub-)dependencies. And an answer can be outdate in a couple of hours/days/weeeks ...
But you can lookup the dependencies manually with the new MavenCentral-website.
An example: When you search for "Spring JPA", then you will find this site: https://search.maven.org/artifact/org.springframework.boot/spring-boot-starter-data-jpa/3.0.2/jar
And there is button to view the OSS-index which is pointing to this site:
https://ossindex.sonatype.org/component/pkg:maven/org.springframework.boot/spring-boot-starter-data-jpa#3.0.2
Or, just make the upgrade and let your IDE resolve all the vulnerabilities automatically.
IntelliJ does it very well:
Related
I tried to migrate gradle project with spring boot from selenium 3 to selenium 4
(implementation 'org.seleniumhq.selenium:selenium-java:4.1.1')
But chrome, firefox and edge web drivers remains from selenium version 3
(org.seleniumhq.selenium:selenium-chrome-driver:3.141.59).
If I remove spring boot dependency from project, they updates to 4.1.1
Currently using gradle version "7.3.3".
Spring boot "2.6.3".
Spring dependency management "1.0.11.RELEASE".
Any ideas why this happens, I hoped that dependency hell dissapeared with spring boot creation)
Thanks in advance!
I have the same promble, I found in spring-boot-starter-parent, there is a spring-boot-dependencies in ~/.m2/repository/org/springframework/boot/spring-boot-dependencies/2.6.3/spring-boot-dependencies-2.6.3.pom, which declared <selenium.version>3.141.59</selenium.version> in properties, so you can try add
<properties>
<selenium.version>4.1.2</selenium.version>
</properties>
in your project pom.xml.
Spring Boot comes with a set of versions that are know to work together. But you can override them in your build script. In case of Gradle, add to build.gradle:
ext['selenium.version'] = '4.1.2'
It is because Spring Boot comes packed with a set of predefined dependecies that you can find here: https://docs.spring.io/spring-boot/docs/2.6.7/reference/htmlsingle/#appendix.dependency-versions
In this page, you will also find, how to change predefined version. In general, you need to add .version to your dependency name and, in case of multiple word names, you change spaces to dashes (not needed in case of selenium).
So, to change version to most recent, type in build.gradle ext['selenium.version'] = '4.4.0' at 0 indent level. (don't add it, say inside dependencies {})
Is it somehow possible to use Maven dependency with older Spring Boot version? The project is using version 2.x and the custom dependency uses 1.5.x.
Could not found any documentation on the topic.
I'm asking because of getting a NoClassDefFoundError while introspecting class inside the custom jar file.
No. Spring Boot 2.X is a major version which is not backwards compatible with Spring Boot 1.5.X. Same goes for major Spring Framework versions, you can't mix Spring Framework 5.X and 4.X.
Maven only manages project dependencies. It has nothing to do with your problem.
Basically there can only be one version of any given combination of groupId and artifactId in any maven project. So with plain vanilla maven, the answer is 'No'. But there is the maven-shade-plugin that can be used to change the group- and artifact ids of any dependency.
I am using spring boot 1.4.0 along with jhipster 3.6.1 in my project. I want to upgrade spring boot from 1.4.0 to 2.0.3 but I found some release notes of jhipster according to which it won't support Spring boot 2.0.3.
Can anyone help me out by letting me know if there is any easy and quick way to exclude jhipster from my project.
JHipster 3 won't be updated for Spring Boot 2, only JHipster 5 supports it.
So either you upgrade your project to JHipster 5 using jhipster upgrade command or you remove all dependencies from JHipster and you manually upgrade your project.
These dependencies can be of 3 types: BOM for maven dependencies, server library and client library (not required for your use case). For BOM and server library, the idea is to retrieve the source of the version used by your app and to integrate it into your own git repo so that you can modify it.
Which version of spring security is compatible with Spring-4.3.0-release.
my jars are as follows
spring-aop-4.3.0.RELEASE.jar
spring-beans-4.3.0.RELEASE.jar
spring-context-4.3.0.RELEASE.jar
spring-context-support-4.3.0.RELEASE.jar
spring-core-4.3.0.RELEASE.jar
spring-expression-4.3.0.RELEASE.jar
spring-jdbc-4.3.0.RELEASE.jar
spring-orm-4.3.0.RELEASE.jar
spring-oxm-4.3.0.RELEASE.jar
spring-tx-4.3.0.RELEASE.jar
spring-web-4.3.0.RELEASE.jar
With Security jars
spring-security-config-3.2.5.RELEASE.jar
spring-security-core-3.2.5.RELEASE.jar
spring-security-web-3.2.5.RELEASE.jar
The documentation for spring security 4.2.x says that the current spring security version 4.2.x is compatible with 4.3.26 and 4.0.x.
For spring security 3.2.5 you should use spring 4.0.2 (doc for 3.2.5)
(Latest Version)
UPDATES - Spring Security 5.6.0
Spring Security 5.6.0 was released on 15 November 2021. This is a maintenance/bug fix release.
Spring Security 5.6.0 is compatible with Spring Framework 5.3.13
If you want to use the latest version, update your Maven POM file to use the compatible versions below
<springframework.version>5.3.13</springframework.version>
<springsecurity.version>5.6.0</springsecurity.version>
I keep coming back to asking myself which spring-security version is "compatible" with which spring-framework version.
There's this Spring Security docs page, that informs on that subject, distinguishing between Spring Boot / Non-Spring-Boot projects combined with Maven / Gradle.
For Non-Spring-Boot projects the recommended way is to use the BOM (bill of material) artifact.
details for Maven
details for Gradle
Spring Boot utilizes this BOM too, so you don't have to set anything specifically there.
You can also find the same information for a specific spring-security version, e.g. for 5.1.13 it's: https://docs.spring.io/spring-security/site/docs/5.1.13.RELEASE/reference/htmlsingle/#get-spring-security
which contains version specific details. Just go to https://docs.spring.io/spring-security/site/docs and find your version.
im using spring boot in a recommended way, that is by adding
classpath("org.springframework.boot:spring-boot-gradle-plugin:${springBootVersion}")
and then adding dependencies i need, like:
compile('org.springframework.boot:spring-boot-starter-web')
That dependency pulls some predefined version of tomcat that will host my microservice.
but what happens when there is a security fix for tomcat released? does spring team track all the security issues in all the project they use and bump spring-boot version when new fix is released? or do i have to track it by myself and control dependencies (like tomcat) manually instead of using 'the spring-boot way'?
Whenever we release a new version of Spring Boot, we update the managed dependency versions to the latest appropriate release of that dependency. Appropriate means that we won't, for example, move to a new major or minor version of a dependency in a maintenance release of Spring Boot.
Generally speaking, a new version of a managed dependency (even if it contains a security fix) won't trigger the release of a new version of Spring Boot. It's impossible for us to know exactly how a dependency is being used and if the fix is relevant to all, some, or even any of Spring Boot's users.
This means that you do need to keep track of security vulnerabilities yourself. If a vulnerability affects you and Spring Boot has not yet updated its managed version then you can easily override that version in your build script. For example, if you are using Gradle:
ext['tomcat.version']='8.0.36'
Or Maven:
<properties>
<tomcat.version>8.0.36</tomcat.version>
</properties>