I scanned my Spring Boot app using Synk and there are some vulnerabilities after scan. For this reason, I needed to update snakeyaml, but as far as I know, it is a dependency below spring-boot-starter-web.
Here is the dependency tree for my project:
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.5:compile
[INFO] | +- org.springframework.boot:spring-boot-starter:jar:2.7.5:compile
[INFO] | | +- org.springframework.boot:spring-boot-starter-logging:jar:2.7.5:compile
[INFO] | | | +- ch.qos.logback:logback-classic:jar:1.2.11:compile
[INFO] | | | | \- ch.qos.logback:logback-core:jar:1.2.11:compile
[INFO] | | | +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.17.2:compile
[INFO] | | | | \- org.apache.logging.log4j:log4j-api:jar:2.17.2:compile
[INFO] | | | \- org.slf4j:jul-to-slf4j:jar:1.7.36:compile
[INFO] | | +- jakarta.annotation:jakarta.annotation-api:jar:1.3.5:compile
[INFO] | | \- org.yaml:snakeyaml:jar:1.30:compile
In this scene, how can I update snakeyaml? Should I add a remove annotation below the spring-boot-starter-web and then add the following dependency in pom.xml?
I know the last version also has a vulnerability, but I just wanted to know what should I do for this kind of situations (assume that the last version has no vulnerability)? Any idea?
<!-- https://mvnrepository.com/artifact/org.yaml/snakeyaml -->
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>1.33</version>
</dependency>
First off all don't panic and step back. Although the dependency mentioned has a vulnerability, if you don't actually use it (i.e. no YAML in your application) it actually doesn't apply. Those dependency scans are pretty dumb as they can only see dependencies not the fact that you are or aren't using them.
That being said, to fix you should upgrade the Spring Boot version for your application. For this, assuming you are using a Spring Boot as a parent, update that version.
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.7.8</version>
</parent>
NOTE: Don't mix modules of different versions of Spring Boot (or any framework/library for that matter) as that will lead to problems. So don't put a version tag in your dependencies (at least not the spring-boot-starter-* ones!).
This has Snake YAML 1.30, if you can you could also upgrade to 3.0.2 which actually includes the 1.33 version.
To upgrade only Snake YAML you can just override the version property used by Spring Boot to manage the dependencies. The version properties are documented in the Spring Boot Documentation. How to override those versions is documented in the Spring Boot Plugin Documentation.
In short you would need to override the snakeyaml.version property with the version you wish to use (that is only for 2.7.x) if you upgrade to 3.02 you don't need this.
<properties>
<snakeyaml.version>1.33</snakeyaml.version>
</properties>
This will pull in that version. You don't need to exclude anything or use dependency management for this. Drawback when a new version of Snake YAML comes out and Spring Boot pulls that in, this will override it. So take care when updating after this.
This all being said, as mentioned in the beginning the fact that a certain jar/dependency is included doesn't mean it is a risk. If not used it won't pose a risk, so instead of panicking on Snyk warnings you should properly investigate them.
Try to update whatever brings you the dependency (here: spring-boot-starter-web)
If not possible: Add an entry to <dependencyManagement> with the newer version and put a comment into the pom.xml why you do this (Vulnerability XY).
Related
When I have an aar library how to list all the dependencies of this aar ? for exemple i have facebook-core-5.15.1.aar and the dependencies are :
+--- com.facebook.android:facebook-core:5.15.1
| +--- com.parse.bolts:bolts-android:1.4.0
| | +--- com.parse.bolts:bolts-tasks:1.4.0
| | \--- com.parse.bolts:bolts-applinks:1.4.0
| | \--- com.parse.bolts:bolts-tasks:1.4.0
| +--- com.android.support:support-annotations:27.0.2
| +--- com.android.support:support-core-utils:27.0.2
| | +--- com.android.support:support-annotations:27.0.2
| | \--- com.android.support:support-compat:27.0.2
| | +--- com.android.support:support-annotations:27.0.2
| | \--- android.arch.lifecycle:runtime:1.0.3
| | +--- android.arch.lifecycle:common:1.0.3
| | \--- android.arch.core:common:1.0.0
| \--- com.android.installreferrer:installreferrer:1.1
How to retrieve this dependencies tree from a command line? and accessory how to know where to download all thoses dependencies?
I need to know this because as far as I know If I add com.facebook.android:facebook-core:5.15.1.aar in my project without adding com.parse.bolts:bolts-android:1.4.0.aar (for exemple), then my project will not work.
In the research I did I found this way to know all the dependencies needed by a libraries, I must create a android studio project, add the dependencies like this:
dependencies {
implementation 'com.facebook.android:facebook-core:5.15.1'
}
and then run: gradlew app:dependencies But I want to avoid to create an android project and I need to automate the task from a command line
AFAIK, when you run ./gradlew app:dependencies command, it will report all dependencies of the app module, no command for specific library's dependencies report. However, Android Studio have the resolved dependencies report (after synced project), you may check if it is your need.
File > Project Structure > Dependencies menu > Your modules (app) > Resolved dependencies.
You might be looking for something already existing, for example:
https://github.com/status-im/go-maven-resolver. Usage:
$ echo commons-io:commons-io:2.4 | ./go-maven-resolver
https://repo.maven.apache.org/maven2/commons-io/commons-io/2.4/commons-io-2.4.pom
https://repo.maven.apache.org/maven2/org/apache/commons/commons-parent/25/commons-parent-25.pom
https://repo.maven.apache.org/maven2/org/apache/apache/9/apache-9.pom
Although it gives you dependency URLs, but you can easily parse them to get GAV coordinates, or modify the script to print out the tree-like structure.
List of dependencies can be found on mvnrepository.com or search.maven.org
You can write a program that will parse these sites and give out data in the desired format
P.S.
Resolving child dependencies is one of the main purposes of gradle. The fact that you have to manually write child dependencies indicates that you have some kind of error in the configuration (maybe a newer version of the dependency is already included)
A library (aar or jar) does not contain any dependency informations by itself. However, libraries are
generally available in Maven repositories, and such repositories provide dependency informations via
POM files (which are XML files).
The URL where a POM file is available can be constructed from the following elements:
Repository URL
groupId
artifactId
version
The main repository is Maven Central. Its URL is https://repo1.maven.org/maven2/. Most libraries are
available there.
For com.facebook.android:facebook-core:5.15.1, the POM URL is:
https://repo1.maven.org/maven2/com/facebook/android/facebook-core/5.15.1/facebook-core-5.15.1.pom
The file contains a <dependencies> element:
<dependencies>
<dependency>
<groupId>com.parse.bolts</groupId>
<artifactId>bolts-android</artifactId>
<version>1.4.0</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>com.android.support</groupId>
<artifactId>support-annotations</artifactId>
<version>27.0.2</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>com.android.support</groupId>
<artifactId>support-core-utils</artifactId>
<version>27.0.2</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>com.android.installreferrer</groupId>
<artifactId>installreferrer</artifactId>
<version>1.1</version>
<scope>compile</scope>
</dependency>
</dependencies>
Only the direct dependencies are listed. To get the so-called "transitive dependencies", you need to iterate
the process and fetch the POM files of the dependencies.
Note that Google publishes its Android libraries in its own Maven repository, at this URL:
https://maven.google.com/
So, for com.google.firebase:firebase-messaging:12.0.1, the POM URL is:
https://maven.google.com/com/google/firebase/firebase-messaging/12.0.1/firebase-messaging-12.0.1.pom
I'm building an Automation Tool using Java Automation Framework under the hood, to which users will not have access to the main POM.xml file. Sometimes users require to add a custom Java function which requires additional depedencies / repositories. Presently I have to make changes to the main POM file to accommodate the user request. User has access only to "src/test/java/com/script/custom" folder to write custom scripts / functions. I have explored options like Parent/Child POM, Plugin Management, Profile, etc. but examples are mainly for multiple projects. I'm a NodeJs/Angular person, so I'm a beginner at Java.
Project
|
|--src/test/java/com/script/custom
| |
| custom_code.java
| |
| custom_pom.xml
|
--pom.xml
Users should only enter additional dependencies / repos in custom_pom.xml. Parent pom.xml will still hold the main dependencies/repos of the project.
Running code (apart from tests) is against the core concept of Maven as a build tool. There are ways, however, to excute arbitrary code at build time:
Exec Maven Plugin
without an additional plugin (and with cleanly separated projects):
+- project
| +- pom.xml
+- custom
+- src/main/java/com/script/custom
| +- CustomCode.java ... convention for Java class names is CamelCase
+- src/test/java/com/script/custom
| +- CustomCodeTest.java ... instantiates and runs CustomCode
+- pom.xml ... containing <parent><relativePath>../project
For <parent> see Introduction to the POM #Project Inheritance. See also Maven: Lifecycle vs. Phase vs. Plugin vs. Goal for further basics.
In a Maven project I have tests that are using the Kotlin ScriptEngine (just calling scriptEngine.eval(script)). When I run the tests from IntelliJ they all pass, but during runs of mvn test, I am getting the following error:
javax.script.ScriptException: Cannot access script base class 'kotlin.script.experimental.jsr223.KotlinJsr223DefaultScript'. Check your module classpath for missing or conflicting dependencies
Cannot access script provided property class 'kotlin.script.experimental.jvmhost.jsr223.KotlinJsr223ScriptEngineImpl'. Check your module classpath for missing or conflicting dependencies
Cannot access script provided property class 'org.jetbrains.kotlin.cli.common.repl.AggregatedReplStageState'. Check your module classpath for missing or conflicting dependencies
I have these three classes in the classpath via appropriate Maven dependencies. (I actually added a call to System.out.println(KotlinJsr223DefaultScript.class.getName()) in the failing tests to make sure it's the case.) Here's the relevant fragment of the dependency tree:
[INFO] | \- org.jetbrains.kotlin:kotlin-scripting-jsr223:jar:1.3.72:compile
[INFO] | +- org.jetbrains.kotlin:kotlin-script-runtime:jar:1.3.72:compile
[INFO] | +- org.jetbrains.kotlin:kotlin-scripting-common:jar:1.3.72:compile
[INFO] | | \- org.jetbrains.kotlinx:kotlinx-coroutines-core:jar:1.2.1:compile
[INFO] | +- org.jetbrains.kotlin:kotlin-scripting-jvm:jar:1.3.72:compile
[INFO] | +- org.jetbrains.kotlin:kotlin-scripting-jvm-host:jar:1.3.72:compile
[INFO] | | \- org.jetbrains.intellij.deps:trove4j:jar:1.0.20181211:runtime
[INFO] | +- org.jetbrains.kotlin:kotlin-scripting-compiler:jar:1.3.72:compile
[INFO] | | +- org.jetbrains.kotlin:kotlin-scripting-js:jar:1.3.72:compile
[INFO] | | +- org.jetbrains.kotlin:kotlin-util-klib:jar:1.3.72:compile
[INFO] | | | \- org.jetbrains.kotlin:kotlin-util-io:jar:1.3.72:compile
[INFO] | | \- org.jetbrains.kotlin:kotlin-scripting-compiler-impl:jar:1.3.72:compile
[INFO] | +- org.jetbrains.kotlin:kotlin-compiler:jar:1.3.72:runtime
[INFO] | \- org.jetbrains.kotlin:kotlin-reflect:jar:1.3.72:runtime
I saw people on the Internet run into similar issues, but their solution was to make sure the classes are available on the classpath, which I already have.
I was able to get the unit tests to work on the command line. The issue was the surefire plugin that would use a manifest-only jar that would contain the classpath. For some reason, the order in which the jars were listed in that manifest-only jar caused the issues that OP describes above. I was able to fix this issue by setting surefire.useManifestOnlyJar=false, either in pom.xml
<properties>
<surefire.useManifestOnlyJar>false</surefire.useManifestOnlyJar>
</properties>
or as command line argument for Maven:
mvn -Dsurefire.useManifestOnlyJar=false test
For more details on that property, see
mvn surefire:help -Ddetail=true
This resolves the problem for me.
There is also documentation on class loading with surefire: https://maven.apache.org/surefire/maven-surefire-plugin/examples/class-loading.html
I'm setting up a GitRepo, with different modules of a project. It has some legacy code, some C/C++ for Ardino, and a JavaFX project with some dependencies and Kotlin files in it.
What I actually need is, to build that JavaFx project on pull requests, targeting the develop branch
I already have an empty cloudbuild.yaml in my repository root. What I want is a non-Docker continous integration, so on pull request, I need an artifact build, so the executable can be downloaded for the other project members. GitHub and Google Cloud are connected, only the config is needed.
What is also specific, that I want to build with jdk8u201 (because of the licensing)
The folder structure is something like that:
+- legacy
+- Arduino_codes
+- JavaFX_project
| +- FILES...
+- cloudbuild.yaml
+- .git
If it is possible, that would be great if the builded version would be downloadable, or stored in a specific place in the repository
Try to add :3.5.0-jdk-8 to gcr.io/cloud-builders/mvn if you use maven. Result gcr.io/cloud-builders/mvn:3.5.0-jdk-8
It helped me. More info and cases you can find here.
We have a microservice architecture where the entire project looks as follows:
+- Utilities
+- Service A REST
+- Service A Backend
+- Service B REST
+- Service B Backend
...
+- Service X REST
+- Service X Backend
Each of these is an independent Maven project that can be independently developed.
It so happens, of course, that some of the projects may have to use classes from another one (e.g. to be able to give back corresponding Exception classes in error messages).
Thus one of the projects may have the following dependencies:
Service A backend
+- dependency 1
+- dependency 2
...
\- Utilities
\- Service B backend
In a standard deployment, we would use a Maven repository and simply add the latest jars as dependencies. The problem is during development: if we make a change in Service B backend, a dependency of Service A backend, we cannot simply do mvn compile Service-A-backend because Service B backend will not be recompiled. Doing this for every single project during development is extremely error-prone.
Eclipse might be able to work around this by having the project on the build path, but we do not want to bind ourselves to an IDE and would like to ideally be able to solve the issue with Maven itself.
Can you use Maven in the above scenario so that you can list Service B backend above as a source dependency where, if we compile or package Service A backend, its local source dependencies also get recompiled if there have been any changes? If not, can you do it with gradle or ant?
You should consider looking at the Maven modules feature. Here is an example of use in a POM file:
<modules>
<module>A</module>
....
</modules>
I personally use in addition to maven modules (for compilation ) git sub-module for pull/push code base on multiple project feature.