Is it somehow possible to use Maven dependency with older Spring Boot version? The project is using version 2.x and the custom dependency uses 1.5.x.
Could not found any documentation on the topic.
I'm asking because of getting a NoClassDefFoundError while introspecting class inside the custom jar file.
No. Spring Boot 2.X is a major version which is not backwards compatible with Spring Boot 1.5.X. Same goes for major Spring Framework versions, you can't mix Spring Framework 5.X and 4.X.
Maven only manages project dependencies. It has nothing to do with your problem.
Basically there can only be one version of any given combination of groupId and artifactId in any maven project. So with plain vanilla maven, the answer is 'No'. But there is the maven-shade-plugin that can be used to change the group- and artifact ids of any dependency.
Related
I am planning to upgrade services from spring boot 2.2.6 to 3.0.2. I want to know if latest spring boot version has any new vulnerabilities and if all old vulnerabilities have been fixed in the spring boot latest version? Where can I get this information?
Note : I can see list of 57 vulnerabilities from maven repository in 2.2.6 version, but it did not list any vulnerabilities for 3.0.2 version. While spring might have fixed direct vulnerabilities, there can be few vulnerabilities which are coming from transitive dependency.
Is there a way to find all vulnerabilities coming from direct and transitive dependencies ?
The answer is not easy, because we don't know all your used (sub-)dependencies. And an answer can be outdate in a couple of hours/days/weeeks ...
But you can lookup the dependencies manually with the new MavenCentral-website.
An example: When you search for "Spring JPA", then you will find this site: https://search.maven.org/artifact/org.springframework.boot/spring-boot-starter-data-jpa/3.0.2/jar
And there is button to view the OSS-index which is pointing to this site:
https://ossindex.sonatype.org/component/pkg:maven/org.springframework.boot/spring-boot-starter-data-jpa#3.0.2
Or, just make the upgrade and let your IDE resolve all the vulnerabilities automatically.
IntelliJ does it very well:
I am using Gradle 5's BOM (Bill of Materials) feature. This is how I describe it for my JUnit 5 dependencies:
testImplementation(enforcedPlatform("org.junit:junit-bom:5.4.0")) // JUnit 5 BOM
testImplementation("org.junit.jupiter:junit-jupiter-api")
testRuntimeOnly("org.junit.jupiter:junit-jupiter-engine")
testImplementation("org.junit.jupiter:junit-jupiter-params")
My assumption is that providing the BOM will resolve the versions of the dependencies to 5.4.0. However, they get resolved to 5.1.1. I am not sure why. (I also request enforcedPlatform() to lock the specified version)
Inspecting JUnit 5's BOM we see that all org.junit.jupiter dependencies are listed with version 5.4.0 (resolving to 5.1.1 in the project) and all org.junit.platform dependencies are listed with version 1.4.0 which resolve correctly in the project.
I am not sure what I am missing and was hoping to get some help here. Thanks!
EDIT:
I used Sormuras response and moved all BOMs at the top of the dependencies {} block but was still not getting version 5.4.0. Then I suspected it might be coming from the Gradle Spring Dependency Management plugin that I use, so when I commented it out, I got version JUnit 5.4.0. How do I disable JUnit coming from the Gradle Spring Dependency Management plugin?
FINALLY:
I decided to use the Spring Boot Dependencies BOM directly and remove the Gradle plugin:
implementation(platform("org.springframework.boot:spring-boot-dependencies:2.0.5.RELEASE"))
I imagine the plugin was created for those version of Gradle before Gradle 5 where you couldn't use a BOM file. Now with the BOM support I can directly include it. This way my version of JUnit is as I have specified it in the enforcedPlatform() block.
I accepted Sam Brannen's answer below because he explains well how the issue occurs and what solves it and I think it's relevant for those who use older versions of Gradle.
How do I disable JUnit coming from the Gradle Spring Dependency Management plugin?
For starters, if you are using the dependency management plugin from Spring, you should not be importing the junit-bom since that results in duplicate (and potentially conflicting) management of those dependencies.
Aside from that, whenever you use the dependency management plugin from Spring and want to override a managed version, you have to do it by overriding the exact name of the version defined in the BOM used by the plugin.
This is documented in Spring Boot for Gradle and for Maven.
For Spring Boot the name of the JUnit Jupiter version is "junit-jupiter.version". You can find the names of all managed versions for Spring Boot 2.1.2 here.
So, in Gradle you would override it as follows.
ext['junit-jupiter.version'] = '5.4.0'.
You can see that I have done exactly that here.
With Maven you would override it as follows.
<properties>
<junit-jupiter.version>5.4.0</junit-jupiter.version>
</properties>
Further background information here: https://docs.spring.io/platform/docs/current/reference/html/getting-started-overriding-versions.html
JUnit 5.4.0 simplified its artifacts, and now delivered a single artifact for Jupiter - org.junit:junit-jupiter. I.e., you should simplify your Gradle file too:
testImplementation(enforcedPlatform("org.junit:junit-bom:5.4.0")) // JUnit 5 BOM
testImplementation("org.junit.jupiter:junit-jupiter")
Ensure to include JUnit's BOM before other BOMs that also refer to JUnit. First BOM wins and locks version of all later artifacts.
See this issue for a similar setup using Maven and Spring Boot: https://github.com/sormuras/junit-platform-maven-plugin/issues/29#issuecomment-456958188
Which version of spring security is compatible with Spring-4.3.0-release.
my jars are as follows
spring-aop-4.3.0.RELEASE.jar
spring-beans-4.3.0.RELEASE.jar
spring-context-4.3.0.RELEASE.jar
spring-context-support-4.3.0.RELEASE.jar
spring-core-4.3.0.RELEASE.jar
spring-expression-4.3.0.RELEASE.jar
spring-jdbc-4.3.0.RELEASE.jar
spring-orm-4.3.0.RELEASE.jar
spring-oxm-4.3.0.RELEASE.jar
spring-tx-4.3.0.RELEASE.jar
spring-web-4.3.0.RELEASE.jar
With Security jars
spring-security-config-3.2.5.RELEASE.jar
spring-security-core-3.2.5.RELEASE.jar
spring-security-web-3.2.5.RELEASE.jar
The documentation for spring security 4.2.x says that the current spring security version 4.2.x is compatible with 4.3.26 and 4.0.x.
For spring security 3.2.5 you should use spring 4.0.2 (doc for 3.2.5)
(Latest Version)
UPDATES - Spring Security 5.6.0
Spring Security 5.6.0 was released on 15 November 2021. This is a maintenance/bug fix release.
Spring Security 5.6.0 is compatible with Spring Framework 5.3.13
If you want to use the latest version, update your Maven POM file to use the compatible versions below
<springframework.version>5.3.13</springframework.version>
<springsecurity.version>5.6.0</springsecurity.version>
I keep coming back to asking myself which spring-security version is "compatible" with which spring-framework version.
There's this Spring Security docs page, that informs on that subject, distinguishing between Spring Boot / Non-Spring-Boot projects combined with Maven / Gradle.
For Non-Spring-Boot projects the recommended way is to use the BOM (bill of material) artifact.
details for Maven
details for Gradle
Spring Boot utilizes this BOM too, so you don't have to set anything specifically there.
You can also find the same information for a specific spring-security version, e.g. for 5.1.13 it's: https://docs.spring.io/spring-security/site/docs/5.1.13.RELEASE/reference/htmlsingle/#get-spring-security
which contains version specific details. Just go to https://docs.spring.io/spring-security/site/docs and find your version.
im using spring boot in a recommended way, that is by adding
classpath("org.springframework.boot:spring-boot-gradle-plugin:${springBootVersion}")
and then adding dependencies i need, like:
compile('org.springframework.boot:spring-boot-starter-web')
That dependency pulls some predefined version of tomcat that will host my microservice.
but what happens when there is a security fix for tomcat released? does spring team track all the security issues in all the project they use and bump spring-boot version when new fix is released? or do i have to track it by myself and control dependencies (like tomcat) manually instead of using 'the spring-boot way'?
Whenever we release a new version of Spring Boot, we update the managed dependency versions to the latest appropriate release of that dependency. Appropriate means that we won't, for example, move to a new major or minor version of a dependency in a maintenance release of Spring Boot.
Generally speaking, a new version of a managed dependency (even if it contains a security fix) won't trigger the release of a new version of Spring Boot. It's impossible for us to know exactly how a dependency is being used and if the fix is relevant to all, some, or even any of Spring Boot's users.
This means that you do need to keep track of security vulnerabilities yourself. If a vulnerability affects you and Spring Boot has not yet updated its managed version then you can easily override that version in your build script. For example, if you are using Gradle:
ext['tomcat.version']='8.0.36'
Or Maven:
<properties>
<tomcat.version>8.0.36</tomcat.version>
</properties>
I understand the concept of Spring boot, but I am looking for the logic how it is implemented and where it is maintaining the configuration. When we add any Starter-pom immediately it is giving the dependency and the configuration needed for it. How it automated that feature and where is that automating code in the spring boot?
Thanks in advance
The configuration classes for Spring Boot are in the module spring-boot-autoconfigure. A starter POM has a dependency on that (through the general spring-boot-starter module) and the required 3rd party libraries, and then the autoconfiguration for that library is activated.
The SpringBoot project has been put there so to be more productive & build production ready app in no time. SpringBoot project referes many starter projects like spring-boot-starter-jdbc, spring-boot-starter-logging, etc. All these starter libraries are like maven sub module projects and they add a set of libraries to respective project in turn. Like the spring-boot-starter-jdbc library adds these libraries -> spring-jdbc,spring-tx,tomcat-jdbc.
Now for the configuration part, spring boot has maintained another library called spring-boot-autoconfigure which auto configures all needed configs depending on the libraries present on your pom and the initial set of config annotation been used on the app. For Eg. if it sees ojdbc jar present in your pom then it will autoconfigure oracle datasource to your project
From my bare understanding, this feature are not provided by Spring Boot. It is the power of Maven. Maven allow you to declare dependencies, and the dependencies themselves, PLUS the transitive dependencies will be retrieved.
The starter POMs are simply normal Maven POM-type artifact which declared essential dependencies, and hence, when you include in your own POM, related dependencies will be downloaded.
You may get some more understanding on Maven from Maven Site or Maven Guide by Sonatype