im using spring boot in a recommended way, that is by adding
classpath("org.springframework.boot:spring-boot-gradle-plugin:${springBootVersion}")
and then adding dependencies i need, like:
compile('org.springframework.boot:spring-boot-starter-web')
That dependency pulls some predefined version of tomcat that will host my microservice.
but what happens when there is a security fix for tomcat released? does spring team track all the security issues in all the project they use and bump spring-boot version when new fix is released? or do i have to track it by myself and control dependencies (like tomcat) manually instead of using 'the spring-boot way'?
Whenever we release a new version of Spring Boot, we update the managed dependency versions to the latest appropriate release of that dependency. Appropriate means that we won't, for example, move to a new major or minor version of a dependency in a maintenance release of Spring Boot.
Generally speaking, a new version of a managed dependency (even if it contains a security fix) won't trigger the release of a new version of Spring Boot. It's impossible for us to know exactly how a dependency is being used and if the fix is relevant to all, some, or even any of Spring Boot's users.
This means that you do need to keep track of security vulnerabilities yourself. If a vulnerability affects you and Spring Boot has not yet updated its managed version then you can easily override that version in your build script. For example, if you are using Gradle:
ext['tomcat.version']='8.0.36'
Or Maven:
<properties>
<tomcat.version>8.0.36</tomcat.version>
</properties>
Related
I am planning to upgrade services from spring boot 2.2.6 to 3.0.2. I want to know if latest spring boot version has any new vulnerabilities and if all old vulnerabilities have been fixed in the spring boot latest version? Where can I get this information?
Note : I can see list of 57 vulnerabilities from maven repository in 2.2.6 version, but it did not list any vulnerabilities for 3.0.2 version. While spring might have fixed direct vulnerabilities, there can be few vulnerabilities which are coming from transitive dependency.
Is there a way to find all vulnerabilities coming from direct and transitive dependencies ?
The answer is not easy, because we don't know all your used (sub-)dependencies. And an answer can be outdate in a couple of hours/days/weeeks ...
But you can lookup the dependencies manually with the new MavenCentral-website.
An example: When you search for "Spring JPA", then you will find this site: https://search.maven.org/artifact/org.springframework.boot/spring-boot-starter-data-jpa/3.0.2/jar
And there is button to view the OSS-index which is pointing to this site:
https://ossindex.sonatype.org/component/pkg:maven/org.springframework.boot/spring-boot-starter-data-jpa#3.0.2
Or, just make the upgrade and let your IDE resolve all the vulnerabilities automatically.
IntelliJ does it very well:
I tried to migrate gradle project with spring boot from selenium 3 to selenium 4
(implementation 'org.seleniumhq.selenium:selenium-java:4.1.1')
But chrome, firefox and edge web drivers remains from selenium version 3
(org.seleniumhq.selenium:selenium-chrome-driver:3.141.59).
If I remove spring boot dependency from project, they updates to 4.1.1
Currently using gradle version "7.3.3".
Spring boot "2.6.3".
Spring dependency management "1.0.11.RELEASE".
Any ideas why this happens, I hoped that dependency hell dissapeared with spring boot creation)
Thanks in advance!
I have the same promble, I found in spring-boot-starter-parent, there is a spring-boot-dependencies in ~/.m2/repository/org/springframework/boot/spring-boot-dependencies/2.6.3/spring-boot-dependencies-2.6.3.pom, which declared <selenium.version>3.141.59</selenium.version> in properties, so you can try add
<properties>
<selenium.version>4.1.2</selenium.version>
</properties>
in your project pom.xml.
Spring Boot comes with a set of versions that are know to work together. But you can override them in your build script. In case of Gradle, add to build.gradle:
ext['selenium.version'] = '4.1.2'
It is because Spring Boot comes packed with a set of predefined dependecies that you can find here: https://docs.spring.io/spring-boot/docs/2.6.7/reference/htmlsingle/#appendix.dependency-versions
In this page, you will also find, how to change predefined version. In general, you need to add .version to your dependency name and, in case of multiple word names, you change spaces to dashes (not needed in case of selenium).
So, to change version to most recent, type in build.gradle ext['selenium.version'] = '4.4.0' at 0 indent level. (don't add it, say inside dependencies {})
I am developing two projects.
Project 1 is a spring-boot application based on gradle for dependency management. This application defines extension-points. If - at runtime - an extension is found on the classpath, this extension is being called from the main application under certain circumstances.
Project 2 is such an extension. This extension should only provide low-level functionality. So basically, I need spring annotations and an EntityManager within the application but I would like to prevent the full spring-boot dependencies to be present on the compile-path.
The obvious (and not satisfactory) solution is to define a compileonly-dependency on a specific version of, say, spring-context. This is somewhat dangerous, as the spring-boot version may progress and it may be easy to forget to adjust the spring version.
Providing a compileOnly dependency to spring-boot-starter (or even the main project) is out of the question.
So, is there a clever trick to tell gralde to use "the spring-version coming with spring-boot-xxx"?
Sometimes you are within a forrest and not seeing the trees...
Thanks to the comment of #emrekgn I looked for BOM/Gradle/Spring and found... the spring boot dependency-management plugin.
Adding this to your gradle file will allow you to include dependencies matching to the spring boot version you are using:
plugins {
id 'org.springframework.boot' version '2.6.2'
}
apply plugin: 'io.spring.dependency-management'
Obviously, you have to match the boot-version to your needs.
Is it somehow possible to use Maven dependency with older Spring Boot version? The project is using version 2.x and the custom dependency uses 1.5.x.
Could not found any documentation on the topic.
I'm asking because of getting a NoClassDefFoundError while introspecting class inside the custom jar file.
No. Spring Boot 2.X is a major version which is not backwards compatible with Spring Boot 1.5.X. Same goes for major Spring Framework versions, you can't mix Spring Framework 5.X and 4.X.
Maven only manages project dependencies. It has nothing to do with your problem.
Basically there can only be one version of any given combination of groupId and artifactId in any maven project. So with plain vanilla maven, the answer is 'No'. But there is the maven-shade-plugin that can be used to change the group- and artifact ids of any dependency.
We want to run our own instance of the Spring Initializr and enhance it with own modules. However there is still no stable version available: Spring Inititializr's current version is still 1.0.0.BUILD-SNAPSHOT and it is not available on Maven central. Moreover, there have been some major changes in the module structure some weeks ago, which makes building and maintaining from source difficult...
My questions: is there a roadmap for the Spring Initializr project? When will it be available on Maven central?
Spring Initializr works in a continous deployment mode with no release scheduled at the moment. Every time we push a change on master, the whole tests suite is ran and if it passes we deploy the new version to production.
We did a quiet 0.1.0.RELEASE on repo.spring.io because a project requires it but we have no intention to go 1.0.0.RELEASE on Maven central at the moment. Part of the reasoning is that Spring Initializr is a service and not a library and we want to have the freedom to make breaking changes if necessary.
We do have some plans for an official release but nothing scheduled.