Update Jackson, SnakeYAML, Spring, and JAVA versions #704

Open
VictorCavichioli opened this issue Aug 26, 2024 · 3 comments · May be fixed by #763
Assignees
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@VictorCavichioli
Contributor

VictorCavichioli commented Aug 26, 2024

Story Description:
Evaluate how to upgrade the versions of Jackson and SnakeYAML, after change #701 I saw that we have some other things to update together, else the openapi fails.

Also step to Spring 6 and JAVA 17

Acceptance Criteria:

NA

Definition of Done:

Change approved by maintainers and passing on tests

Notes:

NA

@VictorCavichioli VictorCavichioli added enhancement New feature or request good first issue Good for newcomers labels Aug 26, 2024
@jwaeab jwaeab changed the title Update Jackson and SnakeYAML version Update Jackson, SnakeYAML, Spring, and JAVA versions Oct 15, 2024
@dapc11
Contributor

dapc11 commented Oct 22, 2024

Hi,

A lot of CVEs to be fixed by uplifting Spring to 6.1.x:

SnakeYaml stepping to 2.x would solve:

//DT

@jwaeab jwaeab self-assigned this Oct 23, 2024
@VictorCavichioli
Contributor Author

Guava:

  • Guava vulnerable to insecure use of temporary directory
  • Information Disclosure in Guava

Fix available in 32.0.0-android, we are using version 32.0.1-jre, but the com.datastax.oss/java-driver-shaded-guava uses version 25.1-jre. This dependency was moved to com.datastax.oss/java-driver-core so I think we don't actually need the shaded-guava, so we can remove this I guess (not fully sure), and add an exclusion on the java-driver-core so we can use 32.0.1-jre as the guava version.

Spring:

  • Spring Framework DataBinder Case Sensitive Match Exception - org.springframework:spring-context - Fix in >= 6.1.14/6.0.25
  • Spring Framework vulnerable to Denial of Service - org.springframework:spring-expression - Fix in >= 5.3.39
  • Pivotal Spring Framework contains unsafe Java deserialization methods - org.springframework:spring-web - Fix in >= 6.0.0
  • Spring Framework DoS via conditional HTTP request - org.springframework:spring-web - Fix in >= 6.0.23/6.1.12
  • Path traversal vulnerability in functional web frameworks - org.springframework:spring-webmvc - Fix in >= 6.1.13/6.0.24

Apache Tomcat - Denial of Service:

  • org.apache.tomcat.embed:tomcat-embed-core - Fix in >= 11.0.0-M21/10.1.25/9.0.90
  • org.apache.tomcat:tomcat-coyote - Fix in >= 11.0.0-M21/10.1.25/9.0.90

@jwaeab
Collaborator

jwaeab commented Oct 30, 2024

Guava:

  • Guava vulnerable to insecure use of temporary directory
  • Information Disclosure in Guava

Fix available in 32.0.0-android, we are using version 32.0.1-jre, but the com.datastax.oss/java-driver-shaded-guava uses version 25.1-jre. This dependency was moved to com.datastax.oss/java-driver-core so I think we don't actually need the shaded-guava, so we can remove this I guess (not fully sure), and add an exclusion on the java-driver-core so we can use 32.0.1-jre as the guava version.

Spring:

  • Spring Framework DataBinder Case Sensitive Match Exception - org.springframework:spring-context - Fix in >= 6.1.14/6.0.25
  • Spring Framework vulnerable to Denial of Service - org.springframework:spring-expression - Fix in >= 5.3.39
  • Pivotal Spring Framework contains unsafe Java deserialization methods - org.springframework:spring-web - Fix in >= 6.0.0
  • Spring Framework DoS via conditional HTTP request - org.springframework:spring-web - Fix in >= 6.0.23/6.1.12
  • Path traversal vulnerability in functional web frameworks - org.springframework:spring-webmvc - Fix in >= 6.1.13/6.0.24

Apache Tomcat - Denial of Service:

  • org.apache.tomcat.embed:tomcat-embed-core - Fix in >= 11.0.0-M21/10.1.25/9.0.90
  • org.apache.tomcat:tomcat-coyote - Fix in >= 11.0.0-M21/10.1.25/9.0.90

The current status on my work (so it aligns with above issues):

guava = 33.3.1-jre
spring = 6.1.14
tomcat = 10.1.31
... but many, many other versions (with their vulnerabilities) also need to be stepped.

Regarding the shading, it has been removed due to the fact (as you state) it has been moved to java-driver-core.

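The approach discussed in the two comments above (drop the explicit java-driver-shaded-guava dependency, exclude it from java-driver-core, and force the pinned Guava, Spring and Tomcat versions through dependencyManagement) as a Maven pom fragment. This is an added illustration, not the project's pom or the change in #763; it assumes the project builds with Maven and that `${cassandra.driver.version}` is a property already defined in the pom.

```xml
<properties>
  <!-- versions jwaeab reports above; bump these as further CVEs land -->
  <guava.version>33.3.1-jre</guava.version>
  <spring.version>6.1.14</spring.version>
  <tomcat.version>10.1.31</tomcat.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Spring BOM: every org.springframework artifact, direct or transitive,
         resolves to the same patched version -->
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-framework-bom</artifactId>
      <version>${spring.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    <!-- pin Guava so no transitive path can pull in an older, vulnerable copy -->
    <dependency>
      <groupId>com.google.guava</groupId>
      <artifactId>guava</artifactId>
      <version>${guava.version}</version>
    </dependency>
    <!-- embedded Tomcat (covers the tomcat-embed-core DoS fix above) -->
    <dependency>
      <groupId>org.apache.tomcat.embed</groupId>
      <artifactId>tomcat-embed-core</artifactId>
      <version>${tomcat.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- the explicit com.datastax.oss:java-driver-shaded-guava dependency is removed entirely -->
  <dependency>
    <groupId>com.datastax.oss</groupId>
    <artifactId>java-driver-core</artifactId>
    <version>${cassandra.driver.version}</version>
    <exclusions>
      <!-- keep the driver's bundled Guava 25.1-jre copy off the classpath -->
      <exclusion>
        <groupId>com.datastax.oss</groupId>
        <artifactId>java-driver-shaded-guava</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
</dependencies>
```

Verify the result with `mvn dependency:tree -Dincludes=com.google.guava,org.springframework,org.apache.tomcat.embed` and run the full test suite: the shaded jar contains relocated Guava packages that java-driver-core's own classes may reference, so the exclusion is only safe if the driver still starts and the tests pass without it.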
jwaeab added a commit to jwaeab/ecchronos that referenced this issue Nov 5, 2024
tommystendahl pushed a commit to tommystendahl/ecchronos that referenced this issue Nov 6, 2024
jwaeab added a commit to jwaeab/ecchronos that referenced this issue Nov 7, 2024