Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MODCONSKC-59: Release 1.5.2 (Quesnelia): Spring Boot 3.3.7, edge-api-utils 1.5.0 fixing vulns #140

Open
wants to merge 3 commits into
base: b1.5
Choose a base branch
from
Open

MODCONSKC-59: Release 1.5.2 (Quesnelia): Spring Boot 3.3.7, edge-api-utils 1.5.0 fixing vulns #140

wants to merge 3 commits into from

Conversation

julianladisch
Copy link

https://folio-org.atlassian.net/browse/MODCONSKC-59

Purpose

Fix 3 security vulnerabilities in dependencies.
And release the fix as mod-consortia-keycloak 1.5.2.

Approach

Upgrade Spring Boot from 3.3.4 to 3.3.7.

The Spring Boot upgrade indirectly upgrades kafka-clients from 3.7.1 to 3.7.2 fixing this security vulnerability:

The Spring Boot upgrade indirectly upgrades tomcat-embed-core from 10.1.30 to 10.1.34 fixing this vulnerability:

Upgrading edge-api-utils from 1.3.0 to the Quesnelia version 1.5.0 removes the ion-java library that has this vulnerability in the used version 1.0.2:

TODOS and Open Questions

  • Check logging

Pre-Merge Checklist:

Before merging this PR, please go through the following list and take appropriate actions.

  • Does this PR meet or exceed the expected quality standards?
    • Code coverage on new code is 80% or greater
    • Duplications on new code is 3% or less
    • [x]There are no major code smells or security issues
  • Does this introduce breaking changes?
    • There are no breaking changes in this PR.

@julianladisch
MODCONSKC-59: Spring Boot 3.3.7, edge-api-utils 1.5.0 fixing vulns
cef4e99 
https://folio-org.atlassian.net/browse/MODCONSKC-59

Upgrade Spring Boot from 3.3.4 to 3.3.7.

The Spring Boot upgrade indirectly upgrades kafka-clients from 3.7.1 to 3.7.2 fixing this security vulnerability:

* https://www.cve.org/CVERecord?id=CVE-2024-56128 kafka-clients: wrong SCRAM nonce verification for SASL_PLAINTEXT

The Spring Boot upgrade indirectly upgrades tomcat-embed-core from 10.1.30 to 10.1.34 fixing this vulnerability:

* https://www.cve.org/CVERecord?id=CVE-2024-52317 tomcat-embed-core: HTTP/2 request and/or response mix-up

Upgrading edge-api-utils from 1.3.0 to the Quesnelia version 1.5.0 removes the ion-java library that has this vulnerability in the used version 1.0.2:

* https://www.cve.org/CVERecord?id=CVE-2024-21634 ion-java: Allocation of Resources Without Limits or Throttling
@julianladisch
[maven-release-plugin] prepare release v1.5.2
22d497f
@julianladisch
[maven-release-plugin] prepare for next development iteration
1c1263a
@julianladisch julianladisch requested a review from a team as a code owner January 17, 2025 15:48
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@julianladisch