Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update Jackson, SnakeYAML, Spring, and JAVA versions #704

Closed
VictorCavichioli opened this issue Aug 26, 2024 · 3 comments · Fixed by #763
Closed

Update Jackson, SnakeYAML, Spring, and JAVA versions #704

VictorCavichioli opened this issue Aug 26, 2024 · 3 comments · Fixed by #763
Assignees
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@VictorCavichioli
Copy link
Contributor

VictorCavichioli commented Aug 26, 2024

Story Description:
Evaluate how to upgrade the versions of Jackson and SnakeYAML, after change #701 I saw that we have some other things to update together, else the openapi fails.

Also step to Spring 6 and JAVA 17

Acceptance Criteria:

NA

Definition of Done:

Change approved by maintainers and passing on tests

Notes:

NA

@VictorCavichioli VictorCavichioli added enhancement New feature or request good first issue Good for newcomers labels Aug 26, 2024
@jwaeab jwaeab changed the title Update Jackson and SnakeYAML version Update Jackson, SnakeYAML, Spring, and JAVA versions Oct 15, 2024
@dapc11
Copy link
Contributor

dapc11 commented Oct 22, 2024

Hi,

A lot of CVEs to be fixed by uplifting Spring to 6.1.x:

SnakeYaml stepping to 2.x would solve:

//DT

@jwaeab jwaeab self-assigned this Oct 23, 2024
@VictorCavichioli
Copy link
Contributor Author

Guava:

  • Guava vulnerable to insecure use of temporary directory
  • Information Disclosure in Guava

Fix available in 32.0.0-android, we are using version 32.0.1-jre, but the com.datastax.oss/java-driver-shaded-guava uses version 25.1-jre. This dependency was moved to com.datastax.oss/java-driver-core so I think we don't actually need the shaded-guava, so we can remove this i guess (Not fully sure), and add an exclusion on the java-driver-core so we can use 32.0.1-jre as guava version.

Spring:

  • Spring Framework DataBinder Case Sensitive Match Exception - org.springframework:spring-context - Fix in >= 6.1.14/6.0.25
  • Spring Framework vulnerable to Denial of Service - org.springframework:spring-expression - Fix in >= 5.3.39
  • Pivotal Spring Framework contains unsafe Java deserialization methods - org.springframework:spring-web - Fix in >= 6.0.0
  • Spring Framework DoS via conditional HTTP request - org.springframework:spring-web - Fix in >= 6.0.23/6.1.12
  • Path traversal vulnerability in functional web frameworks - org.springframework:spring-webmvc - Fix in >= 6.1.13/6.0.24

Apache Tomcat - Denial of Service:

  • org.apache.tomcat.embed:tomcat-embed-core - Fix in >= 11.0.0-M21/10.1.25/9.0.90
  • org.apache.tomcat:tomcat-coyote - Fix in >= 11.0.0-M21/10.1.25/9.0.90

@jwaeab
Copy link
Collaborator

jwaeab commented Oct 30, 2024

Guava:

  • Guava vulnerable to insecure use of temporary directory
  • Information Disclosure in Guava

Fix available in 32.0.0-android, we are using version 32.0.1-jre, but the com.datastax.oss/java-driver-shaded-guava uses version 25.1-jre. This dependency was moved to com.datastax.oss/java-driver-core so I think we don't actually need the shaded-guava, so we can remove this i guess (Not fully sure), and add an exclusion on the java-driver-core so we can use 32.0.1-jre as guava version.

Spring:

  • Spring Framework DataBinder Case Sensitive Match Exception - org.springframework:spring-context - Fix in >= 6.1.14/6.0.25
  • Spring Framework vulnerable to Denial of Service - org.springframework:spring-expression - Fix in >= 5.3.39
  • Pivotal Spring Framework contains unsafe Java deserialization methods - org.springframework:spring-web - Fix in >= 6.0.0
  • Spring Framework DoS via conditional HTTP request - org.springframework:spring-web - Fix in >= 6.0.23/6.1.12
  • Path traversal vulnerability in functional web frameworks - org.springframework:spring-webmvc - Fix in >= 6.1.13/6.0.24

Apache Tomcat - Denial of Service:

  • org.apache.tomcat.embed:tomcat-embed-core - Fix in >= 11.0.0-M21/10.1.25/9.0.90
  • org.apache.tomcat:tomcat-coyote - Fix in >= 11.0.0-M21/10.1.25/9.0.90

The current status on my work (so it aligns with above issues):

guava = 33.3.1-jre
spring = 6.1.14
tomcat = 10.1.31
... but many, many other versions (with their vulnerabilities) are also needed to be stepped.

Regarding the shading, it has been removed due to the fact (as you state) it has been moved to java-driver-core.

jwaeab added a commit to jwaeab/ecchronos that referenced this issue Nov 5, 2024
tommystendahl pushed a commit to tommystendahl/ecchronos that referenced this issue Nov 6, 2024
jwaeab added a commit to jwaeab/ecchronos that referenced this issue Nov 7, 2024
jwaeab added a commit to jwaeab/ecchronos that referenced this issue Nov 8, 2024
jwaeab added a commit to jwaeab/ecchronos that referenced this issue Nov 8, 2024
jwaeab added a commit to jwaeab/ecchronos that referenced this issue Nov 8, 2024
jwaeab added a commit to jwaeab/ecchronos that referenced this issue Nov 8, 2024
jwaeab added a commit to jwaeab/ecchronos that referenced this issue Nov 8, 2024
@jwaeab jwaeab closed this as completed in ad1804f Nov 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request good first issue Good for newcomers
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants