Skip to content

[Snyk] Upgrade org.springframework.boot:spring-boot-starter-security from 2.1.5.RELEASE to 2.7.18#2

Open
Rajcapabilityassessment wants to merge 1 commit into
masterfrom
snyk-upgrade-d6fa1cd5c53215960ab635d2051d5d33
Open

[Snyk] Upgrade org.springframework.boot:spring-boot-starter-security from 2.1.5.RELEASE to 2.7.18#2
Rajcapabilityassessment wants to merge 1 commit into
masterfrom
snyk-upgrade-d6fa1cd5c53215960ab635d2051d5d33

Conversation

@Rajcapabilityassessment

Copy link
Copy Markdown
Owner

snyk-top-banner

Snyk has created this PR to upgrade org.springframework.boot:spring-boot-starter-security from 2.1.5.RELEASE to 2.7.18.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 105 versions ahead of your current version.

  • The recommended version was released 3 years ago.

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

…om 2.1.5.RELEASE to 2.7.18

Snyk has created this PR to upgrade org.springframework.boot:spring-boot-starter-security from 2.1.5.RELEASE to 2.7.18.

See this package in maven:
org.springframework.boot:spring-boot-starter-security

See this project in Snyk:
https://app.eu.snyk.io/org/hsbc-sast-pov-org/project/c12c5f85-7f45-444f-82d9-02c8dfe4dc73?utm_source=github&utm_medium=referral&page=upgrade-pr
@Rajcapabilityassessment

Copy link
Copy Markdown
Owner Author

Merge Risk: High

This is a major upgrade from Spring Boot 2.1.5 to 2.7.18, which introduces significant breaking changes, most notably in Spring Security. A full refactoring of your security configuration is required.

Key Breaking Changes:

  • WebSecurityConfigurerAdapter is Deprecated: Spring Boot 2.7 uses Spring Security 5.7, which deprecates WebSecurityConfigurerAdapter. You must migrate from extending this class to a component-based approach by defining SecurityFilterChain beans.

    • Old Approach (Before):

      @Configuration  
      public class SecurityConfig extends WebSecurityConfigurerAdapter {  
          @Override  
          protected void configure(HttpSecurity http) throws Exception {  
              http.authorizeRequests().anyRequest().authenticated().and().formLogin();  
          }  
      }  
    • New Approach (After):

      @Configuration  
      public class SecurityConfig {  
          @Bean  
          public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {  
              http.authorizeHttpRequests(authz -> authz.anyRequest().authenticated())  
                  .formLogin(Customizer.withDefaults());  
              return http.build();  
          }  
      }  
  • Path Matching Strategy Change: As of Spring Boot 2.6, the default MVC path matching strategy changed from AntPathMatcher to PathPatternParser. This can break security rules. For example, a rule matching "/path" may no longer match "/path/". You must review your mvcMatchers rules to ensure they are still correct.

  • Circular Dependencies Blocked: Spring Boot 2.6 prohibits circular dependencies between beans by default. This can cause application startup failures that need to be resolved by refactoring your bean dependencies.

  • SAML Properties Renamed: In Spring Boot 2.7, SAML configuration properties under identityprovider have been moved to assertingparty.

Recommendation: This upgrade requires a mandatory and significant refactoring of your security configuration. Do not merge without allocating time to rewrite your WebSecurityConfigurerAdapter classes as SecurityFilterChain beans and verifying all security-related functionality, especially endpoint authorization rules.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

@Rajcapabilityassessment

Copy link
Copy Markdown
Owner Author

Logo
Checkmarx One – Scan Summary & Details6d771b69-9e8e-4398-891d-f73c418d4244


New Issues (125)

Critical: 2 · High: 12 · Medium: 18 · Low: 93

Checkmarx found the following issues in this Pull Request

# Severity Issue Source File / Package Checkmarx Insight
1 CRITICAL CGI_Stored_XSS src/main/java/org/joychou/security/AntObjectInputStream.java: 70
detailsThe method embeds untrusted data in generated output with name, at line 71 of /src/main/java/org/joychou/security/AntObjectInputStream.java. Thi...
Attack Vector
2 CRITICAL CGI_Stored_XSS src/main/java/org/joychou/controller/PathTraversal.java: 53
detailsThe method embeds untrusted data in generated output with aa, at line 54 of /src/main/java/org/joychou/controller/PathTraversal.java. This untru...
Attack Vector
3 HIGH CGI_Reflected_XSS src/main/java/org/joychou/controller/WebSockets.java: 31
detailsThe method embeds untrusted data in generated output with println, at line 45 of /src/main/java/org/joychou/controller/WebSockets.java. This unt...
Attack Vector
4 HIGH CGI_Reflected_XSS src/main/java/org/joychou/controller/WebSockets.java: 31
detailsThe method embeds untrusted data in generated output with println, at line 42 of /src/main/java/org/joychou/controller/WebSockets.java. This unt...
Attack Vector
5 HIGH CGI_Reflected_XSS src/main/java/org/joychou/util/WebUtils.java: 21
detailsThe method embeds untrusted data in generated output with println, at line 41 of /src/main/java/org/joychou/controller/QLExpress.java. This untr...
Attack Vector
6 HIGH CGI_Reflected_XSS src/main/java/org/joychou/controller/WebSockets.java: 54
detailsThe method embeds untrusted data in generated output with println, at line 68 of /src/main/java/org/joychou/controller/WebSockets.java. This unt...
Attack Vector
7 HIGH CGI_Reflected_XSS src/main/java/org/joychou/controller/WebSockets.java: 54
detailsThe method embeds untrusted data in generated output with println, at line 65 of /src/main/java/org/joychou/controller/WebSockets.java. This unt...
Attack Vector
8 HIGH CGI_Reflected_XSS src/main/java/org/joychou/util/WebUtils.java: 21
detailsThe method embeds untrusted data in generated output with println, at line 23 of /src/main/java/org/joychou/controller/QLExpress.java. This untr...
Attack Vector
9 HIGH CGI_Reflected_XSS src/main/java/org/joychou/util/WebUtils.java: 21
detailsThe method embeds untrusted data in generated output with println, at line 34 of /src/main/java/org/joychou/controller/QLExpress.java. This untr...
Attack Vector
10 HIGH CGI_Reflected_XSS src/main/java/org/joychou/controller/WebSockets.java: 55
detailsThe method embeds untrusted data in generated output with println, at line 68 of /src/main/java/org/joychou/controller/WebSockets.java. This unt...
Attack Vector
11 HIGH CGI_Reflected_XSS src/main/java/org/joychou/util/WebUtils.java: 21
detailsThe method embeds untrusted data in generated output with println, at line 27 of /src/main/java/org/joychou/controller/QLExpress.java. This untr...
Attack Vector
12 HIGH CGI_Reflected_XSS src/main/java/org/joychou/controller/WebSockets.java: 55
detailsThe method embeds untrusted data in generated output with println, at line 65 of /src/main/java/org/joychou/controller/WebSockets.java. This unt...
Attack Vector
13 HIGH CGI_Reflected_XSS src/main/java/org/joychou/controller/WebSockets.java: 32
detailsThe method embeds untrusted data in generated output with println, at line 45 of /src/main/java/org/joychou/controller/WebSockets.java. This unt...
Attack Vector
14 HIGH CGI_Reflected_XSS src/main/java/org/joychou/controller/WebSockets.java: 32
detailsThe method embeds untrusted data in generated output with println, at line 42 of /src/main/java/org/joychou/controller/WebSockets.java. This unt...
Attack Vector
15 MEDIUM Command_Argument_Injection src/main/java/org/joychou/controller/CommandInject.java: 52
detailsAn argument is passed to an external OS command by start at /src/main/java/org/joychou/controller/CommandInject.java in line 60. This could allow...
Attack Vector
16 MEDIUM Command_Argument_Injection src/main/java/org/joychou/controller/CommandInject.java: 42
detailsAn argument is passed to an external OS command by start at /src/main/java/org/joychou/controller/CommandInject.java in line 47. This could allow...
Attack Vector
17 MEDIUM Command_Argument_Injection src/main/java/org/joychou/controller/Rce.java: 63
detailsAn argument is passed to an external OS command by start at /src/main/java/org/joychou/controller/Rce.java in line 70. This could allow an attack...
Attack Vector
18 MEDIUM Command_Argument_Injection src/main/java/org/joychou/controller/CommandInject.java: 25
detailsAn argument is passed to an external OS command by start at /src/main/java/org/joychou/controller/CommandInject.java in line 30. This could allow...
Attack Vector
19 MEDIUM Dangerous_File_Size_Upload src/main/java/org/joychou/util/WebUtils.java: 21
detailsThe uploaded file next in /src/main/java/org/joychou/util/WebUtils.java at line 21 is stored in /src/main/java/org/joychou/controller/XXE.java at...
Attack Vector
20 MEDIUM Dangerous_File_Size_Upload src/main/java/org/joychou/controller/XXE.java: 241
detailsThe uploaded file getInputStream in /src/main/java/org/joychou/controller/XXE.java at line 241 is stored in /src/main/java/org/joychou/controller/...
Attack Vector
21 MEDIUM Dangerous_File_Size_Upload src/main/java/org/joychou/util/WebUtils.java: 21
detailsThe uploaded file next in /src/main/java/org/joychou/util/WebUtils.java at line 21 is stored in /src/main/java/org/joychou/controller/XXE.java at...
Attack Vector
22 MEDIUM Dangerous_File_Size_Upload src/main/java/org/joychou/util/WebUtils.java: 21
detailsThe uploaded file next in /src/main/java/org/joychou/util/WebUtils.java at line 21 is stored in /src/main/java/org/joychou/controller/XXE.java at...
Attack Vector
23 MEDIUM Dangerous_File_Size_Upload src/main/java/org/joychou/controller/FileUpload.java: 186
detailsThe uploaded file getBytes in /src/main/java/org/joychou/controller/FileUpload.java at line 186 is stored in /src/main/java/org/joychou/controller...
Attack Vector
24 MEDIUM Dangerous_File_Size_Upload src/main/java/org/joychou/controller/FileUpload.java: 61
detailsThe uploaded file getBytes in /src/main/java/org/joychou/controller/FileUpload.java at line 61 is stored in /src/main/java/org/joychou/controller/...
Attack Vector
25 MEDIUM Dangerous_File_Size_Upload src/main/java/org/joychou/controller/FileUpload.java: 143
detailsThe uploaded file getBytes in /src/main/java/org/joychou/controller/FileUpload.java at line 143 is stored in /src/main/java/org/joychou/controller...
Attack Vector
26 MEDIUM Information_Exposure_Through_Query_String src/main/java/org/joychou/security/LoginFailureHandler.java: 26
detailsThe password ""password"" at /src/main/java/org/joychou/security/LoginFailureHandler.java in line 26 is sent in a URL as a GET parameter by getPar...
Attack Vector
27 MEDIUM JWT_Use_Of_Hardcoded_Secret src/main/java/org/joychou/util/JwtUtils.java: 20
detailsThe variable ""123456"" at line 20 of file /src/main/java/org/joychou/util/JwtUtils.java is assigned with a hardcoded, literal value. This value ...
Attack Vector
28 MEDIUM Secure_Cookie_Flag_Not_Set src/main/java/org/joychou/controller/Login.java: 42
detailsThe /src/main/java/org/joychou/controller/Login.java application configuration file, at line 42, does not define sensitive application cookies wit...
Attack Vector
29 MEDIUM Secure_Cookie_Flag_Not_Set src/main/java/org/joychou/controller/XSS.java: 44
detailsThe /src/main/java/org/joychou/controller/XSS.java application configuration file, at line 44, does not define sensitive application cookies with ...
Attack Vector
30 MEDIUM Secure_Cookie_Flag_Not_Set src/main/java/org/joychou/controller/CRLFInjection.java: 27
detailsThe /src/main/java/org/joychou/controller/CRLFInjection.java application configuration file, at line 27, does not define sensitive application coo...
Attack Vector
31 MEDIUM Secure_Cookie_Flag_Not_Set src/main/java/org/joychou/util/CookieUtils.java: 17
detailsThe /src/main/java/org/joychou/util/CookieUtils.java application configuration file, at line 17, does not define sensitive application cookies wit...
Attack Vector
32 MEDIUM Secure_Cookie_Flag_Not_Set src/main/java/org/joychou/util/CookieUtils.java: 30
detailsThe /src/main/java/org/joychou/util/CookieUtils.java application configuration file, at line 30, does not define sensitive application cookies wit...
Attack Vector
33 LOW Cookie_Overly_Broad_Path src/main/java/org/joychou/controller/Jwt.java: 43
detailsThe sensitive cookie set by ""/"", in the file /src/main/java/org/joychou/controller/Jwt.java at line 43, is set to encompass a broad path.
Attack Vector
34 LOW Cookie_Overly_Broad_Path src/main/java/org/joychou/controller/Login.java: 41
detailsThe sensitive cookie set by ""/"", in the file /src/main/java/org/joychou/controller/Login.java at line 41, is set to encompass a broad path.
Attack Vector
35 LOW Cookie_Overly_Broad_Path src/main/java/org/joychou/util/CookieUtils.java: 29
detailsThe sensitive cookie set by ""/"", in the file /src/main/java/org/joychou/util/CookieUtils.java at line 29, is set to encompass a broad path.
Attack Vector
36 LOW Cookie_Overly_Broad_Path src/main/java/org/joychou/util/CookieUtils.java: 16
detailsThe sensitive cookie set by ""/"", in the file /src/main/java/org/joychou/util/CookieUtils.java at line 16, is set to encompass a broad path.
Attack Vector
37 LOW Creation_of_Temp_File_in_Dir_with_Incorrect_Permissions src/main/java/org/joychou/controller/FileUpload.java: 180 Attack Vector
38 LOW Improper_Resource_Shutdown_or_Release src/main/java/org/joychou/security/AntObjectInputStream.java: 67
detailsThe application's method in /src/main/java/org/joychou/security/AntObjectInputStream.java defines and initializes the AntObjectInputStream object...
Attack Vector
39 LOW Improper_Resource_Shutdown_or_Release src/main/java/org/joychou/controller/SQLI.java: 100
detailsThe application's method in /src/main/java/org/joychou/controller/SQLI.java defines and initializes the getConnection object at 100. This object...
Attack Vector
40 LOW Improper_Resource_Shutdown_or_Release src/main/java/org/joychou/controller/Deserialize.java: 49
detailsThe application's method in /src/main/java/org/joychou/controller/Deserialize.java defines and initializes the ObjectInputStream object at 49. T...
Attack Vector
41 LOW Improper_Resource_Shutdown_or_Release src/main/java/org/joychou/security/AntObjectInputStream.java: 58
detailsThe application's method in /src/main/java/org/joychou/security/AntObjectInputStream.java defines and initializes the FileOutputStream object at ...
Attack Vector
42 LOW Improper_Resource_Shutdown_or_Release src/main/java/org/joychou/controller/Deserialize.java: 76
detailsThe application's method in /src/main/java/org/joychou/controller/Deserialize.java defines and initializes the AntObjectInputStream object at 76...
Attack Vector
43 LOW Improper_Resource_Shutdown_or_Release src/main/java/org/joychou/controller/Shiro.java: 37
detailsThe application's method in /src/main/java/org/joychou/controller/Shiro.java defines and initializes the ObjectInputStream object at 37. This ob...
Attack Vector
44 LOW Improper_Resource_Shutdown_or_Release src/main/java/org/joychou/controller/SQLI.java: 58
detailsThe application's method in /src/main/java/org/joychou/controller/SQLI.java defines and initializes the getConnection object at 58. This object ...
Attack Vector
45 LOW Improper_Resource_Shutdown_or_Release src/main/java/org/joychou/security/AntObjectInputStream.java: 59
detailsThe application's method in /src/main/java/org/joychou/security/AntObjectInputStream.java defines and initializes the ObjectOutputStream object a...
Attack Vector
46 LOW Improper_Resource_Shutdown_or_Release src/main/java/org/joychou/controller/XXE.java: 296
detailsThe application's method in /src/main/java/org/joychou/controller/XXE.java defines and initializes the StringReader object at 296. This object e...
Attack Vector
47 LOW Improper_Resource_Shutdown_or_Release src/main/java/org/joychou/controller/XXE.java: 326
detailsThe application's method in /src/main/java/org/joychou/controller/XXE.java defines and initializes the StringReader object at 326. This object e...
Attack Vector
48 LOW Improper_Resource_Shutdown_or_Release src/main/java/org/joychou/security/AntObjectInputStream.java: 66
detailsThe application's method in /src/main/java/org/joychou/security/AntObjectInputStream.java defines and initializes the FileInputStream object at 6...
Attack Vector
49 LOW Improper_Resource_Shutdown_or_Release src/main/java/org/joychou/controller/FileUpload.java: 185
detailsThe application's method in /src/main/java/org/joychou/controller/FileUpload.java defines and initializes the FileOutputStream object at 185. Th...
Attack Vector
50 LOW Improper_Resource_Shutdown_or_Release src/main/java/org/joychou/controller/Rce.java: 38
detailsThe application's method in /src/main/java/org/joychou/controller/Rce.java defines and initializes the BufferedReader object at 38. This object ...
Attack Vector
51 LOW Improper_Resource_Shutdown_or_Release src/main/java/org/joychou/controller/XXE.java: 274
detailsThe application's method in /src/main/java/org/joychou/controller/XXE.java defines and initializes the StringReader object at 274. This object e...
Attack Vector
52 LOW Improper_Resource_Shutdown_or_Release src/main/java/org/joychou/util/HttpUtils.java: 77
detailsThe application's method in /src/main/java/org/joychou/util/HttpUtils.java defines and initializes the BufferedReader object at 77. This object ...
Attack Vector
53 LOW Improper_Resource_Shutdown_or_Release src/main/java/org/joychou/controller/Rce.java: 72
detailsThe application's method in /src/main/java/org/joychou/controller/Rce.java defines and initializes the BufferedReader object at 72. This object ...
Attack Vector
54 LOW Improper_Resource_Shutdown_or_Release src/main/java/org/joychou/util/HttpUtils.java: 124
detailsThe application's method in /src/main/java/org/joychou/util/HttpUtils.java defines and initializes the BufferedReader object at 124. This object...
Attack Vector
55 LOW Improper_Resource_Shutdown_or_Release src/main/java/org/joychou/controller/SQLI.java: 144
detailsThe application's method in /src/main/java/org/joychou/controller/SQLI.java defines and initializes the getConnection object at 144. This object...
Attack Vector
56 LOW Improper_Resource_Shutdown_or_Release src/main/java/org/joychou/util/HttpUtils.java: 96
detailsThe application's method in /src/main/java/org/joychou/util/HttpUtils.java defines and initializes the BufferedReader object at 96. This object ...
Attack Vector
57 LOW Improper_Resource_Shutdown_or_Release src/main/java/org/joychou/util/WebUtils.java: 20
detailsThe application's method in /src/main/java/org/joychou/util/WebUtils.java defines and initializes the Scanner object at 20. This object encapsul...
Attack Vector
58 LOW Incorrect_Permission_Assignment_For_File_System_Resources src/main/java/org/joychou/security/AntObjectInputStream.java: 58
detailsA file is created on the file system by fos in /src/main/java/org/joychou/security/AntObjectInputStream.java at line 58 with potentially dangerous...
Attack Vector
59 LOW Incorrect_Permission_Assignment_For_File_System_Resources src/main/java/org/joychou/controller/FileUpload.java: 158
detailsA file is created on the file system by delFile in /src/main/java/org/joychou/controller/FileUpload.java at line 158 with potentially dangerous pe...
Attack Vector
60 LOW Incorrect_Permission_Assignment_For_File_System_Resources src/main/java/org/joychou/controller/FileUpload.java: 144
detailsA file is created on the file system by path in /src/main/java/org/joychou/controller/FileUpload.java at line 144 with potentially dangerous permi...
Attack Vector
61 LOW Incorrect_Permission_Assignment_For_File_System_Resources src/main/java/org/joychou/controller/FileUpload.java: 180
detailsA file is created on the file system by convFile in /src/main/java/org/joychou/controller/FileUpload.java at line 180 with potentially dangerous p...
Attack Vector
62 LOW Incorrect_Permission_Assignment_For_File_System_Resources src/main/java/org/joychou/controller/PathTraversal.java: 43
detailsA file is created on the file system by f in /src/main/java/org/joychou/controller/PathTraversal.java at line 43 with potentially dangerous permis...
Attack Vector
63 LOW Incorrect_Permission_Assignment_For_File_System_Resources src/main/java/org/joychou/controller/FileUpload.java: 62
detailsA file is created on the file system by path in /src/main/java/org/joychou/controller/FileUpload.java at line 62 with potentially dangerous permis...
Attack Vector
64 LOW Information_Exposure_Through_an_Error_Message src/main/java/org/joychou/util/HttpUtils.java: 105
detailsMethod , at line 105 of /src/main/java/org/joychou/util/HttpUtils.java, handles an Exception or runtime Error e. During the exception handling co...
Attack Vector
65 LOW Information_Exposure_Through_an_Error_Message src/main/java/org/joychou/controller/XXE.java: 256
detailsMethod , at line 256 of /src/main/java/org/joychou/controller/XXE.java, handles an Exception or runtime Error e. During the exception handling co...
Attack Vector
66 LOW Information_Exposure_Through_an_Error_Message src/main/java/org/joychou/util/HttpUtils.java: 133
detailsMethod , at line 133 of /src/main/java/org/joychou/util/HttpUtils.java, handles an Exception or runtime Error e. During the exception handling co...
Attack Vector
67 LOW Information_Exposure_Through_an_Error_Message src/main/java/org/joychou/util/JwtUtils.java: 46
detailsMethod , at line 46 of /src/main/java/org/joychou/util/JwtUtils.java, handles an Exception or runtime Error e. During the exception handling code...
Attack Vector
68 LOW Information_Exposure_Through_an_Error_Message src/main/java/org/joychou/util/HttpUtils.java: 133
detailsMethod , at line 133 of /src/main/java/org/joychou/util/HttpUtils.java, handles an Exception or runtime Error e. During the exception handling co...
Attack Vector
69 LOW Information_Exposure_Through_an_Error_Message src/main/java/org/joychou/util/HttpUtils.java: 213
detailsMethod , at line 213 of /src/main/java/org/joychou/util/HttpUtils.java, handles an Exception or runtime Error e. During the exception handling co...
Attack Vector
70 LOW Information_Exposure_Through_an_Error_Message src/main/java/org/joychou/util/HttpUtils.java: 105
detailsMethod , at line 105 of /src/main/java/org/joychou/util/HttpUtils.java, handles an Exception or runtime Error e. During the exception handling co...
Attack Vector

More results are available on the CxOne platform


Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants