
fix: Upgrade spring to 2.7.x #15467

Merged
merged 16 commits into from
Sep 30, 2022


zhem0004
Contributor

@zhem0004 zhem0004 commented Jul 30, 2022

What does this PR do?

This PR upgrades version of spring to 2.7.x.

Motivation

The newer version is more up to date and there are fixes that have been applied in Spring Boot 2.7.

To fix

The presentation is not being set as current
Insert document request is not working properly
Presentation is not displayed properly

More

Note that we now specify versions explicitly for:

  implementation "org.springframework:spring-core:5.3.21"
  implementation "org.springframework:spring-context:5.3.21"

This was done to override the default spring-core and spring-context included in Spring.

The upgraded transitive dependencies include the following fixes:

  Upgrade org.grails:grails-core@5.0.1 to org.grails:grails-core@5.2.5 to fix
  ✗ Improper Handling of Case Sensitivity [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634] in org.springframework:spring-context@5.3.12
    introduced by org.grails:grails-core@5.0.1 > org.springframework:spring-context@5.3.12 and 8 other path(s)
  ✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828] in org.springframework:spring-expression@5.3.12
    introduced by org.grails:grails-core@5.0.1 > org.springframework:spring-context@5.3.12 > org.springframework:spring-expression@5.3.12 and 1 other path(s)
  ✗ Improper Input Validation [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878] in org.springframework:spring-core@5.3.12
    introduced by org.grails:grails-core@5.0.1 > org.springframework:spring-core@5.3.12 and 13 other path(s)

  Upgrade org.grails:grails-plugin-rest@5.0.1 to org.grails:grails-plugin-rest@5.2.0 to fix
  ✗ Improper Handling of Case Sensitivity [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634] in org.springframework:spring-context@5.3.12
    introduced by org.grails:grails-core@5.0.1 > org.springframework:spring-context@5.3.12 and 8 other path(s)
  ✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313] in org.springframework:spring-beans@5.3.12
    introduced by org.grails:grails-core@5.0.1 > org.springframework:spring-beans@5.3.12 and 8 other path(s)
  ✗ Improper Input Validation [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878] in org.springframework:spring-core@5.3.12
    introduced by org.grails:grails-core@5.0.1 > org.springframework:spring-core@5.3.12 and 13 other path(s)

  Upgrade org.grails:grails-web-boot@5.0.1 to org.grails:grails-web-boot@5.2.0 to fix
  ✗ Improper Handling of Case Sensitivity [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634] in org.springframework:spring-context@5.3.12
    introduced by org.grails:grails-core@5.0.1 > org.springframework:spring-context@5.3.12 and 8 other path(s)
  ✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313] in org.springframework:spring-beans@5.3.12
    introduced by org.grails:grails-core@5.0.1 > org.springframework:spring-beans@5.3.12 and 8 other path(s)
  ✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828] in org.springframework:spring-expression@5.3.12
    introduced by org.grails:grails-core@5.0.1 > org.springframework:spring-context@5.3.12 > org.springframework:spring-expression@5.3.12 and 1 other path(s)
  ✗ Improper Input Validation [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878] in org.springframework:spring-core@5.3.12
    introduced by org.grails:grails-core@5.0.1 > org.springframework:spring-core@5.3.12 and 13 other path(s)

  Upgrade org.springframework.boot:spring-boot-autoconfigure@2.5.5 to org.springframework.boot:spring-boot-autoconfigure@2.5.13 to fix
  ✗ Improper Handling of Case Sensitivity [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634] in org.springframework:spring-context@5.3.12
    introduced by org.grails:grails-core@5.0.1 > org.springframework:spring-context@5.3.12 and 8 other path(s)
  ✗ Improper Input Validation [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878] in org.springframework:spring-core@5.3.12
    introduced by org.grails:grails-core@5.0.1 > org.springframework:spring-core@5.3.12 and 13 other path(s)

  Upgrade org.springframework.boot:spring-boot-starter-actuator@2.5.5 to org.springframework.boot:spring-boot-starter-actuator@3.0.0 to fix
  ✗ Improper Input Validation [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878] in org.springframework:spring-core@5.3.12
    introduced by org.grails:grails-core@5.0.1 > org.springframework:spring-core@5.3.12 and 13 other path(s)

  Upgrade org.springframework.boot:spring-boot-starter-logging@2.5.5 to org.springframework.boot:spring-boot-starter-logging@2.5.7 to fix
  ✗ Insufficient Hostname Verification [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-1726923] in ch.qos.logback:logback-core@1.2.6
    introduced by org.springframework.boot:spring-boot-starter-logging@2.5.5 > ch.qos.logback:logback-classic@1.2.6 > ch.qos.logback:logback-core@1.2.6
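The explicit 5.3.21 pin above only helps if every Spring module actually resolves at or above it. As an added example (not code from this PR or from BigBlueButton), the script below reads the text of a Gradle dependency report and flags org.springframework artifacts that still resolve below that minimum; the report excerpt is constructed, and the pin is applied to all org.springframework modules as an assumption.

```python
import re
from typing import Dict, List, Tuple

# Minimum version this PR pins explicitly for spring-core/spring-context (5.3.21);
# assumed here to apply to every org.springframework module.
PINNED = {"org.springframework": (5, 3, 21)}

# "group:artifact:requested" optionally followed by "-> resolved" (Gradle report syntax)
COORD_RE = re.compile(
    r"([A-Za-z0-9_.\-]+):([A-Za-z0-9_.\-]+):([0-9][A-Za-z0-9_.\-]*)"
    r"(?:\s*->\s*([0-9][A-Za-z0-9_.\-]*))?"
)

def parse_version(v: str) -> Tuple[int, ...]:
    """'5.3.12' -> (5, 3, 12); a qualifier such as '-SNAPSHOT' is dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))

def resolved_versions(report: str) -> Dict[str, str]:
    """Map 'group:artifact' to the version Gradle actually resolved."""
    out: Dict[str, str] = {}
    for line in report.splitlines():
        m = COORD_RE.search(line)
        if m:
            group, artifact, requested, resolved = m.groups()
            out[f"{group}:{artifact}"] = resolved or requested
    return out

def below_pin(report: str) -> List[str]:
    """Coordinates whose resolved version is still below the pinned minimum."""
    bad = []
    for coord, version in resolved_versions(report).items():
        minimum = PINNED.get(coord.split(":")[0])
        if minimum and parse_version(version) < minimum:
            bad.append(f"{coord}:{version}")
    return sorted(bad)

# Constructed excerpt in the shape of `./gradlew dependencies --configuration runtimeClasspath`
SAMPLE_REPORT = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.grails:grails-core:5.2.5
|    +--- org.springframework:spring-context:5.3.12 -> 5.3.21
|    \\--- org.springframework:spring-core:5.3.12 -> 5.3.21
+--- org.springframework:spring-expression:5.3.12
\\--- ch.qos.logback:logback-core:1.2.6
"""

if __name__ == "__main__":
    for item in below_pin(SAMPLE_REPORT):
        print("still below pin:", item)  # flags spring-expression 5.3.12
```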


sonarcloud bot commented Jul 30, 2022

Kudos, SonarCloud Quality Gate passed!
  Bugs: A (0 Bugs)
  Vulnerabilities: A (0 Vulnerabilities)
  Security Hotspots: A (0 Security Hotspots)
  Code Smells: A (0 Code Smells)
  No Coverage information
  No Duplication information

@gustavotrott gustavotrott self-requested a review August 1, 2022 10:19
@antobinary antobinary added this to the Release 2.6 milestone Aug 4, 2022
@github-actions

github-actions bot commented Aug 5, 2022

This pull request has conflicts ☹
Please resolve those so we can review the pull request.
Thanks.

@gustavotrott
Collaborator

It would be better to avoid changing the names of the configs, because it will break the servers that have changed the config using the old names!
I would say to keep using the old name, e.g. beans.presentationService.defaultUploadedPresentation instead of defaultUploadedPresentation.

It seems we can keep the old name and make the resources.xml read it!

Collaborator

@gustavotrott gustavotrott left a comment


Keep the previous names for the configs to avoid breaking issues!

Collaborator

@gustavotrott gustavotrott left a comment


After your change the securitySalt is being read from bigbluebutton.properties instead of /etc/bigbluebutton/bbb-web.properties.

All configs set on /etc/bigbluebutton/bbb-web.properties have priority! Make sure to keep this behavior!
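One way to check the precedence this comment asks for, as an added example that is not BigBlueButton code: the two property files are stand-in strings, and the simple ${key} expansion below is an assumption standing in for the project's real property loading, used to show that an override of presentationDir must also reach the derived beans.presentationService.presentationDir value.

```python
import re
from typing import Dict

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")  # ${key} references, as in bigbluebutton.properties

def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value per line, '#' lines skipped."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def effective_config(default_text: str, override_text: str) -> Dict[str, str]:
    """Apply the override file on top of the defaults, then resolve ${...} references."""
    merged = parse_properties(default_text)
    merged.update(parse_properties(override_text))  # the /etc file wins on every key
    # Resolve after merging so an overridden presentationDir reaches derived bean values;
    # unknown placeholders stay literal so they show up in review.
    for _ in range(len(merged)):                     # bounded fixpoint for chained refs
        changed = False
        for key, value in list(merged.items()):
            new = PLACEHOLDER.sub(lambda m: merged.get(m.group(1), m.group(0)), value)
            if new != value:
                merged[key], changed = new, True
        if not changed:
            break
    return merged

# Constructed stand-ins for the two files; the salt values are placeholders, not real secrets
DEFAULT_PROPS = """\
# grails-app/conf/bigbluebutton.properties
securitySalt=CHANGE_ME_DEFAULT
presentationDir=/var/bigbluebutton
# Inject values into grails service beans
beans.presentationService.presentationDir=${presentationDir}
"""
OVERRIDE_PROPS = """\
# /etc/bigbluebutton/bbb-web.properties
securitySalt=EXAMPLE_SALT_FROM_ETC
presentationDir=/mnt/bbb/presentations
"""

def override_wins() -> bool:
    """True when both the salt and the derived bean value come from the /etc file."""
    cfg = effective_config(DEFAULT_PROPS, OVERRIDE_PROPS)
    return (cfg["securitySalt"] == "EXAMPLE_SALT_FROM_ETC"
            and cfg["beans.presentationService.presentationDir"] == "/mnt/bbb/presentations")
```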

bigbluebutton-web/grails-app/conf/bigbluebutton.properties (outdated)
Comment on lines 377 to 378
# Inject values into grails service beans
beans.presentationService.presentationDir=${presentationDir}
#presentationDir=${presentationDir}
Collaborator


Prefer removing it instead of commenting it out, if it will not be necessary anymore.

Contributor Author


Set back to how it used to be.

@zhem0004 zhem0004 marked this pull request as ready for review September 19, 2022 20:43

sonarcloud bot commented Sep 28, 2022

Kudos, SonarCloud Quality Gate passed!
  Bugs: A (0 Bugs)
  Vulnerabilities: A (0 Vulnerabilities)
  Security Hotspots: A (0 Security Hotspots)
  Code Smells: A (0 Code Smells)
  No Coverage information
  No Duplication information

Collaborator

@gustavotrott gustavotrott left a comment


LGTM!
