Update dependencies for latest CVEs #5488

Closed
onobc opened this issue Oct 3, 2023 · 6 comments
Labels: area/dependencies (Belongs project dependencies)

Comments

@onobc
Contributor

onobc commented Oct 3, 2023

            <dependency>
                <groupId>org.yaml</groupId>
                <artifactId>snakeyaml</artifactId>
                <version>1.33</version>
            </dependency>
            <dependency>
                <groupId>org.xerial.snappy</groupId>
                <artifactId>snappy-java</artifactId>
                <version>1.1.10.4</version>
            </dependency>
            <dependency>
                <groupId>net.minidev</groupId>
                <artifactId>json-smart</artifactId>
                <version>2.4.11</version>
            </dependency>
            <dependency>
                <groupId>com.nimbusds</groupId>
                <artifactId>nimbus-jose-jwt</artifactId>
                <version>9.31</version>
            </dependency>
@onobc onobc added the area/dependencies Belongs project dependencies label Oct 3, 2023
@onobc onobc added this to the 2.11.1 milestone Oct 3, 2023
@onobc onobc self-assigned this Oct 3, 2023
onobc added a commit to onobc/spring-cloud-dataflow that referenced this issue Oct 3, 2023
* com.nimbusds:nimbus-jose-jwt:9.31
* net.minidev:json-smart:2.4.11
* org.xerial.snappy:snappy-java:1.1.10.4
* org.yaml:snakeyaml:1.33

Fixes spring-cloud#5488
@onobc
Contributor Author

onobc commented Oct 3, 2023

I ran the following commands:

  • ./mvnw dependency:tree -Dincludes='com.nimbusds:nimbus-jose-jwt' > nimbus.txt
  • ./mvnw dependency:tree -Dincludes='net.minidev:json-smart' > json-smart.txt
  • ./mvnw dependency:tree -Dincludes='org.xerial.snappy:snappy-java' > snappy.txt
  • ./mvnw dependency:tree -Dincludes='org.yaml:snakeyaml' > snakeyml.txt

The resulting files (attached) show ZERO signs of the problematic versions:

Dep                             Bad Version   Good Version
com.nimbusds:nimbus-jose-jwt    9.22          9.31
net.minidev:json-smart          2.4.8         2.4.11
org.xerial.snappy:snappy-java   1.1.10.1      1.1.10.4
org.yaml:snakeyaml              1.31          1.33

@mheath mheath closed this as completed in 64d64d9 Oct 3, 2023
@onobc
Contributor Author

onobc commented Oct 3, 2023

Another good set of commands to run in a repo to see a consolidated view of what the versions of the questionable libraries are:

./mvnw dependency:tree -Dincludes='net.minidev:json-smart' | grep -E 'net.minidev:json-smart'
./mvnw dependency:tree -Dincludes='com.nimbusds:nimbus-jose-jwt' | grep -E 'com.nimbusds:nimbus-jose-jwt'
./mvnw dependency:tree -Dincludes='org.xerial.snappy:snappy-java' | grep -E 'org.xerial.snappy:snappy-java'
./mvnw dependency:tree -Dincludes='org.yaml:snakeyaml' | grep -E 'org.yaml:snakeyaml'

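As an added example (not code from this issue or from the Spring Cloud Data Flow project), the following Python script automates the check described in the two comments above: it reads the output of the `./mvnw dependency:tree -Dincludes='...'` commands and flags every resolved version that is below the "Good Version" floor from the table. The embedded `dependency:tree` output is constructed for illustration, not captured from the real project, and the version comparison is a simplified numeric-dotted compare (an assumption that holds for the versions listed here), not Maven's full ComparableVersion.

```python
"""Flag resolved Maven dependency versions that fall below a known-good floor."""
import re
import sys
from typing import Dict, List, Tuple

# Floors taken from the "Good Version" column in the issue above.
MIN_VERSIONS: Dict[str, str] = {
    "com.nimbusds:nimbus-jose-jwt": "9.31",
    "net.minidev:json-smart": "2.4.11",
    "org.xerial.snappy:snappy-java": "1.1.10.4",
    "org.yaml:snakeyaml": "1.33",
}

# Constructed sample in the shape `./mvnw dependency:tree` prints;
# not real output from the project. json-smart is deliberately stale.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ example-app ---
[INFO] org.example:example-app:jar:1.0.0
[INFO] +- org.springframework.boot:spring-boot-starter:jar:2.7.16:compile
[INFO] |  \\- org.yaml:snakeyaml:jar:1.33:compile
[INFO] +- com.jayway.jsonpath:json-path:jar:2.7.0:compile
[INFO] |  \\- net.minidev:json-smart:jar:2.4.8:compile
[INFO] +- org.apache.kafka:kafka-clients:jar:3.1.2:compile
[INFO] |  \\- org.xerial.snappy:snappy-java:jar:1.1.10.4:compile
[INFO] \\- com.nimbusds:nimbus-jose-jwt:jar:9.31:compile
[INFO] BUILD SUCCESS
"""

# A Maven coordinate has at least four colon-separated parts:
# group:artifact:type:version, optionally :classifier before the version
# and :scope after it. Tree glyphs and "[INFO]" are not in the character class.
_COORD = re.compile(r"([A-Za-z0-9_.-]+(?::[A-Za-z0-9_.-]+){3,5})")


def parse_tree(text: str) -> List[Tuple[str, str]]:
    """Return (group:artifact, version) pairs found in dependency:tree output."""
    found: List[Tuple[str, str]] = []
    for line in text.splitlines():
        match = _COORD.search(line)
        if not match:
            continue
        parts = match.group(1).split(":")
        group_artifact = f"{parts[0]}:{parts[1]}"
        # Root line has no scope (4 parts); otherwise the scope is last and
        # the version sits just before it, whether or not a classifier is present.
        version = parts[3] if len(parts) == 4 else parts[-2]
        found.append((group_artifact, version))
    return found


def version_key(version: str) -> Tuple[int, ...]:
    """Simplified numeric-dotted comparison key (assumption: sufficient for the
    release versions here). A qualifier such as -SNAPSHOT is dropped, and the
    key is padded to four components so 9.31 and 9.31.0 compare equal."""
    nums: List[int] = []
    for component in version.split("-")[0].split("."):
        if not component.isdigit():
            break
        nums.append(int(component))
    while len(nums) < 4:
        nums.append(0)
    return tuple(nums)


def check_versions(tree_text: str,
                   floors: Dict[str, str] = MIN_VERSIONS) -> Dict[str, List[str]]:
    """Map each tracked coordinate to the distinct resolved versions below its floor."""
    below: Dict[str, List[str]] = {ga: [] for ga in floors}
    for group_artifact, version in parse_tree(tree_text):
        floor = floors.get(group_artifact)
        if floor is None:
            continue
        if version_key(version) < version_key(floor) and version not in below[group_artifact]:
            below[group_artifact].append(version)
    return below


def report(tree_text: str) -> bool:
    """Print one line per tracked artifact; return True only if nothing is stale."""
    clean = True
    for group_artifact, stale in check_versions(tree_text).items():
        floor = MIN_VERSIONS[group_artifact]
        if stale:
            clean = False
            print(f"FAIL {group_artifact}: resolved {', '.join(stale)} < {floor}")
        else:
            print(f"ok   {group_artifact}: every resolved version >= {floor}")
    return clean


if __name__ == "__main__":
    # Pass "-" to read a real tree from stdin; otherwise use the constructed sample.
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_TREE
    sys.exit(0 if report(text) else 1)
```

Run against a real build as `./mvnw dependency:tree | python check_floors.py -` (the script name is a placeholder); the non-zero exit on a stale version makes it usable as a CI gate, and because it inspects the resolved tree rather than the declared `<version>` elements, it also catches a transitive copy of a library that an explicit bump in the POM did not override.
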
@Risae

Risae commented Oct 21, 2023

@onobc What about flyway? As far as I can tell the current version is

spring-cloud-dataflow/spring-cloud-dataflow-common/spring-cloud-dataflow-common-flyway/pom.xml

	<properties>
		<flyway.version>8.5.11</flyway.version> <!-- have to repeat this here in order for filtering in src/main/resources/ -->
	</properties>

And this old version has quite a lot of CVEs, which are patched in later versions?

https://documentation.red-gate.com/fd/release-notes-for-flyway-engine-179732572.html

@onobc
Contributor Author

onobc commented Oct 21, 2023

Hi @Risae ,

We align w/ the Spring Boot BOM for dependency versions. Dataflow 2.11.1 is using Spring Boot 2.7.16, which uses Flyway 8.5.13. In Dataflow 2.11.2 we will update to Spring Boot 2.7.17 (which is still using Flyway 8.5.13). At that time we are planning to bump from Flyway 8.5.11 to 8.5.13.

The major update from 8.x to 9.x Flyway does not occur until Boot 3.x. As such, Dataflow 2.x will remain on Flyway 8.x for its lifespan. We are planning a Dataflow 3.x that will use Boot 3.x and at that time we will move to Flyway 9.x.

Also note that the 2 CVEs that show up for the version of Flyway we are using originate in the Postgres driver which is an optional dependency.
See: https://mvnrepository.com/artifact/org.flywaydb/flyway-core/8.5.11

@Risae

Risae commented Oct 21, 2023

> Hi @Risae ,
>
> We align w/ the Spring Boot BOM for dependency versions. Dataflow 2.11.1 is using Spring Boot 2.7.16, which uses Flyway 8.5.13. In Dataflow 2.11.2 we will update to Spring Boot 2.7.17 (which is still using Flyway 8.5.13). At that time we are planning to bump from Flyway 8.5.11 to 8.5.13.
>
> The major update from 8.x to 9.x Flyway does not occur until Boot 3.x. As such, Dataflow 2.x will remain on Flyway 8.x for its lifespan. We are planning a Dataflow 3.x that will use Boot 3.x and at that time we will move to Flyway 9.x.
>
> Also note that the 2 CVEs that show up for the version of Flyway we are using originate in the Postgres driver which is an optional dependency. See: https://mvnrepository.com/artifact/org.flywaydb/flyway-core/8.5.11

Got it, thank you!

@onobc
Contributor Author

onobc commented Oct 22, 2023

The issue tracking the updates in 2.11.2 is #5522
