hostsharing/hs.hsadmin.ng
6
0
Fork 0
Code Pull Requests 2 Activity

Version Upgrade to Spring Boot 3.1.7, JDK 21, Gradle 8.5, Postgres 15 etc. #5

Merged
hsh-michaelhoennig merged 28 commits from version-upgrade-spring-boot-3-2-1-etc into master 2024-01-05 13:40:50 +01:00
Conversation 0 Commits 28 Files Changed 52 +14 -4
3 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 1f49970e66 - Show all commits

1
build.gradle
View File

@ -208,7 +208,6 @@ dependencyCheck {
apiKey = project.property('OWASP_API_KEY') // set it in ~/.gradle/gradle.properties apiKey = project.property('OWASP_API_KEY') // set it in ~/.gradle/gradle.properties
delay = 16000 delay = 16000
} }
// cveValidForHours = 4
format = 'ALL' format = 'ALL'
suppressionFile = 'etc/owasp-dependency-check-suppression.xml' suppressionFile = 'etc/owasp-dependency-check-suppression.xml'
failOnError = true failOnError = true

6
etc/owasp-dependency-check-suppression.xml
View File

@ -51,7 +51,11 @@
</suppress> </suppress>
<suppress> <suppress>
<notes><![CDATA[ <notes><![CDATA[
We've explicitly bumped to 2.2, but the dependency checker does not seem to notice that. Spring Boot 3.1.x has a transient dependency to snakeyaml 1.3
which contains this vulnerability.
We've explicitly bumped to 2.2, but the vulnerability checker does not seem to notice that.
TODO: Remove this suppression once we are on SpringBoot 3.2, TODO: Remove this suppression once we are on SpringBoot 3.2,
as well as the explicit version bump and the transient dependency exclude. as well as the explicit version bump and the transient dependency exclude.
]]></notes> ]]></notes>

11
settings.gradle
View File

@ -13,8 +13,15 @@ dependencyResolutionManagement {
allVariants { allVariants {
withDependencies { withDependencies {
removeAll { removeAll {
// TODO: Remove this transient dependency exclude once we are on SpringBoot 3.2.x // Spring Boot 3.1.x has a transient dependency to snakeyaml 1.3
// as well as the related explicit dependency in build.gradle // which contains a severe vulnerability.
// Here we remove this transient dependency and in build.gradle
// we add an explicit dependency to snakeyaml 2.2,
// which does not have this vulnerability anymore.
//
// TODO: Check Once we are on SpringBoot 3.2.x, check if this exclude
// is still neccessary. If not:
// Remove it // as well as the related explicit dependency in build.gradle
// and the dependency suppression in owasp-dependency-check-suppression.xml. // and the dependency suppression in owasp-dependency-check-suppression.xml.
it.module in [ 'snakeyaml' ] it.module in [ 'snakeyaml' ]
} }