hostsharing/hs.hsadmin.ng
6
0
Fork 0
Code Pull Requests 2 Activity

Version Upgrade to Spring Boot 3.1.7, JDK 21, Gradle 8.5, Postgres 15 etc. #5

Merged
hsh-michaelhoennig merged 28 commits from version-upgrade-spring-boot-3-2-1-etc into master 2024-01-05 13:40:50 +01:00
Conversation 0 Commits 28 Files Changed 52 +14 -4
3 changed files with 14 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 1f49970e66 - Show all commits

1
build.gradle
View File

@ -208,7 +208,6 @@ dependencyCheck {
apiKey = project.property('OWASP_API_KEY') // set it in ~/.gradle/gradle.properties apiKey = project.property('OWASP_API_KEY') // set it in ~/.gradle/gradle.properties
delay = 16000 delay = 16000
} }
// cveValidForHours = 4
format = 'ALL' format = 'ALL'
hsh-michaelhoennig marked this conversation as resolved Outdated
hsh-timotheuspokorra commented 2024-01-05 09:18:09 +01:00
Outdated
Review
Copy Link

muss wieder rein

muss wieder rein
hsh-michaelhoennig commented 2024-01-05 11:12:59 +01:00
Outdated
Review
Copy Link

Ich hatte nachträglich wohl noch die Version des OWASP-Dependency-Checkers hochgedreht, und der neue kennt die Option gar nicht mehr. Wird also gelöscht statt auskommentiert.

Ich hatte nachträglich wohl noch die Version des OWASP-Dependency-Checkers hochgedreht, und der neue kennt die Option gar nicht mehr. Wird also gelöscht statt auskommentiert.
suppressionFile = 'etc/owasp-dependency-check-suppression.xml' suppressionFile = 'etc/owasp-dependency-check-suppression.xml'
failOnError = true failOnError = true

6
etc/owasp-dependency-check-suppression.xml
View File

@ -51,7 +51,11 @@
</suppress> </suppress>
<suppress> <suppress>
<notes><![CDATA[ <notes><![CDATA[
We've explicitly bumped to 2.2, but the dependency checker does not seem to notice that. Spring Boot 3.1.x has a transient dependency to snakeyaml 1.3
hsh-michaelhoennig marked this conversation as resolved Outdated
hsh-timotheuspokorra commented 2024-01-05 09:22:22 +01:00
Outdated
Review
Copy Link

erwähne snakeyaml 1.3

erwähne snakeyaml 1.3
which contains this vulnerability.
We've explicitly bumped to 2.2, but the vulnerability checker does not seem to notice that.
TODO: Remove this suppression once we are on SpringBoot 3.2, TODO: Remove this suppression once we are on SpringBoot 3.2,
as well as the explicit version bump and the transient dependency exclude. as well as the explicit version bump and the transient dependency exclude.
]]></notes> ]]></notes>

11
settings.gradle
View File

@ -13,8 +13,15 @@ dependencyResolutionManagement {
allVariants { allVariants {
withDependencies { withDependencies {
removeAll { removeAll {
// TODO: Remove this transient dependency exclude once we are on SpringBoot 3.2.x // Spring Boot 3.1.x has a transient dependency to snakeyaml 1.3
// as well as the related explicit dependency in build.gradle // which contains a severe vulnerability.
// Here we remove this transient dependency and in build.gradle
// we add an explicit dependency to snakeyaml 2.2,
// which does not have this vulnerability anymore.
//
// TODO: Check Once we are on SpringBoot 3.2.x, check if this exclude
// is still neccessary. If not:
// Remove it // as well as the related explicit dependency in build.gradle
// and the dependency suppression in owasp-dependency-check-suppression.xml. // and the dependency suppression in owasp-dependency-check-suppression.xml.
it.module in [ 'snakeyaml' ] it.module in [ 'snakeyaml' ]
} }