Version Upgrade to Spring Boot 3.1.7, JDK 21, Gradle 8.5, Postgres 15 etc. #5

Merged
hsh-michaelhoennig merged 28 commits from version-upgrade-spring-boot-3-2-1-etc into master 2024-01-05 13:40:50 +01:00
3 changed files with 14 additions and 4 deletions
Showing only changes of commit 1f49970e66


@ -208,7 +208,6 @@ dependencyCheck {
apiKey = project.property('OWASP_API_KEY') // set it in ~/.gradle/gradle.properties
delay = 16000
}
// cveValidForHours = 4
format = 'ALL'
hsh-michaelhoennig marked this conversation as resolved Outdated

has to go back in


I had apparently bumped the version of the OWASP dependency checker afterwards, and the new one no longer knows this option at all. So it gets deleted instead of commented out.

suppressionFile = 'etc/owasp-dependency-check-suppression.xml'
failOnError = true
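Review bot: the `// cveValidForHours = 4` line should be deleted rather than left commented out; the thread concludes that the upgraded dependency-check plugin no longer knows the option, and a dead commented-out setting invites someone to re-enable a property the plugin will reject. Separately, `apiKey = project.property('OWASP_API_KEY')` fails the whole build at configuration time whenever the property is absent (fresh clone, CI runner without the key); if an unauthenticated NVD lookup is acceptable in those environments, `project.findProperty('OWASP_API_KEY')` with a documented fallback keeps the rest of the build usable.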


@ -51,7 +51,11 @@
</suppress>
<suppress>
<notes><![CDATA[
We've explicitly bumped to 2.2, but the dependency checker does not seem to notice that.
Spring Boot 3.1.x has a transient dependency to snakeyaml 1.3
hsh-michaelhoennig marked this conversation as resolved Outdated

mention snakeyaml 1.3

which contains this vulnerability.
We've explicitly bumped to 2.2, but the vulnerability checker does not seem to notice that.
TODO: Remove this suppression once we are on SpringBoot 3.2,
as well as the explicit version bump and the transient dependency exclude.
]]></notes>
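Review bot: the suppression carries a TODO but no expiry; the dependency-check `<suppress>` element accepts an `until="YYYY-MM-DDZ"` attribute, and setting it would make the suppression lapse automatically around the planned Spring Boot 3.2 upgrade instead of relying on someone remembering the TODO. The notes also say "which contains this vulnerability" without naming it; recording the CVE identifier in the notes lets a later reader verify that the bump to snakeyaml 2.2 actually covers the suppressed finding. Minor: "transient dependency" should read "transitive dependency" in both sentences.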


@ -13,8 +13,15 @@ dependencyResolutionManagement {
allVariants {
withDependencies {
removeAll {
// TODO: Remove this transient dependency exclude once we are on SpringBoot 3.2.x
// as well as the related explicit dependency in build.gradle
// Spring Boot 3.1.x has a transient dependency to snakeyaml 1.3
// which contains a severe vulnerability.
// Here we remove this transient dependency and in build.gradle
// we add an explicit dependency to snakeyaml 2.2,
// which does not have this vulnerability anymore.
//
// TODO: Check Once we are on SpringBoot 3.2.x, check if this exclude
// is still neccessary. If not:
// Remove it // as well as the related explicit dependency in build.gradle
// and the dependency suppression in owasp-dependency-check-suppression.xml.
it.module in [ 'snakeyaml' ]
}
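Review bot: the exclude predicate `it.module in [ 'snakeyaml' ]` does not look at the group, so any dependency with that module name is removed whatever group it is published under; constrain it to the group as well, e.g. `it.group == 'org.yaml' && it.name == 'snakeyaml'` (SnakeYAML's Maven group is `org.yaml`), so the workaround cannot silently drop an unrelated artifact of the same name. The TODO in the first two comment lines is repeated by the TODO at the end of the block, and that second one contains a stray `//` in `Remove it // as well as` plus the typo `neccessary`; keep a single TODO and fix the spelling.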