Security Vulns Fixes 2024-07-27 #506

Draft
wants to merge 7 commits into
base: main

canarycr

  • Breaking change? (if so, please describe the impact and migration path for existing application instances)

What changes did you make? (Give an overview)
Upgrade a few components in order to mitigate some high severity vulnerabilities.

Is there anything you'd like reviewers to focus on?
No.

How Has This Been Tested? (put an "x" (case-sensitive!) next to an item)

  • No need to
  • Manually (please, describe, if necessary)
  • Unit checks
  • Integration checks
  • Covered by existing automation

Checklist (put an "x" (case-sensitive!) next to all the items, otherwise the build will fail)

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation (e.g. ENVIRONMENT VARIABLES)
  • My changes generate no new warnings (e.g. Sonar is happy)
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged

Check out Contributing and Code of Conduct

A picture of a cute animal (not mandatory but encouraged)

@canarycr canarycr requested review from a team as code owners July 27, 2024 13:55
@kapybro kapybro bot added status/triage Issues pending maintainers triage status/triage/manual Manual triage in progress status/triage/completed Automatic triage completed and removed status/triage Issues pending maintainers triage labels Jul 27, 2024
snyk-bot and others added 2 commits July 27, 2024 14:09
…addd9c28

[Snyk] Security upgrade org.apache.kafka:kafka_2.13 from 3.6.1 to 3.6.2
@canarycr
Author

@Haarolean - I think we need to update Spring Boot to at least 3.2.7 in order to fix some critical vulnerabilities. But whenever I try to update it beyond 3.1.11, I am getting 2 backend test failures here:

```java
@Test
void resolvesCustomConfigClassProperties() {
  // Two nested properties that should bind to a single CustomPropertiesClass instance
  env.setProperty("prop.0.custProps.f1", "f1val");
  env.setProperty("prop.0.custProps.f2", "1234");

  var resolver = new PropertyResolverImpl(env);
  assertThat(resolver.getProperty("prop.0.custProps", CustomPropertiesClass.class))
      .hasValue(new CustomPropertiesClass("f1val", 1234));
}
```

And this is the error. --->>>
```
[ERROR] Failures:
[ERROR] PropertyResolverImplTest$WithPrefix.resolvesCustomConfigClassProperties:138
Expecting Optional to contain:
PropertyResolverImplTest.CustomPropertiesClass(f1=f1val, f2=1234)
but was empty.
[ERROR] PropertyResolverImplTest.resolvesCustomConfigClassProperties:85
Expecting Optional to contain:
PropertyResolverImplTest.CustomPropertiesClass(f1=f1val, f2=1234)
```

I tried to figure it out but I am not that good with Java. So could you please help me in your free time to upgrade Spring Boot to at least 3.2.7?

Regards.

@Haarolean
Member

If spring bump had been easy, we would've merged it already :)

@Haarolean Haarolean marked this pull request as draft August 10, 2024 15:07