英文:
Upgrading to maven Springboot 5.2.x from Springboot 2.7.x for CVE Vulnerability
问题
我是Springboot框架的新手,正在制作简单的Rest API。
我们为一个组织的子公司部署了一个API和URL缩短服务,该组织非常关注信息安全方面。
显然,他们的信息安全团队列出了一组具有CVE id的漏洞,我们目前正在使用Springboot 2.7.7。其中许多CVEs'添加的漏洞(例如CVE-2022-22965)至少需要Spring Framework 5.2.22。
问题1)如何知道Springboot 2.7.7是否受到此漏洞的影响
问题2)即使我必须升级到5.x版本以消除此漏洞并在Eclipse POM.XML中更改整个现有代码的版本,我在POM.XML中遇到以下错误
- 项目构建错误:无法解析的父POM com.Solus_Microservice: reco_API:0.0.1-SNAPSHOT:org.springframework.boot:spring-boot-starter-parent:pom:5.2.22在先前的尝试中未在https://repo.maven.apache.org/maven2中找到。此故障已缓存在本地存储库中,解析将在中央的更新间隔已过或强制更新时不会重新尝试,'parent.relativePath'指向没有本地POM
- 项目构建错误:无法解析的父POM com.Solus_Microservice: reco_API:0.0.1-SNAPSHOT:在中央(https://repo.maven.apache.org/maven2)中找不到artifact org.springframework.boot:spring-boot-starter-parent:pom:5.2。
在这个确切的位置
然后在其他地方创建问题,比如注解没有得到解决等等
问题3)Spring Initializr没有选择Spring 5.x的选项,只限于3.x。找不到任何关于如何创建具有我们选择的Spring Boot的完整Maven项目的教程/资源
我正在尝试升级的Rest API应用程序具有一个简单的Controller-Entity-Repository设计,用于查询MySQL数据库
非常感谢帮助更新此漏洞
下面的文章没有提供有关在哪里进行更改的参考信息
https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-2.0-Release-Notes
还读到一些冲突的信息
Spring Boot 2.0基于并需要Spring Framework 5。在这里https://github.com/spring-projects/spring-framework/wiki/Upgrading-to-Spring-Framework-5.x#upgrading-to-version-50
这是否意味着我根本不需要升级?
我已经粘贴了我的当前POM.XML如下:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.7.7</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.Simple_Microservice</groupId>
<artifactId>reco_API</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>war</packaging>
<name>reco_API</name>
<description>Solus Recommendation API</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
<version>3.1.2</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<exclusions>
<exclusion>
<artifactId>logback-classic</artifactId>
<groupId>ch.qos.logback</groupId>
</exclusion>
<exclusion>
<artifactId>log4j-over-slf4j</artifactId>
<groupId>org.slf4j</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.mysql</groupId>
<artifactId>mysql-connector-j</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>8.0.24</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
<version>2.6</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
<exclusions>
<exclusion>
<artifactId>logback-classic</artifactId>
<groupId>ch.qos.logback</groupId>
</exclusion>
<exclusion>
<artifactId>log4j-over-slf4j</artifact
<details>
<summary>英文:</summary>
I am a complete Noobie in Springboot framework making simple Rest APIs
We deployed an API and a URL Shortener service for a subsidiary of an Organization who is super keen on Info Sec Aspect
Apparently their InfoSec Team listed a set of Vulnerabilities with CVE ids,
We are currently using Springboot 2.7.7
Many of the CVEs’ that they have added are vulnerabilities (eg. CVE-2022-22965 ) requires
Spring Framework 5.2.22 atleast
https://spring.io/security/cve-2022-22965
**Problem 1)** How to know if Springboot 2.7.7 gets affected by this vulnerability
**Problem 2)** Even if I have to upgrade to 5.x version to remove this vulnerability and transfer the whole existing code and change the version in Eclipse POM.XML I get the following error in POM.XML
```Multiple markers at this line
- Project build error: Non-resolvable parent POM for com.Solus_Microservice:reco_API:0.0.1-SNAPSHOT: org.springframework.boot:spring-boot-starter-parent:pom:5.2.22 was not found in https://repo.maven.apache.org/maven2 during a previous attempt. This failure was cached in the local repository and resolution is not reattempted until the update interval of central has elapsed or updates are forced and 'parent.relativePath' points at no local POM
- Non-resolvable parent POM for com.Solus_Microservice:reco_API:0.0.1-SNAPSHOT: Could not find artifact org.springframework.boot:spring-boot-starter-parent:pom:5.2. in central (https://repo.maven.apache.org/maven2)
At this exact location
And later creating issues in other places like Annotations not getting resolved and stuff
Problem 3) Spring Initializr does not have option for selecting Spring 5.x, just limited to 3.x
Didnt find any tutorial/resource to find how to make a complete maven project with Spring boot of our choice
The Rest API application I am trying to upgrade has a simple Controller-Entity-Repository design that Queries a MySql database
Would be thankful for any help in updating this Vulnerability
Article given below does not give much reference as to where to make the changes
https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-2.0-Release-Notes
Also read something Conflicting that
Spring Boot 2.0 builds on and requires Spring Framework 5. here https://github.com/spring-projects/spring-framework/wiki/Upgrading-to-Spring-Framework-5.x#upgrading-to-version-50
Does it mean that I dont need to upgrade in the first place itself
Have pasted my current POM.XML below
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.7.7</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.Simple_Microservice</groupId>
<artifactId>reco_API</artifactId>
<version>0.0.1-SNAPSHOT</version>
<packaging>war</packaging>
<name>reco_API</name>
<description>Solus Recommendation API</description>
<properties>
<java.version>1.8</java.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
<version>3.1.2</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-actuator</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<exclusions>
<exclusion>
<artifactId>logback-classic</artifactId>
<groupId>ch.qos.logback</groupId>
</exclusion>
<exclusion>
<artifactId>log4j-over-slf4j</artifactId>
<groupId>org.slf4j</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>com.mysql</groupId>
<artifactId>mysql-connector-j</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<version>8.0.24</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
<scope>provided</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>commons-lang</groupId>
<artifactId>commons-lang</artifactId>
<version>2.6</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
<exclusions>
<exclusion>
<artifactId>logback-classic</artifactId>
<groupId>ch.qos.logback</groupId>
</exclusion>
<exclusion>
<artifactId>log4j-over-slf4j</artifactId>
<groupId>org.slf4j</groupId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>javax.xml.bind</groupId>
<artifactId>jaxb-api</artifactId>
</dependency>
<dependency>
<groupId>io.jsonwebtoken</groupId>
<artifactId>jjwt</artifactId>
<version>0.9.1</version>
</dependency>
<dependency>
<groupId>org.glassfish</groupId>
<artifactId>javax.json</artifactId>
<version>1.0.4</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>org.json</groupId>
<artifactId>json</artifactId>
<version>20210307</version>
</dependency>
<dependency>
<groupId>org.owasp.esapi</groupId>
<artifactId>esapi</artifactId>
<version>2.2.3.1</version>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
答案1
得分: 3
问题在于您混淆了Spring Boot的版本与Spring的版本。这两个项目遵循不同的发布节奏。例如,当前版本的Spring是6.0.x,而Spring Boot当前版本是3.1.x。
这就是为什么您的IDE无法解析org.springframework.boot:spring-boot-starter-parent:pom:5.2.22,也无法在Spring Initializr中选择它的原因。Spring Boot 5.x 简单地不存在。
要找出Spring Boot 2.7.7中使用的Spring框架版本,您可以查看参考指南。您会看到此版本依赖于Spring 5.3.24,因此不应受CVE的影响。
还要注意,有些代码分析工具有时会错误地将Spring Boot的版本误认为是Spring的版本。这可能会导致在漏洞列表中出现虚假阳性。这就是为什么始终先阅读CVE并仔细检查您是否受到影响的重要性。
(1) 如果您想检查其他版本的情况,请更改URL中的Spring Boot版本。
英文:
The issue is that you're confusing Spring Boot's version with Spring's version. Both of these projects follow a difference release cadence. For example, the current version of Spring is 6.0.x, while Spring Boot is currently at 3.1.x.
This is why your IDE cannot resolve org.springframework.boot:spring-boot-starter-parent:pom:5.2.22and why you can't select it in Spring Initializr. Spring Boot 5.x simply does not exist.
To find out which version of the Spring framework is used within Spring Boot 2.7.7, you can check the reference guide<sup>(1)</sup>. You'll see that this version relies on Spring 5.3.24, and thus, should not be impacted by the CVE.
Also be aware that some code analysis tools also sometimes mistakenly identify Spring Boot's version for Spring's version. This can cause false positives to appear in the list of vulnerabilities. That's why it's important to always read the CVE first and double-check whether you're impacted.
<sup>(1) Change the Spring Boot version in the URL if you want to check this for other versions as well.</sup>
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论