To resolve the spring-framework vulnerability posted by spring.io, I tried upgrading the spring-boot version from 2.4.5 to 2.5.12, with gradle-6.8. On running ./gradlew clean build, the task fails with the error:
Invalid packaging for parent POM org.apache.logging.log4j:log4j-api:2.17.2, must be "pom" but is "jar" in org.apache.logging.log4j:log4j-api:2.17.2
The dependency org.springframework.boot:spring-boot-starter-webflux pulls in log4j-api:2.17.2 as an internal (transitive) dependency.
How do I resolve the invalid parent POM packaging for such internal dependencies?
build.gradle
buildscript {
    // Single source of truth for the Boot plugin version on the build classpath.
    ext.springBootVersion = '2.5.12'
    repositories {
        mavenCentral()
    }
    dependencies {
        // slf4j-ext is dropped from the *plugin* classpath only; the application's
        // own dependencies are declared further down and are not affected.
        classpath("org.springframework.boot:spring-boot-gradle-plugin:${springBootVersion}") {
            exclude group: 'org.slf4j', module: 'slf4j-ext'
        }
    }
}
// Legacy 'apply plugin' style: the Boot and dependency-management plugins come from
// the buildscript classpath above, so no plugin versions are given here. Order is
// kept: java first, then the Boot plugin that reacts to it.
['java', 'eclipse', 'org.springframework.boot', 'io.spring.dependency-management'].each { id ->
    apply plugin: id
}

group = 'com.service'
version = ''            // no project version is set in this build
sourceCompatibility = 11

// Script-local variable (not a project/ext property); read by the logback entries below.
def logbackVersion = '1.2.3'
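repositories {
    mavenCentral()
}

// Returns true when `actual` is a dotted numeric version strictly below `floor`.
// A blank/absent version (left to the BOM) or a non-numeric segment (e.g. a
// qualifier) yields false, so the rule never rewrites what it cannot compare.
def isOlderThan(String actual, String floor) {
    if (!actual) {
        return false
    }
    def actualParts = actual.tokenize('.')
    def floorParts = floor.tokenize('.')
    int length = Math.max(actualParts.size(), floorParts.size())
    for (int i = 0; i < length; i++) {
        def a = i < actualParts.size() ? actualParts[i] : '0'
        def f = i < floorParts.size() ? floorParts[i] : '0'
        if (!a.isInteger() || !f.isInteger()) {
            return false
        }
        int cmp = Integer.compare(a.toInteger(), f.toInteger())
        if (cmp != 0) {
            return cmp < 0
        }
    }
    return false
}

configurations.all {
    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
        // Floor, not pin. The previous rule forced *every* org.apache.logging.log4j
        // module to 2.17.1 unconditionally, which also downgrades the 2.17.2 that
        // Boot 2.5.12 brings in (the version named in the error above) and would
        // keep pinning log4j back on every future Boot upgrade. Only raise
        // requests that are older than the floor; leave newer managed versions alone.
        // NOTE(review): with io.spring.dependency-management the requested version
        // seen here may already be the BOM-managed one; confirm with
        // `./gradlew dependencyInsight --dependency log4j-api`.
        if (details.requested.group == 'org.apache.logging.log4j'
                && isOlderThan(details.requested.version, '2.17.1')) {
            details.useVersion '2.17.1'
            details.because 'raise log4j to the fixed 2.17.x line'
        }
    }
}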
dependencies {
    // --- Spring Boot / Spring Cloud ---
    // Boot starters carry no version: the Boot plugin's dependency management supplies
    // it. The Spring Cloud vault modules are pinned explicitly to 2.1.3.RELEASE.
    implementation 'org.springframework.boot:spring-boot-starter-webflux'
    implementation 'org.springframework.cloud:spring-cloud-vault-config:2.1.3.RELEASE'
    implementation 'org.springframework.cloud:spring-cloud-vault-config-consul:2.1.3.RELEASE'
    // POM-only artifact; map notation is kept because of the 'ext' key.
    implementation group: 'org.springframework.cloud', name: 'spring-cloud-consul-dependencies', version: '1.0.0.RELEASE', ext: 'pom'
    developmentOnly 'org.springframework.boot:spring-boot-devtools'

    // --- Tests ---
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
    testImplementation 'io.projectreactor:reactor-test'

    // --- Third-party libraries with explicit versions ---
    // With the dependency-management plugin's default settings, a version declared
    // here takes precedence over the one Boot manages, so these pins bypass any
    // upgrade a newer Boot BOM would otherwise bring.
    implementation 'org.apache.httpcomponents:httpclient:4.5.11'
    implementation 'org.apache.commons:commons-collections4:4.4'
    implementation 'com.amazonaws:aws-java-sdk-sqs:1.11.634'
    implementation 'org.yaml:snakeyaml:1.26'
    implementation 'com.google.code.gson:gson:2.8.6'

    // --- FIPS crypto provider ---
    implementation 'org.bouncycastle:bc-fips:1.0.2'
    implementation 'org.bouncycastle:bctls-fips:1.0.11'

    // --- Lombok ---
    // Declared on 'implementation', so it also lands on the runtime classpath;
    // 'compileOnly' is the usual scope, but the declaration is kept as the author had it.
    implementation 'org.projectlombok:lombok:1.18.12'
    annotationProcessor 'org.projectlombok:lombok:1.18.12'

    // --- Logging ---
    // Both logback artifacts share the script-local logbackVersion declared above.
    implementation "ch.qos.logback:logback-core:${logbackVersion}"
    implementation "ch.qos.logback:logback-classic:${logbackVersion}"
}
CodePudding user response:
Adding the spring-cloud-dependencies mavenBom resolved this issue. I suspect webflux pulled in a transitive dependency on an older release; importing the spring-cloud-dependencies BOM in dependencyManagement ensured all Spring dependencies are at the same version.
Here is the updated build.gradle file that worked:
plugins {
    // Boot 2.6.6 rather than the 2.5.12 the question targeted. There is no buildscript
    // block in this script, so the Boot and dependency-management plugins are
    // versioned here; 'java' and 'application' are core plugins and take no version.
    id 'org.springframework.boot' version '2.6.6'
    id 'io.spring.dependency-management' version '1.0.11.RELEASE'
    id 'java'
    id 'application'
}
group = 'com.service'
version = '1.0.0-SNAPSHOT'
sourceCompatibility = '11'

application {
    mainClass = 'com.service.scheduler.SchedulerApplication'
}

repositories {
    mavenCentral()
}

// Project-wide version properties (property form instead of ext.set(...)); read by
// the dependencyManagement import and the logback entries below.
ext.springCloudVersion = "2021.0.1"
ext.logbackVersion = "1.2.11"

bootJar {
    // Fixed artifact name; the project version is not part of the file name.
    archiveFileName = 'scheduler.jar'
}

bootRun {
    // Forwards every system property of the Gradle JVM to the application process,
    // so anything passed to gradle with -D (including any secrets) reaches the app.
    systemProperties = System.properties
}
dependencies {
    // Spring Boot: versions come from the Boot plugin's dependency management.
    implementation 'org.springframework.boot:spring-boot-starter-webflux'
    developmentOnly 'org.springframework.boot:spring-boot-devtools'
    testImplementation 'org.springframework.boot:spring-boot-starter-test'
    testImplementation 'io.projectreactor:reactor-test'

    // Spring Cloud: unversioned; the spring-cloud-dependencies BOM imported in
    // dependencyManagement below supplies the versions.
    implementation 'org.springframework.cloud:spring-cloud-starter-vault-config'
    implementation 'org.springframework.cloud:spring-cloud-vault-config-consul'

    // Third-party libraries pinned explicitly. Under the dependency-management
    // plugin's default settings a version declared here wins over a BOM-managed one.
    implementation 'com.amazonaws:aws-java-sdk-sqs:1.12.187'
    implementation 'org.apache.httpcomponents:httpclient:4.5.13'
    implementation 'org.apache.commons:commons-collections4:4.4'
    implementation 'org.yaml:snakeyaml:1.30'
    implementation 'com.google.code.gson:gson:2.9.0'

    // FIPS crypto provider.
    implementation 'org.bouncycastle:bc-fips:1.0.2'
    implementation 'org.bouncycastle:bctls-fips:1.0.11'

    // Lombok, on 'implementation' (hence also the runtime classpath) as the author had it.
    implementation 'org.projectlombok:lombok:1.18.22'
    annotationProcessor 'org.projectlombok:lombok:1.18.22'

    // Logback, both artifacts sharing ext.logbackVersion declared above.
    implementation "ch.qos.logback:logback-core:${logbackVersion}"
    implementation "ch.qos.logback:logback-classic:${logbackVersion}"
}
dependencyManagement {
    imports {
        // Spring Cloud BOM for the Boot 2.6 line. It supplies the versions of the
        // unversioned spring-cloud-* entries above and replaces both the pom-only
        // spring-cloud-consul-dependencies entry and the group-wide log4j forced
        // version from the original script. Versions declared directly on a
        // dependency still take precedence over the BOM by default.
        mavenBom("org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}")
    }
}