I am planning to upgrade services from Spring Boot 2.2.6 to 3.0.2. I want to know whether the latest Spring Boot version has any new vulnerabilities and whether all old vulnerabilities have been fixed in the latest Spring Boot version. Where can I get this information?
Note: I can see a list of 57 vulnerabilities in the Maven repository for version 2.2.6, but it did not list any vulnerabilities for version 3.0.2. While Spring might have fixed direct vulnerabilities, there can be a few vulnerabilities that come from transitive dependencies.
Is there a way to find all vulnerabilities coming from direct and transitive dependencies?
CodePudding user response:
The answer is not easy, because we don't know all your used (sub-)dependencies. And an answer can be outdated in a couple of hours/days/weeks ...
But you can look up the dependencies manually with the new MavenCentral website.
An example: when you search for "Spring JPA", you will find this site:
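Checking every transitive dependency by hand is where the manual approach gets tedious, so here is an added example (not from the question or this answer) that turns the output of `mvn dependency:tree` into a list of transitive coordinates and, for each, the Maven Central page to open. It assumes the plain-text tree format of the maven-dependency-plugin and the artifact URL scheme of central.sonatype.com; the sample tree and its versions are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of `mvn dependency:tree` output for a small Spring Boot
# 3.0.2 project. The nested versions are illustrative, not a real resolution.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-data-jpa:jar:3.0.2:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-aop:jar:3.0.2:compile
[INFO] |  |  \\- org.aspectj:aspectjweaver:jar:1.9.19:compile
[INFO] |  \\- org.hibernate.orm:hibernate-core:jar:6.1.6.Final:compile
[INFO] \\- org.springframework.boot:spring-boot-starter-test:jar:3.0.2:test
"""

# Tree-drawing prefix, then group:artifact:type[:classifier]:version:scope.
LINE_RE = re.compile(
    r"^\[INFO\]\s(?P<prefix>[-|+\\ ]*)"
    r"(?P<gav>[\w.\-]+:[\w.\-]+(?::[\w.\-]+){2,4})$"
)

@dataclass(frozen=True)
class Dep:
    group: str
    artifact: str
    version: str
    scope: str
    depth: int  # 1 = direct dependency, >1 = transitive

def parse_dependency_tree(text: str) -> list[Dep]:
    deps = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("prefix").strip():
            continue  # plugin header and the project's own coordinates
        parts = m.group("gav").split(":")
        # version and scope are always the last two fields, even with a classifier
        group, artifact, version, scope = parts[0], parts[1], parts[-2], parts[-1]
        # "+- " marks depth 1; every further level adds three prefix characters
        depth = (len(m.group("prefix")) - len("+- ")) // 3 + 1
        deps.append(Dep(group, artifact, version, scope, depth))
    return deps

def central_url(dep: Dep) -> str:
    """Artifact page on the new Maven Central site (URL scheme is an assumption)."""
    return f"https://central.sonatype.com/artifact/{dep.group}/{dep.artifact}/{dep.version}"

def transitive_lookup_urls(text: str) -> dict[str, str]:
    """Map each transitive coordinate to the page where it can be reviewed."""
    return {f"{d.group}:{d.artifact}:{d.version}": central_url(d)
            for d in parse_dependency_tree(text) if d.depth > 1}

if __name__ == "__main__":
    for coord, url in transitive_lookup_urls(SAMPLE_TREE).items():
        print(coord, "->", url)
```

Feed it the real output of `mvn dependency:tree` from your project and the list shrinks the manual lookup to the artifacts that actually matter after the upgrade.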