Skip to content

[Snyk] Fix for 2 vulnerabilities#1566

Open
macroscope-cloud wants to merge 6 commits into
snyk-fix-57f3238a88d2c5ac44459661a58e9846from
snyk-fix-4a4a17e0c9d889df361dfb8c3c0d1714
Open

[Snyk] Fix for 2 vulnerabilities#1566
macroscope-cloud wants to merge 6 commits into
snyk-fix-57f3238a88d2c5ac44459661a58e9846from
snyk-fix-4a4a17e0c9d889df361dfb8c3c0d1714

Conversation

@macroscope-cloud

Copy link
Copy Markdown

snyk-top-banner

Snyk has created this PR to fix 2 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

  • examples/iOS-Hybrid-App-Java-Server/pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue Score Upgrade
high severity Improper Authentication
SNYK-JAVA-ORGAPACHETOMCATEMBED-17732890
  726   org.apache.tomcat.embed:tomcat-embed-core:
11.0.12 -> 11.0.23
org.apache.tomcat.embed:tomcat-embed-websocket:
11.0.10 -> 11.0.23
org.springframework.boot:spring-boot-starter-tomcat:
3.5.5 -> 4.0.0
Major version upgrade No Known Exploit
high severity Detection of Error Condition Without Action
SNYK-JAVA-ORGAPACHETOMCATEMBED-17733746
  721   org.apache.tomcat.embed:tomcat-embed-core:
11.0.12 -> 11.0.23
org.apache.tomcat.embed:tomcat-embed-websocket:
11.0.10 -> 11.0.23
org.springframework.boot:spring-boot-starter-tomcat:
3.5.5 -> 4.0.0
Major version upgrade No Known Exploit

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.


Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Improper Authentication

@macroscope-cloud

Copy link
Copy Markdown
Author

Merge Risk: High

The upgrade of spring-boot-starter-tomcat from version 3.5.5 to 4.0.0 is a major and high-risk update with significant breaking changes. The other Tomcat dependency upgrades are minor and their changes are encompassed within the Spring Boot migration.

Key Breaking Changes in Spring Boot 4.0:

  • Platform and Java Version: Spring Boot 4.0 is built upon Spring Framework 7 and Jakarta EE 11. It requires Java 17 or later to run. [4, 10, 19]
  • Servlet Container: The starter now uses Tomcat 11 and requires a Servlet 6.1 compatible container. As a result, support for Undertow has been completely removed. Projects using Undertow must migrate to Tomcat or Jetty before this upgrade. [2, 4, 17]
  • Dependency & API Changes:
    • Jackson 3: The default JSON library is now Jackson 3, which uses a new package namespace (tools.jackson instead of com.fasterxml.jackson). This will require code changes for imports and ObjectMapper configurations. [8, 14]
    • Modularization: Many starters have been broken into smaller, more focused modules (e.g., spring-boot-starter-web is now spring-boot-starter-webmvc). This may require updating build dependencies. [8, 18]
    • Removed APIs: All APIs deprecated in the 3.x release line have been removed. [4, 7]
  • Configuration Properties: Numerous configuration properties have been renamed or removed. For example, management.tracing.enabled is now management.tracing.export.enabled. [2, 13]

Recommendation:

This is a major migration effort that requires careful planning.

  1. Upgrade to the latest Spring Boot 3.5.x release first and resolve all deprecation warnings before attempting the upgrade to 4.0. [4, 6]
  2. Use the spring-boot-properties-migrator module as a dependency to help identify and manage renamed configuration properties during the migration. [4]
  3. Thoroughly review the official Spring Boot 4.0 Migration Guide for a complete list of changes. [4]

Source: Spring Boot 4.0 Migration Guide [4]

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants