Bump Spring Framework to a version = 5.3.39 = 6.0.23, and >= 6.1.13

[tasso94]

Acceptance Criteria (Required on creation)

Bump Spring Framework to a version >= 5.3.40, >= 6.0.24, and >= 6.1.13.

Hints

Links

• https://jira.camunda.com/browse/SEC-1119
• https://jira.camunda.com/browse/SEC-1076
• https://jira.camunda.com/browse/SEC-1075
• https://jira.camunda.com/browse/SEC-1153

Breakdown

Pull Requests

Beta Give feedback

1. chore(engine): Bump Spring Framework #4681
   bot:backport:7.20 bot:backport:7.21 bot:backport:7.22 bot:java-dependency-check ci:all-as ci:e2e ci:spring-boot ci:wildfly +8
   
2. https://github.com/camunda/camunda-bpm-platform-maintenance/pull/1285
3. https://github.com/camunda/camunda-bpm-platform-maintenance/pull/1286
4. https://github.com/camunda/camunda-bpm-platform-maintenance/pull/1287
5. chore(spring-boot): Bump Spring Boot version to 3.3.5 #4747
   bot:backport:7.22 bot:java-dependency-check ci:all-as ci:spring-boot scope:spring-boot +5
   
6. https://github.com/camunda/camunda-bpm-platform-maintenance/pull/1288
7. https://github.com/camunda/camunda-bpm-platform-maintenance/pull/1291

Dev2QA handover

• Does this ticket need a QA test and the testing goals are not clear from the description? Add a Dev2QA handover comment

[mboskamp]

Spring versions >=6.0.24 and >=5.3.40 will only be available for Spring enterprise customers (Source).

There is no CE upgrade path for Spring 5.3.x. We have the following options:

• Upgrade
  • Necessary actions:
    • Move away from Spring Framework 5.3.x.
  • Pro
    • Only one Spring Framework version needs to be maintained
    • Up-to-date Spring Framework version for all components without the need for Spring EE support license
  • Con
    • Higher migration effort
• Accept risk
  • Necessary actions:
    • Risk analysis
    • Document the security risk
    • Document users should have Spring EE support license and use the latest 5.3.x version
  • Pro
    • Less migration effort
  • Con
    • It will not be possible for us to test the patch versions >5.3.39
    • Users might miss the documentation and use a potentially vulnerable version

Decision:
We will

• use 5.3.39 (the latest CE release)
• inform those customers who use environments using 5.3.x to
  • get EE support for Spring
  • build the affected artifacts themselves

[yanavasileva]

@mboskamp, I think we should bump the Spring Boot version too otherwise the Spring Framework version used in Starter and Run remains old patch.
https://github.com/camunda/automation-platform-vulnerability-scan/issues/3696

[mboskamp]

I have added PRs for master (automatic backport to 7.22) and 7.21 (see list above). For 7.20, we are already on the newest version (3.1.12).

[tasso94]

Hey @mboskamp, Spring 6.1.14 was released two weeks ago. Can we bump to it right away?

[mboskamp]

@tasso94, the Spring Framework PRs have been merged for three weeks. Currently, this ticket is about bumping the Spring Boot version as well because it affects the Spring Framework version in those components.
Of course, I can revisit the Spring Framework PRs, but it feels like a moving target.

[mboskamp]

@tasso94, I created a follow-up issue for bumping the versions again just before the next patch release.
#4751

[mboskamp]

All Spring Boot PRs merged.