Skip to content

Latest commit

 

History

History
279 lines (204 loc) · 11.3 KB

6.x.md

File metadata and controls

279 lines (204 loc) · 11.3 KB

6.1.2

Suppressions for

  • CVE-2024-50379 as this affects the default tomcat servlet that we don't include
  • CVE-2024-12798 and CVE-2024-12801 as the attacher needs to have write access to the logback configuration or be able to manipulate environment variables

6.1.1

Upgrade to spring-boot 3.4.1

This includes an upgrade to Sprine Boot 3.4.1

Version upgrades

  • io.spring.dependency-management:io.spring.dependency-management.gradle.plugin [1.1.6 -> 1.1.7]
  • org.eclipse.jgit:org.eclipse.jgit [7.0.0.202409031743-r -> 7.1.0.202411261347-r]
  • org.jlleitschuh.gradle.ktlint:org.jlleitschuh.gradle.ktlint.gradle.plugin [12.1.1 -> 12.1.2]
  • com.fasterxml.jackson.module:jackson-module-kotlin [2.18.1 -> 2.18.2]

Test upgrades

  • net.javacrumbs.json-unit:json-unit-assertj [4.0.0 -> 4.1.0]
  • org.assertj:assertj-core [3.26.3 -> 3.27.0]
  • org.junit.jupiter:junit-jupiter [5.11.3 -> 5.11.4]

6.1.0

Upgrade to spring-boot 3.4.0

This includes an upgrade to Sprine Boot 3.4.0

Note that we have encountered issues with the hibernate part of the spring upgrade, so have pinned hibernate to 6.5.3.Final in Prison API by temporarily adding:

ext["hibernate.version"] = "6.5.3.Final"

to build.gradle.kts.

Version upgrades

  • com.microsoft.azure:applicationinsights-agent [3.6.1 -> 3.6.2]
  • com.fasterxml.jackson.module:jackson-module-kotlin [2.17.2 -> 2.18.1]

Test dependency upgrades

  • net.javacrumbs.json-unit:json-unit-assertj:[3.4.1 -> 4.0.0]

6.0.9

Pin netty to latest version 4.1.115.Final for Denial of Service attack

From CVE-2024-47535:

From the CVE:

An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.

6.0.8

Upgrade to spring-boot 3.3.5

This includes an upgrade to Sprine Boot 3.3.5

Upgrade to Kotlin 2.0.21

This includes an upgrade to Kotlin 2.0.21

6.0.7

Spring Framework Path traversal vulnerability suppression

Suppression for https://spring.io/security/cve-2024-38819 as it only affects applications that use WebMvc.fn or WebFlux.fn.

Version upgrades

  • com.microsoft.azure:applicationinsights-agent [3.5.4 -> 3.6.1]
  • io.opentelemetry:opentelemetry-api [1.40.0 -> 1.43.0]

Test version upgrades

  • org.junit.jupiter:junit-jupiter [5.11.0 -> 5.11.3]
  • org.junit.vintage:junit-vintage-engine [5.11.0 -> 5.11.3]
  • org.mockito:mockito-junit-jupiter [5.13.0 -> 5.14.2]

6.0.6

Upgrade to spring-boot 3.3.4

This includes an upgrade to Spring Boot 3.3.4

6.0.5

Spring Framework Path traversal vulnerability suppression

Suppression for https://spring.io/security/cve-2024-38816 as it only affects applications where both the following are true:

  1. the web application uses RouterFunctions to serve static resources
  2. resource handling is explicitly configured with a FileSystemResource location

Version upgrades

  • com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin [1.2.1 -> 1.3.0]
  • org.eclipse.jgit:org.eclipse.jgit [6.10.0.202406032230-r -> 7.0.0.202409031743-r]
  • Gradle: [8.10 -> 8.10.1]

Test version upgrades

  • org.mockito:mockito-junit-jupiter [5.12.0 -> 5.13.0]

6.0.4

Upgrade to spring-boot 3.3.3

This includes an upgrade to Spring Boot 3.3.3

Upgrade to Kotlin 2.0.20

This includes an upgrade to Kotlin 2.0.20

Removal of Spring Framework DoS suppression

Suppression for CVE-2024-38809 was removed as Spring Framework has now been upgraded.

Removal of incremental compilation from gradle.properties

When running gradle with incremental compilation the following message appears:

History based incremental compilation approach for JVM platform is deprecated and will be removed soon in favor of approach based on ABI snapshots.
Please remove 'kotlin.incremental.useClasspathSnapshot=false' from 'gradle.properties' file.

We have therefore followed the advice and removed that configuration from gradle.properties.

6.0.3

Spring Framework DoS suppression

Suppression for https://spring.io/security/cve-2024-38809 as it only affects applications that parse ETags from "If-Match" or "If-None-Match" request headers.

Upgrade to Kotlin 2.0.10

This includes an upgrade to Kotlin 2.0.10

Version upgrades

  • com.microsoft.azure:applicationinsights-agent [3.5.3 -> 3.5.4]
  • com.microsoft.azure:applicationinsights-core [3.5.3 -> 3.5.4]
  • io.opentelemetry:opentelemetry-api [1.38.0 -> 1.40.0]
  • org.junit.vintage:junit-vintage-engine [5.10.2 -> 5.11.0]
  • org.junit.jupiter:junit-jupiter [5.10.3 -> 5.11.0]

6.0.2

Breaking change

If this upgrade starts breaking tests with error:

java.lang.NullPointerException: Cannot invoke "org.springframework.http.HttpStatusCode.is1xxInformational()" because "this.statusCode" is null

then the likely cause is unit test setup that something like this:

doThrow(WebClientResponseException.BadGateway::class).whenever(someService).someMethod(anyString())

The problem is that Mockito doesn't set the status code in the exception but Spring has changed to assume the status code is not null.

To workaround this issue, you can change the test to:

doThrow(WebClientResponseException.create(HttpStatus.BAD_GATEWAY, "error", HttpHeaders.EMPTY, ByteArray(0), null, null)).whenever(someService).someMethod(anyString())

Upgrade to spring-boot 3.3.2

This includes an upgrade to Spring Boot 3.3.2

Version Upgrades

  • org.springframework.boot:spring-boot-gradle-plugin [3.3.1 -> 3.3.2]
  • io.spring.dependency-management:io.spring.dependency-management.gradle.plugin:[1.1.5 -> 1.1.6]
  • org.owasp:dependency-check-core:[8.4.2 -> 8.4.3]
  • org.owasp:dependency-check-gradle:[8.4.2 -> 8.4.3]
  • com.fasterxml.jackson.module:jackson-module-kotlin [2.16.1 -> 2.17.2 ]

Test dependency upgrades

  • org.mockito.kotlin:mockito-kotlin [5.3.1 -> 5.4.0]
  • org.junit.jupiter:junit-jupiter:[5.10.2 - > 5.10.3]
  • org.assertj:assertj-core:[3.26.0 -> 3.26.3]
  • net.javacrumbs.json-unit:json-unit-assertj:[3.2.7 -> 3.4.1]

6.0.1

Warning

Please ensure that opentelemetry versions are matched with the application insights 3.5.3 and aren't bumped to the latest versions. The following error was discovered when opentelemetry was upgrade to 1.39 and annotations to 2.5:

{"status":500,"userMessage":"Unexpected error: Handler dispatch failed: java.lang.NoClassDefFoundError: Could not initialize class reactor.netty.http.client.HttpClientSecure","developerMessage":"Handler dispatch failed: java.lang.NoClassDefFoundError: Could not initialize class reactor.netty.http.client.HttpClientSecure"}

Please note that this plugin automatically includes the correct version of opentelemetry-api so this should not be included as a dependency in your project.

The only opentelemetry implementation dependency you therefore need is:

  implementation("io.opentelemetry.instrumentation:opentelemetry-instrumentation-annotations:2.4.0")

For testing you can also add

  testImplementation("io.opentelemetry:opentelemetry-sdk-testing:1.38.0")

Upgrade to spring-boot 3.3.1

This includes an upgrade to Spring Boot 3.3.1

Version Upgrades

  • org.springframework.boot:spring-boot-gradle-plugin [3.3.0 -> 3.3.1]
  • org.eclipse.jgit:org.eclipse.jgit [:6.9.0.202403050737-r -> 6.10.0.202406032230-r]
  • com.microsoft.azure:applicationinsights-core [3.5.2 -> 3.5.3]
  • com.microsoft.azure:applicationinsights-agent [3.5.2 -> 3.5.3]
  • opentelemetry.version [1.37 -> 1.38]

6.0.0

Breaking changes

The spring boot release includes upgrades Flyway to 10.0, which includes a breaking change for nearly all database users.

Database support has been moved to separate database packages rather than being included in the flyway-core package. The relevant package then needs to be included as well e.g.

  runtimeOnly("org.flywaydb:flyway-database-postgresql")

Please see upgrading from Spring Boot 3.2 for more information.

H2 and Hibernate for tests

Potential errors similar to the following may occur in the build process:

Caused by: org.hibernate.exception.SQLGrammarException: could not prepare statement ... Caused by: org.h2.jdbc.JdbcSQLSyntaxErrorException: Syntax error in SQL statement ...

These may potentially be resolved by ensuring hibernate is configured to know that H2 rather than postgres is used in the test environment

application.yml

    data:
        jdbc:
            dialect: postgresql

application-test.yml

    jpa:
        database-platform: org.hibernate.dialect.H2Dialect

    data:
        jdbc:
            dialect: h2

Upgrade to Java 21

This is the first release of the plugin to target Java 21 instead of Java 17.

Upgrade to Spring Boot 3.3.0

This includes an upgrade to Spring Boot 3.3.0

Upgrade to Kotlin 2.0.0

This includes an upgrade to Kotlin 2.0.0

This upgrade causes a warning to appear in some projects:

'kotlinOptions(KotlinJvmOptionsDeprecated /* = KotlinJvmOptions */.() -> Unit): Unit' is deprecated. Please migrate to the compilerOptions DSL. More details are here: https://kotl.in/u1r8ln

To fix the warning change the existing code in build.gradle.kts:

     kotlinOptions {
      jvmTarget = JavaVersion.VERSION_21.toString()
    }

to

    compilerOptions.jvmTarget = org.jetbrains.kotlin.gradle.dsl.JvmTarget.JVM_21

at the top of the file.

Version upgrades

  • com.google.code.gson:gson [2.10.1 -> 2.11.0]
  • com.gorylenko.gradle-git-properties:com.gorylenko.gradle-git-properties.gradle.plugin [2.4.1 -> 2.4.2]
  • io.spring.dependency-management:io.spring.dependency-management.gradle.plugin [1.1.4 -> 1.1.5]
  • org.jlleitschuh.gradle.ktlint:org.jlleitschuh.gradle.ktlint.gradle.plugin [12.1.0 -> 12.1.1]
  • com.microsoft.azure:applicationinsights-agent [3.5.1 -> 3.5.2]
  • com.microsoft.azure:applicationinsights-core [3.5.1 -> 3.5.2]
  • io.opentelemetry:opentelemetry-api [1.35.0 -> 1.37.0]

Test dependency upgrades

  • org.assertj:assertj-core [3.25.3 -> 3.26.0]
  • org.mockito:mockito-junit-jupiter [5.11.0 -> 5.12.0]
  • org.mockito.kotlin:mockito-kotlin [5.2.1 -> 5.3.1]