
upgraded os-core-common for all providers and sanitized the poms for all providers

Deepa Kumari requested to merge az/39359-fix-spring-vuln into master

In order to fix the spring-web, spring-core and spring-security vulnerabilities:

  1. https://community.opengroup.org/osdu/platform/system/dataset/-/security/vulnerabilities/35639
  2. https://community.opengroup.org/osdu/platform/system/dataset/-/security/vulnerabilities/35635
  3. https://community.opengroup.org/osdu/platform/system/dataset/-/security/vulnerabilities/35633
  4. https://community.opengroup.org/osdu/platform/system/dataset/-/security/vulnerabilities/35105

Incorporated the os-core-common spring6 version 0.27.0-rc1 and sanitized the pom so all providers use the same versions. In the process, since the new os-core-common spring6 only uses cleaned-up dependencies, javassist had to be included separately in the core module.

During the pipeline runs there were various conflicts with this exception:

```
java.lang.NoSuchMethodError: 'com.fasterxml.jackson.databind.PropertyName com.fasterxml.jackson.databind.PropertyName.merge(com.fasterxml.jackson.databind.PropertyName, com.fasterxml.jackson.databind.PropertyName)'
	at com.fasterxml.jackson.dataformat.xml.JacksonXmlAnnotationIntrospector.findNameForSerialization(JacksonXmlAnnotationIntrospector.java:200) ~[jackson-dataformat-xml-2.17.0.jar!/:2.17.0]
```

So, the jackson versions were upgraded as well, to fix this issue for all providers.

Before and after changes for the 3 main vulnerabilities are attached: vuln.txt and vuln_after.txt.

Above changes were reverted from AWS due to unresolved failures.

Edited by Deepa Kumari
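The NoSuchMethodError quoted in the description is the classic signature of mixed Jackson releases on one classpath: jackson-dataformat-xml 2.17.0 calls PropertyName.merge, and the jackson-databind that was actually resolved does not have it. Aligning every provider on one Jackson version is the fix the MR applied; the check below is an added example, not code from this MR or from the OSDU dataset project. It parses the text that `mvn dependency:tree` prints and reports whether any com.fasterxml.jackson artifact resolves at a version different from the others. The dependency tree embedded here is constructed to resemble the mix described, not captured from the project, and the module name dataset-core in it is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of `mvn dependency:tree` output (not real project output).
# It models the mix this MR hit: jackson-dataformat-xml 2.17.0 resolved next to an
# older jackson-databind pulled in transitively by the Spring Boot starter.
# The module name "dataset-core" and all version numbers are assumptions.
SAMPLE_TREE = """\
[INFO] --- dependency:3.6.1:tree (default-cli) @ dataset-core ---
[INFO] org.opengroup.osdu:dataset-core:jar:0.27.0-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.2.5:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.15.4:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.15.4:compile
[INFO] |  |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.15.4:compile
[INFO] +- com.fasterxml.jackson.dataformat:jackson-dataformat-xml:jar:2.17.0:compile
[INFO] |  \\- org.codehaus.woodstox:stax2-api:jar:4.2.1:compile
[INFO] \\- org.javassist:javassist:jar:3.29.2-GA:compile
"""

# One resolved dependency per line, in the plugin's
# groupId:artifactId:type[:classifier]:version:scope layout, preceded by the
# tree-drawing characters. The project's own root line has no scope and is
# deliberately not matched.
DEP_RE = re.compile(
    r"^\[INFO\] [|+\\\- ]*"
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w.\-]+))?"
    r":(?P<version>[\w.\-]+):(?P<scope>\w+)\s*$"
)


def parse_tree(text):
    """Return (group, artifact, version) for every resolved dependency line."""
    deps = []
    for line in text.splitlines():
        m = DEP_RE.match(line)
        if m:
            deps.append((m["group"], m["artifact"], m["version"]))
    return deps


def version_skew(deps, group_prefix="com.fasterxml.jackson"):
    """Map each distinct version under group_prefix to the artifacts resolved at it.

    A Jackson family is consistent only when this map has a single key; two or more
    keys mean modules compiled against different databind APIs share a classpath,
    which is exactly what produces a NoSuchMethodError at runtime.
    """
    by_version = defaultdict(list)
    for group, artifact, version in deps:
        if group == group_prefix or group.startswith(group_prefix + "."):
            by_version[version].append(f"{group}:{artifact}")
    return dict(by_version)


def check(text, group_prefix="com.fasterxml.jackson"):
    """Return (ok, skew) for a dependency-tree dump; ok is False on mixed versions."""
    skew = version_skew(parse_tree(text), group_prefix)
    return len(skew) <= 1, skew


if __name__ == "__main__":
    # In a real module: mvn dependency:tree -Dincludes='com.fasterxml.jackson.*' > tree.txt
    ok, skew = check(SAMPLE_TREE)
    for version, artifacts in sorted(skew.items()):
        print(version, "->", ", ".join(artifacts))
    print("consistent" if ok else "MIXED JACKSON VERSIONS: pin them in dependencyManagement")
```

Run it against each provider module's tree in the pipeline and fail the build when `ok` is False; that turns the runtime NoSuchMethodError into a build-time finding. The same function works for any library family that must move in lock step (pass `org.springframework` as the prefix to catch spring-core and spring-web drifting apart).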
