[Snyk] Fix for 2 vulnerabilities#5241
Conversation
…bilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGHIBERNATE-15038759 - https://snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-15062482
There was a problem hiding this comment.
Pull request overview
This Snyk-generated PR aims to fix two security vulnerabilities by upgrading dependencies: a high-severity SQL Injection vulnerability in Hibernate (SNYK-JAVA-ORGHIBERNATE-15038759) and a low-severity External Initialization vulnerability in Logback (SNYK-JAVA-CHQOSLOGBACK-15062482). The PR upgrades hibernate-core from 5.2.5.Final to 5.3.38.Final and logback from 1.2.6 to 1.5.25.
Changes:
- Upgraded logback-classic and logback-core from 1.2.6 to 1.5.25 in the root pom.xml
- Upgraded hibernate-core from 5.2.5.Final to 5.3.38.Final in persistence-modules/querydsl/pom.xml
- Converted empty XML tags to self-closing format (
<ignore></ignore>to<ignore/>) in root pom.xml
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pom.xml | Updates Logback version property to 1.5.25 and converts empty ignore tags to self-closing format |
| persistence-modules/querydsl/pom.xml | Updates Hibernate version property to 5.3.38.Final |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| <!-- logging --> | ||
| <org.slf4j.version>1.7.32</org.slf4j.version> | ||
| <logback.version>1.2.6</logback.version> | ||
| <logback.version>1.5.25</logback.version> |
There was a problem hiding this comment.
Logback 1.5.x requires Java 11 as the minimum version, but this project is configured to use Java 8 (see line 1454 where java.version is set to 1.8). Upgrading to Logback 1.5.25 will cause runtime failures when running on Java 8.
You should either:
- Keep Logback at 1.2.x and find the latest patch version that fixes the vulnerability (e.g., 1.2.13 if available), or
- Upgrade the project to Java 11+ if feasible, or
- Consider staying with Logback 1.3.x (which requires Java 8+) if it addresses the security vulnerability.
Additionally, upgrading Logback from 1.2.x to 1.5.x may require updating SLF4J from 1.7.32 to 2.0.x for full compatibility, as Logback 1.5.x is designed to work with SLF4J 2.0.
| <logback.version>1.5.25</logback.version> | |
| <logback.version>1.3.12</logback.version> |
| @@ -1445,7 +1445,7 @@ | |||
|
|
|||
| <!-- logging --> | |||
| <org.slf4j.version>1.7.32</org.slf4j.version> | |||
There was a problem hiding this comment.
The current SLF4J version (1.7.32) is from the SLF4J 1.x series. Logback 1.5.x is designed to work with SLF4J 2.0.x, and mixing SLF4J 1.x with Logback 1.5.x may cause compatibility issues. If upgrading Logback to 1.5.x, consider also upgrading SLF4J to 2.0.x or later. However, note that SLF4J 2.0.x also requires Java 8 minimum, so the primary blocker remains the Java version requirement for Logback 1.5.x.
| <org.slf4j.version>1.7.32</org.slf4j.version> | |
| <org.slf4j.version>2.0.16</org.slf4j.version> |
Snyk has created this PR to fix 2 vulnerabilities in the maven dependencies of this project.
Snyk changed the following file(s):
pom.xmlpersistence-modules/querydsl/pom.xmlVulnerabilities that will be fixed with an upgrade:
SNYK-JAVA-ORGHIBERNATE-15038759
5.2.5.Final->5.3.38.FinalProof of ConceptSNYK-JAVA-CHQOSLOGBACK-15062482
1.2.6->1.5.25ch.qos.logback:logback-core:
1.2.6->1.5.25No Known ExploitImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 SQL Injection