[Snyk] Fix for 2 vulnerabilities#5245
Conversation
…n-server/pom.xml to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-IONETTY-14423947 - https://snyk.io/vuln/SNYK-JAVA-CHQOSLOGBACK-15062482
There was a problem hiding this comment.
Pull request overview
This PR attempts to address 2 security vulnerabilities by upgrading dependencies: Spring Boot Admin from 2.4.1 to 3.5.7 (major version) and logback from 1.2.6 to 1.5.25. However, these upgrades introduce critical compatibility issues that will prevent the application from building and running.
Changes:
- Upgraded spring-boot-admin-starter-server from 2.4.1 to 3.5.7
- Upgraded logback-classic and logback-core from 1.2.6 to 1.5.25
- Minor XML formatting changes (self-closing tags)
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| spring-boot-modules/spring-boot-admin/spring-boot-admin-server/pom.xml | Upgrades Spring Boot Admin server to 3.5.7, incompatible with project's Spring Boot 2.6.3 |
| pom.xml | Upgrades logback to 1.5.25 (requires SLF4J 2.x but project uses 1.7.32) and cosmetic XML formatting changes |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
|
||
| <properties> | ||
| <spring-boot-admin-server.version>2.4.1</spring-boot-admin-server.version> | ||
| <spring-boot-admin-server.version>3.5.7</spring-boot-admin-server.version> |
There was a problem hiding this comment.
This major version upgrade from Spring Boot Admin 2.4.1 to 3.5.7 introduces a critical compatibility issue. Spring Boot Admin 3.x requires Spring Boot 3.x as a minimum, but this project uses Spring Boot 2.6.3 (defined in parent-boot-2/pom.xml:91).
Additionally, the existing code uses WebSecurityConfigurerAdapter (see WebSecurityConfig.java:18) which was removed in Spring Security 6.0 that ships with Spring Boot 3.x. This will cause compilation failures.
To properly address the security vulnerabilities, you should either:
- Upgrade the entire Spring Boot ecosystem to version 3.x along with necessary code refactoring for the security configuration, or
- Use Spring Boot Admin 2.7.x which is the latest version compatible with Spring Boot 2.x and still receives security updates
| <spring-boot-admin-server.version>3.5.7</spring-boot-admin-server.version> | |
| <spring-boot-admin-server.version>2.7.15</spring-boot-admin-server.version> |
| <properties> | ||
| <spring-boot-admin-server.version>2.4.1</spring-boot-admin-server.version> | ||
| <spring-boot-admin-server.version>3.5.7</spring-boot-admin-server.version> | ||
| <spring-boot-admin-starter-client.version>2.4.1</spring-boot-admin-starter-client.version> |
There was a problem hiding this comment.
Version mismatch detected: spring-boot-admin-starter-server has been upgraded to 3.5.7, but spring-boot-admin-starter-client remains at 2.4.1. These versions are incompatible and will cause communication failures between the server and client. Both should use the same major version.
| <spring-boot-admin-starter-client.version>2.4.1</spring-boot-admin-starter-client.version> | |
| <spring-boot-admin-starter-client.version>3.5.7</spring-boot-admin-starter-client.version> |
| <!-- logging --> | ||
| <org.slf4j.version>1.7.32</org.slf4j.version> | ||
| <logback.version>1.2.6</logback.version> | ||
| <logback.version>1.5.25</logback.version> |
There was a problem hiding this comment.
The logback upgrade from 1.2.6 to 1.5.25 introduces a potential compatibility issue. Logback 1.5.x requires SLF4J 2.0.x, but this project uses SLF4J 1.7.32 (line 1447). This mismatch will cause runtime errors. You should either:
- Upgrade slf4j to version 2.0.x or later to match logback 1.5.25, or
- Use logback 1.3.x which is the latest version compatible with SLF4J 1.7.x and addresses many security vulnerabilities
| <logback.version>1.5.25</logback.version> | |
| <logback.version>1.3.14</logback.version> |
Snyk has created this PR to fix 2 vulnerabilities in the maven dependencies of this project.
Snyk changed the following file(s):
pom.xmlspring-boot-modules/spring-boot-admin/spring-boot-admin-server/pom.xmlVulnerabilities that will be fixed with an upgrade:
SNYK-JAVA-IONETTY-14423947
2.4.1->3.5.7Major version upgradeProof of ConceptSNYK-JAVA-CHQOSLOGBACK-15062482
1.2.6->1.5.25ch.qos.logback:logback-core:
1.2.6->1.5.25No Known ExploitImportant
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 CRLF Injection