Spring Boot: always use the latest Tomcat version - security

I have a Spring Boot application and I want to always use the latest Tomcat version, or even better the latest patched Tomcat version of a given major and minor version:
E.g. the latest version of 8, or the latest of 8.5 (like 8.5.32).
So I would get the latest security patches whenever I rebuild my application.
I know I can manually specify one concrete version in the properties.
But this would get outdated fast, and I don't want to have to adjust it all the time manually.

If you use Gradle then you can do it using this configuration:
compile('org.springframework.boot:spring-boot-starter-web') {
    // drop the Tomcat version managed by the Spring Boot starter
    exclude module: "spring-boot-starter-tomcat"
}
// '+' is a Gradle dynamic version: it resolves to the newest version found in the configured repositories
compile 'org.apache.tomcat.embed:tomcat-embed-core:+'
compile 'org.apache.tomcat.embed:tomcat-embed-el:+'
compile 'org.apache.tomcat.embed:tomcat-embed-logging-juli:+'
compile 'org.apache.tomcat.embed:tomcat-embed-websocket:+'
If you want to stay on a specific version line, use the form `version+`.

If you are using Maven, it's pretty easy! This would get the latest from version 9.0.0 to 9.1.0.
pom.xml:
<properties>
    <tomcat.version>[9.0,9.1)</tomcat.version>
</properties>
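Both answers above (Gradle's `+` / `version+` and Maven's `[9.0,9.1)`) leave open what a given specifier actually selects once the repository contains milestones, two-digit patch numbers and a newer major. The following is an added example, not code from either answer or from Spring Boot, Gradle or Maven: a small Python resolver that applies a simplified model of Maven's version ordering to a constructed list of available versions and reports which one each specifier picks. It makes the bracket semantics visible (`[9.0,9.1)` takes the 9.0.x releases but excludes 9.1 itself, and the 9.0.0.Mx milestones sort below 9.0 and are excluded too), shows that ordering is numeric rather than lexical (9.0.10 beats 9.0.9, 8.5.100 beats 8.5.32), and shows that a bare `+` follows the newest major, so a plain rebuild can silently move the application onto an untested Tomcat line. The version list and the qualifier table are constructed for the example and are a simplification, not an exact re-implementation of Maven's ComparableVersion or of Gradle's own ordering.

```python
"""Resolve what a Gradle dynamic version ('+', '8.5.+') or a Maven version
range ('[9.0,9.1)') selects from the versions present in a repository.

Added example, not from the original answers. Ordering is a simplified model
of Maven's: numeric components compared numerically, trailing zeros ignored
(9.0 == 9.0.0), pre-release qualifiers alpha < beta < milestone (M) < rc
sorting below the final release. AVAILABLE is constructed, not fetched.
"""
import re
from functools import total_ordering

# Qualifier ranks, lowest first; a plain release (no qualifier) ranks above all of them.
_QUALIFIERS = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "milestone": 2, "m": 2, "rc": 3, "cr": 3}
_RELEASE = 4


@total_ordering
class Version:
    """A version string with Maven-like ordering (simplified, see module docstring)."""

    def __init__(self, text: str):
        self.text = text
        # Split "9.0.0.M27" into the numeric part "9.0.0" and the qualifier "M" + "27".
        m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[.-]?([A-Za-z]+)[.-]?(\d*))?", text)
        if not m:
            raise ValueError(f"unsupported version syntax: {text!r}")
        nums = [int(n) for n in m.group(1).split(".")]
        while len(nums) > 1 and nums[-1] == 0:  # 9.0.0 == 9.0 == 9
            nums.pop()
        self.nums = tuple(nums)
        qual = (m.group(2) or "").lower()
        if qual == "":
            self.qual_rank, self.qual_num = _RELEASE, 0
        else:
            if qual not in _QUALIFIERS:
                raise ValueError(f"unknown qualifier in {text!r}")
            self.qual_rank, self.qual_num = _QUALIFIERS[qual], int(m.group(3) or 0)

    def _key(self):
        return (self.nums, self.qual_rank, self.qual_num)

    def __eq__(self, other):
        return self._key() == other._key()

    def __lt__(self, other):
        return self._key() < other._key()


def _parse_maven_range(spec: str):
    """Parse '[lo,hi)', '(lo,hi]', '(,hi]' or '[exact]' into (lo, lo_incl, hi, hi_incl)."""
    m = re.fullmatch(r"([\[(])([^,\])]*)(?:,([^\])]*))?([\])])", spec)
    if not m:
        raise ValueError(f"not a Maven version range: {spec!r}")
    lo_br, lo, hi, hi_br = m.groups()
    if hi is None:  # "[9.0.31]" means exactly that version
        hi = lo
    return (Version(lo) if lo else None, lo_br == "[",
            Version(hi) if hi else None, hi_br == "]")


def matches_maven_range(spec: str, candidate: str) -> bool:
    """True if `candidate` lies inside the Maven range `spec`, honouring [ ] vs ( )."""
    lo, lo_incl, hi, hi_incl = _parse_maven_range(spec)
    v = Version(candidate)
    if lo is not None and (v < lo or (v == lo and not lo_incl)):
        return False
    if hi is not None and (v > hi or (v == hi and not hi_incl)):
        return False
    return True


def matches_gradle_dynamic(spec: str, candidate: str) -> bool:
    """Gradle dynamic versions: '+' matches anything, '8.5.+' matches the prefix '8.5.'."""
    if spec == "+":
        return True
    if spec.endswith(".+"):
        return candidate.startswith(spec[:-1])
    return candidate == spec  # a static version matches only itself


def resolve(spec: str, available, tool: str = "maven"):
    """Return the highest available version selected by `spec`, or None if nothing matches."""
    match = matches_maven_range if tool == "maven" else matches_gradle_dynamic
    chosen = [v for v in available if match(spec, v)]
    return max(chosen, key=Version) if chosen else None


# Constructed for the example; a real run would list what the repository actually serves.
AVAILABLE = ["8.5.31", "8.5.32", "8.5.100",
             "9.0.0.M1", "9.0.0.M27", "9.0.1", "9.0.9", "9.0.10",
             "10.0.0-M1", "10.0.0", "10.1.4"]

if __name__ == "__main__":
    for tool, spec in [("maven", "[9.0,9.1)"), ("maven", "[8.5,8.6)"), ("maven", "(,9.0.1]"),
                       ("gradle", "8.5.+"), ("gradle", "+")]:
        print(f"{tool:6} {spec:12} -> {resolve(spec, AVAILABLE, tool)}")
```

Both specifiers resolve at build time, so two builds of the same commit can pull different Tomcat jars depending on what the repository serves that day; a pinned version (or Gradle dependency locking) plus a scheduled update check keeps the build reproducible while still surfacing new patch releases.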

Related

OWASP security issue with jackson-databind-2.9.8 jar

I have a Maven web project (RESTful, Spring REST/Data) running on Java 8 (Tomcat 8.5.5) and using 'jackson-databind-2.9.8.jar'. When the Dependency Check tool (which checks for vulnerable jar versions and generates a report) is run against the libraries the project uses, it flagged 'jackson-databind-2.9.8.jar' as vulnerable (reference: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Afasterxml&cpe_product=cpe%3A%2F%3Afasterxml%3Ajackson-databind&cpe_version=cpe%3A%2F%3Afasterxml%3Ajackson-databind%3A2.9.8)
Problem: changing to the 'jackson-databind-2.10.0.jar' version fixes the OWASP security issue (when running the Dependency Check tool), but when the project is built and run it throws an error, since 2.10.0 uses JDK 9+ compliant classes (reference: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10)
What should be done to resolve the issue? Can we make the project compile on Java 8 and run on JDK 11 (since JDK 9 is out of support), or should something else be done? Please suggest.
Thanks in advance!
CVE-2019-12086 is fixed in jackson-databind-2.9.9.jar.
See the report: https://nvd.nist.gov/vuln/detail/CVE-2019-12086
Maven repo for 2.9.9: https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.9.9

Overwrite Jboss jar with Maven dependencies

Hi, we have to use JBoss 6.4, but when I try to execute my code it fails due to a missing method; it works fine with JBoss 6.3 and JBoss 7.
The setSSLContext method became available in v4.5 of HttpClientBuilder.
JBoss 6.4 comes bundled with v4.3.6.
So if I use version 4.5.2 via Maven, does it override all the JBoss methods? If not, what is the solution?
I want to use JBoss 6.4 only.
If you want to use any other version of a component that is not bundled with a specific JBoss release, then you can create it as a module dependency and use it. Make sure that you exclude the particular version of the component bundled with JBoss in the jboss-deployment-structure.xml file.
See the link: https://docs.jboss.org/author/display/AS7/Class+Loading+in+AS7

pom file java version spec for Maven

I am a new user of Maven; I am trying to use it to build Apache Spark on Amazon EC2 VMs. I have manually installed Java version 1.7.0 on the VMs. However, when I run Maven, the following error occurs:
Failed to execute goal net.alchim31.maven:scala-maven-plugin:3.2.0:testCompile (scala-test-compile-first) on project spark-core_2.10: Execution scala-test-compile-first of goal net.alchim31.maven:scala-maven-plugin:3.2.0:testCompile failed. CompileFailed
As I think a Java version mismatch is the likely reason for the compile problem, I opened the Spark pom file for Maven; it declares Java-related versions in two separate places:
<java.version>1.6</java.version>
and
<aws.java.sdk.version>1.8.3</aws.java.sdk.version>
What are the differences between these two versions?
Which one should be edited to solve the Java version mismatch?
They are two different things:
<java.version>1.6</java.version>
is the Java version used, and
<aws.java.sdk.version>1.8.3</aws.java.sdk.version>
is the AWS SDK for Java version used.
The minimum requirement of AWS SDK 1.9 is Java 1.6+, so there are no compatibility issues.

Upgrading from Groovy 1.7.2 to 1.8.x

My project demands an upgrade from Groovy 1.7.2 to the 1.8.x stable release. Several jars were created using Groovy 1.7.2; let me know whether these jars will also be compatible with 1.8.x or not, or whether I need to completely rebuild them.
As it says in this mailing list entry:
A jar built with 1.7 will not run with a 1.8 runtime because two files were moved and one was removed.

Groovy plugin installation fails in STS 2.5.2 and 2.7

I have tried installing the Groovy plugin via STS's dashboard install feature in 2.7 (the version I downloaded initially, which was the latest version at the time). My colleague recommended downloading 2.5.2, the version he is using, so I did; however, the Groovy plugin installer still fails. It starts with:
Cannot complete the install because of a conflicting dependency.
Software being installed: Groovy-Eclipse Feature 2.5.2.xx-20110808-1400-e36 (org.codehaus.groovy.eclipse.feature.feature.group 2.5.2.xx-20110808-1400-e36)
Windows 7 64-bit
Groovy 1.8.2
Grails 1.3.7
JVM 1.6.0_26
Greatly appreciate any hints/recommendations/ideas. Thank you!
Make sure that your STS install is in a directory where the current user has write permissions. Also, there is a problem with installing into the Program Files directory (it is not really writable, even if you think it is).
The reason for this problem is that the feature patch that comes with Groovy-Eclipse must be installed into the same directory as the rest of STS (an Eclipse limitation). This patch is what patches the JDT compiler so that it can also compile Groovy code.
