daust / JasperReportsIntegration

JasperReportsIntegration provides an interface to use the JasperReports reporting engine in an Oracle database application, specifically with Oracle Application Express (Oracle APEX).
BSD 3-Clause "New" or "Revised" License

Upgrade spring boot libraries #90

Closed daust closed 2 years ago

daust commented 2 years ago

In the past, I have always tried to make it as easy for developers as possible. One pitfall I wanted to avoid was that users built their report in JasperSoftStudio, deployed it onto the JRI-Integration, and it would break.

Thus, I tried to include all libraries that might be required. Sometimes, libraries get added that are just there for running some tests/samples, e.g. the Spring Boot libraries.

I never wanted to go through the hassle of understanding all dependencies, thus I included most of the libraries.

After the log4shell issue I am more reluctant to do so.

I have just come across the security warning here: https://github.com/TIBCOSoftware/jasperreports/issues/241

In the upcoming release (and forward) I will remove all references to spring boot. If you should need them, you can add those libraries back yourself.

daust commented 2 years ago

The gradle task jriDownloadJasperLibraries will first download the libraries, then copy them to the local lib directory. In this step, the spring libraries will be excluded:

  // https://github.com/TIBCOSoftware/jasperreports/issues/241
  // CVE-2021-22096 - Medium Severity Vulnerability, Vulnerable Library - spring-core-5.1.4.RELEASE.jar
  // spring boot framework should not be required anyway
  exclude "spring-core-*"
  exclude "spring-beans-*"

daust commented 2 years ago

The spring framework is required for recompiling the .jrxml file into .jasper. Thus, I will remove the vulnerable version from the jasper-lib download and always upgrade to the latest one through the gradle build. Currently, I have included: spring-core-5.3.15.jar, spring-beans-5.3.15.jar.
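A check a maintainer could run against the resulting lib directory after the build, as an added example that is not part of the project's gradle build: it flags any spring-core/spring-beans jar older than the 5.3.15 version named above and any artifact that is present in more than one version (an old jar left behind next to the upgraded one still ends up on the classpath). The jar names in SAMPLE_LIB are constructed for the example.

```python
import re
from pathlib import Path

# Minimum versions the issue settles on: spring-core-5.3.15.jar, spring-beans-5.3.15.jar
MIN_VERSIONS = {"spring-core": (5, 3, 15), "spring-beans": (5, 3, 15)}

# Matches e.g. spring-core-5.1.4.RELEASE.jar or spring-beans-5.3.15.jar
JAR_RE = re.compile(
    r"^(spring-(?:core|beans))-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?\.jar$"
)

# Constructed sample listing of a lib directory where the old download was not cleaned up
SAMPLE_LIB = [
    "example-lib-1.0.jar",
    "spring-core-5.1.4.RELEASE.jar",
    "spring-core-5.3.15.jar",
    "spring-beans-5.3.15.jar",
]


def parse_spring_jar(filename):
    """Return (artifact, (major, minor, patch)) for a spring-core/spring-beans jar, else None."""
    m = JAR_RE.match(filename)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def audit_lib_dir(filenames):
    """Return a list of findings (empty list means the directory passes)."""
    found = {}
    for name in filenames:
        parsed = parse_spring_jar(name)
        if parsed is None:
            continue  # not a spring-core/spring-beans jar; ignore
        artifact, version = parsed
        found.setdefault(artifact, []).append((version, name))
    findings = []
    for artifact, entries in found.items():
        minimum = MIN_VERSIONS[artifact]
        for version, name in entries:
            if version < minimum:  # tuple comparison orders versions numerically
                findings.append(f"{name}: below minimum {'.'.join(map(str, minimum))}")
        if len(entries) > 1:  # two versions of the same artifact on the classpath
            findings.append(f"{artifact}: {len(entries)} versions on classpath")
    return findings


def audit_path(lib_dir):
    """Audit a real directory on disk, e.g. audit_path('lib')."""
    return audit_lib_dir(p.name for p in Path(lib_dir).iterdir() if p.is_file())


if __name__ == "__main__":
    print("\n".join(audit_lib_dir(SAMPLE_LIB)) or "ok")
```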