department-of-veterans-affairs / abd-vro

To get Veterans benefits in minutes, VRO software uses health evidence data to help fast track disability claims.

Update spring-web and spring-boot-starter-test references to major versions #757

Open sethdarragile6 opened 1 year ago

sethdarragile6 commented 1 year ago

Description

Dependabot flagged 2 dependencies for update:

It was decided to delay this update. Per Afsin:

Delaying this for now; major releases and need to understand implications better. We need to update all spring and spring boot major library updates at the same time.

Acceptance Criteria

  1. Update spring-web from 5.3.23 to 6.0.2
  2. Update spring-boot-starter-test from 2.7.5 to 3.0.0
sethdarragile6 commented 1 year ago

Our spring-web version was identified by SecRel as a critical vulnerability. I acknowledge the vulnerability in Aqua with a reference to this ticket.

yoomlam commented 1 year ago

In branch yoom/use-secrel4 (which updates to use SecRel 4.0), I updated to spring_boot_version 2.7.6 for SecRel to pass due to Snyk alerts:

sethdarragile6 commented 1 year ago

More and more Aqua alerts coming up around 5.x versions of Spring lately. Might want to prioritize this ticket soon.

yoomlam commented 1 year ago

Note:

tejans24 commented 1 year ago

More SecRel issues based on spring-web - Suppressed for 2 weeks

Image: [abd-vro-internal/dev_vro-svc-bie-kafka:882d8a1](https://aqua.lighthouse.va.gov/#/images/Ad%20Hoc%20Scans/ghcr.io%2Fdepartment-of-veterans-affairs%2Fabd-vro-internal%2Fdev_vro-svc-bie-kafka:882d8a1/vulns?digest=sha256%3A466557ac64fca59ac789e05795f8e947bd94179cf96e4c757f933bff5b93d129)

Note: Hyperlink can only be accessed if you are on Citrix or utilizing GFE.

Severity | Description | Remediation | Fix Version | Vulnerability Name
-- | -- | -- | -- | --
Critical | Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data. | Upgrade package spring-web to version 6.0.0 or above. | 6.0.0 | CVE-2016-1000027 ([GHSA-4wrc-f8pq-fpqp](https://github.com/advisories/GHSA-4wrc-f8pq-fpqp))
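The scanner findings above key off the spring-web version that actually ends up in the image, which is the version Gradle resolves to, not the one declared. The following script, added here as an example and not part of the abd-vro repository, parses `./gradlew dependencies` output (the `declared -> resolved` arrows and `(*)` markers) and flags any resolved spring-web or spring-boot-starter-test version below the fix versions named in this issue (6.0.0 and 3.0.0). The sample tree text is constructed, not captured from the project.

```python
import re

# Fix versions taken from the issue: spring-web >= 6.0.0 (CVE-2016-1000027)
# and spring-boot-starter-test 3.0.0 from the acceptance criteria.
FIX_VERSIONS = {
    "org.springframework:spring-web": "6.0.0",
    "org.springframework.boot:spring-boot-starter-test": "3.0.0",
}

# One Gradle tree line, e.g. "+--- org.springframework:spring-web:5.3.23 -> 5.3.24 (*)"
LINE_RE = re.compile(
    r"^[\s|+\\-]*(?P<coord>[\w.\-]+:[\w.\-]+)(?::(?P<declared>[\w.\-]+))?"
    r"(?:\s+->\s+(?P<resolved>[\w.\-]+))?"
)

def parse_version(v):
    """'5.3.23' -> (5, 3, 23); non-numeric parts such as 'RC1' sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))

def resolved_versions(tree_text):
    """Map coordinate -> set of versions Gradle actually resolved to."""
    found = {}
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("coord") not in FIX_VERSIONS:
            continue
        # The right-hand side of "->" wins; without an arrow the declared version ships.
        version = m.group("resolved") or m.group("declared")
        if version:
            found.setdefault(m.group("coord"), set()).add(version)
    return found

def below_fix(tree_text):
    """Return {coordinate: [versions]} for anything resolving under its fix version."""
    findings = {}
    for coord, versions in resolved_versions(tree_text).items():
        bad = sorted(v for v in versions
                     if parse_version(v) < parse_version(FIX_VERSIONS[coord]))
        if bad:
            findings[coord] = bad
    return findings

# Constructed sample of `gradle dependencies` output (not from abd-vro).
SAMPLE_TREE = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.boot:spring-boot-starter-web -> 2.7.6
|    +--- org.springframework:spring-web:5.3.23 -> 5.3.24
|    \\--- org.springframework:spring-webmvc:5.3.24
\\--- org.springframework.boot:spring-boot-starter-test:2.7.5 (*)
"""

if __name__ == "__main__":
    print(below_fix(SAMPLE_TREE))
```

Run it against `./gradlew dependencies --configuration runtimeClasspath` output for each subproject; a bump in `spring_boot_version` only closes the finding if every subproject resolves spring-web at or above 6.0.0.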