spring-projects / spring-integration

Spring Integration provides an extension of the Spring programming model to support the well-known Enterprise Integration Patterns (EIP)
http://projects.spring.io/spring-integration/
Apache License 2.0
1.55k stars 1.11k forks

No patch release for Spring Integration to support Spring Boot 2.1.12 & Spring Core 5.1.13 #3166

Closed Suvojit closed 4 years ago

Suvojit commented 4 years ago

Affects Version(s): 5.1.9


Hello,

I am using Maven to set up dependencies in my app.

I am using Spring Boot v2.1.12.RELEASE which brings in Spring Core v5.1.13.

Also, I am using Spring Integration v5.1.9 (which is the latest) and it brings in Spring Core v5.1.11.RELEASE.

As you can see, I want Spring Integration to not resolve to v5.1.11 of Spring Core as it has some vulnerabilities.

I think we are missing a patch release for Spring Integration which resolves to Spring Core v5.1.13.

Could someone check for this?

garyrussell commented 4 years ago

It's not clear what you mean; Spring Boot's dependency management will always override the version that Spring Integration pulls in transitively.

Suvojit commented 4 years ago

Spring Integration pulls in v5.1.11 whereas Spring Boot pulls v5.1.13 of Spring Core.

Ideally, 5.1.13 should override v5.1.11, which I agree with you.

But in my case Spring Integration resolves to 5.1.13 in the dependency tree, which causes a CVE to appear (which I try to resolve by upgrading Spring Core to 5.1.13).

artembilan commented 4 years ago

I have just generated a project from start.spring.io with that Spring Boot 2.1.12 and a Spring Integration starter. Here is my dependency tree:

[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ demo ---
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-integration:jar:2.1.12.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-aop:jar:2.1.12.RELEASE:compile
[INFO] |  |  +- org.springframework:spring-aop:jar:5.1.13.RELEASE:compile
[INFO] |  |  |  \- org.springframework:spring-beans:jar:5.1.13.RELEASE:compile
[INFO] |  |  \- org.aspectj:aspectjweaver:jar:1.9.5:compile
[INFO] |  \- org.springframework.integration:spring-integration-core:jar:5.1.9.RELEASE:compile
[INFO] |     +- org.springframework:spring-context:jar:5.1.13.RELEASE:compile
[INFO] |     |  \- org.springframework:spring-expression:jar:5.1.13.RELEASE:compile
[INFO] |     +- org.springframework:spring-messaging:jar:5.1.13.RELEASE:compile
[INFO] |     +- org.springframework:spring-tx:jar:5.1.13.RELEASE:compile
[INFO] |     +- org.springframework.retry:spring-retry:jar:1.2.5.RELEASE:compile
[INFO] |     \- io.projectreactor:reactor-core:jar:3.2.14.RELEASE:compile
[INFO] |        \- org.reactivestreams:reactive-streams:jar:1.0.3:compile
[INFO] +- org.springframework.boot:spring-boot-starter-test:jar:2.1.12.RELEASE:test
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.1.12.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:2.1.12.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:2.1.12.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:2.1.12.RELEASE:compile
[INFO] |  |  |  +- ch.qos.logback:logback-classic:jar:1.2.3:compile
[INFO] |  |  |  |  \- ch.qos.logback:logback-core:jar:1.2.3:compile
[INFO] |  |  |  +- org.apache.logging.log4j:log4j-to-slf4j:jar:2.11.2:compile
[INFO] |  |  |  |  \- org.apache.logging.log4j:log4j-api:jar:2.11.2:compile
[INFO] |  |  |  \- org.slf4j:jul-to-slf4j:jar:1.7.30:compile
[INFO] |  |  +- javax.annotation:javax.annotation-api:jar:1.3.2:compile
[INFO] |  |  \- org.yaml:snakeyaml:jar:1.23:runtime
[INFO] |  +- org.springframework.boot:spring-boot-test:jar:2.1.12.RELEASE:test
[INFO] |  +- org.springframework.boot:spring-boot-test-autoconfigure:jar:2.1.12.RELEASE:test
[INFO] |  +- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO] |  |  +- net.minidev:json-smart:jar:2.3:test
[INFO] |  |  |  \- net.minidev:accessors-smart:jar:1.2:test
[INFO] |  |  |     \- org.ow2.asm:asm:jar:5.0.4:test
[INFO] |  |  \- org.slf4j:slf4j-api:jar:1.7.30:compile
[INFO] |  +- junit:junit:jar:4.12:test
[INFO] |  +- org.assertj:assertj-core:jar:3.11.1:test
[INFO] |  +- org.mockito:mockito-core:jar:2.23.4:test
[INFO] |  |  +- net.bytebuddy:byte-buddy:jar:1.9.16:test
[INFO] |  |  +- net.bytebuddy:byte-buddy-agent:jar:1.9.16:test
[INFO] |  |  \- org.objenesis:objenesis:jar:2.6:test
[INFO] |  +- org.hamcrest:hamcrest-core:jar:1.3:test
[INFO] |  +- org.hamcrest:hamcrest-library:jar:1.3:test
[INFO] |  +- org.skyscreamer:jsonassert:jar:1.5.0:test
[INFO] |  |  \- com.vaadin.external.google:android-json:jar:0.0.20131108.vaadin1:test
[INFO] |  +- org.springframework:spring-core:jar:5.1.13.RELEASE:compile
[INFO] |  |  \- org.springframework:spring-jcl:jar:5.1.13.RELEASE:compile
[INFO] |  +- org.springframework:spring-test:jar:5.1.13.RELEASE:test
[INFO] |  \- org.xmlunit:xmlunit-core:jar:2.6.3:test
[INFO] \- org.springframework.integration:spring-integration-test:jar:5.1.9.RELEASE:test
[INFO]    \- org.springframework.integration:spring-integration-test-support:jar:5.1.9.RELEASE:test

As you see, there is no mention of version 5.1.11 at all. Something different is going on in your project... It even feels like it is not based on the Spring Boot parent...

Any chance that you can share with us a simple project to reproduce?

Thanks for understanding!
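The disagreement in this thread comes down to what `mvn dependency:tree` actually resolves for `org.springframework:spring-core`. The following script is an added example, not code from the issue or from Spring Integration: it parses dependency-tree output and reports any resolved version of a given artifact that is older than a required minimum. Both trees embedded below are constructed samples: the first models a project that consumes `spring-integration-core` without Spring Boot's dependency management (so Spring Core resolves to 5.1.11), the second models the same project under the Spring Boot 2.1.12 parent, where the managed 5.1.13 version wins, as in the tree posted above.

```python
"""Report resolved versions of an artifact in `mvn dependency:tree` output.

Added example for this issue thread; it is not part of Spring Integration.
Both trees below are constructed samples, not real build output.
"""
from typing import List, Tuple

# Constructed sample 1: spring-integration-core pulled in with no Spring Boot
# dependency management, so its own transitive Spring Core 5.1.11 is kept.
TREE_UNMANAGED = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] \\- org.springframework.integration:spring-integration-core:jar:5.1.9.RELEASE:compile
[INFO]    +- org.springframework:spring-context:jar:5.1.11.RELEASE:compile
[INFO]    |  \\- org.springframework:spring-core:jar:5.1.11.RELEASE:compile
[INFO]    \\- org.springframework:spring-messaging:jar:5.1.11.RELEASE:compile
"""

# Constructed sample 2: the same project under the Spring Boot 2.1.12 parent;
# Boot's managed versions override the transitive ones (5.1.13).
TREE_MANAGED = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] \\- org.springframework.boot:spring-boot-starter-integration:jar:2.1.12.RELEASE:compile
[INFO]    \\- org.springframework.integration:spring-integration-core:jar:5.1.9.RELEASE:compile
[INFO]       +- org.springframework:spring-context:jar:5.1.13.RELEASE:compile
[INFO]       |  \\- org.springframework:spring-core:jar:5.1.13.RELEASE:compile
[INFO]       \\- org.springframework:spring-messaging:jar:5.1.13.RELEASE:compile
"""

Dependency = Tuple[str, str, str, str]  # (groupId, artifactId, version, scope)


def parse_tree(text: str) -> List[Dependency]:
    """Extract (group, artifact, version, scope) from each coordinate line."""
    deps: List[Dependency] = []
    for raw in text.splitlines():
        line = raw.replace("[INFO]", "", 1)
        line = line.lstrip(" |+\\-")  # drop the tree-drawing characters
        if not line:
            continue
        if " (" in line:
            # -Dverbose annotations: skip artifacts Maven reports as omitted,
            # since they never reach the classpath.
            if "omitted" in line:
                continue
            line = line.split(" (", 1)[0]
        parts = line.strip().split(":")
        if len(parts) < 4:  # plugin banners and other non-coordinate lines
            continue
        group, artifact = parts[0], parts[1]
        if len(parts) == 4:  # root project: groupId:artifactId:type:version
            version, scope = parts[3], "root"
        else:                # groupId:artifactId:type[:classifier]:version:scope
            version, scope = parts[-2], parts[-1]
        deps.append((group, artifact, version, scope))
    return deps


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a version string, e.g. '5.1.13.RELEASE' -> (5, 1, 13)."""
    nums: List[int] = []
    for part in version.split("."):
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums)


def resolved_versions(text: str, group: str, artifact: str) -> List[str]:
    """All distinct versions of group:artifact present in the tree, oldest first."""
    found = {v for g, a, v, _ in parse_tree(text) if g == group and a == artifact}
    return sorted(found, key=version_key)


def versions_below(text: str, group: str, artifact: str, minimum: str) -> List[str]:
    """Versions of group:artifact in the tree that are older than `minimum`."""
    return [v for v in resolved_versions(text, group, artifact)
            if version_key(v) < version_key(minimum)]


if __name__ == "__main__":
    for name, tree in (("unmanaged", TREE_UNMANAGED), ("boot-managed", TREE_MANAGED)):
        seen = resolved_versions(tree, "org.springframework", "spring-core")
        old = versions_below(tree, "org.springframework", "spring-core", "5.1.13")
        print(f"{name}: spring-core resolved to {seen}; below 5.1.13: {old or 'none'}")
```

To run it against a real build, save the output of `mvn dependency:tree` (narrowed with `-Dincludes=org.springframework:spring-core` if you only care about that artifact) and pass the text to `versions_below`. An empty result for the Boot-managed tree is exactly what the dependency tree posted above shows: the version a transitive dependency declares is irrelevant once Spring Boot's dependency management is in play.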

artembilan commented 4 years ago

Closed as Invalid with no activity from the reporter.

Feel free to reopen if there is any news about what could be adapted in this project and how.

Thank you!