Merge pull request #1397 from Unidata/suppress-spring-cve
upgrade to spring 5
haileyajohnson authored May 26, 2022
2 parents e92d2ab + 813672c commit ca3119f
Showing 3 changed files with 8 additions and 46 deletions.
4 changes: 2 additions & 2 deletions gradle/dependencies.gradle
Expand Up @@ -87,7 +87,7 @@ libraries["unidata-nexus"] = "edu.ucar.unidata:unidata-nexus-gradle:0.0.1"

////////////////////////////////////////// Spring //////////////////////////////////////////

versions["spring"] = "4.3.30.RELEASE"
versions["spring"] = "5.3.20"

libraries["spring-core"] = "org.springframework:spring-core:${versions["spring"]}"

Expand All @@ -101,7 +101,7 @@ libraries["spring-webmvc"] = "org.springframework:spring-webmvc:${versions["spri

////////////////////////////////////////// Spring security //////////////////////////////////////////

versions["spring-security"] = "3.2.5.RELEASE"
versions["spring-security"] = "5.6.5"

libraries["spring-security-config"] = "org.springframework.security:spring-security-config:${versions["spring-security"]}"

Expand Up @@ -67,54 +67,18 @@
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-beans-4.3.29.RELEASE.jar
reason: only vulnerable for JDK 9+
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring-beans@.*$</packageUrl>
<cve>CVE-2022-22965</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-core-4.3.30.RELEASE.jar
reason: (CVE-2016-1000027) this CVE does not point to a vulnerability in the project itself, it is a vulnerability that occurs with improper use of HTTPInvoker, which we do not use.
(CVE-2022-22965) only vulnerable for JDK 9+.
(CVE-2022-22968) case sensitivity vulnerability in DataBinder disallowedFields, which we do not use
]]></notes>
file name: spring-core-5.3.20.jar
reason: resolved CVE - only valid if using HTTPInvokerServiceExporter
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring-core@.*$</packageUrl>
<cve>CVE-2016-1000027</cve>
<cve>CVE-2022-22965</cve>
<cve>CVE-2022-22968</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-context-4.3.30.RELEASE.jar
reason: case sensitivity vulnerability in DataBinder disallowedFields, which we do not use
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring-context@.*$</packageUrl>
<cve>CVE-2022-22968</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-expression-4.3.30.RELEASE.jar
reason: we do not use SpEL
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring-expression@.*$</packageUrl>
<cve>CVE-2022-22950</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-web-4.3.30.RELEASE.jar
<notes><![CDATA[(
file name: spring-web-5.3.20.jar
reason: resolved CVE - only valid if using HTTPInvokerServiceExporter
]]></notes>
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring-web@.*$</packageUrl>
<cve>CVE-2016-1000027</cve>
</suppress>
<suppress>
<notes><![CDATA[
file name: spring-webmvc-4.3.30.RELEASE.jar
reason: (CVE-2020-5397) vulnerability introduce in 5.2.x
]]></notes>
<packageUrl regex="true">^pkg:maven/org\.springframework/spring-webmvc@.*$</packageUrl>
<cve>CVE-2020-5397</cve>
</suppress>
</suppressions>
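Review bot: The new spring-web note opens with `<notes><![CDATA[(` — the stray `(` was not in the line it replaces; CDATA makes it harmless to the parser, but it is copied verbatim into dependency-check reports, so it should read `<notes><![CDATA[`. The replacement justification "resolved CVE - only valid if using HTTPInvokerServiceExporter" is also weaker than the one it drops: the old spring-core note stated that the project does not use HttpInvoker, which is the fact that actually makes CVE-2016-1000027 inapplicable, whereas the Spring 5.3 upgrade by itself does not remove the affected exporter as far as I know. A note such as `reason: (CVE-2016-1000027) HttpInvokerServiceExporter deserialization; not used by this project` records the condition that must keep holding. Both surviving suppressions match every version (`spring-core@.*`, `spring-web@.*`) and carry no expiry, so they would silently mask the finding if the exporter were ever adopted; adding `<suppress until="<review-date>">` or narrowing the regex to the 5.3 line (e.g. `spring-core@5\.3\..*`) forces the exception to be re-reviewed.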
2 changes: 0 additions & 2 deletions tds/src/main/java/thredds/server/config/TdsContext.java
Expand Up @@ -41,7 +41,6 @@
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;
import org.springframework.web.context.ServletContextAware;
import org.springframework.web.util.Log4jWebConfigurer;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
Expand Down Expand Up @@ -240,7 +239,6 @@ public void destroy() {
logServerStartup.info("TdsContext: Shutting down collection manager");
CollectionUpdater.INSTANCE.shutdown();
logServerStartup.info("TdsContext: shutdownLogging()");
Log4jWebConfigurer.shutdownLogging(servletContext);
}


