
We have a Spring Boot based project that uses Maven as the build tool. We recently found that Spring-Beans (5.2.13), which is a transitive dependency, has been reported to have the vulnerability CVE-2022-22965.

The parent pom contains the spring-boot-starter-parent

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.3.9.RELEASE</version>
</parent>

The transitive dependency of Spring-Beans(5.2.13.RELEASE) is getting added by spring-boot-starter-web-2.3.9.RELEASE.jar

To fix the vulnerability we have tried the following two approaches:

1) Added a new spring-beans version in the dependency section of parent pom.xml

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-beans</artifactId>
    <version>5.2.22.RELEASE</version>
</dependency>

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-core</artifactId>
    <version>5.3.20</version>
</dependency>

Also, we had to update Spring-core to 5.3.20 from 5.2.13, as we were getting incompatibility issues.

2) Updating the spring-boot-starter-parent to the latest version

<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.0</version>
    <!-- <parent> only accepts groupId, artifactId, version and relativePath;
         a <type> element here is rejected by Maven as an unrecognised tag -->
</parent>

In the second approach we are facing the following error and build failure:

java.lang.NoSuchMethodError: org.mockito.Answers.get()Lorg/mockito/stubbing/Answer;
java.lang.NoClassDefFoundError: Could not initialize class org.mockito.Mockito
    at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:365)
    at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:273)
    at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:238)
    at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:159)

Which is the better approach, and is there another way in which we can update the version and remove the vulnerability? What is the correct method to do it?

somya gaur
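As an added check that is not part of the question, here is a small Python script that reads `mvn dependency:tree` output and flags the two things the thread turns on: a resolved spring-beans still below the release that fixes CVE-2022-22965, and Spring Framework modules resolved at different versions, which is exactly what approach 1 produces. The two tree excerpts are constructed, not taken from the asker's build; the fix releases (5.2.20 for the 5.2 line, 5.3.18 for the 5.3 line) are the published ones.

```python
import re
from typing import Dict, List, Tuple

# Constructed `mvn dependency:tree` excerpts (not from the question's build).
# Boot 2.3.9 resolves every Spring Framework module at 5.2.13.RELEASE:
VULNERABLE_TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.3.9.RELEASE:compile
[INFO] |  +- org.springframework:spring-web:jar:5.2.13.RELEASE:compile
[INFO] |  |  \\- org.springframework:spring-beans:jar:5.2.13.RELEASE:compile
[INFO] |  \\- org.springframework:spring-core:jar:5.2.13.RELEASE:compile
"""
# The same project after approach 1 (spring-beans and spring-core pinned by hand):
MIXED_TREE = """\
[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.3.9.RELEASE:compile
[INFO] |  \\- org.springframework:spring-web:jar:5.2.13.RELEASE:compile
[INFO] +- org.springframework:spring-beans:jar:5.2.22.RELEASE:compile
[INFO] \\- org.springframework:spring-core:jar:5.3.20:compile
"""

# groupId:artifactId:jar:version:scope, as printed by dependency:tree
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+):(\w+)")
# First Spring Framework release per minor line that fixes CVE-2022-22965
FIXED_IN = {(5, 2): (5, 2, 20), (5, 3): (5, 3, 18)}

def parse_version(v: str) -> Tuple[int, ...]:
    """'5.2.22.RELEASE' -> (5, 2, 22); the textual qualifier is dropped."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def resolved_spring_modules(tree: str) -> Dict[str, str]:
    """artifactId -> version for every org.springframework module Maven resolved."""
    return {a: v for g, a, v, _ in COORD.findall(tree) if g == "org.springframework"}

def audit(tree: str) -> List[str]:
    """Report a still-vulnerable spring-beans and any mixing of Framework versions."""
    findings = []
    mods = resolved_spring_modules(tree)
    if "spring-beans" in mods:
        ver = parse_version(mods["spring-beans"])
        fixed = FIXED_IN.get(ver[:2])
        if fixed is None or ver < fixed:
            findings.append(f"spring-beans {mods['spring-beans']} is affected by CVE-2022-22965")
    if len(set(mods.values())) > 1:  # hand-pinning single modules produces exactly this
        findings.append("mixed Spring Framework versions: "
                        + ", ".join(f"{a}={v}" for a, v in sorted(mods.items())))
    return findings

if __name__ == "__main__":
    for name, tree in (("vulnerable", VULNERABLE_TREE), ("mixed", MIXED_TREE)):
        print(name, audit(tree) or ["ok"])
```

Against a real build, feed it the output of `mvn dependency:tree` for the module that packages the application, since that is the classpath that actually ships.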
  • I'd prefer upgrading the `spring-boot-starter-parent` version, so that you get a consistent set of dependencies. This may help with your Mockito problem: https://stackoverflow.com/questions/71973762/java-lang-nosuchmethoderror-org-mockito-answers-getlorg-mockito-stubbing-answ – tgdavies Jun 13 '22 at 09:57
  • Don't... This will only lead to errors, as you are now mixing jars from different versions of a framework; never mix versions. – M. Deinum Jun 13 '22 at 10:01
  • I strongly recommend upgrading the project to the most recent version of Spring Boot (2.7.0); your version `2.3.9.RELEASE` is old... (see for details: https://spring.io/projects/spring-boot#support) – khmarbaise Jun 13 '22 at 10:01
  • Upgrading Spring Boot is the proper way. However, you are upgrading 4 versions (2.4, 2.5, 2.6, 2.7) which have significant changes. Judging from the error you get, you are trying to add dependencies yourself and with that work around Spring Boot and its dependency management, leading to issues. That, or you are using / configuring plugins in the wrong way. – M. Deinum Jun 13 '22 at 10:03
  • Do NOT handle the versions of dependencies yourself; that's simply the wrong way... use the ones which are done by the parent/spring-boot-dependencies etc. – khmarbaise Jun 13 '22 at 10:04
