My organization started to scan all our applications for vulnerabilities, and the scanner came up with lots of findings.

Some CVEs are easy to fix, but some require extra steps, and I wonder how to properly fix CVEs in transitive dependencies, especially Spring Boot transitive dependencies, since in my application we use the spring-boot-starter dependency to pull in all the other Spring-related dependencies.

For example, one of my applications still uses Spring Boot version 2.6.2, and the CVE findings include CVE-2022-22978, so I need to upgrade the spring-security-core dependency to at least version 5.6.9. Is it better to upgrade the Spring Boot version to the latest, 2.6.14, or just to upgrade the spring-security-core dependency? My concern is that upgrading the Spring Boot version to the latest will somehow break my application and cause a major change to it.

  1. How do we properly fix a CVE issue in a transitive dependency while the direct dependency has not released its fix yet?
  2. Is it safe to just upgrade a specific transitive dependency? How do we know if the upgraded transitive dependency is compatible with its direct dependency?
Aleson
    You are at greater risk, imho, by updating a single dependency than by upgrading a version of Spring Boot. If you upgrade a single dependency (in this case 1 jar from Spring Security) you run the risk of getting incompatible combinations of jars, leading to all sorts of fun and weird things to debug. – M. Deinum Jan 03 '23 at 08:15
  • Thank you @M.Deinum for your input, I have been scratching my head over which is the proper approach and which is the troublesome one – Aleson Jan 03 '23 at 08:36
  • As @M.Deinum already mentioned, fixing one dependency of Spring Boot can get you in trouble. It would be much better to update Spring Boot because there may be other vulnerabilities in other dependencies that simply were not discovered. – Simon Martinelli Jan 03 '23 at 09:26

1 Answer

Probably the risk of breaking your application is higher when upgrading a single Spring library than when upgrading the whole framework.

Usually an upgrade that modifies only the third version number is safe, and for bigger upgrades Spring provides a migration guide. For example, see this page for upgrading from Spring Boot 2.6.x to 2.7.x.

One of the best jobs done by Spring Boot is managing dependencies: it manages not only the versions of its own libraries but also the versions of many well-known libraries often used with Spring Boot, like Hibernate, Logback and Jackson. This is done by spring-boot-dependencies or, even better, by spring-boot-starter-parent (the latter also manages the versions of many Maven plugins). From your question it is not clear whether you are using one of them or not; if not, I recommend reading this page of the official documentation.

I use spring-boot-starter-parent and, in most cases, to remove CVEs (not only in Spring!) or to upgrade anything for any reason, I simply upgrade the version of spring-boot-starter-parent (just one line!).

Pino
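The two fixes discussed in the question and the answer, as an added example that is not part of the original post or answer: a Maven pom.xml for a project that inherits from spring-boot-starter-parent. The parent version bump is the one-line upgrade the answer recommends (2.6.2 to 2.6.14, the versions named in the question). The commented-out property is the narrower override the question asks about, done through the property that spring-boot-dependencies itself uses, so that every spring-security-* jar moves together instead of pinning spring-security-core alone (the mismatch the comments warn about). The groupId com.example, the artifactId my-app, the Java version and the two starters listed are placeholders and assumptions, not taken from the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example pom.xml (not from the question or the answer). Assumes the
     project already inherits from spring-boot-starter-parent, as the answer
     recommends. Artifact ids and versions come from the thread; com.example,
     my-app, the Java version and the starters are placeholders. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- Option A (preferred, what the answer describes): bump the parent.
       This one line moves every managed Spring and third-party version
       together, so the resulting set of jars is one that Spring Boot
       was tested with. -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.14</version>   <!-- was 2.6.2 -->
    <relativePath/>
  </parent>

  <groupId>com.example</groupId>
  <artifactId>my-app</artifactId>
  <version>1.0.0</version>

  <properties>
    <java.version>11</java.version>
    <!-- Option B (stop-gap only, while the parent has to stay at 2.6.2):
         override the single property that spring-boot-dependencies uses
         for ALL spring-security-* artifacts (core, config, web, crypto),
         so they move together rather than spring-security-core alone.
         Remove it once the parent is bumped; left in place it would pin
         Spring Security to 5.6.9 even if a newer parent manages a later
         version.

         <spring-security.version>5.6.9</spring-security.version>
    -->
  </properties>

  <dependencies>
    <!-- No <version> on managed dependencies: the parent (or, with option B,
         the overridden property) decides it. Declaring a version here for
         spring-security-core alone is exactly the single-jar pin to avoid. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
  </dependencies>
</project>
```

After either change, check what actually got resolved with `mvn dependency:tree -Dincludes=org.springframework.security` (the `includes` filter matches on groupId here), and confirm that every Spring Security jar listed shows the same version; a mix of versions in that output is the incompatible-jar situation the comments describe. Note that the property override only works when inheriting from spring-boot-starter-parent. If the project instead imports the spring-boot-dependencies BOM in `<dependencyManagement>`, the property is ignored; the equivalent there is to import `org.springframework.security:spring-security-bom` at the wanted version above the spring-boot-dependencies import, because Maven takes the first BOM that declares a given artifact.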