Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Override logback version to 1.2.13 #5595

Merged
merged 1 commit into from
Dec 7, 2023
Merged

Override logback version to 1.2.13 #5595

merged 1 commit into from
Dec 7, 2023

Conversation

onobc
Copy link
Contributor

@onobc onobc commented Dec 7, 2023
edited
Loading

This commit overrides the logback version in order to fix CVE-2023-6378.

See #5593

Before changes

 cbono@cbono-a01 spring-cloud-dataflow % ./mvnw clean dependency:tree -Dincludes='ch.qos.logback' | grep -e  '1.2.12' | wc -l
      96
cbono@cbono-a01 spring-cloud-dataflow % ./mvnw clean dependency:tree -Dincludes='ch.qos.logback' | grep -e  '1.2.13' | wc -l
       0

After changes

cbono@cbono-a01 spring-cloud-dataflow % ./mvnw clean dependency:tree -Dincludes='ch.qos.logback' | grep -e  '1.2.12' | wc -l
       0
cbono@cbono-a01 spring-cloud-dataflow % ./mvnw clean dependency:tree -Dincludes='ch.qos.logback' | grep -e  '1.2.13' | wc -l
      96

onobc
onobc commented Dec 7, 2023
View reviewed changes
spring-cloud-dataflow-build/spring-cloud-dataflow-build-dependencies/pom.xml
@@ -87,13 +88,6 @@
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since our parent is SBD, having the direct import of SBD does nothing other than removes the ability to do easy version overrides such as https://github.com/spring-cloud/spring-cloud-dataflow/pull/5595/files#diff-7059f95906ccc5bf99ecd1a8702cabced0dc3f24f787c8d32281c624e4f33943R42.

onobc
onobc commented Dec 7, 2023
View reviewed changes
spring-cloud-dataflow-parent/pom.xml
@@ -113,6 +114,22 @@
<artifactId>spring-security-oauth2-client</artifactId>
<version>${spring-security.version}</version>
</dependency>
<!-- Override Logback provided by Spring Boot -->
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because we do NOT inherit from SBD all we have to do is declare the dep. mgmt. above the SBD dep. mgmt (background).

onobc
onobc commented Dec 7, 2023
View reviewed changes
spring-cloud-dataflow-build/spring-cloud-dataflow-build-dependencies/pom.xml Outdated
@@ -39,6 +39,7 @@
<kubernetes-fabric8-client.version>5.12.4</kubernetes-fabric8-client.version>
<junit.version>4.13.1</junit.version>
<junit-jupiter.version>5.9.2</junit-jupiter.version>
<logback.version>1.3.14</logback.version>
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that I have removed the direct import of SBD, we can simply override the version (background).

@onobc
Override logback version to 1.2.13
cc17eb3 
This commit overrides the logback version in order to fix CVE-2023-6378.

See spring-cloud#5593
@onobc onobc force-pushed the GH-5593-logback-cve-fix branch from 5964c5e to cc17eb3 Compare December 7, 2023 01:13
@onobc onobc changed the title Override logback version to 1.13.14 Override logback version to 1.2.13 Dec 7, 2023
@corneil corneil self-requested a review December 7, 2023 09:46
@onobc onobc merged commit 8143226 into spring-cloud:main Dec 7, 2023
3 checks passed
@onobc onobc deleted the GH-5593-logback-cve-fix branch December 7, 2023 17:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@corneil corneil corneil approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@onobc @corneil