Fixing Open source Vulnerabilities in Java

 
Ranch Hand
In our project, we have close to around 200 Spring Boot microservices. We are in the process of fixing the open-source vulnerabilities for these microservices. Our microservices are Spring Boot based, and the version that is currently available is 2.3.X. While upgrading the Spring Boot parent version, I have the queries below:

  • When upgrading the Spring Boot version, is there any guiding principle based on which we need to select the version of Spring Boot? Currently, when I checked the Maven repository for the Spring Boot parent, the latest version available is 3.0. Can I directly update to the latest version, or are there any parameters to be considered while selecting the latest version?
  • In our project, we also have the Spring Cloud dependencies. I checked the Spring site (https://spring.io/projects/spring-cloud) and was able to get the Spring Cloud version compatible with the Spring Boot version. I could get this only for Spring Cloud. Is there any site available which provides the compatibility details for the other jars, like spring-core etc.?

  • Any inputs on the above are really appreciated.
     
    Sheriff
    Any version other than 2.7.6 and 3.0.0 (or higher) should be ignored. Everything before version 2.7 is already end-of-life unless you have paid support.

    You can upgrade to Spring Boot 3.0.0, but that's going to be a pretty big step from 2.3.x. The two biggest changes:
  • It requires Java 17 or higher (yes, really!)
  • It switches from Jakarta EE 8 (javax package prefixes) to Jakarta EE 9 (jakarta package prefixes)


    If I were you, I'd upgrade to Spring Boot 2.7.6 now (and then keep updating to the latest patch versions). A lot will still work; I have created a Spring Boot starter that I haven't had to change since Spring Boot 2.2.x. There may be some issues though, but these can mostly be solved by reading the release notes:
  • 2.4
  • 2.5
  • 2.6
  • 2.7

    Once you're using Spring Boot 2.7, you can start migrating to Spring Boot 3.x; version 2.7 isn't going to be end-of-life until November next year. Fortunately, there's a migration guide: https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-3.0-Migration-Guide.
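As an added example (not code from either post above), this is what a minimal Maven POM for one of these services looks like after the suggested step to Spring Boot 2.7.6, with the Spring Cloud BOM imported so that the spring-cloud-starter-* artifacts and the Spring Framework jars (spring-core and friends) take their versions from the two BOMs instead of from hand-written `<version>` elements. The service coordinates (`com.example:demo-service`), the Java version and the exact Spring Cloud patch (2021.0.5, from the 2021.0.x train that the Spring Cloud page lists for Boot 2.7) are assumptions to check against the project page before copying.

```xml
<!-- Added example, not from the original posts: a Spring Boot 2.7.6 service POM.
     Assumptions: service coordinates, java.version, and the Spring Cloud patch
     release (2021.0.5) are placeholders to verify against spring.io/projects/spring-cloud. -->
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <!-- One place to set the Boot version. The parent pulls in the
       spring-boot-dependencies BOM, which pins spring-core, spring-web,
       Tomcat, Jackson, logging etc. to the versions tested with this release. -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.6</version>
    <relativePath/>
  </parent>

  <groupId>com.example</groupId>
  <artifactId>demo-service</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <java.version>11</java.version>
    <!-- Release train, not an individual artifact version. Do NOT also set
         spring-framework.version here: overriding the parent's property is the
         usual way a spring-core that does not match the Boot release sneaks in. -->
    <spring-cloud.version>2021.0.5</spring-cloud.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Import the Spring Cloud BOM so spring-cloud-starter-* entries below
           need no <version>: the train supplies versions built for this Boot line. -->
      <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-dependencies</artifactId>
        <version>${spring-cloud.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- No <version> on any of these; the parent and the imported BOM decide. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-starter-config</artifactId>
    </dependency>
  </dependencies>
</project>
```

For the second question in the original post: the `spring-boot-starter-parent` already pins every Spring Framework jar through the `spring-boot-dependencies` BOM, so spring-core needs no separate compatibility lookup; the exact managed versions for each Boot release are listed in the "Dependency Versions" appendix of that release's reference documentation. Two checks worth running after bumping the parent: `mvn dependency:tree -Dincludes=org.springframework` shows which spring-core version actually resolved (a stray `<version>` element or a `spring-framework.version` override shows up there as a mismatch against the parent), and `mvn versions:display-dependency-updates` from the versions-maven-plugin lists newer patch releases for the ongoing "keep updating to the latest patch versions" advice.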