Comprehensive Dependency and Security Upgrade: Spring Boot 2.7.18, Java 17, and 20+ CVE Fixes #204
Open
devin-ai-integration[bot] wants to merge 17 commits into master from
Conversation
Update jackson-core, jackson-databind, and jackson-datatype-jsr310 from version 2.9.7 to 2.17.1 to address multiple CVEs including CVE-2019-12086, CVE-2019-14379, CVE-2019-14540, CVE-2019-16335, and CVE-2019-17531.
Co-Authored-By: Wes Convery <2wconvery@gmail.com>
- Flyway: 6.0.0 -> 9.22.3 (latest 9.x, Java 8+ compatible)
- MySQL Connector: mysql:mysql-connector-java:8.0.33 -> com.mysql:mysql-connector-j:8.4.0 (artifact renamed)
Co-Authored-By: Wes Convery <2wconvery@gmail.com>
- docker-compose.yml: Replace hardcoded MySQL passwords with env var references using defaults
- ftgo-flyway/build.gradle: Replace hardcoded Flyway credentials with env var references
- build.gradle: Remove deprecated jcenter() repository (mavenCentral() already present)
Co-Authored-By: Wes Convery <2wconvery@gmail.com>
- JAXB: Replace jaxb-api 2.2.11 + jaxb-core/jaxb-impl with jaxb-api 2.3.1 + jaxb-runtime 2.3.9
- commons-lang: Migrate from commons-lang 2.6 to commons-lang3 3.14.0 (build files and all Java imports)
- javax.el: Upgrade javax.el-api from 2.2.5 to 3.0.0 in 4 service modules
- Micrometer: Upgrade from 1.0.4 to 1.13.0
Co-Authored-By: Wes Convery <2wconvery@gmail.com>
- Remove springfox-swagger2 and springfox-swagger-ui dependencies
- Add springdoc-openapi-ui:1.8.0 (compatible with Spring Boot 2.x)
- Replace Docket/EnableSwagger2 configuration with GroupedOpenApi and OpenAPI beans
- No changes needed to service configuration files (they only import CommonSwaggerConfiguration)
Co-Authored-By: Wes Convery <2wconvery@gmail.com>
…h 2.9.0
- JUnit: 4.12 -> 4.13.2 (fixes CVE-2020-15250) in ftgo-domain, ftgo-test-util
- REST Assured: 2.9.0 -> 5.4.0 in gradle.properties
- Updated groupId from com.jayway.restassured to io.rest-assured in ftgo-consumer-service, ftgo-restaurant-service, ftgo-end-to-end-tests-common
- Updated hardcoded 3.0.6 versions to use $restAssuredVersion variable in ftgo-order-service, ftgo-courier-service
- Updated Java imports from com.jayway.restassured to io.restassured in AbstractEndToEndTests.java
- json-path: 2.3.0 -> 2.9.0 in ftgo-consumer-service, ftgo-restaurant-service, ftgo-end-to-end-tests-common
Co-Authored-By: Wes Convery <2wconvery@gmail.com>
Replace static schema.sql with init-db.sh shell script that reads MYSQL_USER at container startup, ensuring custom users get proper privileges on the ftgo database. Addresses Devin Review feedback about hardcoded username in GRANT.
Co-Authored-By: Wes Convery <2wconvery@gmail.com>
- Update springBootVersion from 2.0.3.RELEASE to 2.7.18
- Update springDependencyManagementPluginVersion from 1.0.3.RELEASE to 1.1.4
- Update sourceCompatibility/targetCompatibility from 1.8 to 17
- Upgrade Gradle wrapper from 4.10.2 to 7.6.4 (required by Spring Boot 2.7.x)
- Migrate deprecated Gradle configurations:
  - compile -> api (java-library plugin)
  - testCompile -> testImplementation
  - runtime -> runtimeOnly
- Update IntegrationTestsPlugin for Gradle 7 API changes
Co-Authored-By: Wes Convery <2wconvery@gmail.com>
…enter' into devin/1777649990-consolidated-security-upgrades
Co-Authored-By: Wes Convery <2wconvery@gmail.com>
…nto devin/1777649990-consolidated-security-upgrades
…flicts with task3
Co-Authored-By: Wes Convery <2wconvery@gmail.com>
…nto devin/1777649990-consolidated-security-upgrades
Co-Authored-By: Wes Convery <2wconvery@gmail.com>
…olve all conflicts
Co-Authored-By: Wes Convery <2wconvery@gmail.com>
…ventuate-util-test upgrade, add JUnit dependency
Co-Authored-By: Wes Convery <2wconvery@gmail.com>
Summary
Consolidated upgrade of all major dependencies across the ftgo-monolith codebase, addressing 20+ CVEs, replacing deprecated libraries, and modernizing the build infrastructure. This PR merges the work from 8 parallel task branches:
Changes by Task
- devin/task1-upgrade-docker-base-images: openjdk:8u171-jre-alpine → eclipse-temurin:17-jre-alpine, mysql:5.7.13 → mysql:8.0
- devin/task2-upgrade-spring-boot-java: 2.0.3.RELEASE → 2.7.18, Java 1.8 → 17, Gradle 4.10.2 → 7.6.4
- devin/task3-upgrade-jackson: 2.9.7 → 2.17.1 (fixes CVE-2019-12086, CVE-2019-14379, CVE-2019-14540, CVE-2019-16335, CVE-2019-17531, and 20+ more)
- devin/task4-replace-springfox: 2.8.0 → springdoc-openapi 1.8.0
- devin/task5-upgrade-jaxb-commons-el-micrometer: 2.2.11 → 2.3.1/2.3.9, commons-lang 2.6 → commons-lang3 3.14.0, javax.el 2.2.5 → 3.0.0, Micrometer 1.0.4 → 1.13.0
- devin/task6-upgrade-test-deps: 4.12 → 4.13.2 (CVE-2020-15250), REST Assured 2.9.0 → 5.4.0, json-path 2.3.0 → 2.9.0
- devin/task7-upgrade-flyway-mysql-connector: 6.0.0 → 9.22.3, MySQL Connector mysql-connector-java:8.0.33 → mysql-connector-j:8.4.0
- devin/task8-fix-creds-replace-jcenter: jcenter()
Task 9: Post-Merge Fixes
- MoneyModule.java: replaced removed DeserializationContext.mappingException() with JsonMappingException.from() (Jackson 2.12+ API change)
- eventuate-util-test from 0.1.0.RELEASE to 0.18.0.RELEASE (old version only on dead Bintray repo)
- ftgo-common (needed after compile → testImplementation migration)
- compile → api, testCompile → testImplementation, runtime → runtimeOnly
CVEs Fixed
Review & Testing Checklist for Human
- ./gradlew clean build -x :ftgo-application:test -x :ftgo-end-to-end-tests:test to verify compilation and unit tests pass (integration tests require a running MySQL)
- docker-compose up and verify MySQL 8.0 starts with the mysql_native_password auth plugin
- /swagger-ui.html (now powered by springdoc-openapi)
- MYSQL_ROOT_PASSWORD, MYSQL_USER, MYSQL_PASSWORD environment variable overrides work in docker-compose
Notes
- ftgo-application:test, ftgo-end-to-end-tests:test) require a running MySQL database and will fail without one — this is pre-existing behavior, not a regression
- ftgo-order-service has a deprecation warning for new Long(long) — minor, not addressed in this PR
Link to Devin session: https://app.devin.ai/sessions/8de07287502d4e5e8eb0915934907c1e
Requested by: @WesternConcrete
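The PR replaces a static schema.sql with an init-db.sh that reads MYSQL_USER at container startup and moves the credentials in docker-compose.yml to env var references with defaults. As an added example (not the PR's own init-db.sh), the fragment below shows how such a script can derive the GRANT on the ftgo database from MYSQL_USER while refusing names that could alter the statement; the default user name ftgo_user and the any-host grant are assumptions, not values from the PR.

```shell
#!/bin/sh
# Added example, not the PR's init-db.sh: derive the GRANT for the ftgo
# database from the MYSQL_USER environment variable instead of hardcoding a
# user name. The default "ftgo_user" and the '%' host are assumptions.

# Resolve the user the same way the docker-compose defaults do (${VAR:-default}).
resolve_user() {
    printf '%s\n' "${MYSQL_USER:-ftgo_user}"
}

# Accept only a conservative identifier charset so that a value taken from
# the environment cannot smuggle extra SQL into the GRANT statement.
validate_user() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Emit the SQL that grants the given user privileges on ftgo. Returns
# non-zero (and prints nothing to stdout) when the name fails validation.
ftgo_grant_sql() {
    user="$1"
    validate_user "$user" || {
        echo "init-db.sh: refusing invalid MYSQL_USER '$user'" >&2
        return 1
    }
    printf "GRANT ALL PRIVILEGES ON ftgo.* TO '%s'@'%%';\n" "$user"
    printf 'FLUSH PRIVILEGES;\n'
}

# The official mysql image runs *.sh files from /docker-entrypoint-initdb.d
# at first start with MYSQL_* already in the environment, so a real script
# would feed the output to the client, e.g.:
#   ftgo_grant_sql "$(resolve_user)" | mysql -uroot -p"$MYSQL_ROOT_PASSWORD"
```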
Devin Review