fix: Remediate Snyk SAST high/critical vulnerabilities via dependency upgrades #571
Open
devin-ai-integration[bot] wants to merge 4 commits into master from
Conversation
…abilities
- Spring Boot: 2.6.3 -> 2.7.18 (fixes Spring Framework, Security, Tomcat, Jackson, Logback, SnakeYAML CVEs)
- Spring Dependency Management: 1.0.11.RELEASE -> 1.1.4
- DGS Framework: 4.9.21 -> 5.5.1 (fixes graphql-java CVEs)
- DGS Codegen: 5.0.6 -> 5.6.9
- graphql-java: pinned to 19.2 (fixes DoS/Stack Overflow CVEs)
- sqlite-jdbc: 3.36.0.3 -> 3.42.0.0 (fixes Arbitrary Code Execution CVE)
- jjwt: 0.11.2 -> 0.11.5
- json-smart: constrained to 2.4.9 (fixes DoS CVE)
- snakeyaml: overridden to 2.0 (fixes DoS/Code Execution CVEs)
- Spotless: 6.2.1 -> 6.25.0 (Java 17 compatibility)
- Updated GraphQL PageInfo usage to match DGS 5.x generated types

Co-Authored-By: Abhay Aggarwal <abhay.aggarwal@codeium.com>
…ritical CVEs
- Tomcat: 9.0.83 -> 9.0.104 (fixes auth bypass, path traversal, DoS CVEs)
- Spring Security: 5.7.11 -> 5.7.13 (fixes access control, missing auth CVEs)
- Spring Framework: 5.3.31 -> 5.3.33 (fixes open redirect, incomplete cleanup CVEs)
- Logback: 1.2.12 -> 1.2.13 (fixes DoS CVE)
- Jackson BOM: 2.13.5 -> 2.15.4 (fixes allocation/DoS/buffer overflow CVEs)
- Commons Lang3: 3.12.0 -> 3.18.0 (fixes uncontrolled recursion CVE)
- Added resolutionStrategy to force graphql-java 19.2 (DGS compatibility)

Co-Authored-By: Abhay Aggarwal <abhay.aggarwal@codeium.com>
…VE fixes
- Tomcat: 9.0.104 -> 9.0.117 (latest 9.0.x, fixes cert validation, auth, path traversal CVEs)
- Jackson BOM: 2.15.4 -> 2.18.6 (fixes resource allocation/DoS CVEs)

Co-Authored-By: Abhay Aggarwal <abhay.aggarwal@codeium.com>
Summary
Upgrades project dependencies to remediate high and critical severity vulnerabilities identified by a Snyk SCA scan. The original scan found 200+ vulnerabilities across transitive dependencies. This PR reduces that to ~152 total and drops high/critical issues from 131 → 57, with the remaining ones requiring a Spring Boot 3.x migration (Spring 6.x+) to resolve.
Key dependency changes:
Code changes: The DGS 5.5.1 upgrade required updating `ArticleDatafetcher` and `CommentDatafetcher` to use the DGS codegen-generated `io.spring.graphql.types.PageInfo` instead of `graphql.relay.DefaultPageInfo`, since the connection builder types changed between DGS 4.x and 5.x.

Remaining unfixable CVEs (require Spring Boot 3.x / Spring 6.x+ migration):
- `spring-security-crypto@5.7.13` — CRITICAL: Authentication Bypass (fix: 6.3.8+)
- `spring-security-web@5.7.13` — CRITICAL: Cache Sensitive Info (fix: 6.5.9+)
- `spring-beans/core/web/webmvc@5.3.33` — HIGH: Path traversal, authorization, cleanup issues (fix: 6.x+)
- `graphql-java@19.2` — HIGH: DoS/buffer overflow (fix: 19.4+, but incompatible with DGS 5.5.1)

Review & Testing Checklist for Human
- `new Constructor(class)` pattern). Verify the app starts correctly and YAML config parsing works — unit tests may not cover all runtime YAML paths.
- `PageInfo` type was changed from `graphql.relay.DefaultPageInfo` to the DGS codegen-generated type. Verify that GraphQL queries with cursor-based pagination (first/after/last/before) return correct `pageInfo` fields.
- `./gradlew bootRun`, hit `curl http://localhost:8080/tags` to verify startup, then exercise the GraphQL endpoint at `/graphql` with a paginated articles query. Also test article creation, user login, and favoriting to exercise Jackson serialization paths.

Notes
- `DefaultJwtServiceTest.java` change is purely a Spotless reformatting (line wrap).
- `mybatis-spring-boot-starter` was intentionally kept at 2.2.2 as it had no high/critical CVEs.
- `graphql-java` is pinned to 19.2 via both `ext` property and `resolutionStrategy` because the DGS 5.5.1 platform BOM was allowing a downgrade to 18.5 (which lacks `RuntimeWiring.transform()`). Versions 19.4+ break DGS 5.5.1 due to removal of that method.

Link to Devin session: https://app.devin.ai/sessions/dc88039c316841b3a091eb0d202113e6
Requested by: @abhay-codeium
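The pinning described in the notes, as an added Gradle (Groovy DSL) illustration that is not the PR's own build file: it forces the three transitive versions the PR settled on and adds a guard task that fails the build if any BOM later resolves them differently. It assumes a `build.gradle` with the `java` plugin applied, so that `runtimeClasspath` and `check` exist.

```groovy
// Added example, not the PR's build.gradle. Assumes the java plugin is applied
// and the DGS platform / Spring Boot BOMs are imported elsewhere in the build.
configurations.all {
    resolutionStrategy {
        // DGS 5.5.1's platform BOM can resolve graphql-java down to 18.5, which
        // lacks RuntimeWiring.transform(); 19.4+ removes that method and breaks
        // DGS 5.5.1, so hold the exact version the PR settled on.
        force 'com.graphql-java:graphql-java:19.2'
        // Transitive CVE fixes named in the PR: snakeyaml 2.0, json-smart 2.4.9.
        force 'org.yaml:snakeyaml:2.0'
        force 'net.minidev:json-smart:2.4.9'
    }
}

// Guard task: fail the build if the resolved runtime classpath drifts from the
// pinned versions, so a future BOM bump cannot silently reintroduce a CVE or
// the RuntimeWiring.transform() incompatibility.
tasks.register('checkPinnedVersions') {
    doLast {
        def expected = [
            'com.graphql-java:graphql-java': '19.2',
            'org.yaml:snakeyaml'           : '2.0',
            'net.minidev:json-smart'       : '2.4.9',
        ]
        def resolved = configurations.runtimeClasspath.resolvedConfiguration
            .resolvedArtifacts.collectEntries { art ->
                def id = art.moduleVersion.id
                ["${id.group}:${id.name}".toString(), id.version]
            }
        expected.each { coords, version ->
            assert resolved[coords] == version :
                "${coords} resolved to ${resolved[coords]}, expected ${version}"
        }
    }
}
tasks.named('check') { dependsOn 'checkPinnedVersions' }
```

To see which BOM or dependency requested each candidate version before the force applied, run `./gradlew dependencyInsight --dependency graphql-java --configuration runtimeClasspath`.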