
#11441 update spring expression dependency to get rid of security issue #11432

Merged: 2 commits, Feb 9, 2023

Conversation

@MartinWahnschaffe (Contributor) commented Feb 2, 2023

Fixes #11441

@MartinWahnschaffe MartinWahnschaffe force-pushed the 11032-spring-expression-dependency branch from f0507af to 04854d5 Compare February 6, 2023 09:26
@StefanKock StefanKock changed the title #11032 update spring expression dependency to get rid of security issue #11441 update spring expression dependency to get rid of security issue Feb 6, 2023
@StefanKock (Contributor) left a comment

Findings:

  1. Document version change explicitly in the commit message: spring-context ....... 4.3.30.RELEASE -> 5.3.25
  2. Switch one changed import to org.apache.commons.collections4.CollectionUtils.
  3. Do the same in SormasToSormasShareRequestService and ShareRequestInfoService.
  4. Organize imports in de.symeda.sormas.ui.campaign.expressions.ExpressionProcessor to remove unused imports related to springframework.

Remark: We have only one dependency on org.springframework.context.expression.MapAccessor; the rest of the dependencies are in spring-expression. We could reduce our dependencies to spring-expression & spring-core (1.4 MB) and get rid of spring-context, spring-aop, spring-beans (2.3 MB) if we copy MapAccessor (no other useful replacement found). We could at least exclude spring-aop, spring-beans (1.2 MB) via Maven.

@@ -21,7 +21,7 @@
import com.j256.ormlite.logger.Logger;
import com.j256.ormlite.logger.LoggerFactory;

import org.springframework.util.CollectionUtils;
import org.apache.commons.collections.CollectionUtils;
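Review bot: the replacement import on the last line of this hunk targets `org.apache.commons.collections.CollectionUtils` (the commons-collections 3 package), whereas finding 2 of the review asks for the collections4 package; change the line to `import org.apache.commons.collections4.CollectionUtils;` and apply the same substitution in SormasToSormasShareRequestService and ShareRequestInfoService, as the review requests for those files.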
Inline review comment (Contributor):

Switch to org.apache.commons.collections4.CollectionUtils, also in SormasToSormasShareRequestService and ShareRequestInfoService.

(update spring expression dependency to get rid of security issue)
SpEL is needed for campaigns. Added test to make sure needed dependencies are available on Android
Replaced import of spring utils CollectionUtils with apache commons4
Cleaned up imports of touched files
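An added example (my own code, not the project's) of the Remark's proposal to copy MapAccessor and of the commit note that SpEL is needed for campaigns: a minimal Map-backed PropertyAccessor evaluated with spring-expression alone, inside a restricted SimpleEvaluationContext. It assumes spring-expression 5.3.25 and spring-core on the classpath; the class, field names and form values are constructed sample data.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.expression.AccessException;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.PropertyAccessor;
import org.springframework.expression.TypedValue;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;

/** Added example, not SORMAS code: campaign-style SpEL over form data, using spring-expression only. */
public class CampaignExpressionDemo {

    /** Read-only stand-in for spring-context's MapAccessor: resolves "field" as map.get("field"). */
    static final class MapPropertyAccessor implements PropertyAccessor {
        @Override public Class<?>[] getSpecificTargetClasses() { return new Class<?>[] { Map.class }; }
        @Override public boolean canRead(EvaluationContext ctx, Object target, String name) {
            return target instanceof Map && ((Map<?, ?>) target).containsKey(name);
        }
        @Override public TypedValue read(EvaluationContext ctx, Object target, String name) throws AccessException {
            Map<?, ?> map = (Map<?, ?>) target;
            if (!map.containsKey(name)) throw new AccessException("Unknown form field: " + name);
            return new TypedValue(map.get(name));
        }
        // Expressions only read form values; never let them write back.
        @Override public boolean canWrite(EvaluationContext ctx, Object target, String name) { return false; }
        @Override public void write(EvaluationContext ctx, Object target, String name, Object value) throws AccessException {
            throw new AccessException("Form values are read-only");
        }
    }

    /** Evaluates a boolean expression against a map of form field values. */
    static boolean evaluate(String expression, Map<String, Object> formValues) {
        // SimpleEvaluationContext exposes only the registered accessors: no type references
        // (T(...)), constructors or bean lookups, which a full StandardEvaluationContext would allow.
        EvaluationContext ctx = SimpleEvaluationContext.forPropertyAccessors(new MapPropertyAccessor())
            .withRootObject(formValues)
            .build();
        Boolean result = new SpelExpressionParser().parseExpression(expression).getValue(ctx, Boolean.class);
        return Boolean.TRUE.equals(result);
    }

    public static void main(String[] args) {
        Map<String, Object> form = new HashMap<>(); // constructed sample form data
        form.put("householdSize", 6);
        form.put("hasLatrine", false);
        System.out.println(evaluate("householdSize > 4 and !hasLatrine", form));
    }
}
```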
@MartinWahnschaffe MartinWahnschaffe force-pushed the 11032-spring-expression-dependency branch from 5b82f88 to 90e496e Compare February 9, 2023 06:32
@sormas-vitagroup (Contributor): SonarCloud analysis: Please find the results at https://sonarcloud.io/dashboard?id=SORMAS-Project&pullRequest=11432


@MartinWahnschaffe MartinWahnschaffe merged commit 4fb7468 into development Feb 9, 2023
@MartinWahnschaffe MartinWahnschaffe deleted the 11032-spring-expression-dependency branch February 9, 2023 08:15
Linked issue (may be closed by merging this pull request): Update spring expression dependency to 5.3