I am using spring-boot 2.3.3.RELEASE with the corresponding spring-boot-starter-parent in Maven.
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.3.3.RELEASE</version>
    <relativePath/> <!-- lookup parent from repository -->
</parent>
Due to the spring4shell CVE I wanted to upgrade the spring-framework to 5.2.20.RELEASE instead of the already included 5.2.8.RELEASE. I tried overriding the spring-framework.version property from spring-boot-dependencies.
<spring-framework.version>5.2.20.RELEASE</spring-framework.version>
But it did not work. I also looked up the spring-boot-starter-web-2.3.3.RELEASE.pom and it has the spring-web dependency hardcoded to 5.2.8.RELEASE.
Are there any other ways of upgrading the spring-framework version in spring-boot besides adding all the new versions as dependencies to the dependencyManagement section?
Thx
Full POM:
<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.3.RELEASE</version>
        <relativePath/> <!-- lookup parent from repository -->
    </parent>
    <groupId>group</groupId>
    <artifactId>app</artifactId>
    <version>3.1.0-SNAPSHOT</version>
    <packaging>war</packaging>
    <properties>
        <flyway.version>4.1.2</flyway.version>
        <groovy.version>2.4.20</groovy.version>
        <spring-framework.version>5.2.20.RELEASE</spring-framework.version>
        <spring-cloud.version>Hoxton.SR7</spring-cloud.version>
        <h2.version>1.4.196</h2.version>
    </properties>
    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>${spring-cloud.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-jdbc</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-data-rest</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-webflux</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-tomcat</artifactId>
            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-configuration-processor</artifactId>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.mockito</groupId>
            <artifactId>mockito-core</artifactId>
        </dependency>
        <dependency>
            <groupId>org.codehaus.groovy</groupId>
            <artifactId>groovy-all</artifactId>
            <version>${groovy.version}</version>
        </dependency>
        <!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-xml -->
        <dependency>
            <groupId>com.fasterxml.jackson.dataformat</groupId>
            <artifactId>jackson-dataformat-xml</artifactId>
        </dependency>
    </dependencies>
    <build>
        <finalName>app</finalName>
        <resources>
            <resource>
                <directory>src/main/resources</directory>
                <filtering>true</filtering>
                <includes>
                    <include>**/version.json</include>
                    <include>**/**.properties</include>
                </includes>
            </resource>
            <resource>
                <directory>src/main/resources</directory>
                <filtering>false</filtering>
                <includes>
                    <include>**/*.*</include>
                </includes>
                <excludes>
                    <exclude>**/version.json</exclude>
                    <exclude>**/**.properties</exclude>
                </excludes>
            </resource>
        </resources>
    </build>
</project>
EDIT: This is a part of mvn dependency:tree:
+- org.springframework.boot:spring-boot-starter-webflux:jar:2.3.3.RELEASE:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-json:jar:2.3.3.RELEASE:compile
[INFO] |  |  +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.11.2:compile
[INFO] |  |  \- com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.11.2:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter-reactor-netty:jar:2.3.3.RELEASE:compile
[INFO] |  +- org.springframework:spring-web:jar:5.2.8.RELEASE:compile
[INFO] |  +- org.springframework:spring-webflux:jar:5.2.8.RELEASE:compile
[INFO] |  \- org.synchronoss.cloud:nio-multipart-parser:jar:1.1.0:compile
[INFO] |     \- org.synchronoss.cloud:nio-stream-storage:jar:1.1.3:compile
If you have a look at the spring-boot-starter-webflux-2.3.3.RELEASE.pom, which includes the problematic spring-web 5.2.8.RELEASE, you will find that the spring version is hardcoded to 5.2.8.RELEASE. So setting the spring.framework property in maven will have no effect.
<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-web</artifactId>
    <version>5.2.8.RELEASE</version>
    <scope>compile</scope>
</dependency>
Output of mvn help:effective-pom:
<dependency>
    <groupId>org.springframework</groupId> <!-- org.springframework:spring-framework-bom:5.2.8.RELEASE, line 126 -->
    <artifactId>spring-web</artifactId> <!-- org.springframework:spring-framework-bom:5.2.8.RELEASE, line 127 -->
    <version>5.2.8.RELEASE</version> <!-- org.springframework:spring-framework-bom:5.2.8.RELEASE, line 128 -->
</dependency>
<dependency>
    <groupId>org.springframework</groupId> <!-- org.springframework:spring-framework-bom:5.2.8.RELEASE, line 131 -->
    <artifactId>spring-webflux</artifactId> <!-- org.springframework:spring-framework-bom:5.2.8.RELEASE, line 132 -->
    <version>5.2.8.RELEASE</version> <!-- org.springframework:spring-framework-bom:5.2.8.RELEASE, line 133 -->
</dependency>
Edit after the solution by @Inthai2002: I additionally have an internal lib POM imported in my pom.xml:
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>internal</groupId>
            <artifactId>lib</artifactId>
            <version>4.4.0</version>
            <scope>import</scope>
            <type>pom</type>
        </dependency>
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-dependencies</artifactId>
            <version>${spring-cloud.version}</version>
            <type>pom</type>
            <scope>import</scope>
        </dependency>
    </dependencies>
</dependencyManagement>
and this internal lib has the spring-boot-dependencies POM directly imported, which leads to the fact that the spring-framework.version property is ignored:
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-dependencies</artifactId>
    <version>2.3.3.RELEASE</version>
    <scope>import</scope>
    <type>pom</type>
</dependency>
Answer
I just tried your pom (with and without the spring-framework.version property) on a clean m2 repo. Without the property, spring-framework is 5.2.8, with the property, it is 5.2.20. Can you try on a clean repo?
The spring-framework-bom at version X is hardcoded to all the spring packages for version X (see https://repo1.maven.org/maven2/org/springframework/spring-framework-bom/5.2.8.RELEASE/spring-framework-bom-5.2.8.RELEASE.pom).
The spring-framework.version property is declared and used to pull the spring-framework-bom in spring-boot-dependencies and inherited by its descendants (see https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-dependencies/2.3.3.RELEASE/spring-boot-dependencies-2.3.3.RELEASE.pom).
spring-boot-dependencies is the parent of spring-boot-starter-parent (see https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-starter-parent/2.3.3.RELEASE/spring-boot-starter-parent-2.3.3.RELEASE.pom).
Because the property is inherited by descendants, you can override its value in the pom of your application. By overriding it with 5.2.20, you are swapping out spring-framework-bom 5.2.8 for 5.2.20, which effectively pulls most of the spring packages for 5.2.20.
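For the case in the question's last edit, where an imported BOM brings in spring-boot-dependencies directly and the property override no longer reaches it, one option is to import spring-framework-bom yourself ahead of that BOM. This is an added example, not part of the original question or answer; it reuses the question's internal:lib coordinates and relies on Maven keeping the first imported BOM's version when several imports manage the same artifact.

```xml
<!-- Added example (not from the original post): fragment of the application's pom.xml.
     Assumes internal:lib:4.4.0 imports spring-boot-dependencies 2.3.3.RELEASE, as the question states. -->
<properties>
  <spring-framework.version>5.2.20.RELEASE</spring-framework.version>
  <spring-cloud.version>Hoxton.SR7</spring-cloud.version>
</properties>

<dependencyManagement>
  <dependencies>
    <!-- Must be declared first: when several imported BOMs manage the same
         artifact, Maven keeps the version from the first import that lists it. -->
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-framework-bom</artifactId>
      <version>${spring-framework.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    <!-- This BOM imports spring-boot-dependencies 2.3.3.RELEASE. Properties are
         resolved inside the imported POM, so its spring-framework-bom stays at
         5.2.8.RELEASE regardless of the property set in this file. -->
    <dependency>
      <groupId>internal</groupId>
      <artifactId>lib</artifactId>
      <version>4.4.0</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-dependencies</artifactId>
      <version>${spring-cloud.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Running mvn dependency:tree -Dincludes=org.springframework afterwards should list spring-web and spring-webflux at 5.2.20.RELEASE; any org.springframework artifact still shown at 5.2.8.RELEASE is being pinned somewhere other than the BOM.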