I am using spring-boot 2.3.3.RELEASE with the according spring-boot-starter-parent in maven.
<parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.3.3.RELEASE</version> <relativePath/> <!-- lookup parent from repository --> </parent>Due to the spring4shell CVE I wanted to upgrade the spring-framework to 5.2.20.RELEASE instead of the already included 5.2.8.RELEASE. I tried overriding the spring-framework.version property from spring-boot-dependencies.
<spring-framework.version>5.2.20.RELEASE</spring-framework.version>But it did not work. I also looked up the spring-boot-starter-web-2.3.3.RELEASE.pom and it has the spring-web dependency hardcoded to 5.2.8.RELEASE.
Are there any other ways of upgrading the spring-framework version in spring-boot besides adding all the new versions as dependencies to the dependencyManagement section?
Thx
Full POM:
<?xml version="1.0"?><project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"><modelVersion>4.0.0</modelVersion><parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.3.3.RELEASE</version> <relativePath/> <!-- lookup parent from repository --></parent><groupId>group</groupId><artifactId>app</artifactId><version>3.1.0-SNAPSHOT</version><packaging>war</packaging><properties> <flyway.version>4.1.2</flyway.version> <groovy.version>2.4.20</groovy.version> <spring-framework.version>5.2.20.RELEASE</spring-framework.version> <spring-cloud.version>Hoxton.SR7</spring-cloud.version> <h2.version>1.4.196</h2.version></properties><dependencyManagement><dependencies> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-dependencies</artifactId> <version>${spring-cloud.version}</version> <type>pom</type> <scope>import</scope> </dependency></dependencies></dependencyManagement><dependencies><dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-actuator</artifactId></dependency><dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-jdbc</artifactId></dependency><dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-data-rest</artifactId></dependency><dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-webflux</artifactId></dependency><dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-web</artifactId></dependency><dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-test</artifactId> <scope>test</scope></dependency><dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-tomcat</artifactId> <scope>provided</scope></dependency><dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-configuration-processor</artifactId> <optional>true</optional></dependency><dependency> <groupId>org.mockito</groupId> <artifactId>mockito-core</artifactId></dependency><dependency> <groupId>org.codehaus.groovy</groupId> <artifactId>groovy-all</artifactId> <version>${groovy.version}</version></dependency><!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-xml --><dependency> <groupId>com.fasterxml.jackson.dataformat</groupId> <artifactId>jackson-dataformat-xml</artifactId></dependency></dependencies><build><finalName>app</finalName><resources> <resource> <directory>src/main/resources</directory> <filtering>true</filtering> <includes> <include>**/version.json</include> <include>**/**.properties</include> </includes> </resource> <resource> <directory>src/main/resources</directory> <filtering>false</filtering> <includes> <include>**/*.*</include> </includes> <excludes> <exclude>**/version.json</exclude> <exclude>**/**.properties</exclude> </excludes> </resource></resources></build></project>EDIT: This is a part of mvn dependency:tree:
+- org.springframework.boot:spring-boot-starter-webflux:jar:2.3.3.RELEASE:compile[INFO] | +- org.springframework.boot:spring-boot-starter-json:jar:2.3.3.RELEASE:compile[INFO] | | +- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.11.2:compile[INFO] | | - com.fasterxml.jackson.module:jackson-module-parameter-names:jar:2.11.2:compile[INFO] | +- org.springframework.boot:spring-boot-starter-reactor-netty:jar:2.3.3.RELEASE:compile[INFO] | +- org.springframework:spring-web:jar:5.2.8.RELEASE:compile[INFO] | +- org.springframework:spring-webflux:jar:5.2.8.RELEASE:compile[INFO] | - org.synchronoss.cloud:nio-multipart-parser:jar:1.1.0:compile[INFO] | - org.synchronoss.cloud:nio-stream-storage:jar:1.1.3:compileIf you have a look at the spring-boot-starter-webflux-2.3.3.RELEASE.pom which includes the problematic spring-web 5.2.8.RELEASE you will find that the spring version is hardcoded to 5.2.8.RELEASE. So setting the spring.framework property in maven will have no effect.
<dependency> <groupId>org.springframework</groupId> <artifactId>spring-web</artifactId> <version>5.2.8.RELEASE</version> <scope>compile</scope> </dependency>Output of mvn help:effective-pom:
<dependency> <groupId>org.springframework</groupId> <!-- org.springframework:spring-framework-bom:5.2.8.RELEASE, line 126 --> <artifactId>spring-web</artifactId> <!-- org.springframework:spring-framework-bom:5.2.8.RELEASE, line 127 --> <version>5.2.8.RELEASE</version> <!-- org.springframework:spring-framework-bom:5.2.8.RELEASE, line 128 --> </dependency> <dependency> <groupId>org.springframework</groupId> <!-- org.springframework:spring-framework-bom:5.2.8.RELEASE, line 131 --> <artifactId>spring-webflux</artifactId> <!-- org.springframework:spring-framework-bom:5.2.8.RELEASE, line 132 --> <version>5.2.8.RELEASE</version> <!-- org.springframework:spring-framework-bom:5.2.8.RELEASE, line 133 --> </dependency>Edit after Solution by @Inthai2002: I have additonally an internal lib pom imported in my pom.xml
<dependencyManagement> <dependencies> <dependency> <groupId>internal</groupId> <artifactId>lib</artifactId> <version>4.4.0</version> <scope>import</scope> <type>pom</type> </dependency> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-dependencies</artifactId> <version>${spring-cloud.version}</version> <type>pom</type> <scope>import</scope> </dependency> </dependencies> </dependencyManagement>and this internal lib has the spring-boot-dependencies pom directly imported which leads to the fact that spring-framework.version property is ignored:
<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-dependencies</artifactId> <version>2.3.3.RELEASE</version> <scope>import</scope> <type>pom</type> </dependency>Advertisement
Answer
I just tried your pom (with and without the spring-framework.version property) on a clean m2 repo. Without the property, spring-framework is 5.2.8, with the property, it is 5.2.20. Can you try on a clean repo?
The spring-framework-bom at version X is hardcoded to all the spring packages for version X (see https://repo1.maven.org/maven2/org/springframework/spring-framework-bom/5.2.8.RELEASE/spring-framework-bom-5.2.8.RELEASE.pom)
The spring-framework.version property is declared and used to pull the spring-framework-bom in spring-boot-dependencies and inherited by its descendants (see https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-dependencies/2.3.3.RELEASE/spring-boot-dependencies-2.3.3.RELEASE.pom).
spring-boot-dependencies is parent of spring-boot-starter-parent (see https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-starter-parent/2.3.3.RELEASE/spring-boot-starter-parent-2.3.3.RELEASE.pom).
Because the property is inherited by descendant, you can override its value at the pom of your application. By overriding it with 5.2.20, you are swapping out spring-framework-bom 5.2.8 for 5.2.20 which effectively pull most of the spring packages for 5.2.20