Upgrade libraries to fix security issues

pboos · pboos · commit d87498c1ce06 · 2025-06-17T15:41:29.000+02:00
diff --git a/build.gradle b/build.gradle
@@ -64,21 +64,24 @@ subprojects {
         testCompileOnly(libs.lombok)
         testAnnotationProcessor(libs.lombok)
 
-        // Security constraints
-        constraints {
-            implementation("ch.qos.logback:logback-core:1.5.15") {
-                because("versions below 1.5.15 have security vulnerabilities - see dependabot #7, #6")
-            }
-            implementation("ch.qos.logback:logback-classic:1.5.15") {
-                because("versions below 1.5.15 have security vulnerabilities - see dependabot #7, #6")
-            }
-            implementation("org.springframework:spring-web:6.2.8") {
-                because("versions below 6.2.8 have security vulnerabilities including CVE-2024-38820 - see dependabot #12")
-            }
-            implementation("org.apache.tomcat.embed:tomcat-embed-core:10.1.42") {
-                because("versions below 10.1.42 have security vulnerabilities including CVE-2024-56337 - see dependabot #13")
+        // Security constraints - force minimum versions for vulnerable dependencies
+        def enforceMinVersion = { groupId, artifactId, minVersion, reason ->
+            return { details ->
+                if (details.requested.group == groupId && details.requested.name == artifactId) {
+                    def parse = { String v -> v.tokenize('.').collect { it.padLeft(3, '0') }.join() }
+                    def current = parse(details.requested.version)
+                    def minimum = parse(minVersion)
+                    if (current < minimum) {
+                        details.useVersion minVersion
+                        details.because reason
+                    }
+                }
             }
         }
+        configurations.configureEach {
+            resolutionStrategy.eachDependency enforceMinVersion('org.springframework', 'spring-web', '6.2.8', 'versions below 6.2.8 have security vulnerabilities including CVE-2024-38820 - see dependabot #12')
+            resolutionStrategy.eachDependency enforceMinVersion('org.apache.tomcat.embed', 'tomcat-embed-core', '10.1.42', 'versions below 10.1.42 have security vulnerabilities including CVE-2024-56337 - see dependabot #13')
+        }
     }
 
     checkstyle {
diff --git a/examples/example-spring-boot-starter-web/build.gradle b/examples/example-spring-boot-starter-web/build.gradle
@@ -6,13 +6,14 @@ plugins {
 }
 
 // Needed for security. See:
-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/7
-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/6
-// Hopefully with spring-boot 3.4.2+ this won't be needed anymore and can be removed.
+// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/13
+// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/14
+// Hopefully with spring-boot 3.5.0+ this won't be needed anymore and can be removed.
 dependencyManagement {
     dependencies {
-        dependency 'ch.qos.logback:logback-core:1.5.18'
-        dependency 'ch.qos.logback:logback-classic:1.5.18'
+        dependency 'org.apache.tomcat.embed:tomcat-embed-core:10.1.42'
+        dependency 'org.apache.tomcat.embed:tomcat-embed-el:10.1.42'
+        dependency 'org.apache.tomcat.embed:tomcat-embed-websocket:10.1.42'
     }
 }
 
diff --git a/examples/example-spring-boot-starter-webflux/build.gradle b/examples/example-spring-boot-starter-webflux/build.gradle
@@ -6,13 +6,14 @@ plugins {
 }
 
 // Needed for security. See:
-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/7
-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/6
-// Hopefully with spring-boot 3.4.2+ this won't be needed anymore and can be removed.
+// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/13
+// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/14
+// Hopefully with spring-boot 3.5.0+ this won't be needed anymore and can be removed.
 dependencyManagement {
     dependencies {
-        dependency 'ch.qos.logback:logback-core:1.5.18'
-        dependency 'ch.qos.logback:logback-classic:1.5.18'
+        dependency 'org.apache.tomcat.embed:tomcat-embed-core:10.1.42'
+        dependency 'org.apache.tomcat.embed:tomcat-embed-el:10.1.42'
+        dependency 'org.apache.tomcat.embed:tomcat-embed-websocket:10.1.42'
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -6,13 +6,14 @@ plugins {`
`6`	`6`	`}`
`7`	`7`
`8`	`8`	`// Needed for security. See:`
`9`		`-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/7`
`10`		`-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/6`
`11`		`-// Hopefully with spring-boot 3.4.2+ this won't be needed anymore and can be removed.`
	`9`	`+// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/13`
	`10`	`+// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/14`
	`11`	`+// Hopefully with spring-boot 3.5.0+ this won't be needed anymore and can be removed.`
`12`	`12`	`dependencyManagement {`
`13`	`13`	`dependencies {`
`14`		`- dependency 'ch.qos.logback:logback-core:1.5.18'`
`15`		`- dependency 'ch.qos.logback:logback-classic:1.5.18'`
	`14`	`+ dependency 'org.apache.tomcat.embed:tomcat-embed-core:10.1.42'`
	`15`	`+ dependency 'org.apache.tomcat.embed:tomcat-embed-el:10.1.42'`
	`16`	`+ dependency 'org.apache.tomcat.embed:tomcat-embed-websocket:10.1.42'`
`16`	`17`	`}`
`17`	`18`	`}`
`18`	`19`