From a60d4a245e3f4902a376013460fbd5ef30103d30 Mon Sep 17 00:00:00 2001 From: lprimak Date: Thu, 4 Dec 2025 18:18:57 -0600 Subject: [PATCH 1/4] chore: fix vulnerabilities in tests reported by OpenSSF tool --- integration-tests/meecrowave-support/pom.xml | 27 +++++++++++++ pom.xml | 10 +++++ samples/spring-boot-3-web/pom.xml | 25 ++++++++++++ samples/spring-boot-web/pom.xml | 16 ++++++++ samples/web-jakarta/pom.xml | 39 ++++++++++++++++++- .../spring-boot/spring-boot-starter/pom.xml | 20 ++++++++++ .../spring-boot-web-starter/pom.xml | 21 ++++++++++ 7 files changed, 157 insertions(+), 1 deletion(-) diff --git a/integration-tests/meecrowave-support/pom.xml b/integration-tests/meecrowave-support/pom.xml index f6f33ce0e6..323b4f15d0 100644 --- a/integration-tests/meecrowave-support/pom.xml +++ b/integration-tests/meecrowave-support/pom.xml @@ -73,4 +73,31 @@ + + + + org.apache.cxf + cxf-bom + 3.6.7 + import + pom + + + org.apache.johnzon + johnzon-jsonb + 1.2.21 + + + org.apache.tomcat + tomcat-jaspic-api + 9.0.112 + + + org.apache.tomcat + tomcat-catalina + 9.0.112 + + + + diff --git a/pom.xml b/pom.xml index d0b7f68846..03645a930e 100644 --- a/pom.xml +++ b/pom.xml @@ -1213,6 +1213,16 @@ + + ch.qos.logback + logback-core + 1.5.21 + + + ch.qos.logback + logback-classic + 1.5.21 + org.apache.logging.log4j diff --git a/samples/spring-boot-3-web/pom.xml b/samples/spring-boot-3-web/pom.xml index c6f4acd7e9..388a648428 100644 --- a/samples/spring-boot-3-web/pom.xml +++ b/samples/spring-boot-3-web/pom.xml @@ -117,6 +117,31 @@ import pom + + org.apache.tomcat.embed + tomcat-embed-core + 10.1.49 + + + org.apache.tomcat.embed + tomcat-embed-el + 10.1.49 + + + org.apache.tomcat.embed + tomcat-embed-websocket + 10.1.49 + + + ch.qos.logback + logback-classic + 1.5.21 + + + ch.qos.logback + logback-core + 1.5.21 + diff --git a/samples/spring-boot-web/pom.xml b/samples/spring-boot-web/pom.xml index f553079832..6a7e53f209 100644 --- a/samples/spring-boot-web/pom.xml 
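Review bot: The same version literals (Tomcat `9.0.112`, logback `1.5.21`, `cxf-bom` `3.6.7`, johnzon `1.2.21`) are written as bare `<version>` values in the dependencyManagement sections of seven poms in this patch, so the next advisory-driven bump has to be repeated in seven places and the copies will drift — samples/web-jakarta already carries what looks like a separate Tomcat property (`10.1.30` → `10.1.49`) next to its `9.0.112` pins. Define each once as a property in the root pom (constructed example: `<tomcat9.version>9.0.112</tomcat9.version>`, `<logback.version>1.5.21</logback.version>`) and reference `${tomcat9.version}` from the module poms; this applies equally to the hunks for samples/spring-boot-web, samples/web-jakarta and the two spring-boot starter poms on the next line. Pinning in dependencyManagement after the BOM import is the right place for an override, but a one-line comment such as `<!-- deliberate override of the BOM version: flagged by the OpenSSF tool -->` would tell the next maintainer these are intentional rather than stray entries.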
+++ b/samples/spring-boot-web/pom.xml @@ -97,6 +97,22 @@ + + + org.apache.tomcat.embed + tomcat-embed-core + 9.0.112 + + + org.apache.tomcat.embed + tomcat-embed-el + 9.0.112 + + + org.apache.tomcat.embed + tomcat-embed-websocket + 9.0.112 + diff --git a/samples/web-jakarta/pom.xml b/samples/web-jakarta/pom.xml index 1aa6857a60..adab155705 100644 --- a/samples/web-jakarta/pom.xml +++ b/samples/web-jakarta/pom.xml @@ -33,7 +33,7 @@ 1.2.15 - 10.1.30 + 10.1.49 true @@ -46,6 +46,43 @@ import pom + + org.apache.cxf + cxf-bom + 3.6.7 + import + pom + + + org.apache.johnzon + johnzon-jsonb + 1.2.21 + + + org.apache.tomcat.embed + tomcat-embed-core + 9.0.112 + + + org.apache.tomcat.embed + tomcat-embed-el + 9.0.112 + + + org.apache.tomcat + tomcat-jaspic-api + 9.0.112 + + + org.apache.tomcat.embed + tomcat-embed-websocket + 9.0.112 + + + org.apache.tomcat + tomcat-catalina + 9.0.112 + diff --git a/support/spring-boot/spring-boot-starter/pom.xml b/support/spring-boot/spring-boot-starter/pom.xml index f8fadeb2eb..01b60a9555 100644 --- a/support/spring-boot/spring-boot-starter/pom.xml +++ b/support/spring-boot/spring-boot-starter/pom.xml @@ -94,6 +94,26 @@ + + + + org.apache.tomcat.embed + tomcat-embed-core + 9.0.112 + + + org.apache.tomcat.embed + tomcat-embed-el + 9.0.112 + + + org.apache.tomcat.embed + tomcat-embed-websocket + 9.0.112 + + + + diff --git a/support/spring-boot/spring-boot-web-starter/pom.xml b/support/spring-boot/spring-boot-web-starter/pom.xml index 5045035caa..f75c5b0740 100644 --- a/support/spring-boot/spring-boot-web-starter/pom.xml +++ b/support/spring-boot/spring-boot-web-starter/pom.xml @@ -64,6 +64,27 @@ + + + + + org.apache.tomcat.embed + tomcat-embed-core + 9.0.112 + + + org.apache.tomcat.embed + tomcat-embed-el + 9.0.112 + + + org.apache.tomcat.embed + tomcat-embed-websocket + 9.0.112 + + + + From c6f25205720df36754dc0bee3f51b1b04b9c2b44 Mon Sep 17 00:00:00 2001 
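Review bot: In the samples/web-jakarta hunk the sample bumps what appears to be its Tomcat property to `10.1.49` (the Jakarta-namespace 10.1 line) and in the same dependencyManagement block pins `org.apache.tomcat.embed:tomcat-embed-core`, `tomcat-embed-el`, `tomcat-embed-websocket`, `tomcat-jaspic-api` and `tomcat-catalina` at `9.0.112`, which is the javax-namespace line; a Jakarta sample with both on its dependency tree would be surprising. If the 9.x pins exist only to neutralise scanner findings for artifacts that another dependency (cxf-bom or johnzon, perhaps) pulls transitively, say so beside them, e.g. `<!-- Tomcat 9.x pins only cover transitive javax-era artifacts; the sample itself runs on the 10.1 property above -->`; if they are not on the tree at all they are dead entries and can be dropped after checking with `mvn dependency:tree`. The `9.0.112` pins in this samples/spring-boot-web hunk and in the two starter poms on this line do not carry the same mismatch, so the question is specific to web-jakarta.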
From: lprimak Date: Thu, 4 Dec 2025 23:24:17 -0600 Subject: [PATCH 2/4] fix: excluded old spring logging --- support/spring-boot/spring-boot-starter/pom.xml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/support/spring-boot/spring-boot-starter/pom.xml b/support/spring-boot/spring-boot-starter/pom.xml index 01b60a9555..3c077605cf 100644 --- a/support/spring-boot/spring-boot-starter/pom.xml +++ b/support/spring-boot/spring-boot-starter/pom.xml @@ -52,6 +52,12 @@ org.springframework.boot spring-boot-starter-web true + + + org.springframework.boot + spring-boot-starter-logging + + org.springframework From 13c125de77b7c9ca8972cadd9042711433e1d4c7 Mon Sep 17 00:00:00 2001 From: lprimak Date: Thu, 4 Dec 2025 23:36:11 -0600 Subject: [PATCH 3/4] fix: exclude old logging from spring web starter --- support/spring-boot/spring-boot-web-starter/pom.xml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/support/spring-boot/spring-boot-web-starter/pom.xml b/support/spring-boot/spring-boot-web-starter/pom.xml index f75c5b0740..6e8a81d0f5 100644 --- a/support/spring-boot/spring-boot-web-starter/pom.xml +++ b/support/spring-boot/spring-boot-web-starter/pom.xml @@ -57,10 +57,22 @@ org.springframework.boot spring-boot-starter + + + org.springframework.boot + spring-boot-starter-logging + + org.springframework.boot spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-logging + + From b1edaf98c03a7dfe00a036b0ae47629f32171f05 Mon Sep 17 00:00:00 2001 From: lprimak Date: Fri, 5 Dec 2025 00:26:14 -0600 Subject: [PATCH 4/4] fix: SpringBoot and samples use log4j2 --- samples/spring-boot-3-web/pom.xml | 25 ++++++++++------- .../src/main/resources/log4j2.properties | 28 +++++++++++++++++++ .../spring-boot/spring-boot-starter/pom.xml | 4 +++ .../spring-boot-web-starter/pom.xml | 4 +++ 4 files changed, 51 insertions(+), 10 deletions(-) create mode 100644 samples/spring-boot-3-web/src/main/resources/log4j2.properties 
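Review bot: The new `<exclusion>` of `spring-boot-starter-logging` under `spring-boot-starter-web` in spring-boot-starter/pom.xml (and under both Boot starters in spring-boot-web-starter/pom.xml in patch 3/4) carries no comment, while the root pom in patch 1/4 already pins logback to `1.5.21` in dependencyManagement; a maintainer could reasonably conclude the pin makes the exclusion redundant and remove it. A short comment records the intent, e.g. `<!-- spring-boot-starter-logging (logback) is excluded on purpose: this starter supplies log4j2 instead (patch 4/4); the logback pin in the root pom is not a substitute -->`. In spring-boot-starter/pom.xml only the `spring-boot-starter-web` dependency receives the exclusion; whether that pom declares other Boot starters that also pull `spring-boot-starter-logging` transitively is not visible in the hunk, so check `mvn dependency:tree` for remaining logback entries before relying on it.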
diff --git a/samples/spring-boot-3-web/pom.xml b/samples/spring-boot-3-web/pom.xml index 388a648428..6c40eb39da 100644 --- a/samples/spring-boot-3-web/pom.xml +++ b/samples/spring-boot-3-web/pom.xml @@ -67,6 +67,21 @@ shiro-spring jakarta + + org.apache.logging.log4j + log4j-slf4j2-impl + runtime + + + org.apache.logging.log4j + log4j-api + runtime + + + org.apache.logging.log4j + log4j-core + runtime + @@ -132,16 +147,6 @@ tomcat-embed-websocket 10.1.49 - - ch.qos.logback - logback-classic - 1.5.21 - - - ch.qos.logback - logback-core - 1.5.21 - diff --git a/samples/spring-boot-3-web/src/main/resources/log4j2.properties b/samples/spring-boot-3-web/src/main/resources/log4j2.properties new file mode 100644 index 0000000000..9ff7959ac6 --- /dev/null +++ b/samples/spring-boot-3-web/src/main/resources/log4j2.properties 
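Review bot: The hunk at `@@ -132,16 +147,6 @@` drops the logback `1.5.21` pins added in patch 1/4 and the first hunk adds `log4j-slf4j2-impl`, `log4j-api` and `log4j-core` at runtime scope, but nothing in this pom's visible hunks excludes `spring-boot-starter-logging`; the sample depends on `shiro-spring` (jakarta classifier) rather than on the Shiro starter where the exclusion was added in patches 2/4 and 3/4, so if it also uses a Spring Boot starter, logback returns at the BOM's version next to the log4j SLF4J provider — two providers on the classpath, and the finding the removed pins addressed reappears. Either keep the logback pin in dependencyManagement or add the same exclusion here, and mark the choice: `<!-- logging backend is log4j2 (log4j-slf4j2-impl); keep spring-boot-starter-logging excluded -->`. The three log4j artifacts carry no `<version>`, which works only because either the imported BOM or the root pom (which manages `org.apache.logging.log4j`, visible in the root pom hunk of patch 1/4) supplies one — worth a comment so the pin is not thought missing.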
@@ -0,0 +1,28 @@ +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. +# +# Root logger configuration +rootLogger.level = info +rootLogger.appenderRef.stdout.ref = STDOUT + +# Console appender configuration +appender.stdout.type = Console +appender.stdout.name = STDOUT +appender.stdout.layout.type = PatternLayout +# Use %highlight to add color to the log level and %cyan for the logger name +appender.stdout.layout.pattern = %d{yyyy-MM-dd HH:mm:ss.SSS} [%t] %highlight{%-5level} %cyan{%c{1.}} - %msg%n diff --git a/support/spring-boot/spring-boot-starter/pom.xml b/support/spring-boot/spring-boot-starter/pom.xml index 3c077605cf..72dccb0b7b 100644 --- a/support/spring-boot/spring-boot-starter/pom.xml +++ b/support/spring-boot/spring-boot-starter/pom.xml @@ -59,6 +59,10 @@ + + org.springframework.boot + spring-boot-starter-log4j2 + org.springframework spring-webmvc diff --git a/support/spring-boot/spring-boot-web-starter/pom.xml b/support/spring-boot/spring-boot-web-starter/pom.xml index 6e8a81d0f5..e936808663 100644 --- a/support/spring-boot/spring-boot-web-starter/pom.xml +++ b/support/spring-boot/spring-boot-web-starter/pom.xml @@ -74,6 +74,10 @@ + + org.springframework.boot + spring-boot-starter-log4j2 +
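Review bot: `spring-boot-starter-log4j2` is added to support/spring-boot/spring-boot-starter/pom.xml (and to spring-boot-web-starter/pom.xml in the last hunk, which appears cut off at the end of the page) with no `<optional>` or `<scope>` visible, whereas the neighbouring `spring-boot-starter-web` in the same pom is optional (patch 2/4 shows `true` after it); as written, every application that depends on the Shiro starter receives log4j-core and the log4j SLF4J provider transitively, and an application that keeps Boot's default logback ends up with two SLF4J providers (a startup warning and an arbitrary choice) plus an extra logging engine it must keep patched. Since the series' stated aim is the tests and samples, consider `<optional>true</optional>` (or test scope) so the logging backend stays the consumer's decision, and document it: `<!-- optional: log4j2 is used by the samples/tests; consumers choose their own SLF4J provider -->`. If making log4j2 the starter's mandatory backend is the intent, say so in the commit message and the starter's README, because it is a behaviour change for every downstream project, not only a scanner fix.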