项目框架升级:Spring Boot 升级到2.6.5, Spring Framework升级到5.3.18

接到安全漏洞扫描的通知:Spring Boot 集成环境信息泄露漏洞【POC】

处置建议:Spring 官方已发布漏洞修复版本,请用户及时更新至最新版本。

https://github.com/spring-projects/spring-framework/tags
安全版本:
Spring Framework == 5.3.18
Spring Framework == 5.2.20

 

我检查了项目当前的框架版本:

 1     <parent>
 2         <groupId>org.springframework.boot</groupId>
 3         <artifactId>spring-boot-starter-parent</artifactId>
 4         <version>2.3.9.RELEASE</version>
 5     </parent>
 6 
 7     <properties>
 8         <spring-framework.version>5.2.13.RELEASE</spring-framework.version>
 9     ......
10     </properties>

 妥妥地命中,必须要整改。

 

一、升级框架依赖

无论如何,安全是第一,所以先把框架升级再说。(具体是选择哪个版本升级,建议按照安全厂商的要求)

 1     <parent>
 2         <groupId>org.springframework.boot</groupId>
 3         <artifactId>spring-boot-starter-parent</artifactId>
 4         <version>2.6.5</version>
 5     </parent>
 6 
 7 
 8     <properties>
 9         <spring-framework.version>5.3.18</spring-framework.version>
10         <spring-boot.version>2.6.5</spring-boot.version>
11         <spring-data.version>2.6.3</spring-data.version>
12        ......
13     </properties>

 JDK使用corretto-1.8.0_322

 

框架依赖升级了之后,开始编译调试,也就是升级框架带来的兼容性问题,通常最令人抓狂的也就是这部分。

二、调试基础框的兼容性问题

不断地发现报错有各种问题,网上找类似的情况,再分析、筛选、尝试,将搜罗的解决方法记录下来。

 1.RedisCacheWriter错误

先把升级后接口新加的3个方法添加上,后续有问题再调试。

 1     @Override
 2     public void clearStatistics(String name) {
 3         statistics.reset(name) ;
 4     }
 5 
 6     @Override
 7     public RedisCacheWriter withStatisticsCollector(CacheStatisticsCollector cacheStatisticsCollector){
 8         return this;
 9     }
10 
11     @Override
12     public CacheStatistics getCacheStatistics(String cacheName) {
13         return statistics.getCacheStatistics(cacheName);
14     }

在该类头部,添加定义:

1     private final CacheStatisticsCollector statistics = CacheStatisticsCollector.create();

 

2.RedisUtil错误

 (1)替换报错的方法

 1     private Set<String> keys(String keyPrefix) {
 2         String realKey = keyPrefix + "*";
 3 
 4         try {
 5             return redisTemplate.execute((RedisCallback<Set<String>>) connection -> {
 6                 Set<String> binaryKeys = new HashSet<>();
 7 
 8                 Cursor<byte[]> cursor = connection.scan(ScanOptions.scanOptions().match(realKey).count(Integer.MAX_VALUE).build());
 9                 while (cursor.hasNext()) {
10                     binaryKeys.add(new String(cursor.next()));
11                 }
12 
13                 return binaryKeys;
14             });
15         } catch (Throwable e) {
16             e.printStackTrace();
17         }
18 
19         return null;
20     }

(2)报错语句加上类型转换

 1     @SuppressWarnings("unchecked")
 2     public void del(String... key) {
 3         if (key != null && key.length > 0) {
 4             if (key.length == 1) {
 5                 redisTemplate.delete(key[0]);
 6             } else {
 7                 redisTemplate.delete((Collection<String>) CollectionUtils.arrayToList(key));
 8             }
 9         }
10     }

 

3.无法访问okhttp3.HttpUrl 

 1 private static MinioClient initMinio(String minioUrl, String minioName,String minioPass) {
 2     if (minioClient == null) {
 3         try {
 4             minioClient = MinioClient.builder()
 5                     .endpoint(minioUrl)
 6                     .credentials(minioName, minioPass)
 7                     .build();
 8         } catch (Exception e) {
 9             e.printStackTrace();
10         }
11     }
12     return minioClient;
13 }

分析原因:项目里的依赖包版本冲突,修改pom.xml

 1     <properties>
 2         <minio.version>8.3.7</minio.version>
 3         <okhttp.version>4.8.1</okhttp.version>
 4     </properties>
 5 
 6 
 7     <dependencies>
 8 ......
 9         <dependency>
10             <groupId>io.minio</groupId>
11             <artifactId>minio</artifactId>
12             <version>${minio.version}</version>
13             <scope>compile</scope>
14         </dependency>
15 
16         <dependency>
17             <groupId>com.squareup.okhttp3</groupId>
18             <artifactId>okhttp</artifactId>
19             <version>${okhttp.version}</version>
20             <scope>compile</scope>
21         </dependency>
22 ......
23     </dependencies>

 

4.程序包feign.hystrix不存在

 添加依赖引用:

 1     <dependencies>
 2         <!-- feign -->
 3         <dependency>
 4             <groupId>org.springframework.cloud</groupId>
 5             <artifactId>spring-cloud-starter-openfeign</artifactId>
 6         </dependency>
 7        ......
 8         <dependency>
 9             <groupId>io.github.openfeign</groupId>
10             <artifactId>feign-hystrix</artifactId>
11         </dependency>
12     </dependencies>

 

5.程序包org.springframework.cloud.netflix.ribbon不存在

 

1         <dependency>
2             <groupId>org.springframework.cloud</groupId>
3             <artifactId>spring-cloud-openfeign-core</artifactId>
4             <version>3.1.1</version>
5             <scope>compile</scope>
6         </dependency>

检查项目里的依赖包版本冲突问题

6.程序包org.junit不存在

1         <dependency>
2             <groupId>junit</groupId>
3             <artifactId>junit</artifactId>
4             <version>4.13.2</version>
5             <scope>test</scope>
6         </dependency>

 

 7.对RemoteApplicationEvent的引用不明确

1     public JeecgRemoteApplicationEvent(EventObj source, String originService) {
2         super(source, originService, (String) null);
3         this.eventObj = source;
4     }

 

8.dependencies.dependency.version

 

 1 [INFO] Scanning for projects...
 2 [ERROR] [ERROR] Some problems were encountered while processing the POMs:
 3 [ERROR] 'dependencies.dependency.version' for org.springframework.cloud:spring-cloud-starter-netflix-hystrix:jar is missing. @ line 51, column 21
 4  @ 
 5 [ERROR] The build could not read 1 project -> [Help 1]

 注明依赖包的版本号:

1         <dependency>
2             <groupId>org.springframework.cloud</groupId>
3             <artifactId>spring-cloud-starter-netflix-hystrix</artifactId>
4             <version>2.2.10.RELEASE</version>
5             <scope>compile</scope>
6         </dependency>

 

9.解决其他一些依赖包的引用与版本冲突问题,在此就不一一列举

Cannot resolve io.github.openfeign:feign-hystrix:11.8

Cannot resolve org.springframework.boot:spring-boot-configuration-processor:2.6.5

Cannot resolve org.springframework.cloud:spring-cloud-starter-openfeign:3.1.1

Cannot resolve io.netty:netty-all:4.1.75.Final

Cannot resolve org.codehaus.groovy:groovy:3.0.10

 

10.项目编译通过,检查框架是否升级成功,并且不存在其他版本冲突

(1)如图:Spring Framework == 5.3.18

 

 

 

(2)如图:Spring Boot== 2.6.5

 

 

 注:看到以上2个图中的版本与预期一致,说明框架升级编译已没问题,后续再对业务代码进行调试、试运行。

 项目框架升级:Spring Boot 升级到2.6.5, Spring Framework升级到5.3.18 【续】 - 圆觉悟禅道 - 博客园 (cnblogs.com)

 


 

posted @ 2022-04-03 21:43  圆觉悟禅道  阅读(9522)  评论(0编辑  收藏  举报