Project framework upgrade: Spring Boot to 2.6.5, Spring Framework to 5.3.18
We received a security vulnerability scan notice: Spring Boot integration environment information disclosure vulnerability [POC]
Remediation advice: Spring has already published fixed versions; users should update to the latest version promptly.
https://github.com/spring-projects/spring-framework/tags
Safe versions:
Spring Framework == 5.3.18
Spring Framework == 5.2.20
I checked the project's current framework versions:
```xml
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.3.9.RELEASE</version>
</parent>

<properties>
    <spring-framework.version>5.2.13.RELEASE</spring-framework.version>
    ......
</properties>
```
A direct hit: it has to be remediated.
I. Upgrade the framework dependencies
Security comes first, so upgrade the framework before anything else. (Which exact version to upgrade to: follow the security vendor's requirement.)
```xml
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.5</version>
</parent>

<properties>
    <spring-framework.version>5.3.18</spring-framework.version>
    <spring-boot.version>2.6.5</spring-boot.version>
    <spring-data.version>2.6.3</spring-data.version>
    ......
</properties>
```
JDK: corretto-1.8.0_322
With the framework dependencies upgraded, start compiling and debugging. This is where the compatibility problems caused by the upgrade surface, and it is usually the most maddening part.
II. Debugging compatibility problems in the base framework
Errors kept appearing one after another. For each one I searched for similar cases online, then analysed, filtered and tried the candidates; the fixes that worked are recorded below.
1. RedisCacheWriter error
First add the three methods that the upgraded interface introduced; debug further if problems show up later.
```java
// Imports needed for the three new methods
import org.springframework.data.redis.cache.CacheStatistics;
import org.springframework.data.redis.cache.CacheStatisticsCollector;
import org.springframework.data.redis.cache.RedisCacheWriter;

// Statistics methods that the upgraded RedisCacheWriter interface requires.
// Stopgap: the writer keeps its own collector (see the field below) and ignores
// the collector passed to withStatisticsCollector.
@Override
public void clearStatistics(String name) {
    statistics.reset(name);
}

@Override
public RedisCacheWriter withStatisticsCollector(CacheStatisticsCollector cacheStatisticsCollector) {
    return this;
}

@Override
public CacheStatistics getCacheStatistics(String cacheName) {
    return statistics.getCacheStatistics(cacheName);
}
```
At the top of the class, add the field that backs those methods:
```java
// Collector used by clearStatistics / getCacheStatistics above
private final CacheStatisticsCollector statistics = CacheStatisticsCollector.create();
```
2. RedisUtil error
(1) Replace the method that no longer compiles
```java
// Imports needed
import java.nio.charset.StandardCharsets;
import java.util.HashSet;
import java.util.Set;
import org.springframework.data.redis.core.Cursor;
import org.springframework.data.redis.core.RedisCallback;
import org.springframework.data.redis.core.ScanOptions;

// Lists keys with the given prefix using SCAN (incremental, does not block the
// server the way KEYS does) in place of the call that broke after the upgrade.
private Set<String> keys(String keyPrefix) {
    String realKey = keyPrefix + "*";

    try {
        return redisTemplate.execute((RedisCallback<Set<String>>) connection -> {
            Set<String> binaryKeys = new HashSet<>();
            // count() is only a hint for how many keys each SCAN round should return
            Cursor<byte[]> cursor = connection.scan(
                    ScanOptions.scanOptions().match(realKey).count(Integer.MAX_VALUE).build());
            try {
                while (cursor.hasNext()) {
                    binaryKeys.add(new String(cursor.next(), StandardCharsets.UTF_8));
                }
            } finally {
                // close the cursor so the underlying connection is released
                try { cursor.close(); } catch (Exception ignored) { }
            }
            return binaryKeys;
        });
    } catch (Throwable e) {
        e.printStackTrace();
    }

    return null;
}
```
(2) Add a cast to the statement that fails to compile
```java
// Imports needed
import java.util.Collection;
import org.springframework.util.CollectionUtils;

@SuppressWarnings("unchecked")
public void del(String... key) {
    if (key != null && key.length > 0) {
        if (key.length == 1) {
            redisTemplate.delete(key[0]);
        } else {
            // delete(Collection<K>) is the multi-key overload; arrayToList returns a raw List,
            // hence the cast and the unchecked-warning suppression
            redisTemplate.delete((Collection<String>) CollectionUtils.arrayToList(key));
        }
    }
}
```
3. Cannot access okhttp3.HttpUrl
```java
import io.minio.MinioClient;

// Lazily built singleton client (the field is assumed to be declared like this)
private static MinioClient minioClient;

private static MinioClient initMinio(String minioUrl, String minioName, String minioPass) {
    if (minioClient == null) {
        try {
            // minio 8.x builder API; it needs a compatible okhttp on the classpath
            minioClient = MinioClient.builder()
                    .endpoint(minioUrl)
                    .credentials(minioName, minioPass)
                    .build();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
    return minioClient;
}
```
Cause: conflicting versions of dependency packages in the project. Pin both minio and okhttp in pom.xml:
```xml
<properties>
    <minio.version>8.3.7</minio.version>
    <okhttp.version>4.8.1</okhttp.version>
</properties>

<dependencies>
    ......
    <dependency>
        <groupId>io.minio</groupId>
        <artifactId>minio</artifactId>
        <version>${minio.version}</version>
        <scope>compile</scope>
    </dependency>

    <dependency>
        <groupId>com.squareup.okhttp3</groupId>
        <artifactId>okhttp</artifactId>
        <version>${okhttp.version}</version>
        <scope>compile</scope>
    </dependency>
    ......
</dependencies>
```
4. Package feign.hystrix does not exist
Add the dependency:
```xml
<dependencies>
    <!-- feign -->
    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-openfeign</artifactId>
    </dependency>
    ......
    <dependency>
        <groupId>io.github.openfeign</groupId>
        <artifactId>feign-hystrix</artifactId>
    </dependency>
</dependencies>
```
5. Package org.springframework.cloud.netflix.ribbon does not exist
```xml
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-openfeign-core</artifactId>
    <version>3.1.1</version>
    <scope>compile</scope>
</dependency>
```
Then check the project for dependency version conflicts.
6. Package org.junit does not exist
```xml
<dependency>
    <groupId>junit</groupId>
    <artifactId>junit</artifactId>
    <version>4.13.2</version>
    <scope>test</scope>
</dependency>
```
7. Reference to RemoteApplicationEvent is ambiguous
```java
// The upgraded RemoteApplicationEvent has more than one three-argument constructor
// (a String destination and a Destination object), so a bare null third argument is
// ambiguous; casting it to String selects the overload this code used before.
public JeecgRemoteApplicationEvent(EventObj source, String originService) {
    super(source, originService, (String) null);
    this.eventObj = source;
}
```
8. dependencies.dependency.version
```text
[INFO] Scanning for projects...
[ERROR] [ERROR] Some problems were encountered while processing the POMs:
[ERROR] 'dependencies.dependency.version' for org.springframework.cloud:spring-cloud-starter-netflix-hystrix:jar is missing. @ line 51, column 21
 @
[ERROR] The build could not read 1 project -> [Help 1]
```
The version of this artifact is no longer managed for us, so declare it explicitly:
```xml
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-netflix-hystrix</artifactId>
    <version>2.2.10.RELEASE</version>
    <scope>compile</scope>
</dependency>
```
9. Other dependency reference and version conflicts were resolved as well; they are not all listed here. Errors seen included:
```text
Cannot resolve io.github.openfeign:feign-hystrix:11.8
Cannot resolve org.springframework.boot:spring-boot-configuration-processor:2.6.5
Cannot resolve org.springframework.cloud:spring-cloud-starter-openfeign:3.1.1
Cannot resolve io.netty:netty-all:4.1.75.Final
Cannot resolve org.codehaus.groovy:groovy:3.0.10
```
10. The project compiles. Check that the framework upgrade actually took effect and that no other version conflicts remain
(1) Screenshot (not reproduced here): Spring Framework == 5.3.18
(2) Screenshot (not reproduced here): Spring Boot == 2.6.5
Note: the versions in both screenshots match expectations, which means the upgraded framework builds cleanly. The next step is to debug and trial-run the business code.
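A screenshot of the IDE is hard to re-check later, and the `<properties>` block only states what we asked for, not what Maven resolved. The script below is an added example (not code from the original post or the project it describes): it parses the text of `mvn dependency:list` and of a verbose `mvn dependency:tree`, confirms that the resolved spring-core is at one of the fixed versions the notice listed (5.3.x at or above 5.3.18, 5.2.x at or above 5.2.20), and reports artifacts that resolve to more than one version, the kind of conflict behind the okhttp3.HttpUrl error in section 3 and the "check for version conflicts" step in sections 5 and 9. Both sample outputs are constructed for this example; the artifact `org.example:legacy-client` in the tree sample is invented.

```shell
#!/bin/sh
# Verify the versions Maven actually resolved, not just the <properties> we edited.
# Input is the text of `mvn dependency:list` (or `mvn dependency:tree -Dverbose`);
# the samples below are constructed for this example so it runs offline.

# Constructed sample of `mvn dependency:list` output (not the post's real project).
SAMPLE_DEP_LIST='[INFO]    org.springframework:spring-core:jar:5.3.18:compile
[INFO]    org.springframework:spring-web:jar:5.3.18:compile
[INFO]    org.springframework.boot:spring-boot:jar:2.6.5:compile
[INFO]    org.springframework.data:spring-data-redis:jar:2.6.3:compile'

# Constructed sample of a verbose `mvn dependency:tree`, with a conflict on okhttp
# like the one behind the okhttp3.HttpUrl error (org.example:legacy-client is invented).
SAMPLE_DEP_TREE='[INFO] +- io.minio:minio:jar:8.3.7:compile
[INFO] |  \- com.squareup.okhttp3:okhttp:jar:4.8.1:compile
[INFO] \- org.example:legacy-client:jar:1.0.0:compile
[INFO]    \- (com.squareup.okhttp3:okhttp:jar:3.14.9:compile - omitted for conflict with 4.8.1)'

# numeric_version "5.2.13.RELEASE" -> "5 2 13" (drops the .RELEASE suffix)
numeric_version() {
    printf '%s\n' "$1" | sed 's/\.RELEASE$//' | awk -F. '{ printf "%d %d %d", $1, $2, $3 }'
}

# version_ge A B: succeeds when major.minor.patch of A >= B
version_ge() {
    set -- $(numeric_version "$1") $(numeric_version "$2")
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# resolved_version TEXT groupId artifactId: prints the first resolved version found
resolved_version() {
    printf '%s\n' "$1" | grep -o "$2:$3:jar:[^:]*" | head -n 1 | awk -F: '{ print $4 }'
}

# spring_framework_patched TEXT: succeeds only if spring-core is at a fixed version
# on its branch (5.3.x >= 5.3.18 or 5.2.x >= 5.2.20, the versions the notice listed).
spring_framework_patched() {
    v=$(resolved_version "$1" org.springframework spring-core)
    [ -n "$v" ] || return 2            # no spring-core resolved at all
    case "$v" in
        5.3.*) version_ge "$v" 5.3.18 ;;
        5.2.*) version_ge "$v" 5.2.20 ;;
        *)     return 1 ;;             # any other branch is not on the fixed list: fail
    esac
}

# conflicting_artifacts TREE: prints each group:artifact that appears with more than
# one version in a verbose dependency tree (one per line, sorted)
conflicting_artifacts() {
    printf '%s\n' "$1" \
        | grep -o '[A-Za-z0-9_.-]*:[A-Za-z0-9_.-]*:jar:[^: )]*' \
        | awk -F: '{ key = $1 ":" $2; ver = $4
                     if (!((key, ver) in seen)) { seen[key, ver] = 1; n[key]++ } }
                   END { for (k in n) if (n[k] > 1) print k }' \
        | sort
}

# Stand-alone run against the constructed samples. For a real build, feed in the output of
#   mvn dependency:list -DincludeGroupIds=org.springframework,org.springframework.boot
#   mvn dependency:tree -Dverbose
echo "spring-core: $(resolved_version "$SAMPLE_DEP_LIST" org.springframework spring-core)"
echo "spring-boot: $(resolved_version "$SAMPLE_DEP_LIST" org.springframework.boot spring-boot)"
if spring_framework_patched "$SAMPLE_DEP_LIST"; then
    echo "Spring Framework is at a fixed version"
else
    echo "Spring Framework is NOT at a fixed version"
fi
echo "artifacts resolved with more than one version:"
conflicting_artifacts "$SAMPLE_DEP_TREE"
```

The scanner looks at what is shipped, so after the build also list the packaged artifact (`unzip -l target/<app>.jar | grep BOOT-INF/lib/spring-core-`) and confirm the same version appears there; a version managed in a parent or imported BOM can differ from the one written in `<properties>`.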
Continued in: Project framework upgrade: Spring Boot to 2.6.5, Spring Framework to 5.3.18 [continued] - 圆觉悟禅道 - 博客园 (cnblogs.com)