Project framework upgrade: Spring Boot to 2.6.5, Spring Framework to 5.3.18


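I received a notice from a security vulnerability scan: Spring Boot integrated environment information disclosure vulnerability [POC]

Remediation advice: Spring has officially released fixed versions; users should update to the latest version promptly.

https://github.com/spring-projects/spring-framework/tags
Safe versions: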
Spring Framework == 5.3.18
Spring Framework == 5.2.20

 

I checked the project's current framework version:

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.3.9.RELEASE</version>
    </parent>

    <properties>
        <spring-framework.version>5.2.13.RELEASE</spring-framework.version>
    ......
    </properties>

A definite hit; this has to be fixed.

 

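I. Upgrade the framework dependencies

Whatever else happens, security comes first, so upgrade the framework before anything else. (As for which specific version to upgrade to, it is advisable to follow the security vendor's requirements.)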

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>2.6.5</version>
    </parent>

    <properties>
        <spring-framework.version>5.3.18</spring-framework.version>
        <spring-boot.version>2.6.5</spring-boot.version>
        <spring-data.version>2.6.3</spring-data.version>
       ......
    </properties>

The JDK used is corretto-1.8.0_322

 

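Once the framework dependencies are upgraded, compiling and debugging begins, that is, dealing with the compatibility problems the upgrade brings. This is usually the most maddening part.

II. Debugging compatibility problems in the base framework

Errors of all kinds kept turning up. I searched online for similar cases, then analyzed, filtered and tried them, and recorded the fixes I collected.

1. RedisCacheWriter error

First add the three methods that the interface gained in the upgrade; debug later if problems come up.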

    @Override
    public void clearStatistics(String name) {
        statistics.reset(name);
    }

    // Placeholder implementation: the supplied collector is ignored and this writer is returned unchanged
    @Override
    public RedisCacheWriter withStatisticsCollector(CacheStatisticsCollector cacheStatisticsCollector) {
        return this;
    }

    @Override
    public CacheStatistics getCacheStatistics(String cacheName) {
        return statistics.getCacheStatistics(cacheName);
    }

At the top of the class, add this definition:

    private final CacheStatisticsCollector statistics = CacheStatisticsCollector.create();

 

2. RedisUtil error

(1) Replace the method that reports an error

    private Set<String> keys(String keyPrefix) {
        String realKey = keyPrefix + "*";

        try {
            return redisTemplate.execute((RedisCallback<Set<String>>) connection -> {
                Set<String> binaryKeys = new HashSet<>();

                // Walk the matching keys with SCAN and collect them as strings
                Cursor<byte[]> cursor = connection.scan(ScanOptions.scanOptions().match(realKey).count(Integer.MAX_VALUE).build());
                while (cursor.hasNext()) {
                    binaryKeys.add(new String(cursor.next()));
                }

                return binaryKeys;
            });
        } catch (Throwable e) {
            e.printStackTrace();
        }

        // Reached only when the scan failed; callers must handle null
        return null;
    }

(2) Add a type cast to the statement that reports an error

    @SuppressWarnings("unchecked")
    public void del(String... key) {
        if (key != null && key.length > 0) {
            if (key.length == 1) {
                redisTemplate.delete(key[0]);
            } else {
                redisTemplate.delete((Collection<String>) CollectionUtils.arrayToList(key));
            }
        }
    }

 

3. Cannot access okhttp3.HttpUrl

    private static MinioClient initMinio(String minioUrl, String minioName, String minioPass) {
        if (minioClient == null) {
            try {
                minioClient = MinioClient.builder()
                        .endpoint(minioUrl)
                        .credentials(minioName, minioPass)
                        .build();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        return minioClient;
    }

Cause: the dependency versions in the project conflict. Modify pom.xml:

    <properties>
        <minio.version>8.3.7</minio.version>
        <okhttp.version>4.8.1</okhttp.version>
    </properties>

    <dependencies>
    ......
        <dependency>
            <groupId>io.minio</groupId>
            <artifactId>minio</artifactId>
            <version>${minio.version}</version>
            <scope>compile</scope>
        </dependency>

        <dependency>
            <groupId>com.squareup.okhttp3</groupId>
            <artifactId>okhttp</artifactId>
            <version>${okhttp.version}</version>
            <scope>compile</scope>
        </dependency>
    ......
    </dependencies>

 

4. Package feign.hystrix does not exist

Add the dependency references:

    <dependencies>
        <!-- feign -->
        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-openfeign</artifactId>
        </dependency>
       ......
        <dependency>
            <groupId>io.github.openfeign</groupId>
            <artifactId>feign-hystrix</artifactId>
        </dependency>
    </dependencies>

 

5. Package org.springframework.cloud.netflix.ribbon does not exist

        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-openfeign-core</artifactId>
            <version>3.1.1</version>
            <scope>compile</scope>
        </dependency>

Check the project for dependency version conflicts.

6. Package org.junit does not exist

        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.13.2</version>
            <scope>test</scope>
        </dependency>

 

7. Reference to RemoteApplicationEvent is ambiguous

    public JeecgRemoteApplicationEvent(EventObj source, String originService) {
        // The (String) cast on null tells the compiler which overloaded constructor to use
        super(source, originService, (String) null);
        this.eventObj = source;
    }

 

8. dependencies.dependency.version

    [INFO] Scanning for projects...
    [ERROR] [ERROR] Some problems were encountered while processing the POMs:
    [ERROR] 'dependencies.dependency.version' for org.springframework.cloud:spring-cloud-starter-netflix-hystrix:jar is missing. @ line 51, column 21
     @ 
    [ERROR] The build could not read 1 project -> [Help 1]

State the dependency's version number explicitly:

        <dependency>
            <groupId>org.springframework.cloud</groupId>
            <artifactId>spring-cloud-starter-netflix-hystrix</artifactId>
            <version>2.2.10.RELEASE</version>
            <scope>compile</scope>
        </dependency>

 

9. Resolve the remaining dependency reference and version conflict problems; they are not all listed here

Cannot resolve io.github.openfeign:feign-hystrix:11.8

Cannot resolve org.springframework.boot:spring-boot-configuration-processor:2.6.5

Cannot resolve org.springframework.cloud:spring-cloud-starter-openfeign:3.1.1

Cannot resolve io.netty:netty-all:4.1.75.Final

Cannot resolve org.codehaus.groovy:groovy:3.0.10

 

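10. The project now compiles; check that the framework upgrade succeeded and that no other version conflicts exist

(1) As shown in the figure: Spring Framework == 5.3.18

(2) As shown in the figure: Spring Boot == 2.6.5

Note: the versions seen in the two figures above match what was expected, which shows that the upgraded framework compiles without problems. The next step is to debug and trial-run the business code.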
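A scripted form of the check in step 10, as an added example that is not part of the original post: it reads `mvn dependency:list` output and flags Spring Framework artifacts older than the safe versions quoted above, as well as mixed versions. The function name `audit_spring`, the sample lines, and the rule that later patch releases and newer lines are also safe are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit `mvn dependency:list` output.
# Safe versions are the ones the advisory on this page lists (5.3.18, 5.2.20).
# Assumption: later patch releases of those lines, and newer lines, are also safe.

audit_spring() {
    # Reads dependency:list lines on stdin; prints findings; returns 1 if any.
    awk '
    # Matches e.g. "[INFO]    org.springframework:spring-core:jar:5.3.18:compile"
    # (only the exact groupId org.springframework, not org.springframework.boot).
    match($0, /org\.springframework:[^: ]+:[^: ]+:[^: ]+:[^: ]+/) {
        split(substr($0, RSTART, RLENGTH), f, ":")
        artifact = f[2]; version = f[4]
        sub(/\.RELEASE$/, "", version)            # 5.2.13.RELEASE -> 5.2.13
        split(version, v, ".")
        major = v[1] + 0; minor = v[2] + 0; patch = v[3] + 0
        safe = 0
        if (major == 5 && minor == 3 && patch >= 18) safe = 1
        if (major == 5 && minor == 2 && patch >= 20) safe = 1
        if (major > 5 || (major == 5 && minor > 3)) safe = 1
        if (!safe) { printf "VULNERABLE %s %s\n", artifact, version; bad = 1 }
        if (!(version in seen)) { seen[version] = 1; distinct++ }
    }
    END {
        if (distinct > 1) { print "MIXED spring-framework versions"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: the pre-upgrade state described at the top of the post.
sample_before() {
    cat <<'EOF'
[INFO]    org.springframework.boot:spring-boot:jar:2.3.9.RELEASE:compile
[INFO]    org.springframework:spring-core:jar:5.2.13.RELEASE:compile
[INFO]    org.springframework:spring-webmvc:jar:5.2.13.RELEASE:compile
EOF
}

sample_before | audit_spring || echo "audit failed: fix the versions listed above"
```

On a real project, pipe the output of `mvn dependency:list` into `audit_spring` and use its exit status to fail the build.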

Project framework upgrade: Spring Boot to 2.6.5, Spring Framework to 5.3.18 [continued] - 圓覺悟禪道 - 博客園 (cnblogs.com)

 

 
        

 

