Protei/PromucFlow_constructor
2
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity
de2bcae0d5
PromucFlow_constructor/app/server/pom.xml
subratadeypappu 5faaff38ba
fix: CVE-2024-38821 (#41188) 
## Description
CVE-2024-38821 is an authorization-bypass affecting Spring WebFlux apps
that apply non-permitAll rules to static resources. The fix for
CVE-2024-38821 is in Spring Security 6.3.4+.
[Ref](https://spring.io/security/cve-2024-38821)

Mitigation Strategy:
We are upgrading Spring Boot to 3.3.13 which officially manages Spring
Security versions. Spring Security 6.3.10 is well beyond the minimum
required 6.3.4+


### Verification

Verification Results:
1. Spring Security Version Check:  SECURE
Current Version: Spring Security 6.3.10
Vulnerable Range: 6.3.0-6.3.3
Status:  NOT VULNERABLE - Version 6.3.10 is well beyond the vulnerable
range
2. All Spring Security Components Verified:  SECURE
 spring-security-web: 6.3.10
 spring-security-oauth2-client: 6.3.10
 spring-security-oauth2-core: 6.3.10
 spring-security-oauth2-jose: 6.3.10
 spring-security-config: 6.3.10
 spring-security-crypto: 6.3.10
 spring-security-test: 6.3.10
3. No Vulnerable Versions Detected:  CLEAN
 No Spring Security 6.3.0-6.3.3 versions found
 No vulnerable Spring Security components detected

Fixes #`Issue Number`  
_or_  
Fixes `Issue URL`
> [!WARNING]  
> _If no issue exists, please create an issue first, and check with the
maintainers if the issue is valid._

## Automation

/ok-to-test tags="@tag.Sanity"

### 🔍 Cypress test results
<!-- This is an auto-generated comment: Cypress test results  -->
> [!TIP]
> 🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
> Workflow run:
<https://github.com/appsmithorg/appsmith/actions/runs/17201170729>
> Commit: d588e5da0afe52b94730871b77ada4ab9b92c20e
> <a
href="https://internal.appsmith.com/app/cypress-dashboard/rundetails-65890b3c81d7400d08fa9ee5?branch=master&workflowId=17201170729&attempt=1"
target="_blank">Cypress dashboard</a>.
> Tags: `@tag.Sanity`
> Spec:
> <hr>Mon, 25 Aug 2025 07:17:32 UTC
<!-- end of auto-generated comment: Cypress test results  -->


## Communication
Should the DevRel and Marketing teams inform users about this change?
- [ ] Yes
- [ ] No


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Chores**
* Upgraded Spring Boot parent to 3.3.13 to improve stability,
compatibility, and maintenance.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
2025-08-25 18:04:59 +06:00

262 lines
11 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>3.3.13</version>
<relativePath/>
<!-- lookup parent from repository -->
</parent>
<groupId>com.appsmith</groupId>
<artifactId>integrated</artifactId>
<version>1.0-SNAPSHOT</version>
<packaging>pom</packaging>
<name>Integrated Appsmith</name>
<modules>
<module>reactive-caching</module>
<module>appsmith-interfaces</module>
<module>appsmith-plugins</module>
<module>appsmith-server</module>
<module>appsmith-git</module>
</modules>
<properties>
<deploy.disabled>true</deploy.disabled>
<jackson-bom.version>2.17.0</jackson-bom.version>
<jackson.version>2.17.0</jackson.version>
<java.version>17</java.version>
<javadoc.disabled>true</javadoc.disabled>
<maven.compiler.source>${java.version}</maven.compiler.source>
<maven.compiler.target>${java.version}</maven.compiler.target>
<mockito.version>4.4.0</mockito.version>
<mockwebserver.version>5.0.0-alpha.2</mockwebserver.version>
<okhttp3.version>4.10.0</okhttp3.version>
<org.pf4j.version>3.10.0</org.pf4j.version>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<project.groupId>com.appsmith</project.groupId>
<project.version>1.0-SNAPSHOT</project.version>
<reactor-test.version>3.5.1</reactor-test.version>
<!-- By default skip the dockerization step. Only activate if necessary -->
<skipDockerBuild>true</skipDockerBuild>
<skipITs>${skipTests}</skipITs>
<skipTests>false</skipTests>
<skipUTs>${skipTests}</skipUTs>
<!-- We're forcing this version temporarily to fix CVE-2022-1471-->
<snakeyaml.version>2.0</snakeyaml.version>
<source.disabled>true</source.disabled>
<spotless.version>2.36.0</spotless.version>
<testcontainers.version>1.20.1</testcontainers.version>
</properties>
<build>
<resources>
<resource>
<filtering>false</filtering>
<directory>src/main/java</directory>
<excludes>
<exclude>**/*.java</exclude>
</excludes>
</resource>
<resource>
<directory>src/main/resources</directory>
</resource>
</resources>
<plugins>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>license-maven-plugin</artifactId>
<version>2.0.0</version>
</plugin>
<plugin>
<artifactId>maven-dependency-plugin</artifactId>
<version>3.4.0</version>
</plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>build-helper-maven-plugin</artifactId>
<version>3.3.0</version>
<executions>
<execution>
<id>add-test-source</id>
<goals>
<goal>add-test-source</goal>
</goals>
<phase>generate-test-sources</phase>
<configuration>
<sources>
<source>src/test/java</source>
<!-- Default test directory -->
<source>src/test/it</source>
<!-- Additional test directory -->
<source>src/test/utils</source>
<!-- Another additional directory -->
</sources>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>3.0.0-M5</version>
<configuration>
<printSummary>true</printSummary>
<!-- Allow JUnit to access the test classes -->
<argLine>--add-opens java.base/java.lang=ALL-UNNAMED
--add-opens java.base/java.time=ALL-UNNAMED
--add-opens java.base/java.util=ALL-UNNAMED</argLine>
<testSourceDirectory>src/test/java</testSourceDirectory>
<skipTests>${skipUTs}</skipTests>
</configuration>
<dependencies>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-engine</artifactId>
<version>5.6.2</version>
<exclusions>
<exclusion>
<groupId>org.junit.platform</groupId>
<artifactId>junit-platform-commons</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
<version>3.0.0-M5</version>
<configuration>
<printSummary>true</printSummary>
<!-- Allow JUnit to access the test classes -->
<argLine>-ea
--add-opens java.base/java.lang=ALL-UNNAMED
--add-opens java.base/java.time=ALL-UNNAMED
--add-opens java.base/java.util=ALL-UNNAMED</argLine>
<systemPropertyVariables>
<pf4j.pluginsDir>../dist/plugins</pf4j.pluginsDir>
<!-- Specify plugin directory -->
</systemPropertyVariables>
<testSourceDirectory>src/test/it</testSourceDirectory>
<skipITs>${skipITs}</skipITs>
<!-- Property for skipping integration tests -->
</configuration>
<dependencies>
<dependency>
<groupId>org.junit.jupiter</groupId>
<artifactId>junit-jupiter-engine</artifactId>
<version>5.6.2</version>
<exclusions>
<exclusion>
<groupId>org.junit.platform</groupId>
<artifactId>junit-platform-commons</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-enforcer-plugin</artifactId>
<version>3.1.0</version>
<executions>
<execution>
<id>default-cli</id>
<goals>
<goal>enforce</goal>
</goals>
<configuration>
<rules>
<bannedDependencies>
<excludes>
<exclude>junit:junit</exclude>
</excludes>
</bannedDependencies>
</rules>
<fail>true</fail>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<groupId>com.diffplug.spotless</groupId>
<artifactId>spotless-maven-plugin</artifactId>
<version>${spotless.version}</version>
<configuration>
<formats>
<!-- you can define as many formats as you want, each is independent -->
<format>
<!-- define the files to apply to -->
<includes>
<include>*.md</include>
<include>.gitignore</include>
<include>**/*.sql</include>
</includes>
<!-- define the steps to apply to those files -->
<trimTrailingWhitespace/>
<endWithNewline/>
<indent>
<tabs>true</tabs>
<spacesPerTab>2</spacesPerTab>
</indent>
</format>
</formats>
<!-- define a language-specific format -->
<java>
<!-- Cleanthat will refactor your code, but it may break your style: apply it before your formatter -->
<cleanthat/>
<!-- apply a specific flavor of google-java-format and reflow long strings -->
<palantirJavaFormat/>
<importOrder>
<order>,javax|java,\#</order>
</importOrder>
<removeUnusedImports/>
<formatAnnotations/>
</java>
<json>
<excludes>
<exclude>**/target/**/*.json</exclude>
</excludes>
<includes>
<include>**/*.json</include>
</includes>
<prettier>
<config>
<tabWidth>2</tabWidth>
</config>
</prettier>
</json>
<pom>
<includes>
<include>pom.xml</include>
</includes>
<sortPom>
<encoding>UTF-8</encoding>
<keepBlankLines>true</keepBlankLines>
<nrOfIndentSpace>4</nrOfIndentSpace>
<indentBlankLines>false</indentBlankLines>
<indentSchemaLocation>true</indentSchemaLocation>
<expandEmptyElements>false</expandEmptyElements>
<sortProperties>true</sortProperties>
</sortPom>
</pom>
</configuration>
<executions>
<execution>
<goals>
<goal>apply</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>
Reference in New Issue View Git Blame Copy Permalink