This is an automated email from the ASF dual-hosted git repository.
lprimak pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/shiro.git
The following commit(s) were added to refs/heads/main by this push:
new 6e2d10921 chore: fix vulnerabilities in tests reported by OpenSSF tool
(#2411)
6e2d10921 is described below
commit 6e2d10921d7d0584ba4c8b6bd728e7405273eece
Author: Lenny Primak <[email protected]>
AuthorDate: Fri Dec 5 01:03:36 2025 -0600
chore: fix vulnerabilities in tests reported by OpenSSF tool (#2411)
* chore: fix vulnerabilities in tests reported by OpenSSF tool
* fix: excluded old spring logging
* fix: exclude old logging from spring web starter
* fix: SpringBoot and samples use log4j2
---
integration-tests/meecrowave-support/pom.xml | 27 +++++++++++++++
pom.xml | 10 ++++++
samples/spring-boot-3-web/pom.xml | 30 +++++++++++++++++
.../src/main/resources/log4j2.properties | 28 ++++++++++++++++
samples/spring-boot-web/pom.xml | 16 +++++++++
samples/web-jakarta/pom.xml | 39 +++++++++++++++++++++-
support/spring-boot/spring-boot-starter/pom.xml | 30 +++++++++++++++++
.../spring-boot/spring-boot-web-starter/pom.xml | 37 ++++++++++++++++++++
8 files changed, 216 insertions(+), 1 deletion(-)
diff --git a/integration-tests/meecrowave-support/pom.xml
b/integration-tests/meecrowave-support/pom.xml
index f6f33ce0e..323b4f15d 100644
--- a/integration-tests/meecrowave-support/pom.xml
+++ b/integration-tests/meecrowave-support/pom.xml
@@ -73,4 +73,31 @@
</dependency>
</dependencies>
+ <dependencyManagement>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-bom</artifactId>
+ <version>3.6.7</version>
+ <scope>import</scope>
+ <type>pom</type>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.johnzon</groupId>
+ <artifactId>johnzon-jsonb</artifactId>
+ <version>1.2.21</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat</groupId>
+ <artifactId>tomcat-jaspic-api</artifactId>
+ <version>9.0.112</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat</groupId>
+ <artifactId>tomcat-catalina</artifactId>
+ <version>9.0.112</version>
+ </dependency>
+ </dependencies>
+ </dependencyManagement>
+
</project>
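Review bot: The version pins added in this dependencyManagement block (cxf-bom 3.6.7, johnzon-jsonb 1.2.21, tomcat-jaspic-api and tomcat-catalina 9.0.112) are repeated as literals in samples/web-jakarta/pom.xml, and the 9.0.112 tomcat-embed pins recur in samples/spring-boot-web and both spring-boot starters, so the next vulnerability bump has to be found and edited in five places. Managing these once in the root pom (or at least through a shared property) would keep them in step; note that a parent's dependencyManagement entries take precedence over a child's imported BOM, so centralizing should still override what meecrowave and Spring Boot bring in. Whatever the placement, the override carries no explanation and looks like dead weight to a later maintainer, e.g. `<!-- overrides transitive versions pulled in by meecrowave; raised for vulnerabilities reported by the OpenSSF scan, keep in sync with samples/web-jakarta/pom.xml -->`.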
diff --git a/pom.xml b/pom.xml
index d0b7f6884..03645a930 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1213,6 +1213,16 @@
</exclusion>
</exclusions>
</dependency>
+ <dependency>
+ <groupId>ch.qos.logback</groupId>
+ <artifactId>logback-core</artifactId>
+ <version>1.5.21</version>
+ </dependency>
+ <dependency>
+ <groupId>ch.qos.logback</groupId>
+ <artifactId>logback-classic</artifactId>
+ <version>1.5.21</version>
+ </dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
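Review bot: The two logback pins are added without a comment saying why, which matters because the rest of this commit moves the starters and samples off logback to log4j2, so a reader will reasonably wonder whether the pin is still needed or can be dropped. A one-line note above the first entry would settle it, e.g. `<!-- logback is still reachable transitively in some modules; pinned to 1.5.21 for vulnerabilities reported by the OpenSSF scan -->`. The enclosing dependencyManagement (presumably, given the line number) starts outside the hunk.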
diff --git a/samples/spring-boot-3-web/pom.xml
b/samples/spring-boot-3-web/pom.xml
index c6f4acd7e..6c40eb39d 100644
--- a/samples/spring-boot-3-web/pom.xml
+++ b/samples/spring-boot-3-web/pom.xml
@@ -67,6 +67,21 @@
<artifactId>shiro-spring</artifactId>
<classifier>jakarta</classifier>
</dependency>
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-slf4j2-impl</artifactId>
+ <scope>runtime</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-api</artifactId>
+ <scope>runtime</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-core</artifactId>
+ <scope>runtime</scope>
+ </dependency>
<!-- Spring Boot -->
<dependency>
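Review bot: The three log4j2 runtime dependencies are added here, but the `<!-- Spring Boot -->` dependency that follows (its body is outside the hunk) is not visibly given the `spring-boot-starter-logging` exclusion that the starters in this same commit receive, so if it is a plain Spring Boot starter both logback-classic and log4j-slf4j2-impl end up on the runtime classpath and SLF4J will warn and pick one of them, possibly ignoring the new log4j2.properties. Either add the exclusion on that dependency or replace these three entries with `spring-boot-starter-log4j2`, which the starter modules already use. The second hunk in this file pins tomcat-embed 10.1.49, while every other module pins 9.0.112; a short comment naming why this sample is on the 10.1 line would help.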
@@ -117,6 +132,21 @@
<scope>import</scope>
<type>pom</type>
</dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-core</artifactId>
+ <version>10.1.49</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-el</artifactId>
+ <version>10.1.49</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-websocket</artifactId>
+ <version>10.1.49</version>
+ </dependency>
</dependencies>
</dependencyManagement>
diff --git a/samples/spring-boot-3-web/src/main/resources/log4j2.properties
b/samples/spring-boot-3-web/src/main/resources/log4j2.properties
new file mode 100644
index 000000000..9ff7959ac
--- /dev/null
+++ b/samples/spring-boot-3-web/src/main/resources/log4j2.properties
@@ -0,0 +1,28 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+# Root logger configuration
+rootLogger.level = info
+rootLogger.appenderRef.stdout.ref = STDOUT
+
+# Console appender configuration
+appender.stdout.type = Console
+appender.stdout.name = STDOUT
+appender.stdout.layout.type = PatternLayout
+# Use %highlight to add color to the log level and %cyan for the logger name
+appender.stdout.layout.pattern = %d{yyyy-MM-dd HH:mm:ss.SSS} [%t]
%highlight{%-5level} %cyan{%c{1.}} - %msg%n
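Review bot: The pattern emits ANSI colour escapes via `%highlight` and `%cyan` unconditionally, so when the sample's output is redirected to a file or a log collector the escape sequences are written as raw bytes. Adding `appender.stdout.layout.noConsoleNoAnsi = true` next to the layout keeps the colours on an interactive console and drops them otherwise. The pattern line appears wrapped in this rendering of the patch; it should be a single line in the file.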
diff --git a/samples/spring-boot-web/pom.xml b/samples/spring-boot-web/pom.xml
index f55307983..6a7e53f20 100644
--- a/samples/spring-boot-web/pom.xml
+++ b/samples/spring-boot-web/pom.xml
@@ -97,6 +97,22 @@
</exclusion>
</exclusions>
</dependency>
+
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-core</artifactId>
+ <version>9.0.112</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-el</artifactId>
+ <version>9.0.112</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-websocket</artifactId>
+ <version>9.0.112</version>
+ </dependency>
</dependencies>
</dependencyManagement>
diff --git a/samples/web-jakarta/pom.xml b/samples/web-jakarta/pom.xml
index 1aa6857a6..adab15570 100644
--- a/samples/web-jakarta/pom.xml
+++ b/samples/web-jakarta/pom.xml
@@ -33,7 +33,7 @@
<properties>
<meecrowave.version>1.2.15</meecrowave.version>
- <tomcat.version>10.1.30</tomcat.version>
+ <tomcat.version>10.1.49</tomcat.version>
<jacoco.skip>true</jacoco.skip>
</properties>
@@ -46,6 +46,43 @@
<scope>import</scope>
<type>pom</type>
</dependency>
+ <dependency>
+ <groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-bom</artifactId>
+ <version>3.6.7</version>
+ <scope>import</scope>
+ <type>pom</type>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.johnzon</groupId>
+ <artifactId>johnzon-jsonb</artifactId>
+ <version>1.2.21</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-core</artifactId>
+ <version>9.0.112</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-el</artifactId>
+ <version>9.0.112</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat</groupId>
+ <artifactId>tomcat-jaspic-api</artifactId>
+ <version>9.0.112</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-websocket</artifactId>
+ <version>9.0.112</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat</groupId>
+ <artifactId>tomcat-catalina</artifactId>
+ <version>9.0.112</version>
+ </dependency>
</dependencies>
</dependencyManagement>
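Review bot: The first hunk in this file raises `tomcat.version` to 10.1.49, while this hunk pins tomcat-embed-core, tomcat-embed-el, tomcat-embed-websocket, tomcat-jaspic-api and tomcat-catalina to the literal 9.0.112, so the module now carries two different Tomcat major lines with nothing saying which consumer gets which. If both are intended (meecrowave on the 9.0 line, something else reading the property), a comment on the dependencyManagement block should say so; if not, the literals should read `${tomcat.version}` or a second, named property so the two cannot drift apart on the next bump. The cxf-bom and johnzon pins duplicate integration-tests/meecrowave-support/pom.xml.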
diff --git a/support/spring-boot/spring-boot-starter/pom.xml
b/support/spring-boot/spring-boot-starter/pom.xml
index f8fadeb2e..72dccb0b7 100644
--- a/support/spring-boot/spring-boot-starter/pom.xml
+++ b/support/spring-boot/spring-boot-starter/pom.xml
@@ -52,6 +52,16 @@
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<optional>true</optional>
+ <exclusions>
+ <exclusion>
+ <groupId>org.springframework.boot</groupId>
+ <artifactId>spring-boot-starter-logging</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework.boot</groupId>
+ <artifactId>spring-boot-starter-log4j2</artifactId>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
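Review bot: `spring-boot-starter-log4j2` is added as a non-optional compile dependency of a library starter, so every application using shiro-spring-boot-starter now receives log4j2 transitively, while the `spring-boot-starter-logging` exclusion only removes logback from Shiro's own declaration of spring-boot-starter-web, not from the application's own starters; the result in a consuming app is two SLF4J providers and a logging implementation chosen by Shiro rather than by the app. Since the commit message scopes this to tests, `<scope>test</scope>` (or at least `<optional>true</optional>`) on the new dependency would fix Shiro's build without changing what consumers get. The same applies to the matching addition in support/spring-boot/spring-boot-web-starter/pom.xml.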
@@ -94,6 +104,26 @@
</dependency>
</dependencies>
+ <dependencyManagement>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-core</artifactId>
+ <version>9.0.112</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-el</artifactId>
+ <version>9.0.112</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-websocket</artifactId>
+ <version>9.0.112</version>
+ </dependency>
+ </dependencies>
+ </dependencyManagement>
+
<build>
<plugins>
<plugin>
diff --git a/support/spring-boot/spring-boot-web-starter/pom.xml
b/support/spring-boot/spring-boot-web-starter/pom.xml
index 5045035ca..e93680866 100644
--- a/support/spring-boot/spring-boot-web-starter/pom.xml
+++ b/support/spring-boot/spring-boot-web-starter/pom.xml
@@ -57,13 +57,50 @@
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter</artifactId>
+ <exclusions>
+ <exclusion>
+ <groupId>org.springframework.boot</groupId>
+ <artifactId>spring-boot-starter-logging</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
+ <exclusions>
+ <exclusion>
+ <groupId>org.springframework.boot</groupId>
+ <artifactId>spring-boot-starter-logging</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework.boot</groupId>
+ <artifactId>spring-boot-starter-log4j2</artifactId>
</dependency>
</dependencies>
+
+ <dependencyManagement>
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-core</artifactId>
+ <version>9.0.112</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-el</artifactId>
+ <version>9.0.112</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.tomcat.embed</groupId>
+ <artifactId>tomcat-embed-websocket</artifactId>
+ <version>9.0.112</version>
+ </dependency>
+ </dependencies>
+ </dependencyManagement>
+
<build>
<plugins>
<plugin>
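Review bot: The dependencyManagement block added to this starter pom only governs Shiro's own build and tests; Maven does not apply a dependency's dependencyManagement to the projects that depend on it, so applications using shiro-spring-boot-web-starter still resolve tomcat-embed through their own Spring Boot BOM. That is consistent with the commit's stated scope, but a reader will otherwise assume the pin protects downstream users, so a comment such as `<!-- affects this module's build/tests only; consumers resolve tomcat-embed via their Spring Boot BOM -->` would prevent that misreading. The same block is added to support/spring-boot/spring-boot-starter/pom.xml.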