exceptionfactory opened a new pull request #5066: URL: https://github.com/apache/nifi/pull/5066
#### Description of PR NIFI-8502 Upgrades Spring Framework and Spring Security dependencies across framework and extension components from version 4 to version 5. Spring Framework 4 is no longer supported as of December 2020. Spring Security version 4, as well as 5.4.3 and below, are vulnerable to [CVE-2021-22112](https://tanzu.vmware.com/security/cve-2021-22112). Although NiFi does not use HttpSession and does not perform multiple modifications to the Spring Security Context, Spring Security should be upgraded to the current version. Upgrading to Spring Framework 5 required a small refactor to the framework `ApplicationStartupContextListener` to avoid calling `ApplicationContext.getBean()` for objects that can be null when running in a standalone configuration. Spring Framework 5 does not return `null` for `getBean()` and instead returns a `NullBean`, which did not meet the expectations of the listener. Refactoring the `ThreadPoolRequestReplicatorFactoryBean` to implement `DisposableBean` allowed the Factory Bean to handle its own lifecycle, and removing the expected class parameter for `loginIdentityProvider` and `authorizer` also avoided unnecessary exceptions. Other framework and extension updates include the following: - Upgraded Spring Framework references from version 4.3.30 to 5.3.6 - Upgraded Spring Security from version 4.2.20 to 5.4.6 - Upgraded Spring Data Redis from 2.1.16 to 2.5.0 - Upgraded Jedis from 2.9.0 to 3.6.0 to match Spring Data Redis 2.5.0 - Upgraded Easy Rules from 3.4.0 to 4.1.0 to support Spring 5 - Upgraded Hortonworks Schema Registry Client from 0.8.1 to 0.9.1 to support Spring 5 - Included spring-security-crypto dependency with references to spring-security-kerberos-core to maintain capability with Spring Security 5 In order to streamline the review of the contribution we ask you to ensure the following steps have been taken: ### For all changes: - [X] Is there a JIRA ticket associated with this PR? Is it referenced in the commit message? - [X] Does your PR title start with **NIFI-XXXX** where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character. - [X] Has your PR been rebased against the latest commit within the target branch (typically `main`)? - [X] Is your initial contribution a single, squashed commit? _Additional commits in response to PR reviewer feedback should be made on this branch and pushed to allow change tracking. Do not `squash` or use `--force` when pushing to allow for clean monitoring of changes._ ### For code changes: - [X] Have you ensured that the full suite of tests is executed via `mvn -Pcontrib-check clean install` at the root `nifi` folder? - [X] Have you written or updated unit tests to verify your changes? - [X] Have you verified that the full build is successful on JDK 8? - [ ] Have you verified that the full build is successful on JDK 11? - [X] If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under [ASF 2.0](http://www.apache.org/legal/resolved.html#category-a)? - [X] If applicable, have you updated the `LICENSE` file, including the main `LICENSE` file under `nifi-assembly`? - [X] If applicable, have you updated the `NOTICE` file, including the main `NOTICE` file found under `nifi-assembly`? - [ ] If adding new Properties, have you added `.displayName` in addition to .name (programmatic access) for each of the new properties? ### For documentation related changes: - [X] Have you ensured that format looks appropriate for the output in which it is rendered? ### Note: Please ensure that once the PR is submitted, you check GitHub Actions CI for build issues and submit an update to your PR as soon as possible. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
