Skip to content
This repository has been archived by the owner on Dec 13, 2023. It is now read-only.

Resolve open vulnerabilities in Conductor #3884

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
98 changes: 49 additions & 49 deletions annotations-processor/dependencies.lock
Original file line number Diff line number Diff line change
@@ -1,42 +1,42 @@
{
"annotationProcessor": {
"org.springframework.boot:spring-boot-configuration-processor": {
"locked": "2.7.16"
"locked": "2.7.18"
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great job on these btw - but I have already been targetting these in #3855
As well as the entire upgrade to Spring 3.
We had to have a fork of Netflix Conductor - with Spring 3 ( literally the PR above - copy paste ) - and we are already using that in prod with no problem at all.
I think we should probably push for the change that will give us more bang for our buck, and will move Conductor further in the security space (as Spring 2 is EOL and new versions of libraries are no longer compatible with Spring 2)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! Im definitely interested in those changes as well. My usage of Conductor requires that we maintain 0 CVEs at all times to remain compliant with very stringent security standards where we deploy it in production. For that reason I have had to make these fixes in our local mirror of the Conductor codebase and in the interest of trying to not diverge from the main branch I opened this PR. I’ll leave it up to you guys to decide what to do with it.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can't agree more with you - as we have the same requirements.
On saying that - Spring 2 has announced their end of life on the 24th of November, many libraries have started causing problems with newer versions ( all javax vs jakarta, etc ) - which means that we will have to migrate regardless, and that new versions with vulnerabilities will not be able to patched - making conductor unsafe software - in less than 1 year.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We’re also in the process of moving everything over to Spring 3 for the same reason. One of the security requirements for us is we cannot use any EOL libraries. This also meant we had to completely delete the elastic search module from our mirror and turn off ES indexing. Even having the jar packaged but not used is unacceptable for some reason. The 6.x elasticsearch versions were EOL a year ago at this point. So really this PR was just a stop gap to allow us to continue to run Conductor in production. You have my full support for the Spring 3 work you have started on so thanks for that.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO, we can make Conductor 3.15.x live on SpringBoot 2.x for a period of time, while making 3.16.x for SpringBoot 3..

Per my understanding, the SB 3 has breakage changes, so it need some time to stabilize the changes.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@meggarr Have you identified any issues with the changes in #3855 ? If so, what are they and what is the plan to tackle them?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, I haven't looked into SB 3 yet. @LuisLainez

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@meggarr The PR has been open for some weeks now and it passes all tests - we have also had to fork from this branch an add to Atlassian services, because of vulnerabilities that require fixing (like Spring2 End Of Life) - and it's working fine in production for us. IMO I don't think we'll get a lot more signal on things that may not go as we expect until we release.

},
"compileClasspath": {
"com.fasterxml.jackson.core:jackson-annotations": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.core:jackson-core": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.core:jackson-databind": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.dataformat:jackson-dataformat-cbor": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.dataformat:jackson-dataformat-smile": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.dataformat:jackson-dataformat-yaml": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.datatype:jackson-datatype-jdk8": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.datatype:jackson-datatype-joda": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.datatype:jackson-datatype-jsr310": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.module:jackson-module-afterburner": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.github.jknack:handlebars": {
"locked": "4.3.1"
Expand Down Expand Up @@ -192,67 +192,67 @@
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.core:jackson-core": {
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.core:jackson-databind": {
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.dataformat:jackson-dataformat-cbor": {
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.dataformat:jackson-dataformat-smile": {
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.dataformat:jackson-dataformat-yaml": {
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.datatype:jackson-datatype-jdk8": {
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.datatype:jackson-datatype-joda": {
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.datatype:jackson-datatype-jsr310": {
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider": {
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.module:jackson-module-afterburner": {
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.github.jknack:handlebars": {
"locked": "4.3.1"
Expand Down Expand Up @@ -311,37 +311,37 @@
},
"testCompileClasspath": {
"com.fasterxml.jackson.core:jackson-annotations": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.core:jackson-core": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.core:jackson-databind": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.dataformat:jackson-dataformat-cbor": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.dataformat:jackson-dataformat-smile": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.dataformat:jackson-dataformat-yaml": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.datatype:jackson-datatype-jdk8": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.datatype:jackson-datatype-joda": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.datatype:jackson-datatype-jsr310": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.module:jackson-module-afterburner": {
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.github.jknack:handlebars": {
"locked": "4.3.1"
Expand Down Expand Up @@ -386,10 +386,10 @@
"locked": "5.8.2"
},
"org.springframework.boot:spring-boot-starter-log4j2": {
"locked": "2.7.16"
"locked": "2.7.18"
},
"org.springframework.boot:spring-boot-starter-test": {
"locked": "2.7.16"
"locked": "2.7.18"
},
"org.yaml:snakeyaml": {
"locked": "2.0"
Expand All @@ -400,67 +400,67 @@
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.core:jackson-core": {
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.core:jackson-databind": {
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.dataformat:jackson-dataformat-cbor": {
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.dataformat:jackson-dataformat-smile": {
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.dataformat:jackson-dataformat-yaml": {
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.datatype:jackson-datatype-jdk8": {
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.datatype:jackson-datatype-joda": {
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.datatype:jackson-datatype-jsr310": {
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider": {
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.fasterxml.jackson.module:jackson-module-afterburner": {
"firstLevelTransitive": [
"com.netflix.conductor:conductor-annotations"
],
"locked": "2.15.0"
"locked": "2.15.3"
},
"com.github.jknack:handlebars": {
"locked": "4.3.1"
Expand Down Expand Up @@ -520,10 +520,10 @@
"locked": "5.8.2"
},
"org.springframework.boot:spring-boot-starter-log4j2": {
"locked": "2.7.16"
"locked": "2.7.18"
},
"org.springframework.boot:spring-boot-starter-test": {
"locked": "2.7.16"
"locked": "2.7.18"
},
"org.yaml:snakeyaml": {
"firstLevelTransitive": [
Expand Down
Loading
Loading