
SWI-3723 [Snyk] Fix for 4 vulnerabilities#1044

Open
bwappsec wants to merge 1 commit into master from snyk-fix-5c621b260778845edb67f889ac1d4916

Conversation

@bwappsec

Snyk has created this PR to fix 4 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

  • samples/server/petstore/java-camel/pom.xml

Vulnerabilities that will be fixed with an upgrade:

Issue (Score / Upgrade / Reachability / Exploit Maturity):

  • high severity: Allocation of Resources Without Limits or Throttling, SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924
    Score 170; upgrade org.openapitools:jackson-databind-nullable 0.2.7 -> 0.2.10; No Path Found; Proof of Concept
  • high severity: Directory Traversal, SNYK-JAVA-ORGSPRINGFRAMEWORK-15701845
    Score 111; Major version upgrade; No Path Found; No Known Exploit
  • low severity: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), SNYK-JAVA-ORGSPRINGFRAMEWORK-15701755
    Score 29; Major version upgrade; No Path Found; No Known Exploit
  • low severity: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), SNYK-JAVA-ORGSPRINGFRAMEWORK-15701756
    Score 29; Major version upgrade; No Path Found; No Known Exploit

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.

Vulnerabilities that could not be fixed

  • Upgrade:
    • Could not upgrade org.springframework.boot:spring-boot-starter-web@2.7.8 to org.springframework.boot:spring-boot-starter-web@3.5.12; Reason: could not apply upgrade, dependency is managed externally; Location: https://maven-central.storage-download.googleapis.com/maven2/org/springframework/boot/spring-boot-dependencies/2.7.8/spring-boot-dependencies-2.7.8.pom

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Allocation of Resources Without Limits or Throttling
🦉 Directory Traversal
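The "dependency is managed externally" result above is worth understanding before touching the pom: spring-boot-starter-web carries no version of its own in a Spring Boot project, it inherits one from spring-boot-starter-parent or from an imported spring-boot-dependencies BOM, so a tool that only edits `<version>` elements next to the dependency has nothing to change. The script below is an added example, not code from this repository or from Snyk. It parses a constructed pom.xml (an assumption shaped like a Spring Boot 2.7.8 sample service, not the actual samples/server/petstore/java-camel/pom.xml), separates dependencies that are versioned locally (bumpable in place, as jackson-databind-nullable was) from those whose version is inherited, and shows where the version would have to move.

```python
"""Why Snyk reports "dependency is managed externally", and where the fix goes.

Added example (not the project's own code). Parses a Maven pom.xml with the
standard library, classifies each dependency as either versioned in this pom
(a tool can bump it in place, as Snyk did for jackson-databind-nullable) or
inheriting its version from the Spring Boot parent / imported BOM (Snyk cannot
bump it; the parent or BOM version has to move), and produces the pom with the
managed version raised.
"""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}

# Constructed sample shaped like a Spring Boot 2.7.8 sample service. This is an
# assumption for the example, not the repository's java-camel pom.xml.
SAMPLE_POM = f"""<project xmlns="{POM_NS}">
  <modelVersion>4.0.0</modelVersion>
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.8</version>
  </parent>
  <groupId>org.openapitools</groupId>
  <artifactId>petstore-sample</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
    <dependency>
      <groupId>org.openapitools</groupId>
      <artifactId>jackson-databind-nullable</artifactId>
      <version>0.2.7</version>
    </dependency>
  </dependencies>
</project>
"""


def _text(elem, tag):
    """Text of a direct child element, or None when absent."""
    child = elem.find(f"m:{tag}", NS) if elem is not None else None
    return child.text.strip() if child is not None and child.text else None


def classify_dependencies(pom_xml):
    """Map 'groupId:artifactId' to its declared <version>, or None when the
    version is inherited (what Snyk calls 'managed externally')."""
    root = ET.fromstring(pom_xml)
    return {
        f"{_text(dep, 'groupId')}:{_text(dep, 'artifactId')}": _text(dep, "version")
        for dep in root.findall("m:dependencies/m:dependency", NS)
    }


def _managed_version_element(root):
    """Locate the element that controls inherited Spring Boot versions: either
    <parent><version> of spring-boot-starter-parent, or the <version> of an
    imported spring-boot-dependencies BOM under <dependencyManagement>."""
    parent = root.find("m:parent", NS)
    if parent is not None and _text(parent, "artifactId") == "spring-boot-starter-parent":
        return parent.find("m:version", NS)
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        if _text(dep, "artifactId") == "spring-boot-dependencies":
            return dep.find("m:version", NS)
    return None


def managed_version(pom_xml):
    """The Spring Boot parent/BOM version in force, or None if there is none."""
    elem = _managed_version_element(ET.fromstring(pom_xml))
    return elem.text.strip() if elem is not None and elem.text else None


def bump_managed_version(pom_xml, new_version):
    """Return the pom with the Spring Boot parent/BOM version replaced. This is
    the edit that actually moves spring-boot-starter-web; for 2.7.8 -> 3.5.12 it
    is the major-version jump the merge-risk assessment warns about."""
    ET.register_namespace("", POM_NS)  # keep the default namespace unprefixed on output
    root = ET.fromstring(pom_xml)
    elem = _managed_version_element(root)
    if elem is None:
        raise ValueError("no Spring Boot parent or BOM found; versions are not inherited")
    elem.text = new_version
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for dep, version in classify_dependencies(SAMPLE_POM).items():
        print(dep, "->", version or f"inherited from Spring Boot {managed_version(SAMPLE_POM)}")
    print(managed_version(bump_managed_version(SAMPLE_POM, "3.5.12")))
```

After changing the parent or BOM version, confirm the resolved transitive version with `mvn dependency:tree -Dincludes=org.springframework:spring-web` rather than trusting the pom text, since another BOM or a `<dependencyManagement>` override elsewhere in the build can still pin an older artifact.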

@bwappsec (Author)

Merge Risk: High

The upgrade of org.springframework.boot:spring-boot-starter-web from 2.7.8 to 3.5.12 is a high-risk major version change that requires significant developer action. The upgrade to jackson-databind-nullable is low-risk.

Spring Boot 2.7.8 → 3.5.12 (High Risk)

This upgrade crosses a major version boundary (2.x to 3.x) and introduces several substantial breaking changes. Direct migration will require code and environment updates.

Key Breaking Changes:

  • Java 17 Prerequisite: Spring Boot 3.0 requires Java 17 as a minimum version. Applications must be running on JDK 17 or later before this upgrade can be applied.
  • Migration to Jakarta EE: This is the most impactful change. Spring Boot 3 uses Jakarta EE 9+, which renames all Java EE packages from javax.* to jakarta.*. For example, javax.persistence.Entity becomes jakarta.persistence.Entity. This will require updating import statements throughout the application code.
  • Spring Security 6: The upgrade brings in Spring Security 6, which has its own breaking changes. For instance, authorization is now applied to every servlet dispatch type by default.
  • Configuration Property Changes: Numerous configuration properties have been renamed or removed. A dedicated spring-boot-properties-migrator module is available to help identify and temporarily migrate these properties at runtime.
  • Removed Code: All APIs and properties that were deprecated in Spring Boot 2.x have been removed in version 3.0.

Recommendation:

This is a major migration effort. Before merging, developers must:

  1. Upgrade the environment and build tools to use JDK 17.
  2. Perform a codebase-wide migration of javax.* packages to jakarta.*. Tools like OpenRewrite or IDE features can assist with this.
  3. Review and update application configuration files for renamed properties.
  4. Consult the official Spring Boot 3.0 Migration Guide for a complete list of changes.

jackson-databind-nullable 0.2.7 → 0.2.10 (Low Risk)

This is a minor patch upgrade. The release notes for this range indicate dependency updates and bug fixes with no documented breaking changes.

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.
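The javax.* to jakarta.* step in the assessment above has one trap a blanket search-and-replace walks into: only the Java EE / Jakarta EE namespaces moved. javax packages that ship with the JDK itself (javax.crypto, javax.net.ssl, javax.sql, javax.swing, javax.annotation.processing, javax.transaction.xa, and others) keep their names, and rewriting them breaks the build on JDK 17. The scanner below is an added example, not code from this repository or from the migration guide; it runs over a constructed sample source file (an assumption, not a file from the repo) and reports only the imports that genuinely need the rename. Its list of moved package roots covers the ones a Spring Boot web service commonly touches, not the whole Jakarta EE specification.

```python
"""Pre-migration scan for the javax.* -> jakarta.* rename required by Spring Boot 3.

Added example, not the project's code. The catch a blanket
`sed 's/javax\\./jakarta./'` misses: only the Java EE / Jakarta EE namespaces
moved. javax packages that ship with the JDK (javax.crypto, javax.net.ssl,
javax.sql, javax.swing, javax.annotation.processing, javax.transaction.xa, ...)
must stay as they are, or the code will not compile on JDK 17.
"""
import re

# Jakarta EE 9 package roots that a Spring Boot web service commonly touches
# (not an exhaustive list of the specification).
JAKARTA_MOVED = (
    "javax.servlet", "javax.persistence", "javax.validation", "javax.annotation",
    "javax.ws.rs", "javax.transaction", "javax.inject", "javax.xml.bind",
    "javax.json", "javax.websocket", "javax.el", "javax.mail", "javax.jms",
)
# Sub-packages under those roots that belong to the JDK and did NOT move.
JDK_KEPT = ("javax.annotation.processing", "javax.transaction.xa")

# import [static] javax.some.Name[.*]; with an optional trailing comment
IMPORT_RE = re.compile(r"^(\s*import\s+(?:static\s+)?)(javax\.[\w.]+\*?)(\s*;.*)$")


def _under(fqn, root):
    """True if fqn is root itself or lives in a sub-package of root."""
    return fqn == root or fqn.startswith(root + ".")


def needs_jakarta(fqn):
    """True when a javax.* fully qualified name is a Jakarta EE API that moved."""
    if any(_under(fqn, kept) for kept in JDK_KEPT):
        return False
    return any(_under(fqn, moved) for moved in JAKARTA_MOVED)


def rewrite_line(line):
    """Rewrite one Java import line if (and only if) it needs the rename."""
    m = IMPORT_RE.match(line)
    if not m:
        return line
    head, fqn, tail = m.groups()
    if not needs_jakarta(fqn):
        return line
    return f"{head}jakarta.{fqn[len('javax.'):]}{tail}"


def migrate_text(text):
    """Apply rewrite_line to every line of a Java source file."""
    return "\n".join(rewrite_line(line) for line in text.split("\n"))


def scan_sources(sources):
    """Return (path, line_no, old_import, new_import) for each import that must change."""
    hits = []
    for path, text in sources.items():
        for no, line in enumerate(text.splitlines(), 1):
            new = rewrite_line(line)
            if new != line:
                hits.append((path, no, line.strip(), new.strip()))
    return hits


# Constructed sample source (assumption for the example, not a file from the repo).
SAMPLE_SOURCES = {
    "src/main/java/org/openapitools/api/PetApiController.java": """\
package org.openapitools.api;

import javax.servlet.http.HttpServletRequest;
import javax.validation.Valid;
import javax.annotation.PostConstruct;
import javax.annotation.processing.Generated;  // JDK, stays javax
import javax.crypto.Cipher;                    // JDK, stays javax
import javax.net.ssl.SSLContext;               // JDK, stays javax
import javax.transaction.xa.XAResource;        // JDK, stays javax
import javax.transaction.Transactional;
import static javax.servlet.RequestDispatcher.ERROR_STATUS_CODE;
""",
}

if __name__ == "__main__":
    for path, no, old, new in scan_sources(SAMPLE_SOURCES):
        print(f"{path}:{no}: {old}  ->  {new}")
```

Use this as a triage pass to size the change before merging; for the actual rewrite, the OpenRewrite recipes the assessment mentions resolve types against the classpath and also handle fully qualified names in code bodies and in XML configuration, which a line-based import scan does not see.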

bwappsec changed the title from "[Snyk] Fix for 4 vulnerabilities" to "SWI-3723 [Snyk] Fix for 4 vulnerabilities" on Mar 26, 2026
@bwappsec (Author) commented Mar 26, 2026

Snyk checks have passed. No issues have been found so far.

Status   Scan Engine            Critical  High  Medium  Low  Total (0)
passed   Open Source Security   0         0     0       0    0 issues
passed   Licenses               0         0     0       0    0 issues
passed   Code Security          0         0     0       0    0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.
