javax.servlet:javax.servlet-api 3.0.1 dependency #89
Replies: 5 comments
-
The quick answer is that the on-premises installation used to work on Tomcat 7 & 8, and the Servlet dependency was never bumped with the move to Tomcat 9. The Servlet API dependency is the least of the problems though to be honest, and at some point in the next few months I want to push the on-premises installation to Java 17 + Spring 6 + Tomcat 10. This will upgrade a large number of the dependencies (and fix most of the CVEs), but it's a non-trivial upgrade. Lite is already on this stack (so the core of the app should work fine, even given the java to jakarta packaging changes), but the on-premises installation has additional complexity from things like SAML, which is using an old version of the Spring Security SAML library.
-
OK, so how can I help here please?
Thanks
Nathan
On 18 Nov 2023, at 10:46, Simon Brown <***@***.***> wrote:
The quick answer is that the on-premises installation used to work on Tomcat 7 & 8, and the Servlet dependency was never bumped with the move to Tomcat 9. The Servlet API dependency is the least of the problems though to be honest, and at some point in the next few months I want to push the on-premises installation to Java 17 + Spring 6 + Tomcat 10. This will upgrade a large number of the dependencies (and fix most of the CVEs), but it's a non-trivial upgrade. Lite is already on this stack (so the core of the app should work fine, even given the java to jakarta packaging changes), but the on-premises installation has additional complexity from things like SAML, which is using an old version of the Spring Security SAML library.
-
I've started the upgrade on a branch named jakarta-ee ... it seems functional, although SAML support is currently missing.
-
Thanks for the update, I’ll look at that ...
On 11 Dec 2023, at 16:24, Simon Brown <***@***.***> wrote:
I've started the upgrade on a branch named jakarta-ee <https://github.com/structurizr/onpremises/tree/jakarta-ee> ... it seems functional, although SAML support is currently missing.
-
The
-
Hi
I have been applying (OWASP) ZAP to the on-premises server to experiment with detecting CVEs, and ZAP has revealed some.
One of the first steps to address CVEs is to upgrade to the latest version of libraries, which is typically relatively straightforward.
We have a dependency on javax.servlet:javax.servlet-api 3.0.1, which is from 2011. The latest version of that library is 4.0.1 from 2018. That 4.0.1 version introduces breaking API changes in the mock code in the tests.
I can fix those too, I expect.
Before I go down this path though, I'd like to double check why we have the 3.0.1 version in the first place. It seems oddly anachronistic, given that it is from a previous generation of the Servlet API in a code base that is much more recent. There might be a good reason for this that is not evident, so I thought I should ask first.
Many thanks
Nathan