Copilot AI commented Jan 8, 2026

Spring WebMVC Dependency Upgrade

This PR upgrades Spring Framework and addresses security vulnerabilities to close dependabot alerts.

Checklist

  • Phase 1: Analysis & Planning
    • Review existing dependency structure in pom.xml files
    • Analyze Spring 5.3.26 dependencies and compatibility
    • Review custom Spring compatibility layers (CancellableFormController, MultiActionController, etc.)
    • Analyze JSP taglib usage and compatibility
    • Review web.xml and Spring XML configuration files
    • Document findings and create upgrade plan
  • Phase 2: Dependency Management Optimization
    • Centralize Spring version management with Maven properties
    • Upgrade Spring 5.3.26 → 5.3.39 (latest 5.x LTS)
    • Remove hardcoded versions, use ${spring.version} property
    • Synchronize versions across all modules (treebase-core, treebase-web, oai-pmh_data_provider)
  • Phase 3: Spring Framework Upgrade
    • Upgrade Spring Framework to 5.3.39 (latest 5.x LTS)
    • Spring Security 5.8.15 (already compatible)
    • Verify custom Spring compatibility layers still work
  • Phase 4: Security Dependency Upgrades
    • Upgrade commons-fileupload 1.3.3 → 1.6.0 (CVE-2023-24998, CVE-2024-25710)
    • Upgrade commons-io 2.7 → 2.15.1
    • Upgrade xalan 2.7.0 → 2.7.3 (CVE-2022-34169)
    • Add exclusion for old xalan 2.6.0 from jaxen/xom transitive
  • Phase 5: Validation & Testing
    • Build all modules successfully
    • Verify dependency tree shows correct versions
  • Phase 6: Code Review & Final Checks
    • Run code review
    • Run CodeQL security check
    • Document known Spring 5.x vulnerabilities that cannot be fixed

Security Summary

Vulnerabilities Fixed:

  CVE              Component            Status
  CVE-2023-24998   commons-fileupload   ✅ FIXED (→ 1.6.0)
  CVE-2024-25710   commons-fileupload   ✅ FIXED (→ 1.6.0)
  CVE-2022-34169   xalan                ✅ FIXED (→ 2.7.3)

Known Unfixable Vulnerabilities (requires Spring 6.x migration):

  CVE              Component       Patch Version
  CVE-2024-38816   spring-webmvc   Spring 6.1.14+
  CVE-2024-38819   spring-webmvc   Spring 6.1.14+
  CVE-2025-22228   spring-core     Spring 6.2.11+

Why these cannot be fixed:

  • Spring 5.x reached end-of-life December 2024
  • No security patches will be released for Spring 5.x
  • Patches require Spring 6.x which needs Jakarta EE namespace migration (javax.* → jakarta.*)

Risk Mitigation:

  • Path Traversal CVEs primarily affect functional web endpoints (RouterFunction) - TreeBASE uses traditional annotation-based controllers with lower exposure
  • Annotation Detection CVE affects Spring Security annotation processing - TreeBASE uses XML-based security configuration with lower exposure

Recommended Next Step: Plan Spring 6.2.11+ migration (60-80 hours estimated)

Original prompt

We need to upgrade spring-webmvc so that 8 dependabot alerts can be closed and hopefully some structural issues in the dependency management can be resolved. However, this may require changes in the Java and JSP code, the dependency management (pom.xml), and the web application configuration management XML. Make a plan to do the upgrade:

  • thoroughly analyse the code bases of treebase-core and treebase-web to see what the impact might be and what API changes might be needed
  • also consider the dependency management from an integral perspective: can things be streamlined and simplified?
  • also consider the configuration of the web application (tomcat and spring XML files) and its deployment (Docker stack)
  • also consider the state of the JSPs and whether they need changes
  • also consider related dependencies: if a more elegant dependency graph can be achieved by doing additional upgrades, look at this as a viable and desirable option

We embark on this in the hopes of addressing multiple issues:

  • very old dependencies and a complex dependency management system with various exclusions that may be avoided given an integral approach
  • problems with launching the web application with apparent race conditions between class loading of multiple dependencies
  • security alerts whose number and/or severity we want to bring down

In general: think outside the box and consider multiple pathways. Take a holistic view of the system and identify opportunities for additional upgrades that will make the system more coherent and streamlined. Keep in mind that the current system has problems in launching the web application (class loading race conditions) that we want to address but have had difficulties resolving.
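The following parent pom.xml fragment is an added example of the layout the Phase 2 and Phase 4 checklist items describe (a single ${spring.version} style property per library, versions pinned once in dependencyManagement, and an exclusion that stops xom from dragging in the old xalan 2.6.0). It is not a file from the TreeBASE repository; the parent coordinates, the xom artifact coordinates and version, and the choice of spring-security-web as the Spring Security module are assumptions.

```xml
<!-- Added example, not the TreeBASE pom.xml. Parent/aggregator POM that the
     treebase-core, treebase-web and oai-pmh_data_provider modules would inherit.
     Coordinates marked "assumed" are not taken from the PR. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.treebase</groupId>            <!-- assumed -->
  <artifactId>treebase-parent</artifactId>   <!-- assumed -->
  <version>1.0-SNAPSHOT</version>            <!-- assumed -->
  <packaging>pom</packaging>

  <properties>
    <!-- Single source of truth for each library version; child modules
         declare dependencies without a <version> element. -->
    <spring.version>5.3.39</spring.version>
    <spring-security.version>5.8.15</spring-security.version>
    <commons-fileupload.version>1.6.0</commons-fileupload.version>
    <commons-io.version>2.15.1</commons-io.version>
    <xalan.version>2.7.3</xalan.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>${spring.version}</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-core</artifactId>
        <version>${spring.version}</version>
      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-web</artifactId>   <!-- assumed module -->
        <version>${spring-security.version}</version>
      </dependency>
      <dependency>
        <groupId>commons-fileupload</groupId>
        <artifactId>commons-fileupload</artifactId>
        <version>${commons-fileupload.version}</version>
      </dependency>
      <dependency>
        <groupId>commons-io</groupId>
        <artifactId>commons-io</artifactId>
        <version>${commons-io.version}</version>
      </dependency>
      <!-- Managing xalan here means any transitive request for it (from jaxen
           or xom) resolves to the patched 2.7.3 rather than to whatever the
           intermediate library asked for. -->
      <dependency>
        <groupId>xalan</groupId>
        <artifactId>xalan</artifactId>
        <version>${xalan.version}</version>
      </dependency>
      <!-- Belt-and-braces: drop the xalan that xom declares so the dependency
           tree never shows 2.6.0 even if a module bypasses the managed version. -->
      <dependency>
        <groupId>xom</groupId>                <!-- assumed coordinates -->
        <artifactId>xom</artifactId>
        <version>1.2.5</version>              <!-- assumed version -->
        <exclusions>
          <exclusion>
            <groupId>xalan</groupId>
            <artifactId>xalan</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
```

With this in place, a child module lists `commons-fileupload:commons-fileupload` or `xom:xom` with no version and inherits both the pinned version and the exclusion. The Phase 5 check ("verify dependency tree shows correct versions") is then `mvn dependency:tree -Dincludes=xalan,commons-fileupload,org.springframework` run from the parent directory; the output should contain only 2.7.3, 1.6.0 and 5.3.39 respectively, and any remaining 2.6.0 line points at a module that still declares xalan or xom with its own literal version.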



Copilot AI and others added 3 commits January 8, 2026 12:49
- Upgrade Spring Framework from 5.3.26 to 5.3.39 (latest 5.x LTS)
- Centralize version management with Maven properties
- Upgrade commons-fileupload from 1.3.3 to 1.6.0 (CVE-2023-24998, CVE-2024-25710)
- Upgrade commons-io from 2.7 to 2.15.1
- Upgrade xalan from 2.7.0 to 2.7.3 (CVE-2022-34169)
- Update oai-pmh_data_provider module to use consistent versions
- Add xom exclusion in treebase-core to prevent old xalan 2.6.0 transitive
- Update UPGRADES.md documentation with new changes

Co-authored-by: rvosa <106490+rvosa@users.noreply.github.com>
…load 1.6.0

Co-authored-by: rvosa <106490+rvosa@users.noreply.github.com>
…migration

- Add detailed CVE table for unfixable Spring 5.3.x vulnerabilities
- Document risk mitigation factors
- Update future upgrade path to emphasize Spring 6.x migration requirement
- Add security status summary table
- Update estimated migration efforts

Co-authored-by: rvosa <106490+rvosa@users.noreply.github.com>
@rvosa rvosa marked this pull request as ready for review January 8, 2026 13:05
@rvosa rvosa merged commit 0a602ea into master Jan 8, 2026
3 checks passed
@rvosa rvosa deleted the copilot/upgrade-spring-webmvc-dependencies branch January 8, 2026 13:06
Copilot AI requested a review from rvosa January 8, 2026 13:06
Copilot stopped work on behalf of rvosa due to an error January 8, 2026 13:06