From dc4bf316daf753d137fed2c14a464a1bf441e9eb Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Thu, 5 Dec 2024 10:47:46 -0800
Subject: [PATCH 1/3] Force Tomcat version
---
 server/embedded/build.gradle | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/server/embedded/build.gradle b/server/embedded/build.gradle
index 3c66f3d6cf..18e332ad6b 100644
--- a/server/embedded/build.gradle
+++ b/server/embedded/build.gradle
@@ -33,12 +33,27 @@ configurations {
 configurations.configureEach {
 exclude group: 'ch.qos.logback', module: 'logback-classic'
 exclude group: 'org.apache.logging.log4j', module: 'log4j-to-slf4j'
+
+ resolutionStrategy {
+ force "org.apache.tomcat.embed:tomcat-embed-core:${apacheTomcatVersion}"
+ force "org.apache.tomcat.embed:tomcat-embed-websocket:${apacheTomcatVersion}"
+ }
+}
+
+configurations.all {
+
+ resolutionStrategy {
+ force "org.apache.tomcat.embed:tomcat-embed-core:${apacheTomcatVersion}"
+ force "org.apache.tomcat.embed:tomcat-embed-websocket:${apacheTomcatVersion}"
+ }
 }
 dependencies {
 implementation("org.springframework.boot:spring-boot-starter-web:${springBootVersion}") {
 exclude group: "org.springframework.boot", module: "spring-boot-starter-json" // Not used (?) and pulls in an old version of Jackson
 exclude group: "jakarta.annotation", module: "jakarta.annotation-api" // Already present in tomcat-annotations-api
+ exclude group: "org.apache.tomcat.embed", module: "tomcat-embed-core" // Version we want is declared in bootstrap/build.gradle
+ exclude group: "org.apache.tomcat.embed", module: "tomcat-embed-websocket" // Version we want is declared in bootstrap/build.gradle
 }
 // Allows forcing a Spring Framework version that differs from spring-boot's version (e.g., to address CVEs)
From 77f287e00a0ed2fb3b67724dd10db5a0fd5c8693 Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Thu, 5 Dec 2024 14:38:03 -0800
Subject: [PATCH 2/3] Really force Tomcat version
---
 server/embedded/build.gradle | 20 ++++++--------------
 1 file changed, 6 insertions(+), 14 deletions(-)
diff --git a/server/embedded/build.gradle b/server/embedded/build.gradle
index 18e332ad6b..e3b33d1921 100644
--- a/server/embedded/build.gradle
+++ b/server/embedded/build.gradle
@@ -33,19 +33,6 @@ configurations {
 configurations.configureEach {
 exclude group: 'ch.qos.logback', module: 'logback-classic'
 exclude group: 'org.apache.logging.log4j', module: 'log4j-to-slf4j'
-
- resolutionStrategy {
- force "org.apache.tomcat.embed:tomcat-embed-core:${apacheTomcatVersion}"
- force "org.apache.tomcat.embed:tomcat-embed-websocket:${apacheTomcatVersion}"
- }
-}
-
-configurations.all {
-
- resolutionStrategy {
- force "org.apache.tomcat.embed:tomcat-embed-core:${apacheTomcatVersion}"
- force "org.apache.tomcat.embed:tomcat-embed-websocket:${apacheTomcatVersion}"
- }
 }
 dependencies {
@@ -53,7 +40,6 @@ dependencies {
 exclude group: "org.springframework.boot", module: "spring-boot-starter-json" // Not used (?) and pulls in an old version of Jackson
 exclude group: "jakarta.annotation", module: "jakarta.annotation-api" // Already present in tomcat-annotations-api
 exclude group: "org.apache.tomcat.embed", module: "tomcat-embed-core" // Version we want is declared in bootstrap/build.gradle
- exclude group: "org.apache.tomcat.embed", module: "tomcat-embed-websocket" // Version we want is declared in bootstrap/build.gradle
 }
 // Allows forcing a Spring Framework version that differs from spring-boot's version (e.g., to address CVEs)
@@ -65,6 +51,11 @@ dependencies {
 // Allows forcing a Tomcat version that differs from spring-boot's version (e.g., to address CVEs or regressions,
 // or to test a Tomcat release candidate)
+ implementation('org.apache.tomcat.embed:tomcat-embed-core') {
+ version {
+ strictly "${apacheTomcatVersion}"
+ }
+ }
 implementation('org.apache.tomcat.embed:tomcat-embed-el') {
 version {
 strictly "${apacheTomcatVersion}"
@@ -74,6 +65,7 @@ dependencies {
 version {
 strictly "${apacheTomcatVersion}"
 }
+ exclude group: "org.apache.tomcat.embed", module: "tomcat-embed-core" // Version we want is declared in bootstrap/build.gradle
 }
 implementation('org.apache.tomcat:tomcat-annotations-api') {
 version {
From 4b80f626c9b52f5b27f4f6961acc7cfbd23c416e Mon Sep 17 00:00:00 2001
From: Adam Rauch
Date: Thu, 5 Dec 2024 14:39:31 -0800
Subject: [PATCH 3/3] Correct comments
---
 server/embedded/build.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/server/embedded/build.gradle b/server/embedded/build.gradle
index e3b33d1921..bbb71e5862 100644
--- a/server/embedded/build.gradle
+++ b/server/embedded/build.gradle
@@ -39,7 +39,7 @@ dependencies {
 implementation("org.springframework.boot:spring-boot-starter-web:${springBootVersion}") {
 exclude group: "org.springframework.boot", module: "spring-boot-starter-json" // Not used (?) and pulls in an old version of Jackson
 exclude group: "jakarta.annotation", module: "jakarta.annotation-api" // Already present in tomcat-annotations-api
- exclude group: "org.apache.tomcat.embed", module: "tomcat-embed-core" // Version we want is declared in bootstrap/build.gradle
+ exclude group: "org.apache.tomcat.embed", module: "tomcat-embed-core" // We want to force apacheTomcatVersion
 }
 // Allows forcing a Spring Framework version that differs from spring-boot's version (e.g., to address CVEs)
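Review bot: The new `tomcat-embed-core` declaration in the `@@ -65,6 +51,11 @@` hunk pins with `strictly`, which can downgrade as well as upgrade, and nothing on the declaration records why the pin exists. Once spring-boot manages a newer Tomcat than `apacheTomcatVersion`, this block would keep resolving the older release with no signal at build time. I would add a reason inside the closure, e.g. `because "<CVE id or ticket that motivated the pin>"`, and extend the comment above it with `// strictly can downgrade: re-check apacheTomcatVersion against spring-boot's managed Tomcat on every spring-boot upgrade`. The enclosing `dependencies` block starts and ends outside the hunk.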
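Review bot: The corrected comment `// We want to force apacheTomcatVersion` in the `@@ -39,7 +39,7 @@` hunk states the goal but not what the exclude relies on. With this transitive edge cut, tomcat-embed-core presumably reaches the classpath only through the direct `strictly` declaration added earlier in this series; if that declaration is later removed, the module either goes missing or returns through another path at an unpinned version. I would word it as `// Excluded so the direct tomcat-embed-core declaration (strictly apacheTomcatVersion) is the only source of this module`. The same comment is changed in the `@@ -65,7 +65,7 @@` hunk and the same wording applies there; both enclosing blocks extend outside their hunks.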
@@ -65,7 +65,7 @@ dependencies {
 version {
 strictly "${apacheTomcatVersion}"
 }
- exclude group: "org.apache.tomcat.embed", module: "tomcat-embed-core" // Version we want is declared in bootstrap/build.gradle
+ exclude group: "org.apache.tomcat.embed", module: "tomcat-embed-core" // We want to force apacheTomcatVersion
 }
 implementation('org.apache.tomcat:tomcat-annotations-api') {
 version {