Skip to content

fix: upgrade org.springframework.boot:spring-boot to 4.0.6, 3.5.14 (CVE-2026-40973) #3514

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
orbisai0security wants to merge 4 commits into
base: master
Choose a base branch
from
Open

fix: upgrade org.springframework.boot:spring-boot to 4.0.6, 3.5.14 (CVE-2026-40973) #3514

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
5c38bd8
fix: CVE-2026-40973 security vulnerability
orbisai0security Jun 8, 2026
a330d82
fix: migrate javax to jakarta namespaces for Spring Boot 3.5.14
orbisai0security Jun 9, 2026
a76f885
Apply code changes: It's not going to work without software changes @…
orbisai0security Jun 9, 2026
4929b68
Apply code changes: @orbisai0security can you address code review com…
orbisai0security Jun 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 2 additions & 7 deletions command-query-responsibility-segregation/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,17 +54,12 @@
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-core</artifactId>
<version>5.6.15.Final</version>
<version>6.4.4.Final</version>
</dependency>
<dependency>
<groupId>org.glassfish.jaxb</groupId>
<artifactId>jaxb-runtime</artifactId>
<version>2.3.3</version>
</dependency>
<dependency>
<groupId>javax.xml.bind</groupId>
<artifactId>jaxb-api</artifactId>
<version>2.3.1</version>
<version>4.0.5</version>
</dependency>
</dependencies>
<build>
Expand Down
22 changes: 11 additions & 11 deletions ...ponsibility-segregation/src/main/java/com/iluwatar/cqrs/commandes/CommandServiceImpl.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,9 +40,9 @@ public class CommandServiceImpl implements CommandService {
private Author getAuthorByUsername(String username) {
Author author;
try (var session = sessionFactory.openSession()) {
var query = session.createQuery("from Author where username=:username");
var query = session.createQuery("from Author where username=:username", Author.class);

@github-actions github-actions Bot Jun 9, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Potential NonUniqueResultException if username is not unique; consider enforcing a unique constraint on the username column and/or handling NonUniqueResultException to avoid runtime failures.

@anupamme anupamme Jun 9, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@orbisai0security can you address code review comments?

query.setParameter("username", username);
author = (Author) query.uniqueResult();
author = query.uniqueResult();

@github-actions github-actions Bot Jun 9, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the username is not unique, uniqueResult may throw NonUniqueResultException. Ensure username is unique at the DB level or switch to a safe retrieval strategy (e.g., getResultList and enforce single element).

}
if (author == null) {
HibernateUtil.getSessionFactory().close();
Expand All @@ -54,9 +54,9 @@ private Author getAuthorByUsername(String username) {
private Book getBookByTitle(String title) {
Book book;
try (var session = sessionFactory.openSession()) {
var query = session.createQuery("from Book where title=:title");
var query = session.createQuery("from Book where title=:title", Book.class);

@github-actions github-actions Bot Jun 9, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similar risk as above for fetching a Book by title. Ensure title column is unique or handle multiple results gracefully.

query.setParameter("title", title);
book = (Book) query.uniqueResult();
book = query.uniqueResult();

@github-actions github-actions Bot Jun 9, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Retrieving a single Book with uniqueResult can throw NonUniqueResultException if multiple books share the same title. Consider DB-level constraints or safer retrieval.

}
if (book == null) {
HibernateUtil.getSessionFactory().close();
Expand All @@ -70,7 +70,7 @@ public void authorCreated(String username, String name, String email) {
var author = new Author(username, name, email);
try (var session = sessionFactory.openSession()) {
session.beginTransaction();
session.save(author);
session.persist(author);
session.getTransaction().commit();
}
}
Expand All @@ -81,7 +81,7 @@ public void bookAddedToAuthor(String title, double price, String username) {
var book = new Book(title, price, author);
try (var session = sessionFactory.openSession()) {
session.beginTransaction();
session.save(book);
session.persist(book);
session.getTransaction().commit();
}
}
Expand All @@ -92,7 +92,7 @@ public void authorNameUpdated(String username, String name) {
author.setName(name);
try (var session = sessionFactory.openSession()) {
session.beginTransaction();
session.update(author);
session.merge(author);
session.getTransaction().commit();
}
}
Expand All @@ -103,7 +103,7 @@ public void authorUsernameUpdated(String oldUsername, String newUsername) {
author.setUsername(newUsername);
try (var session = sessionFactory.openSession()) {
session.beginTransaction();
session.update(author);
session.merge(author);
session.getTransaction().commit();
}
}
Expand All @@ -114,7 +114,7 @@ public void authorEmailUpdated(String username, String email) {
author.setEmail(email);
try (var session = sessionFactory.openSession()) {
session.beginTransaction();
session.update(author);
session.merge(author);
session.getTransaction().commit();
}
}
Expand All @@ -125,7 +125,7 @@ public void bookTitleUpdated(String oldTitle, String newTitle) {
book.setTitle(newTitle);
try (var session = sessionFactory.openSession()) {
session.beginTransaction();
session.update(book);
session.merge(book);
session.getTransaction().commit();
}
}
Expand All @@ -136,7 +136,7 @@ public void bookPriceUpdated(String title, double price) {
book.setPrice(price);
try (var session = sessionFactory.openSession()) {
session.beginTransaction();
session.update(book);
session.merge(book);
session.getTransaction().commit();
}
}
Expand Down
11 changes: 6 additions & 5 deletions ...query-responsibility-segregation/src/main/java/com/iluwatar/cqrs/domain/model/Author.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,10 +24,11 @@
*/
package com.iluwatar.cqrs.domain.model;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;
import jakarta.persistence.Column;
import lombok.Getter;
import lombok.Setter;
import lombok.ToString;
Expand All @@ -41,7 +42,7 @@ public class Author {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private long id;

@Column(unique = true)
private String username;
private String name;
private String email;
Expand Down
13 changes: 7 additions & 6 deletions ...d-query-responsibility-segregation/src/main/java/com/iluwatar/cqrs/domain/model/Book.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,11 +24,12 @@
*/
package com.iluwatar.cqrs.domain.model;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.ManyToOne;
import jakarta.persistence.Entity;
import jakarta.persistence.GeneratedValue;
import jakarta.persistence.GenerationType;
import jakarta.persistence.Id;
import jakarta.persistence.Column;
import jakarta.persistence.ManyToOne;
import lombok.Getter;
import lombok.Setter;
import lombok.ToString;
Expand All @@ -45,7 +46,7 @@ public class Book {
@Id
@GeneratedValue(strategy = GenerationType.IDENTITY)
private long id;

@Column(unique = true)
private String title;
private double price;
@ManyToOne private Author author;
Expand Down
18 changes: 11 additions & 7 deletions ...-responsibility-segregation/src/main/java/com/iluwatar/cqrs/queries/QueryServiceImpl.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,8 @@ public Author getAuthorByUsername(String username) {
Query<Author> sqlQuery =
session.createQuery(
"select new com.iluwatar.cqrs.dto.Author(a.name, a.email, a.username)"
+ " from com.iluwatar.cqrs.domain.model.Author a where a.username=:username");
+ " from com.iluwatar.cqrs.domain.model.Author a where a.username=:username",
Author.class);
sqlQuery.setParameter(AppConstants.USER_NAME, username);
authorDto = sqlQuery.uniqueResult();
}
Expand All @@ -62,7 +63,8 @@ public Book getBook(String title) {
Query<Book> sqlQuery =
session.createQuery(
"select new com.iluwatar.cqrs.dto.Book(b.title, b.price)"
+ " from com.iluwatar.cqrs.domain.model.Book b where b.title=:title");
+ " from com.iluwatar.cqrs.domain.model.Book b where b.title=:title",
Book.class);
sqlQuery.setParameter("title", title);
bookDto = sqlQuery.uniqueResult();
}
Expand All @@ -77,7 +79,8 @@ public List<Book> getAuthorBooks(String username) {
session.createQuery(
"select new com.iluwatar.cqrs.dto.Book(b.title, b.price)"
+ " from com.iluwatar.cqrs.domain.model.Author a, com.iluwatar.cqrs.domain.model.Book b "
+ "where b.author.id = a.id and a.username=:username");
+ "where b.author.id = a.id and a.username=:username",
Book.class);
sqlQuery.setParameter(AppConstants.USER_NAME, username);
bookDtos = sqlQuery.list();
}
Expand All @@ -92,9 +95,10 @@ public BigInteger getAuthorBooksCount(String username) {
session.createNativeQuery(
"SELECT count(b.title)"
+ " FROM Book b, Author a"
+ " where b.author_id = a.id and a.username=:username");
+ " where b.author_id = a.id and a.username=:username",
Long.class);
sqlQuery.setParameter(AppConstants.USER_NAME, username);
bookcount = (BigInteger) sqlQuery.uniqueResult();
bookcount = BigInteger.valueOf(sqlQuery.uniqueResult());
}
return bookcount;
}
Expand All @@ -103,8 +107,8 @@ public BigInteger getAuthorBooksCount(String username) {
public BigInteger getAuthorsCount() {
BigInteger authorcount;
try (var session = sessionFactory.openSession()) {
var sqlQuery = session.createNativeQuery("SELECT count(id) from Author");
authorcount = (BigInteger) sqlQuery.uniqueResult();
var sqlQuery = session.createNativeQuery("SELECT count(id) from Author", Long.class);
authorcount = BigInteger.valueOf(sqlQuery.uniqueResult());
}
return authorcount;
}
Expand Down
2 changes: 1 addition & 1 deletion dao-factory/src/main/java/com/iluwatar/daofactory/H2CustomerDAO.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import javax.sql.DataSource;
import jakarta.sql.DataSource;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;

Expand Down
2 changes: 1 addition & 1 deletion dao-factory/src/main/java/com/iluwatar/daofactory/H2DataSourceFactory.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@
*/
package com.iluwatar.daofactory;

import javax.sql.DataSource;
import jakarta.sql.DataSource;
import org.h2.jdbcx.JdbcDataSource;

/** H2DataSourceFactory concrete factory. */
Expand Down
2 changes: 1 addition & 1 deletion dao-factory/src/test/java/com/iluwatar/daofactory/H2CustomerDAOTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.List;
import javax.sql.DataSource;
import jakarta.sql.DataSource;
import org.h2.jdbcx.JdbcDataSource;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
Expand Down
2 changes: 1 addition & 1 deletion data-access-object/src/main/java/com/iluwatar/dao/App.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@

import java.sql.SQLException;
import java.util.List;
import javax.sql.DataSource;
import jakarta.sql.DataSource;
import lombok.extern.slf4j.Slf4j;
import org.h2.jdbcx.JdbcDataSource;

Expand Down
2 changes: 1 addition & 1 deletion data-access-object/src/main/java/com/iluwatar/dao/DbCustomerDao.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@
import java.util.function.Consumer;
import java.util.stream.Stream;
import java.util.stream.StreamSupport;
import javax.sql.DataSource;
import jakarta.sql.DataSource;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;

Expand Down
2 changes: 1 addition & 1 deletion data-access-object/src/test/java/com/iluwatar/dao/DbCustomerDaoTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import javax.sql.DataSource;
import jakarta.sql.DataSource;
import org.h2.jdbcx.JdbcDataSource;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
Expand Down
2 changes: 1 addition & 1 deletion dependency-injection/src/main/java/com/iluwatar/dependency/injection/GuiceWizard.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@
*/
package com.iluwatar.dependency.injection;

import javax.inject.Inject;
import jakarta.inject.Inject;

/**
* GuiceWizard implements inversion of control. Its dependencies are injected through its
Expand Down
2 changes: 1 addition & 1 deletion domain-model/src/main/java/com/iluwatar/domainmodel/App.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@

import java.sql.SQLException;
import java.time.LocalDate;
import javax.sql.DataSource;
import jakarta.sql.DataSource;
import org.h2.jdbcx.JdbcDataSource;
import org.joda.money.Money;

Expand Down
2 changes: 1 addition & 1 deletion domain-model/src/main/java/com/iluwatar/domainmodel/CustomerDaoImpl.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;
import javax.sql.DataSource;
import jakarta.sql.DataSource;
import org.joda.money.Money;

/** Implementations for database operations of Customer. */
Expand Down
2 changes: 1 addition & 1 deletion domain-model/src/main/java/com/iluwatar/domainmodel/ProductDaoImpl.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Optional;
import javax.sql.DataSource;
import jakarta.sql.DataSource;
import org.joda.money.Money;

/** Implementations for database transactions of Product. */
Expand Down
2 changes: 1 addition & 1 deletion domain-model/src/test/java/com/iluwatar/domainmodel/CustomerDaoImplTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@
import java.sql.ResultSet;
import java.sql.SQLException;
import java.time.LocalDate;
import javax.sql.DataSource;
import jakarta.sql.DataSource;
import org.joda.money.CurrencyUnit;
import org.joda.money.Money;
import org.junit.jupiter.api.AfterEach;
Expand Down
2 changes: 1 addition & 1 deletion domain-model/src/test/java/com/iluwatar/domainmodel/ProductDaoImplTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@
import java.sql.ResultSet;
import java.sql.SQLException;
import java.time.LocalDate;
import javax.sql.DataSource;
import jakarta.sql.DataSource;
import org.joda.money.Money;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
Expand Down
2 changes: 1 addition & 1 deletion domain-model/src/test/java/com/iluwatar/domainmodel/TestUtils.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@
package com.iluwatar.domainmodel;

import java.sql.SQLException;
import javax.sql.DataSource;
import jakarta.sql.DataSource;
import org.h2.jdbcx.JdbcDataSource;

public class TestUtils {
Expand Down
5 changes: 0 additions & 5 deletions metadata-mapping/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -55,11 +55,6 @@
<artifactId>hibernate-core</artifactId>
<version>6.6.11.Final</version>
</dependency>
<dependency>
<groupId>javax.xml.bind</groupId>
<artifactId>jaxb-api</artifactId>
<version>2.4.0-b180830.0359</version>
</dependency>
<dependency>
<groupId>org.glassfish.jaxb</groupId>
<artifactId>jaxb-runtime</artifactId>
Expand Down
2 changes: 1 addition & 1 deletion polling-publisher/polling-service/src/main/java/com/iluwatar/polling/DataRepository.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,7 @@

import java.util.HashMap;
import java.util.Map;
import javax.annotation.PostConstruct;
import jakarta.annotation.PostConstruct;
import org.springframework.stereotype.Repository;

/** Data repository to keep or store data. */
Expand Down
8 changes: 4 additions & 4 deletions polling-publisher/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,11 +83,11 @@
<version>${spring-boot.version}</version>
</dependency>

<!-- https://mvnrepository.com/artifact/javax.annotation/javax.annotation-api -->
<!-- https://mvnrepository.com/artifact/jakarta.annotation/jakarta.annotation-api -->
<dependency>
<groupId>javax.annotation</groupId>
<artifactId>javax.annotation-api</artifactId>
<version>1.3.2</version>
<groupId>jakarta.annotation</groupId>
<artifactId>jakarta.annotation-api</artifactId>
<version>3.0.0</version>
</dependency>

<dependency>
Expand Down
2 changes: 1 addition & 1 deletion pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

<!-- Spring Boot related dependencies. Keep these in sync! -->
<spring-boot.version>3.4.5</spring-boot.version>
<spring-boot.version>3.5.14</spring-boot.version>
<junit.version>5.11.4</junit.version>
<mockito.version>5.14.2</mockito.version>
<logback.version>1.5.18</logback.version>
Expand Down
2 changes: 1 addition & 1 deletion repository/src/main/java/com/iluwatar/repository/AppConfig.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@

import java.util.List;
import java.util.Properties;
import javax.sql.DataSource;
import jakarta.sql.DataSource;
import lombok.extern.slf4j.Slf4j;
import org.apache.commons.dbcp.BasicDataSource;
import org.hibernate.jpa.HibernatePersistenceProvider;
Expand Down
2 changes: 1 addition & 1 deletion repository/src/test/java/com/iluwatar/repository/AppConfigTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@
import static org.junit.jupiter.api.Assertions.assertNotNull;

import java.sql.SQLException;
import javax.sql.DataSource;
import jakarta.sql.DataSource;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.springframework.beans.factory.annotation.Autowired;
Expand Down
Loading
Loading