Upgrade Spring Framework


Carey Tews

Sep 26, 2024, 3:28:15 AM
to go-cd
One of the "remediations" of our Cyber Essentials Plus (UK) audit requires us to upgrade Spring Framework to >= 6.1.13 on our build server.

Is there a reason not to do this?
Has anyone had experience doing it?

I'm going to do this on my own on a dev system, but I'm concerned that it's not possible, for some reason.

I love GoCD and have been using it since 2017, and my life is not a living hell, because of it.

Would love to get some advice.

Thanks :-)

Carey

Chad Wilson

Sep 26, 2024, 3:50:01 AM
to go...@googlegroups.com
Hiya Carey

Assuming you mean upgrading within GoCD itself, please see https://github.com/gocd/gocd/discussions/12947#discussioncomment-10071870 - I suspect because it's non-trivial.

Current GoCD Hibernate version will not work with Spring 5+, and Spring Security will need upgrading alongside Spring.

Sequence of events probably needs to go
- Decommission legacy Spring usages of non-persistence features, e.g. Velocity templating (DONE)
- Upgrade Hibernate from 3.6 to 4.0 to 5.0 to 5.1 to 5.2 (to 5.3 to 5.4 to 5.5 if you're lucky and compatible with existing Spring 4.3...) https://github.com/gocd/gocd/issues/10262
- Upgrade Spring Framework to v5 at least. Upgrade Spring Security.
- Upgrade Spring Framework to v6. Upgrade Spring Security.

Figuring out the matrix of compatible versions when going back so far between Hibernate, Spring and Spring Security is probably not for the faint-hearted, if one doesn't want to change everything at the same time.

I understand anecdotally from the earlier team that maintained GoCD within Thoughtworks that the Hibernate upgrade beyond 3.6 had been attempted and was difficult (or perhaps it'd have been done long ago), but I have not tried it myself yet.

If you want to help out and do so in public, with a goal to getting all of GoCD's tests passing and releasable, I am interested in the journey. The Hibernate upgrade is the next thing I want to attempt with GoCD when I have some space/enthusiasm.

-Chad


Carey Tews

Sep 26, 2024, 4:27:37 AM
to go...@googlegroups.com
Hey Chad

Yes, within GoCD. We aren’t running any other Spring applications in the server. Just go-server and one agent.

That actually sounds really chewy. We like chewy.

Upgrading in public also sounds fun. After 7 years of GoCD, the least I can do is contribute.

But first I have to talk to the Software Engineering Manager and make sure she’s not in a dead faint whilst we discuss it. 😃

Thanks! Will get back to this thread ASAP.

Carey


Chad Wilson

Sep 26, 2024, 4:40:47 AM
to go...@googlegroups.com
Another alternative (or parallel mitigation) is that you put effort into convincing those responsible for your audit that the "known vulnerabilities" in GoCD from Spring Framework etc. have been assessed and not demonstrated to be vulnerable or relevant in GoCD's particular usage of the framework.

Specifically, all of the Spring/Hibernate-related issues are documented as to why (at least I, Chad) don't believe they affect GoCD at https://github.com/gocd/gocd/blob/9783f612aa3dfb479e08ceb9983c3307a6fb63ef/build-platform/dependency-check-suppress.xml#L20-L162 current with respect to 24.3.0.

Obviously there is still latent risk from using any EOL or unsupported software libraries so that might not go very far.

Side gripe/empathy for your position - often proprietary software is full of similar unsupported libraries, but the more black-box they make it, the more such audits don't even know what the software is comprised of. And some auditors are happy to just say "well, vendor says their product is supported so it's OK if it is made up of old, EOL stuff", such that they are happy to "take a vendor's word for it", in a way they are unwilling to do with open source.

But yes, that's certainly not an "excuse" - and it's certainly "not good" that GoCD relies on these EOL pieces, which is what I have been incrementally working towards documenting, then simplifying, then fixing.

If/when you want to get started, take a look at https://developer.gocd.org/current/ and hit me/others up here or at https://github.com/gocd/gocd/discussions if you get stuck.

-Chad
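
A defender-side check that follows from the suppression-file approach described above, as an added example that is not part of this thread or of GoCD's own tooling: it parses an OWASP dependency-check suppression file and flags entries that lack a written rationale or an `until` expiry, or whose expiry has passed, so that accepted risk gets re-reviewed rather than becoming permanent. The sample XML and its CVE ids are constructed placeholders, not real findings.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Namespace used by OWASP dependency-check suppression files.
NS = {"dc": "https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"}

# Constructed sample file: the CVE ids are placeholders, not real findings,
# and the rationale text is illustrative only.
SAMPLE_XML = r"""<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress until="2030-01-01Z">
    <notes><![CDATA[CVE-0000-00001 (placeholder): only reachable when untrusted
      input is evaluated by the framework; this application never does so.
      Re-assess on the next Spring upgrade.]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-.*@.*$</packageUrl>
    <cve>CVE-0000-00001</cve>
  </suppress>
  <suppress until="2020-01-01Z">
    <notes><![CDATA[CVE-0000-00002 (placeholder): accepted for one year.]]></notes>
    <packageUrl regex="true">^pkg:maven/org\.hibernate/hibernate\-core@.*$</packageUrl>
    <cve>CVE-0000-00002</cve>
  </suppress>
  <suppress>
    <packageUrl regex="true">^pkg:maven/org\.springframework\.security/.*@.*$</packageUrl>
    <cve>CVE-0000-00003</cve>
  </suppress>
</suppressions>
"""

def audit_suppressions(xml_text, today=None):
    """Return one (cve_ids, problems) pair per <suppress>; problems is empty
    when the entry has a rationale and an unexpired 'until' date."""
    today = date.fromisoformat(today) if today else date.today()
    root = ET.fromstring(xml_text)
    results = []
    for sup in root.findall("dc:suppress", NS):
        cves = [(c.text or "").strip() for c in sup.findall("dc:cve", NS)]
        problems = []
        notes = sup.find("dc:notes", NS)
        if notes is None or not (notes.text or "").strip():
            problems.append("no rationale in <notes>")
        until = sup.get("until")
        if until is None:
            problems.append("no 'until' expiry: accepted risk never gets re-reviewed")
        elif date.fromisoformat(until.rstrip("Z")) < today:
            problems.append(f"expired on {until}: re-review required")
        results.append((cves, problems))
    return results
```

Run it against the real suppression file in CI and fail the build on any non-empty problem list; the `until` date is what forces the rationale to be revisited at the next upgrade rather than forgotten.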

Carey Tews

Sep 26, 2024, 4:53:09 AM
to go...@googlegroups.com

You’re preaching to the choir. My first response to this audit was “why are they adding software development to the scope”.

Carey Tews

Sep 26, 2024, 5:02:02 AM
to go-cd
I'll stop responding by email. I didn't consider the fact that the email "chain" would be included in each message. Duh.

A million apologies.