Skip to content

feature: Comprehensive vulnerability remediation - 87→33 vulns (62% reduction)#258

Open
devin-ai-integration[bot] wants to merge 1 commit into
DevOpsfrom
devin/1782309224-vulnerability-remediation
Open

feature: Comprehensive vulnerability remediation - 87→33 vulns (62% reduction)#258
devin-ai-integration[bot] wants to merge 1 commit into
DevOpsfrom
devin/1782309224-vulnerability-remediation

Conversation

@devin-ai-integration

@devin-ai-integration devin-ai-integration Bot commented Jun 24, 2026

Copy link
Copy Markdown

Summary

Comprehensive dependency vulnerability remediation for the Spring Boot 3.3.3 banking application. Snyk SCA scan identified 87 vulnerabilities (9 Critical, 12 High, 17 Medium) across all dependencies. After upgrading Spring Boot parent and overriding key transitive dependencies, the count drops to 33 vulnerabilities (62% reduction). All remediable CVEs within the Spring Boot 3.3.x constraint are now patched. The 33 remaining are in Spring Framework/Boot/Security/Data core and require a Spring Boot 3.4.x+ upgrade (Spring Framework 6.2.x line) to resolve.

Dependency Changes (Before → After)

Component Before After CVEs Fixed
Spring Boot Parent 3.3.3 3.3.13 SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-16191022 (Cert Validation, Critical), SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-16200231 (Cert Validation, Critical), SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-16191649 (Weak PRNG, High), SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-16198880 (Insecure Temp File, High)
Spring Framework (managed) 6.1.12 6.1.21 SNYK-JAVA-ORGSPRINGFRAMEWORK-12008931 (Path Traversal, High), SNYK-JAVA-ORGSPRINGFRAMEWORK-12817817 (Incorrect Auth, High)
Spring Security (managed) 6.3.3 6.3.10 SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-8309135 (Missing Auth, Critical), SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-8399278 (Auth Bypass, Medium), SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-8399272 (Auth Bypass, Medium)
Tomcat Embedded (override) 10.1.28 10.1.55 SNYK-JAVA-ORGAPACHETOMCATEMBED-10674391 (DoS, High), SNYK-JAVA-ORGAPACHETOMCATEMBED-10676855 (DoS, High), SNYK-JAVA-ORGAPACHETOMCATEMBED-11799152 (Integer Overflow, High), SNYK-JAVA-ORGAPACHETOMCATEMBED-13723930 (Resource Leak, High), SNYK-JAVA-ORGAPACHETOMCATEMBED-15307781 (Cert Validation, Critical), SNYK-JAVA-ORGAPACHETOMCATEMBED-15989812 (Open Redirect, Medium), SNYK-JAVA-ORGAPACHETOMCATEMBED-16643259 (Encoding, Medium), SNYK-JAVA-ORGAPACHETOMCATEMBED-16643269 (Info Exposure, Medium), SNYK-JAVA-ORGAPACHETOMCATEMBED-16643276 (Timing Attack, Medium), SNYK-JAVA-ORGAPACHETOMCATEMBED-16690888 (Improper Auth, Medium), SNYK-JAVA-ORGAPACHETOMCATEMBED-16691220 (Input Validation, Medium), SNYK-JAVA-ORGAPACHETOMCATEMBED-16691224 (Case Sensitivity, Medium), SNYK-JAVA-ORGAPACHETOMCATEMBED-16691231 (Improper Auth, Critical)
Jackson BOM (override) 2.17.2 2.18.8 SNYK-JAVA-COMFASTERXMLJACKSONCORE-15365924 (DoS, High), SNYK-JAVA-COMFASTERXMLJACKSONCORE-15907551 (DoS, High), SNYK-JAVA-COMFASTERXMLJACKSONCORE-17434790 (SSRF, Medium), SNYK-JAVA-COMFASTERXMLJACKSONCORE-17440366 (Disallowed Inputs, Critical), SNYK-JAVA-COMFASTERXMLJACKSONCORE-17440598 (Deserialization, Critical)
Logback (override) 1.5.7 1.5.33 SNYK-JAVA-CHQOSLOGBACK-8539866 (Special Elements, Medium), SNYK-JAVA-CHQOSLOGBACK-8539867 (Special Elements, Medium), SNYK-JAVA-CHQOSLOGBACK-13169722 (External Init, Medium)
Thymeleaf (override) 3.1.2.RELEASE 3.1.5.RELEASE SNYK-JAVA-ORGTHYMELEAF-16078370 (Template Injection, Critical), SNYK-JAVA-ORGTHYMELEAF-16078372 (Template Injection, Critical), SNYK-JAVA-ORGTHYMELEAF-16078377 (Template Injection, Critical), SNYK-JAVA-ORGTHYMELEAF-16078379 (Template Injection, Critical), SNYK-JAVA-ORGTHYMELEAF-16419367 (EL Injection, Critical)
MySQL Connector mysql:mysql-connector-java 8.0.33 com.mysql:mysql-connector-j 8.3.0 (managed) SNYK-JAVA-COMMYSQL-6075938 (Access Control Bypass, High). Also fixes deprecated artifact ID.
Hibernate (managed) 6.5.2.Final 6.5.3.Final
Micrometer (managed) 1.13.3 1.13.15
Spring Data (managed) 3.3.3 3.3.13

Plugin Changes

Plugin Before After Notes
maven-compiler-plugin 3.8.0 3.13.0 Also fixed source/target from Java 1.8 to 17 (aligning with java.version property)

Approach

  • spring-boot-starter-parent upgraded to latest 3.3.x patch (3.3.13) — no API changes, pure security/bug fixes
  • Property overrides (tomcat.version, jackson-bom.version, logback.version, thymeleaf.version) push transitive dependencies beyond what Boot 3.3.13 manages, targeting the latest stable releases with at least 7+ days on Maven Central
  • MySQL connector switched from deprecated mysql:mysql-connector-java to canonical com.mysql:mysql-connector-j, version now managed by Spring Boot BOM (8.3.0)

Remaining Vulnerabilities (33)

All 33 remaining are in Spring Framework 6.1.x / Spring Boot 3.3.x / Spring Security 6.3.x / Spring Data 3.3.x core — these require upgrading to Spring Boot 3.4.x+ (which moves to Spring Framework 6.2.x, Spring Security 6.4.x). This is a minor version upgrade that should be evaluated separately for API compatibility.

SAST Finding (Snyk Code)

  • CSRF protection disabled (CWE-352, High) in SecurityConfig.java:29csrf().disable() is called. This is a code-level issue, not a dependency vulnerability. Recommend enabling CSRF protection for the banking application.

Verification

  • ./mvnw clean compileBUILD SUCCESS
  • Snyk SCA scan: 87 → 33 vulnerabilities

Link to Devin session: https://app.devin.ai/sessions/8fcca08e43384bfeac002b81c583c634
Requested by: @achalc


Devin Review

Status Commit
⚪ Not started

Run Devin Review

Open in Devin Review (Staging)

…transitive dependency upgrades

- Spring Boot Parent: 3.3.3 -> 3.3.13 (latest 3.3.x patch)
- Tomcat Embedded: 10.1.28 -> 10.1.55 (override)
- Jackson BOM: 2.17.2 -> 2.18.8 (override)
- Logback: 1.5.7 -> 1.5.33 (override)
- Thymeleaf: 3.1.2.RELEASE -> 3.1.5.RELEASE (override)
- MySQL Connector: mysql-connector-java 8.0.33 -> mysql-connector-j 8.3.0 (managed)
- Spring Framework: 6.1.12 -> 6.1.21 (managed)
- Spring Security: 6.3.3 -> 6.3.10 (managed)
- maven-compiler-plugin: 3.8.0 -> 3.13.0, source/target 1.8 -> 17

Snyk scan: 87 vulns -> 33 (62% reduction)

Co-Authored-By: Achal Channarasappa <achal.channarasappa@cognition.ai>
@achalc achalc self-assigned this Jun 24, 2026
@devin-ai-integration

Copy link
Copy Markdown
Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant