漏洞修复总结
漏洞修复(主要为版本漏洞)
1. 扫描报告
顺序:高危 -> 中危 (大版本升级可解决多漏洞,可多次扫描)
springboot项目**统一软件包版本**,maven项目引入,便于管理
2. 常见漏洞
- fastjson
1.2.83
<dependency>
<groupId>com.alibaba</groupId>
<artifactId>fastjson</artifactId>
<version1.2.83</version>
</dependency>
- databind
2.14.0-rc1
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.14.0-rc1</version>
</dependency>
-
spring-boot版本
2.7.5<parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> <version>2.7.5</version> <relativePath/> </parent>embed-tomcat 适配升级到
9.0.68
缺少javax.validation包,手动引入<dependency> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-validation</artifactId> <version>2.7.5</version> </dependency> -
redisson 3.17.6 (适配spring 2.7.5)
<dependency> <groupId>org.redisson</groupId> <artifactId>redisson-spring-boot-starter</artifactId> <version>3.17.6</version> </dependency> -
swagger 删除
-
protobuf 引入新版本
<dependency> <groupId>com.google.protobuf</groupId> <artifactId>protobuf-java</artifactId> <version>3.21.7</version> </dependency> -
snakeyaml
spring-boot-starter-logging、spring-boot-starter、spring-boot-starter-web <exclusion> <groupId>org.yaml</groupId> <artifactId>snakeyaml</artifactId> </exclusion> <dependency> <groupId>org.apache.tomcat.embed</groupId> <artifactId>tomcat-embed-core</artifactId> <version>1.33.0.wso2v1</version> <dependency> -
mybatis-plus
<dependency> <groupId>com.baomidou</groupId> <artifactId>mybatis-plus-boot-starter</artifactId> <version>3.5.3.1</version> </dependency> -
mysql-connector
<dependency> <groupId>mysql</groupId> <artifactId>mysql-connector-java</artifactId> <version>8.0.28</version> </dependency> <dependency> <groupId>mysql</groupId> <artifactId>mysql-connector-java</artifactId> <exclusions> <exclusion> <artifactId>protobuf-java</artifactId> <groupId>com.google.protobuf</groupId> </exclusion> </exclusions> </dependency>
