Notes on fixing an org.springframework:spring-webmvc security vulnerability with ChatGPT (ChatGPT sometimes makes things up or fails to suggest the best fix)

1. First I sent ChatGPT the complete Trivy description of the vulnerability, followed by my complete pom.xml. ChatGPT's answer was fairly reasonable.
[Figures 1 to 4: screenshots of ChatGPT's reply]
2. Following ChatGPT's reply, I upgraded the parent from

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.1.7</version>
        <relativePath/>
    </parent>

to

    <parent>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-parent</artifactId>
        <version>3.2.10</version>
        <relativePath/>
    </parent>

Then I replaced the jar directly and restarted the application, which failed with the error shown below:

[Figure 5: startup error]
3. The error told me the problem was an incompatibility with spring-core 6.0.22. ChatGPT had in fact already mentioned this, but I had not noticed. So I removed the following explicitly pinned dependencies and let spring-boot-starter-parent manage the versions instead:

    <!-- https://mvnrepository.com/artifact/org.springframework/spring-core -->
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-core</artifactId>
        <version>6.0.22</version>
    </dependency>
    <!-- https://mvnrepository.com/artifact/org.springframework/spring-web -->
    <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-web</artifactId>
        <version>6.0.22</version>
    </dependency>

4. I rebuilt and restarted, and this time a different error appeared:
Error starting ApplicationContext. To display the condition evaluation report re-run your application with 'debug' enabled.
2024-10-15 16:37:38.507 [] [main] ERROR org.springframework.boot.SpringApplication.reportFailure [859] : Application run failed
org.springframework.beans.factory.BeanDefinitionStoreException: Invalid bean definition with name 'commonDVODao' defined in URL [jar:nested:/usr/novaback/nova-back-java-0.0.1-SNAPSHOT.jar/!BOOT-INF/classes/!/com/hp/novaback/dao/CommonDVODao.class]: Invalid value type for attribute 'factoryBeanObjectType': java.lang.String
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getTypeForFactoryBean(AbstractAutowireCapableBeanFactory.java:857)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getType(AbstractBeanFactory.java:743)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.findAnnotationOnBean(DefaultListableBeanFactory.java:735)
    at org.springframework.boot.sql.init.dependency.AnnotationDependsOnDatabaseInitializationDetector.detect(AnnotationDependsOnDatabaseInitializationDetector.java:36)
    at org.springframework.boot.sql.init.dependency.DatabaseInitializationDependencyConfigurer$DependsOnDatabaseInitializationPostProcessor.detectDependsOnInitializationBeanNames(DatabaseInitializationDependencyConfigurer.java:152)
    at org.springframework.boot.sql.init.dependency.DatabaseInitializationDependencyConfigurer$DependsOnDatabaseInitializationPostProcessor.postProcessBeanFactory(DatabaseInitializationDependencyConfigurer.java:115)
    at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:363)
    at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:197)
    at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:789)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:607)
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146)
    at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:754)
    at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:456)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:335)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1363)
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1352)
    at com.hp.novaback.NovaBackApplication.main(NovaBackApplication.java:24)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:568)
    at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:102)
    at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:64)
    at org.springframework.boot.loader.launch.JarLauncher.main(JarLauncher.java:40)
2024-10-15 16:49:03.691 [] [main] INFO com.hp.novaback.NovaBackApplication.logStarting [50] : Starting NovaBackApplication v0.0.1-SNAPSHOT using Java 17.0.11 with PID 401410 (/usr/novaback/nova-back-java-0.0.1-SNAPSHOT.jar started by root in /usr/novaback)

[Figure 6: the error above]
5. I sent this error message to ChatGPT again. This time its answer was not accurate: it largely missed the point, or at least was not the best fix.

[Figures 7 to 10: screenshots of ChatGPT's reply]
6. I then searched on Baidu and found the correct answer right away.

[Figure 11: search result]

I changed my pom.xml accordingly and that resolved the error.

[Figure 12: updated pom.xml]
7. After packaging and restarting, yet another error appeared:

Error starting ApplicationContext. To display the condition evaluation report re-run your application with 'debug' enabled.
2024-10-15 16:49:10.105 [] [main] ERROR o.s.b.diagnostics.LoggingFailureAnalysisReporter.report [40] :

***************************
APPLICATION FAILED TO START
***************************

Description:

Your project setup is incompatible with our requirements due to following reasons:

- Spring Boot [3.2.10] is not compatible with this Spring Cloud release train

Action:

Consider applying the following actions:

- Change Spring Boot version to one of the following versions [3.0.x, 3.1.x] .
You can find the latest Spring Boot versions here [https://spring.io/projects/spring-boot#learn].
If you want to learn more about the Spring Cloud Release train compatibility, you can visit this page [https://spring.io/projects/spring-cloud#overview] and check the [Release Trains] section.
If you want to disable this check, just set the property [spring.cloud.compatibility-verifier.enabled=false]

[Figure 13: the error above]
8. I sent the complete error message to ChatGPT once more, and this time its answer was just as unsatisfying: it told me to downgrade Spring Boot so that it would be compatible with Spring Cloud!
I had gone to all this trouble upgrading Spring Boot precisely to fix the security vulnerability, and now it wanted me to downgrade...

[Figures 14 and 15: screenshots of ChatGPT's reply]
9. In the end I had to go back to Baidu, and within a few minutes I had the answer: newer Spring Cloud versions such as <version>2023.0.3</version>, <version>2023.0.2</version> and <version>2023.0.0</version> already support Spring Boot 3.2.10. That finally solved the problem.

[Figures 16 and 17: Spring Cloud version and the working configuration]
10. Once I knew the answer I kept prompting ChatGPT for it, but it still could not give the answer; it genuinely did not know. Possibly its training data is not current, but as the screenshot below shows, the compatible version 2023.0.0 has existed since December 2023, and it is now October 2024. That is a very slow data refresh...

[Figures 18 to 20: screenshots of ChatGPT's reply and the Spring Cloud release history]
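The checks below are an added example and not part of the original post: a small Python lint that flags the two pom.xml mistakes this upgrade ran into, an explicit version pin on a Spring artifact that spring-boot-starter-parent already manages (step 3) and an imported spring-cloud-dependencies BOM whose release train does not support the Boot line (step 9). The release-train table is a deliberately small subset taken from what this write-up states, and the sample pom is constructed; the groupId org.springframework.cloud for the BOM is assumed.

```python
import xml.etree.ElementTree as ET
# Constructed subset of the Spring Cloud train table, per this write-up: Boot 3.0/3.1 -> 2022.0.x, 3.2 -> 2023.0.x.
CLOUD_TRAINS = {"3.0": "2022.0", "3.1": "2022.0", "3.2": "2023.0"}
MANAGED_GROUPS = ("org.springframework", "org.springframework.boot")  # versions managed by the parent BOM

def _kids(el, name):
    """Children of el with local tag `name`, ignoring the Maven xmlns."""
    return [] if el is None else [c for c in el if c.tag.rsplit("}", 1)[-1] == name]

def _kid(el, name):
    return next(iter(_kids(el, name)), None)

def _text(el, name):
    kid = _kid(el, name)
    return kid.text.strip() if kid is not None and kid.text else None

def lint_pom(pom_xml):
    """Return findings as strings; an empty list means the pom passes both checks."""
    root = ET.fromstring(pom_xml)
    boot = _text(_kid(root, "parent"), "version")
    findings = []
    # Check 1: an explicit <version> on a Spring artifact overrides the parent BOM (the 6.0.22 pins above).
    for dep in _kids(_kid(root, "dependencies"), "dependency"):
        group, artifact, version = (_text(dep, t) for t in ("groupId", "artifactId", "version"))
        if version and group in MANAGED_GROUPS:
            findings.append(f"{group}:{artifact} pins {version}; drop <version> and let Boot {boot} manage it")
    # Check 2: the imported spring-cloud-dependencies BOM must be a train that supports this Boot line.
    for dep in _kids(_kid(_kid(root, "dependencyManagement"), "dependencies"), "dependency"):
        if _text(dep, "artifactId") != "spring-cloud-dependencies":
            continue
        train, want = _text(dep, "version"), CLOUD_TRAINS.get(".".join((boot or "").split(".")[:2]))
        if not (train and want and train.startswith(want + ".")):
            findings.append(f"spring-cloud-dependencies {train} does not support Boot {boot}; use a {want}.x train")
    return findings

# Constructed sample pom: Boot 3.2.10 parent, a stale spring-core pin and a 2022.0.x cloud BOM.
BROKEN_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId><version>3.2.10</version></parent>
  <dependencyManagement><dependencies><dependency><groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-dependencies</artifactId><version>2022.0.4</version>
    <type>pom</type><scope>import</scope></dependency></dependencies></dependencyManagement>
  <dependencies>
    <dependency><groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId><version>6.0.22</version></dependency>
    <dependency><groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId></dependency>
  </dependencies></project>"""
# Same pom after the fix: the pin is dropped and the cloud BOM moves to the 2023.0.x train.
FIXED_POM = BROKEN_POM.replace("<version>6.0.22</version>", "").replace("2022.0.4", "2023.0.3")
```

Running lint_pom over the real pom.xml before rebuilding would have caught both problems before the two failed restarts.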