我们的Spring Boot(云)应用程序使用rx-netty,其版本是
0.4.20
。它将 netty 及其组件设置为版本 4.1.5.Final
。
目前我们的安全审核系统发现当前的netty-codec版本(
4.1.52.Final
)存在漏洞,建议我们升级到4.1.68+
版本。
我尝试将pom.xml中的
netty-codec
锁定为4.1.68.Final
,但后来我发现其他netty组件如netty-buffer
或netty-handler
仍然停留在4.1.52
。
我想知道:
谢谢
mvn dependency:tree
...
[INFO] +- io.reactivex:rxnetty-contexts:jar:0.4.20:compile
[INFO] +- io.reactivex:rxnetty-servo:jar:0.4.20:compile
[INFO] | \- com.netflix.servo:servo-core:jar:0.12.21:runtime
[INFO] +- io.reactivex:rxnetty:jar:0.4.20:compile
[INFO] | +- io.netty:netty-codec-http:jar:4.1.69.Final:runtime
[INFO] | | +- io.netty:netty-common:jar:4.1.69.Final:runtime
[INFO] | | +- io.netty:netty-buffer:jar:4.1.52.Final:runtime
[INFO] | | +- io.netty:netty-transport:jar:4.1.52.Final:runtime
[INFO] | | \- io.netty:netty-codec:jar:4.1.52.Final:runtime
[INFO] | +- io.netty:netty-handler:jar:4.1.69.Final:runtime
[INFO] | | \- io.netty:netty-resolver:jar:4.1.52.Final:runtime
[INFO] | +- io.netty:netty-transport-native-epoll:jar:4.1.69.Final:runtime
[INFO] | | \- io.netty:netty-transport-native-unix-common:jar:4.1.52.Final:runtime
...
注意:Spring boot版本
2.5.5
使用的是netty4.1.68.Final
,所以如果你把spring-boot-starter-parent
升级到2.5.5
应该没问题
话虽这么说:
如何在 spring-boot 中升级到更高/更低版本的依赖项:
spring-boot-dependencies
根据您的情况,将
netty.version:4.1.69.Final
添加到您的属性中:
<properties>
<java.version>11</java.version>
<netty.version>4.1.69.Final</netty.version>
</properties>
当将
<netty.version>4.1.69.Final</netty.version>
与 spring-boot-starter-parent:2.2.10.RELEASE
一起使用时,请参考 Gist netty-upgrade
当你执行
mvn dependency:tree
时,你可以看到每个netty依赖都升级为4.1.69.Final
输出在“netty”上过滤
Regel 1: [INFO] --- maven-dependency-plugin:3.1.2:tree (default-cli) @ netty-upgrade ---
Regel 2: [INFO] com.example:netty-upgrade:jar:0.0.1-SNAPSHOT
Regel 25: [INFO] | +- org.springframework.boot:spring-boot-starter-reactor-netty:jar:2.2.10.RELEASE:compile
Regel 26: [INFO] | | +- io.projectreactor.netty:reactor-netty:jar:0.9.12.RELEASE:compile
Regel 26: [INFO] | | +- io.projectreactor.netty:reactor-netty:jar:0.9.12.RELEASE:compile
Regel 27: [INFO] | | | +- io.netty:netty-codec-http2:jar:4.1.69.Final:compile
Regel 27: [INFO] | | | +- io.netty:netty-codec-http2:jar:4.1.69.Final:compile
Regel 28: [INFO] | | | +- io.netty:netty-handler-proxy:jar:4.1.69.Final:compile
Regel 28: [INFO] | | | +- io.netty:netty-handler-proxy:jar:4.1.69.Final:compile
Regel 29: [INFO] | | | | \- io.netty:netty-codec-socks:jar:4.1.69.Final:compile
Regel 29: [INFO] | | | | \- io.netty:netty-codec-socks:jar:4.1.69.Final:compile
Regel 30: [INFO] | | | \- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.69.Final:compile
Regel 30: [INFO] | | | \- io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.69.Final:compile
Regel 42: [INFO] +- io.reactivex:rxnetty:jar:0.5.1:runtime
Regel 44: [INFO] | +- io.netty:netty-codec-http:jar:4.1.69.Final:compile
Regel 44: [INFO] | +- io.netty:netty-codec-http:jar:4.1.69.Final:compile
Regel 45: [INFO] | | +- io.netty:netty-common:jar:4.1.69.Final:compile
Regel 45: [INFO] | | +- io.netty:netty-common:jar:4.1.69.Final:compile
Regel 46: [INFO] | | +- io.netty:netty-buffer:jar:4.1.69.Final:compile
Regel 46: [INFO] | | +- io.netty:netty-buffer:jar:4.1.69.Final:compile
Regel 47: [INFO] | | +- io.netty:netty-transport:jar:4.1.69.Final:compile
Regel 47: [INFO] | | +- io.netty:netty-transport:jar:4.1.69.Final:compile
Regel 48: [INFO] | | \- io.netty:netty-codec:jar:4.1.69.Final:compile
Regel 48: [INFO] | | \- io.netty:netty-codec:jar:4.1.69.Final:compile
Regel 49: [INFO] | +- io.netty:netty-handler:jar:4.1.69.Final:compile
Regel 49: [INFO] | +- io.netty:netty-handler:jar:4.1.69.Final:compile
Regel 50: [INFO] | | \- io.netty:netty-resolver:jar:4.1.69.Final:compile
Regel 50: [INFO] | | \- io.netty:netty-resolver:jar:4.1.69.Final:compile
Regel 51: [INFO] | +- io.netty:netty-transport-native-epoll:jar:4.1.69.Final:runtime
Regel 51: [INFO] | +- io.netty:netty-transport-native-epoll:jar:4.1.69.Final:runtime
Regel 52: [INFO] | | \- io.netty:netty-transport-native-unix-common:jar:4.1.69.Final:compile
Regel 52: [INFO] | | \- io.netty:netty-transport-native-unix-common:jar:4.1.69.Final:compile
因此,如果您仍有对其他版本的引用,请使用
mvn dependency:tree
查看该引用的来源。