SAST failed after changing spring boot to 2.5.5

There is no way to follow the course in 2024.
Section 6.

After changing spring boot from 2.4.3 to 2.5.5 I got the error below.

Top Priority (universal)
║ pkg:maven/ch.qos.logback/logback-core@1.2.6 │ CVE-2021-42550 │ 1.2.13
║ pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1 │ CVE-2021-44228 │ 2.17.1

After adding both dependencies in pom.xml:
Unable to create live FilePath for devsecops-demo-main-63-7hkmn-vfkmr-tbs94; devsecops-demo-main-63-7hkmn-vfkmr-tbs94 was marked offline: Pod failed (Reason: Evicted, Message: The node was low on resource: memory. Threshold quantity: 100Mi, available: 81588Ki. Container maven was using 2327908Ki, request is 0, has larger consumption of memory. Container kaniko was using 212Ki, request is 0, has larger consumption of memory. Container docker-tools was using 664Ki, request is 0, has larger consumption of memory. Container licensefinder was using 4300Ki, request is 0, has larger consumption of memory. Container slscan was using 3200Ki, request is 0, has larger consumption of memory. Container trufflehog was using 672Ki, request is 0, has larger consumption of memory. )

After adding only logback I see
CVE-2016-1000027 │ org.springframework/spring-webmvc │ 5.3.31 │ 6.0.0 │ CRITICAL

There is a lot of work to make it work.
Can you update the course?

Comments

  • albertgoma
    albertgoma Posts: 9

    The exact same error happens after upgrading Spring Boot to version "3.2.3".

  • fcioanca
    fcioanca Posts: 1,916

    Hi @albertgoma

    We are currently working on updating the course content and labs. A new version is expected to go live in the next 2 weeks or so.

    Regards,
    Flavia

  • albertgoma
    albertgoma Posts: 9

    Thanks @fcioanca, I'm really looking forward to it: even though I managed to follow some of the next labs I keep finding some small problems. For example, in Lab 9 we're required to install Chef Inspec and now we must request a free tier license by providing personal data, including our phone number...
