Endor Labs Version Upgrade: Bump org.springframework:spring-web from 5.3.31 to 5.3.36 by endor-labs-pro[bot] · Pull Request #8 · TreetopTechie/BenchmarkJava

endor-labs-pro · 2025-05-12T16:12:18Z

Endor Labs Automated Dependency Update

Summary

This PR updates dependencies to improve security:

📦 Dependencies Updated

Project	Dependency Name	Update Version (From ➡️ To)	Update Risk
TreetopTechie/BenchmarkJava	`org.springframework:spring-web`	`5.3.31` ➡️ `5.3.36`	`LOW`	View Details

Security Impact

Summary of Fixed Issues

Severity	Count
🔴 High	2

🔍 Findings fixed in this pull request (Click to expand)

Advisory	Dependency Reachability	Function Reachability	Severity
GHSA-hgjh-9rj2-g67j	Reachable	Reachable	🔴 High
GHSA-2wrp-6fg6-hmc5	Reachable	Reachable	🔴 High

Remediation Risk

Remediation Risk: LOW

Remediation Risk Factors:

Potential Conflicts: 3
- Major Version Conflicts ℹ️ : 0
- Minor Version Conflicts ℹ️ : 3
Breaking Changes: 0

Reminders

Ignore: If you don't wish to receive this update again, simply close this PR.
Test: Remember to ensure your tests pass and ensure this change doesn't impact your application before you merge.

_{Generated by Endor Labs}

endor-labs-pro · 2025-05-12T16:22:30Z

Endor Labs Security Review

📝 Summary

The project's pom.xml file was updated to upgrade the springframework dependency from version 5.3.31 to 5.3.36. This dependency update might introduce new features, bug fixes, or security patches from the Spring Framework.

🔍 Security Analysis

Upgrading the Spring Framework dependency removes exposure to two high-severity vulnerabilities, significantly improving the application's security posture by incorporating critical upstream patches.

⚠️ Security Changes (1)

🔴 📦 DEPENDENCY: Upgraded Spring Framework dependency to address security flaws

The version of the 'org.springframework:spring-web' dependency was updated from 5.3.31 to 5.3.36. This change directly upgrades the Spring Framework library, and as described in the PR, this update incorporates upstream security patches addressing known vulnerabilities. Such an upgrade reduces the project's exposure to previously reported security flaws in the older version.

Justification

Upgrading the Spring dependency removes exposure to known vulnerabilities present in versions prior to 5.3.36.
The PR references CVEs of high severity, indicating direct security impact.
The change matches the 'New Dependency Added/Updated' and 'Vulnerabilities & Exploits' rules, both emphasizing the mitigation of supply chain risk and known exploits.
A score of 8 reflects the significant reduction in risk by patching actively known high severity flaws.

BenchmarkJava/pom.xml

Lines 1235 to 1236 in 53f4e9e



<version.springframework>5.3.36</version.springframework>

Generated by Endor Labs.
Scanned @ 05-12-2025 16:22:30 UTC

endor-labs-pro · 2025-05-12T16:22:30Z

Warning

Endor Labs detected 1 policy violations associated with this pull request.

Please review the findings that caused the policy violations.

📋 Policy: Warn in CI for Reachable Critical/High (2 findings)

📥 Package mvn://org.owasp:benchmark@1.2

⤵️ Dependency: mvn://org.springframework:spring-context@5.3.36

🚩 GHSA-4wrc-f8pq-fpqp: Pivotal Spring Framework contains unsafe Java deserialization methods

Details

Severity: Critical
Categories: Security Vulnerability ``
Remediation: Update org.owasp:benchmark@1.2 to use org.springframework:spring-context version 6.0.0 (current: 5.3.36, latest: 7.0.0-M4).

⤵️ Dependency: mvn://org.springframework:spring-web@5.3.36

🚩 GHSA-4wrc-f8pq-fpqp: Pivotal Spring Framework contains unsafe Java deserialization methods

Details

Severity: Critical
Categories: Security Vulnerability ``
Remediation: Update org.owasp:benchmark@1.2 to use org.springframework:spring-web version 6.0.0 (current: 5.3.36, latest: 7.0.0-M4).

This comment was automatically generated by Endor Labs.
Scanned @ 05-12-2025 16:22:30 UTC

endor-labs-pro · 2025-05-14T16:15:14Z

A new PR will be opened for the updated version: 5.3.39. This PR is being closed by Endor Labs.

endorlabs: bump org.springframework:spring-web from 5.3.31 to 5.3.36

53f4e9e

endor-labs-pro Bot closed this May 14, 2025

endor-labs-pro Bot deleted the endorlabs-112a/maven/dot-/org.springframework-spring-web-5.3.36 branch May 14, 2025 16:15

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Endor Labs Version Upgrade: Bump org.springframework:spring-web from 5.3.31 to 5.3.36#8

Endor Labs Version Upgrade: Bump org.springframework:spring-web from 5.3.31 to 5.3.36#8
endor-labs-pro[bot] wants to merge 1 commit into
mainfrom
endorlabs-112a/maven/dot-/org.springframework-spring-web-5.3.36

endor-labs-pro Bot commented May 12, 2025

Uh oh!

endor-labs-pro Bot commented May 12, 2025

Justification

Uh oh!

endor-labs-pro Bot commented May 12, 2025

📋 Policy: Warn in CI for Reachable Critical/High (2 findings)

📥 Package mvn://org.owasp:benchmark@1.2

⤵️ Dependency: mvn://org.springframework:spring-context@5.3.36

⤵️ Dependency: mvn://org.springframework:spring-web@5.3.36

Uh oh!

endor-labs-pro Bot commented May 14, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

endor-labs-pro Bot commented May 12, 2025

Endor Labs Automated Dependency Update

Summary

📦 Dependencies Updated

Security Impact

Summary of Fixed Issues

Remediation Risk

Reminders

Uh oh!

endor-labs-pro Bot commented May 12, 2025

Endor Labs Security Review

📝 Summary

🔍 Security Analysis

⚠️ Security Changes (1)

Justification

Uh oh!

endor-labs-pro Bot commented May 12, 2025

Please review the findings that caused the policy violations.

📋 Policy: Warn in CI for Reachable Critical/High (2 findings)

📥 Package mvn://org.owasp:benchmark@1.2

⤵️ Dependency: mvn://org.springframework:spring-context@5.3.36

⤵️ Dependency: mvn://org.springframework:spring-web@5.3.36

Uh oh!

endor-labs-pro Bot commented May 14, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants