3

I have a spring boot application and I want to always use the latest tomcat version, or even better the latest patched tomcat version of a given major and minor version:

F.e the latest version of 8 or the latest of 8.5. (like 8.5.32)

So, I would get the latest security patches if I rebuild my application.

I know I can manual give in one concrete version inside the properties. But this would get fast outdated and I don't want to have to adjust this all the time manually.

snap
  • 1,598
  • 1
  • 14
  • 21
  • 2
    The issue with automatic upgrades is that builds become non-reproducible. However, version management is the task of your build/dependency management tool. If you're using Maven you should read this: https://stackoverflow.com/questions/30571. But rather than using automatic upgrades, you may want to check the [dependency-check-maven](https://jeremylong.github.io/DependencyCheck/dependency-check-maven/index.html) plugin, which is an OWASP tool that verifies if your dependencies are outdated or contain vulnerabilities. – g00glen00b Jul 26 '18 at 08:15
  • This are good points, but I really would like to at least auto update the latest version number for security reasons. F.e. in node (via npm) it's a really common practice to do so. The maven link don't really help me because the tomcat version which is used by spring boot is not a own maven dependency. – snap Jul 26 '18 at 08:32
  • 1
    You can automatically upgrade the Spring boot version in stead. That way you guarantee that you are using the latest Tomcat version that works with Spring boot. Alternatively, you can do the same thing sajib said, but in Maven. Meaning that you include the tomcat dependencies by yourself rather than relying on **spring-boot-starter-tomcat**. – g00glen00b Jul 26 '18 at 08:37
  • @g00glen00b in my actual case i want to get a patch for an actual vulnerability which is only be patched for tomcat 8.5.32 or later. The newest spring boot (release) version has a dependency to embedded tomcat 8.5.31 which is not patched yet. I really would like just to get to 8.5.X tomcat. I guess it would be stable enough for spring boot if just the 3. version level would change. Yes the same manipulation in maven would be an option, but looks a little bit hacky to me. Isn't there a way to just say, use embedded tomcat version 8.5.X for spring-boot-starter-tomcat? – snap Jul 26 '18 at 08:52

2 Answers2

1

If you use gradle then you can do it using this configuration:

compile('org.springframework.boot:spring-boot-starter-web') {
    exclude module: "spring-boot-starter-tomcat"
}
compile 'org.apache.tomcat.embed:tomcat-embed-core:+'
compile 'org.apache.tomcat.embed:tomcat-embed-el:+'
compile 'org.apache.tomcat.embed:tomcat-embed-logging-juli:+'
compile 'org.apache.tomcat.embed:tomcat-embed-websocket:+'

if you want to give specific version then use version+

GolamMazid Sajib
  • 8,698
  • 6
  • 21
  • 39
  • Nice! But sadly the project where I need this feature is not build with gradle. But this could be a first reason for me to think about migrating to gradle... So, thanks for the hint. – snap Jul 26 '18 at 08:34
0

if using maven it's pretty easy! This would get the latest from version 9.0.0 to 9.1.0.

pom.xml:

<properties>        
  <tomcat.version>[9.0,9.1)</tomcat.version>
</properties>
DEP
  • 1