-
Task
-
Resolution: Done
-
L3 - Default
-
None
-
Not defined
Context:
With Optimize 3.8.2 a couple of dependencies got updated:
Updates backend dependencies:
- spring-framework-bom 5.3.20
- classgraph 4.8.146
- java-jwt 3.19.2
- zeebe 8.0.2
- caffeine 3.1.0
- spring.security.version 5.6.3
Updates frontend dependencies:
AT:
- check each of the updates whether they fix CVEs that Optimize was affected by
- update the third-party dependencies in the docs https://docs.camunda.io/docs/reference/dependencies/#optimize-dependencies-front-end
This is the controller panel for Smart Panels app
[OPT-6197] Optimize 3.8.2 Dependency Update
| Labels | Original: current_release | New: current_release documentation |
| Status | Original: Open [ 1 ] | New: In Development [ 10312 ] |
| Description |
Original:
Context:
With Optimize 3.8.2 a couple of dependencies got updated: [https://github.com/camunda/camunda-optimize/pulls?q=is%3Apr+is%3Amerged+base%3Amaintenance%2F3.8++label%3Adependencies+] Updates backend dependencies: * [spring-framework-bom 5.3.20|https://github.com/camunda/camunda-optimize/pull/4738] * [classgraph 4.8.146|https://github.com/camunda/camunda-optimize/pull/4726] * [java-jwt 3.19.2|https://github.com/camunda/camunda-optimize/pull/4719] * [zeebe 8.0.2|https://github.com/camunda/camunda-optimize/pull/4706] * [caffeine 3.1.0|https://github.com/camunda/camunda-optimize/pull/4704] * [spring.security.version 5.6.3|https://github.com/camunda/camunda-optimize/pull/4696] Updates frontend dependencies: * [react-grid-layout 1.3.4|https://github.com/camunda/camunda-optimize/pull/4730] * [react-markdown 8.0.3|https://github.com/camunda/camunda-optimize/pull/4702] * [bpmn-js-disable-collapsed-subprocess 0.1.4|https://github.com/camunda/camunda-optimize/pull/4701] AT: * check each of the updates whether they fix CVEs that Optimize was affected by ** if there were relevant CVEs fixed, create a security notice and include them * update the third-party dependencies in the docs [https://docs.camunda.io/docs/reference/dependencies/#optimize-dependencies-front-end] |
New:
Context:
With Optimize 3.8.2 a couple of dependencies got updated: [https://github.com/camunda/camunda-optimize/pulls?q=is%3Apr+is%3Amerged+base%3Amaintenance%2F3.8++label%3Adependencies+] Updates backend dependencies: * {color:#172b4d}[spring-framework-bom 5.3.20|https://github.com/camunda/camunda-optimize/pull/4738]{color} * {color:#172b4d}[classgraph 4.8.146|https://github.com/camunda/camunda-optimize/pull/4726] {color} * {color:#172b4d}[java-jwt 3.19.2|https://github.com/camunda/camunda-optimize/pull/4719]{color} * {color:#172b4d}[zeebe 8.0.2|https://github.com/camunda/camunda-optimize/pull/4706] {color} * {color:#172b4d}[caffeine 3.1.0|https://github.com/camunda/camunda-optimize/pull/4704] {color} * {color:#172b4d}[spring.security.version 5.6.3|https://github.com/camunda/camunda-optimize/pull/4696]{color} Updates frontend dependencies: * {color:#172b4d}[react-grid-layout 1.3.4|https://github.com/camunda/camunda-optimize/pull/4730]{color} * {color:#172b4d}[react-markdown 8.0.3|https://github.com/camunda/camunda-optimize/pull/4702]{color} * {color:#172b4d}[bpmn-js-disable-collapsed-subprocess 0.1.4|https://github.com/camunda/camunda-optimize/pull/4701]{color} AT: * check each of the updates whether they fix CVEs that Optimize was affected by ** if there were relevant CVEs fixed, create a security notice and include them * update the third-party dependencies in the docs [https://docs.camunda.io/docs/reference/dependencies/#optimize-dependencies-front-end] |
| Description |
Original:
Context:
With Optimize 3.8.2 a couple of dependencies got updated: [https://github.com/camunda/camunda-optimize/pulls?q=is%3Apr+is%3Amerged+base%3Amaintenance%2F3.8++label%3Adependencies+] Updates backend dependencies: * {color:#172b4d}[spring-framework-bom 5.3.20|https://github.com/camunda/camunda-optimize/pull/4738]{color} * {color:#172b4d}[classgraph 4.8.146|https://github.com/camunda/camunda-optimize/pull/4726] {color} * {color:#172b4d}[java-jwt 3.19.2|https://github.com/camunda/camunda-optimize/pull/4719]{color} * {color:#172b4d}[zeebe 8.0.2|https://github.com/camunda/camunda-optimize/pull/4706] {color} * {color:#172b4d}[caffeine 3.1.0|https://github.com/camunda/camunda-optimize/pull/4704] {color} * {color:#172b4d}[spring.security.version 5.6.3|https://github.com/camunda/camunda-optimize/pull/4696]{color} Updates frontend dependencies: * {color:#172b4d}[react-grid-layout 1.3.4|https://github.com/camunda/camunda-optimize/pull/4730]{color} * {color:#172b4d}[react-markdown 8.0.3|https://github.com/camunda/camunda-optimize/pull/4702]{color} * {color:#172b4d}[bpmn-js-disable-collapsed-subprocess 0.1.4|https://github.com/camunda/camunda-optimize/pull/4701]{color} AT: * check each of the updates whether they fix CVEs that Optimize was affected by ** if there were relevant CVEs fixed, create a security notice and include them * update the third-party dependencies in the docs [https://docs.camunda.io/docs/reference/dependencies/#optimize-dependencies-front-end] |
New:
Context:
With Optimize 3.8.2 a couple of dependencies got updated: [https://github.com/camunda/camunda-optimize/pulls?q=is%3Apr+is%3Amerged+base%3Amaintenance%2F3.8++label%3Adependencies+] Updates backend dependencies: * {color:#172b4d}[spring-framework-bom 5.3.20|https://github.com/camunda/camunda-optimize/pull/4738]{color} * {color:#172b4d}[classgraph 4.8.146|https://github.com/camunda/camunda-optimize/pull/4726] {color} * {color:#172b4d}[java-jwt 3.19.2|https://github.com/camunda/camunda-optimize/pull/4719]{color} * {color:#172b4d}[zeebe 8.0.2|https://github.com/camunda/camunda-optimize/pull/4706] {color} * {color:#172b4d}[caffeine 3.1.0|https://github.com/camunda/camunda-optimize/pull/4704] {color} * {color:#172b4d}[spring.security.version 5.6.3|https://github.com/camunda/camunda-optimize/pull/4696]{color} Updates frontend dependencies: * {color:#172b4d}[react-grid-layout 1.3.4|https://github.com/camunda/camunda-optimize/pull/4730]{color} * {color:#172b4d}[react-markdown 8.0.3|https://github.com/camunda/camunda-optimize/pull/4702]{color} * {color:#172b4d}[bpmn-js-disable-collapsed-subprocess 0.1.4|https://github.com/camunda/camunda-optimize/pull/4701]{color} AT: * check each of the updates whether they fix CVEs that Optimize was affected by * update the third-party dependencies in the docs [https://docs.camunda.io/docs/reference/dependencies/#optimize-dependencies-front-end] |
In terms of CVEs:
java-jwt from 3.19.1 to 3.19.2 contained:
- [SDK-3311] Added protection against https://nvd.nist.gov/vuln/detail/CVE-2022-21449
Assessment: This CVE relates to the JDK used and is this not considered worth mentioning from the Camunda perspective. Customers should update the JDK, as our docker image ships with the JDK 11 which is according to the CVE not affected we don't need to communicate proactively about this CVE.
spring-framework 5.3.19/20 contained:
Assessment: Optimize wasn't affected by that as Spring MVC/Webflux is not used.
https://github.com/camunda/camunda-platform-docs/pull/905