Hibernate 6.0, JobRunr 5.0, JHipster 7.8.0, Spring CVE, JReleaser 1.0-RC2
This week’s Java Digest for March 28, 2022 features news on JDK 19, Spring Boot, Spring CVE, Apache Tomcat point releases, Quarkus Tools for Visual Studio Code, Micronaut 3.4.1, JetBrains joins the Micronaut Foundation, Open Liberty Paketo Liberty Buildpack, Hibernate 6.0, JobRunr 5.0, WildFly 26.1 Beta S2I images, JReleaser 1.0-RC2, MicroStream 7.0-M2, JHipster 7.8.0, JMH 1.35.
Version 16 of the early access builds of JDK 19 was made available last week, with updates to version 15 that include fixes to various issues. More details can be found in the release notes.
For JDK 19, developers are encouraged to report bugs through the Java Bug Database.
Spring Framework versions 5.3.18 and 5.2.20 were released in response to CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+, where a Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution via data binding. This was dubbed Spring4Shell. InfoQ will follow with more detailed news.
Spring Framework 5.3.17 has been released to address CVE-2022-22950: Spring Expression DoS vulnerability, where it is possible for a user to supply a specially crafted Spring Expression Language (SpEL) expression which may cause a denial of service condition.
Spring Cloud Function versions 3.1.7 and 3.2.3 have been released to address CVE-2022-22963: Remote Code Execution in Spring Cloud Function by Malicious Spring Expression, where it is possible for a user, while using the routing functionality, to provide a specially crafted SpEL routing expression that can cause remote code execution that exposes access to local resources.
Spring Boot versions 2.6.6 and 2.5.12 were released with dependency upgrades to Spring Framework 5.3.18 and Jackson BOM versions 188.8.131.5220328 and 184.108.40.20620326, respectively. These two point releases contain Spring Framework versions 5.3.18 and 5.2.20 which fix CVE-2022-22965.
Spring Cloud Azure 4.0 was released with: simplified dependency management; extended support for the Azure Support module; and a redesigned Spring module dependency model to provide a more flexible approach to dealing with different application approaches.
Following on from SpringOne 2021, Jürgen Höller, Senior Engineer and Spring Framework Project Manager at VMware, provided an update on the adoption of JDK 17 and beyond, writing:
We have established the new baseline on our main branches, with some milestones already. The feedback has been very positive, not only in terms of improvements to the framework but also in terms of motivation for an application-level Java upgrade. Of course, it doesn’t end with JDK 17 LTS: JDK 18 is already an immediate option, JDK 19 will be the current release when we go full release later this year, with JDK 20 in Early Access by then – and JDK 21 LTS already on the horizon.
It was a busy week for the Apache Tomcat team as they provided point releases for the 8.5, 9.0 and 10.0 version trains.
Versions 8.5.78, 9.062, 10.0.2 and 10.1.0-M14 alpha all include: an update to the packaged version of the Tomcat native library 1.2.32 to recover Windows binaries built with OpenSSL 1.1.1n; improved logging of unknown HTTP/2 parameter frames; additional warnings if incompatible TLS configurations are used (such as HTTP/2 with CLIENT-CERT authentication); and a class loader hardening to provide mitigation for CVE-2022-22965, i.e. Spring4Shell.
The 8.5 and 9.0 release series serve as an open source software implementation of Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket, and Java Authentication Service Provider Interface for Containers technologies.
The 10.0 and 10.1 milestone release series serve as an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication, and Jakarta Annotations specifications.
Red Hat released Quarkus Tools for Visual Studio Code 1.10.0 with: a “more easily discoverable” “Deploy to OpenShift” command; a new Qute language server to support completion, validation, hover, etc.; improvements to the Qute template engine; validation that the @ConfigMapping annotation can only be placed on interfaces; and support for the @ApplicationPath annotation to handle the project URL as an alternative to the property support extension. More details about this release can be found in the changelog.
The Micronaut Foundation has released Micronaut 3.4.1 with: support for the @JsonProperty annotations in the BeanIntrospectionModule class; allow serialization of null; an update of jackson-databind 220.127.116.11; and dependency upgrades to Micronaut Serialization 1.0.1; Micronaut AOT 1.0.1; Micronaut Maven Plugin 3.2.1; and Micronaut Servlet 3.2.2. You can find more details about this release in the changelog.
The Micronaut Foundation also announced that JetBrains s.r.o. has joined the foundation as a tools and infrastructure partner. JetBrains joins Gradle Inc., which joined in early January 2022 as its very first partner. Established in June 2020 as a non-profit organization, the Micronaut Foundation, supported by the Technology Advisory Board, advances innovation and adoption of the Micronaut framework.
IBM introduced the Paketo Liberty Buildpack, a set of executables that inspects application source code and creates a build plan. Based on Paketo Buildpacks, which implement the Cloud Native Computing Foundation buildpack specification, Paketo Liberty Buildpacks are designed to transform application source code into container images and maintain them.
Docker WildFly 26.1 Beta Source-to-Image (S2I) images have been released on quay.io, Red Hat’s utility for creating, analyzing, and distributing container images. The quay.io/wildfly/wildfly-centos7 and quay.io/wildfly/wildfly-runtime-centos7 images, obsolete since WildFly 26, will be replaced by a new architecture based on version 3.0 of the WildFly Application Server Maven plug-in.
Hibernate ORM 6.0 was released last week with new features such as: support for the Jakarta Persistence specification; performance improvements via switching from reading by name to reading by position from a ResultSet; a new SPI mapping model related to the new read-by-position paradigm; redesigned annotations for type safety; and an updated semantic query model. InfoQ will follow with more detailed news.
JobRunr, a utility for performing background processing in Java, released version 5.0 to include a number of new features such as: support for Spring Native and the mapped diagnostic context provided by SLF4J; scheduling of recurring tasks with a defined interval; integration with Micrometer; easier integration with multiple databases; and support for performing tasks on the last day of the week or the last day of the month. InfoQ will follow up with a more detailed report.
On the road to 1.0.0, the second release candidate and updated early access builds of JReleaser were made available last week with: dependency upgrades to jsonschema 4.24.1 and the Gradle download plugin (downloadPluginVersion) 5.0.4; a fix for the commit message not parsing correctly on Windows; and a hotfix to resolve the “Unable to parse version ‘2000.0.0[.A]’ by ‘AAAA.MINEUR.MICRO[.MODIFIER]’” error message.
JHipster version 7.8.0 was released to include: a dependency upgrade to Spring Boot 2.6.6; Java 18 support; a React Micro Frontend implementation; a fix for Couchbase paging requests for entities with relationships; and many library upgrades. More details about this release can be found in the changelog.
A week after the first beta, the second beta of MicroStream 7.0 was released with a new Android-like handler due to reflection restrictions in new Android versions.
Java Microbenchmark Harness (JMH)
JMH 1.35 has been released with fixes such as: the SingleShot mode must handle more than one invocation of the @OperationsPerInvocations annotation; the async profiler using wrong option for profiler output; the perfasm profiler not accepting showCounts=x options, the latter to support configurable event count normalization; and an improvement in perfasm metadata in which the actual version number, and not