thingsboard/3.8.1-r3: cve remediation #36987

Open
wants to merge 1 commit into
base: main
@octo-sts octo-sts bot commented Dec 13, 2024


octo-sts bot commented Dec 13, 2024

Gen AI suggestions to solve the build error:

• Detected Error: Multiple compilation failures related to missing Spring Framework classes (org.springframework.http, org.springframework.web.filter, etc.)

• Error Category: Dependency

• Failure Point: Maven compilation phase failing in http transport module

• Root Cause Analysis: The Spring Framework dependencies are missing from the Maven build. These are required for the HTTP transport module which uses Spring MVC components.

• Suggested Fix: Add Spring Boot and Spring Framework dependencies to the pombump pipeline:

- uses: maven/pombump
  with:
    add_dependencies: |
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
        <version>3.2.1</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>6.1.2</version>
      </dependency>

• Explanation: The HTTP transport module uses Spring MVC annotations and classes for REST endpoints. Adding these dependencies will provide the required Spring Framework classes for compilation.

• Additional Notes:

  • Spring Boot starter web includes all necessary Spring MVC dependencies
  • Version numbers align with ThingsBoard 3.8.1 Spring dependencies
  • The transport module specifically needs Spring Web MVC support

• References:

@mamccorm mamccorm force-pushed the cve-thingsboard-5399dbbba2cdb49e7c0e8252b3b09e6a branch from 46548fe to d8cb3cb Compare December 14, 2024 20:55

octo-sts bot commented Dec 14, 2024

Gen AI suggestions to solve the build error:

• Detected Error: Multiple compilation failures related to missing Spring Framework dependencies, specifically:
package org.springframework.http does not exist
package org.springframework.web.filter does not exist

• Error Category: Dependency

• Failure Point: Maven compilation phase during build of http transport module

• Root Cause Analysis: The Spring Framework dependencies required for HTTP transport are missing from the project's Maven dependencies. This is a common issue when Spring Boot/Framework dependencies are not properly declared in the pom.xml.

• Suggested Fix: Add Spring Boot/Framework dependencies to the Maven build configuration in the pombump pipeline step:

- uses: maven/pombump
  with:
    add_dependencies: |
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
        <version>3.2.1</version>
      </dependency>
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-webmvc</artifactId>
        <version>6.1.2</version>
      </dependency>

• Explanation: The HTTP transport module uses Spring MVC annotations and classes for REST endpoints. Adding these dependencies will provide the required Spring Framework classes for compilation.

• Additional Notes:

  • Spring Boot starter web includes all necessary Spring MVC dependencies
  • Version numbers align with Spring Boot 3.x which is compatible with Java 17
  • These are compile-time dependencies needed for the HTTP transport module
  • No runtime impact on other modules that don't use Spring

• References:
