Broadleaf Microservices

Base Dependencies Release Override

Third-party library security vulnerabilities are addressed as part of base dependency releases. These releases can generally be plugged into an existing installation through maven configuration alone, without upgrading the rest of the codebase. The base dependency release cadence more closely follows our policy thresholds for SCA vulnerability remediation, and it follows a lifecycle separate from our main release train.

Policy

  • Critical - 7 days

  • High - 30 days

  • Medium - 90 days

  • Low - best effort

Note
Broadleaf evaluates whether a CVE is a false positive in the context of how the Broadleaf framework actually uses the affected library; that evaluation may preclude or delay the update of an individual third-party library.

Override Base Dependencies Version

Generally, in order to override the base dependencies version, you will extend the release train BOM.

Extend The Release Train

First, create a new maven pom project that inherits from the Broadleaf release train pom (broadleaf-microservices-release-train) and pins the base dependencies version you want:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>com.broadleafcommerce.microservices</groupId>
        <artifactId>broadleaf-microservices-release-train</artifactId>
        <version>1.8.3-GA</version> (1)
        <relativePath/>
    </parent>
    <repositories>
        <repository>
            <id>broadleaf-microservices</id>
            <name>Broadleaf Microservices</name>
            <url>https://repository.broadleafcommerce.com/repository/microservices/</url>
        </repository>
    </repositories>
    <artifactId>microservice-flexpackage-release-train</artifactId> (2)
    <groupId>com.example.microservices</groupId> (3)
    <name>Release Train Override</name>
    <description>Release Train Override</description>
    <version>1.0.0</version> (4)
    <packaging>pom</packaging>
    <properties>
        <broadleaf.base.dependencies.version>1.7.19-GA</broadleaf.base.dependencies.version> (5)
    </properties>
</project>
  1. The version of the Broadleaf release train you’re currently consuming in your installation

  2. The maven artifactId for your override pom

  3. The maven groupId for your override pom

  4. The maven version for your override pom

  5. The version of the Broadleaf base dependencies you want to upgrade to

Import Your Extension

The approach for consuming a new base dependencies version differs slightly depending on whether you are using the legacy static project structure or the newer manifest-based dynamic project structure. For example, if you downloaded a manifest.zip archive from https://start.broadleafcommerce.com, then you are using the newer project structure.

Legacy Static Project Structure

In your base project pom (or any pom you have where the release train BOM is declared), you will need to disable the standard release train BOM import and import your customized extension instead.

...
    <dependencyManagement>
        <dependencies>
            ...
            <!-- <dependency> (1)
                <groupId>com.broadleafcommerce.microservices</groupId>
                <artifactId>broadleaf-microservices-release-train</artifactId>
                <version>${blc.release.train}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency> -->
            <dependency>
                <groupId>com.example.microservices</groupId> (2)
                <artifactId>microservice-flexpackage-release-train</artifactId> (3)
                <version>1.0.0</version> (4)
                <type>pom</type>
                <scope>import</scope>
            </dependency>
            ...
        </dependencies>
    </dependencyManagement>
...
  1. Comment out (disable) the standard Broadleaf release train import

  2. The maven groupId for your override pom

  3. The maven artifactId for your override pom

  4. The maven version for your override pom

Note
While uncommon, if you are able to pass a system property with your maven build command, then you can override the base dependencies version without extending the release train. For example: mvn install -Dbroadleaf.base.dependencies.version=1.7.19-GA. This system property supplies the value of the property consumed in the release train BOM and takes precedence over whatever is hard-coded into the release train. Because a command-line property applies only to that invocation, every build (including CI) must pass it, or the version hard-coded into the release train silently comes back.

Manifest Based Dynamic Project Structure

In your manifest.yml file:

...
project:
  groupId: com.example.microservices
  packageName: com.example.microservices
  starterParentVersion: 1.8.3-GA
  releaseTrainGroupIdOverride: com.example.microservices (1)
  releaseTrainArtifactIdOverride: microservice-flexpackage-release-train (2)
  releaseTrainVersionOverride: 1.0.0 (3)
...
  1. The maven groupId for your override pom

  2. The maven artifactId for your override pom

  3. The maven version for your override pom

If you run mvn clean install in your manifest directory, you will now have an updated manifest artifact pointing to your override. If this is a fresh install, you may run mvn flex:generate to generate your dynamic project, which will include the appropriate maven coordinates for your override pom. However, if this is not a fresh install and you do not wish to wipe your current project (e.g. mvn flex:generate -DforceClean=true), then you may manually add maven property overrides in your existing poms that inherit from broadleaf-microservices-flex-parent or broadleaf-microservices-starter-parent:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>com.broadleafcommerce.microservices</groupId>
        <artifactId>broadleaf-microservices-flex-parent</artifactId>
        <version>1.8.3-GA</version>
        <relativePath/>
    </parent>
    <repositories>
        <repository>
            <id>broadleaf-microservices</id>
            <name>Broadleaf Microservices</name>
            <url>https://repository.broadleafcommerce.com/repository/microservices/</url>
        </repository>
    </repositories>
    <artifactId>microservice-flexpackage-auth</artifactId>
    <groupId>com.example.microservices</groupId>
    <name>Auth Flexpackage Starter</name>
    <description>Auth Flexpackage Starter</description>
    <version>1.0.0-SNAPSHOT</version>
    <properties>
        <skip-spring-boot>false</skip-spring-boot>
        <skip-key-tool>false</skip-key-tool>
        <flex-package-name>auth</flex-package-name>
        <skip-mapper-cache>false</skip-mapper-cache>
        <skip-docker-image>false</skip-docker-image>
        <skip-flex-changelog>false</skip-flex-changelog>
        <spring-profiles>-Dspring.profiles.active=dev</spring-profiles>
        <spring-boot-maven-debug-port>8000</spring-boot-maven-debug-port>
        <image-deployment-repo-domain>repository.broadleafcommerce.com</image-deployment-repo-domain>
        <image-deployment-repo-port>5001</image-deployment-repo-port>
        <image-tag-prefix>broadleaf-demo</image-tag-prefix>
        <blc.release.train.groupid>com.example.microservices</blc.release.train.groupid> (1)
        <blc.release.train.artifactid>microservice-flexpackage-release-train</blc.release.train.artifactid> (2)
        <blc.release.train>1.0.0</blc.release.train> (3)
    </properties>
...
  1. The maven groupId for your override pom

  2. The maven artifactId for your override pom

  3. The maven version for your override pom
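As an added example (not Broadleaf's own tooling), the following Python check can run in CI to confirm that an override is actually wired in before the build is trusted for SCA remediation: it parses the override pom and a consuming pom, verifies the override inherits from the stock release train and sets broadleaf.base.dependencies.version, and verifies the consumer either imports the override BOM (legacy layout, with the stock import commented out) or points the blc.release.train.* properties at it (flex-parent layout). The sample poms are constructed here from the coordinates used on this page; file names, function names and messages are assumptions.

```python
import xml.etree.ElementTree as ET
NS = {"m": "http://maven.apache.org/POM/4.0.0"}
STOCK_TRAIN = ("com.broadleafcommerce.microservices", "broadleaf-microservices-release-train")
TRAIN_PROPS = ("blc.release.train.groupid", "blc.release.train.artifactid", "blc.release.train")

def _text(el, path):
    node = el.find(path, NS)
    return node.text.strip() if node is not None and node.text else None

def bom_imports(root):
    """BOM imports as (groupId, artifactId, version); ElementTree drops XML comments, so a commented-out import counts as absent."""
    return {(_text(d, "m:groupId"), _text(d, "m:artifactId"), _text(d, "m:version"))
            for d in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS)
            if _text(d, "m:type") == "pom" and _text(d, "m:scope") == "import"}

def check_override(override_pom_xml, consumer_pom_xml):
    """Findings for an override pom and a consumer pom; an empty list means the wiring is consistent.
    The consumer may use either a BOM import (legacy layout) or the blc.release.train.* properties."""
    ov, cons = ET.fromstring(override_pom_xml), ET.fromstring(consumer_pom_xml)
    findings = []
    if (_text(ov, "m:parent/m:groupId"), _text(ov, "m:parent/m:artifactId")) != STOCK_TRAIN:
        findings.append("override pom does not inherit from the Broadleaf release train")
    if not _text(ov, "m:properties/m:broadleaf.base.dependencies.version"):
        findings.append("override pom does not set broadleaf.base.dependencies.version")
    coords = (_text(ov, "m:groupId"), _text(ov, "m:artifactId"), _text(ov, "m:version"))
    imports = bom_imports(cons)
    props = tuple(_text(cons, "m:properties/m:" + p) for p in TRAIN_PROPS)
    if coords not in imports and props != coords:
        findings.append("consumer neither imports nor points its blc.release.train.* at %s:%s:%s" % coords)
    if any((g, a) == STOCK_TRAIN for g, a, _ in imports):
        findings.append("consumer still imports the stock release train; disable that import")
    return findings

# Constructed sample poms using the page's coordinates (not real project files).
OVERRIDE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><packaging>pom</packaging>
  <parent><groupId>com.broadleafcommerce.microservices</groupId>
    <artifactId>broadleaf-microservices-release-train</artifactId><version>1.8.3-GA</version></parent>
  <groupId>com.example.microservices</groupId><artifactId>microservice-flexpackage-release-train</artifactId>
  <properties><broadleaf.base.dependencies.version>1.7.19-GA</broadleaf.base.dependencies.version></properties>
  <version>1.0.0</version></project>"""
LEGACY_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencyManagement><dependencies>
  <!-- <dependency><groupId>com.broadleafcommerce.microservices</groupId><version>1.8.3-GA</version>
    <artifactId>broadleaf-microservices-release-train</artifactId><type>pom</type><scope>import</scope></dependency> -->
  <dependency><groupId>com.example.microservices</groupId><version>1.0.0</version>
    <artifactId>microservice-flexpackage-release-train</artifactId><type>pom</type><scope>import</scope></dependency>
</dependencies></dependencyManagement></project>"""
FLEX_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><properties>
  <blc.release.train.groupid>com.example.microservices</blc.release.train.groupid>
  <blc.release.train.artifactid>microservice-flexpackage-release-train</blc.release.train.artifactid>
  <blc.release.train>1.0.0</blc.release.train></properties></project>"""
```

Run it against the real override pom and each pom that declares the release train; any non-empty result means the build is still resolving third-party libraries from the stock release train.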