feat(初始化): 修复jar漏洞

eitc-admin/pom.xml

@@ -47,21 +47,18 @@
         <dependency>
             <groupId>com.eitc</groupId>
             <artifactId>eitc-framework</artifactId>
-            <version>3.8.7</version>
         </dependency>
 
         <!-- 定时任务-->
         <dependency>
             <groupId>com.eitc</groupId>
             <artifactId>eitc-quartz</artifactId>
-            <version>3.8.7</version>
         </dependency>
 
         <!-- 代码生成-->
         <dependency>
             <groupId>com.eitc</groupId>
             <artifactId>eitc-generator</artifactId>
-            <version>3.8.7</version>
         </dependency>
 
     </dependencies>

eitc-common/pom.xml

@@ -130,7 +130,6 @@
         <dependency>
             <groupId>com.baomidou</groupId>
             <artifactId>mybatis-plus-boot-starter</artifactId>
-            <version>3.5.1</version>
         </dependency>
 
         <!-- Minio 文件存储 -->

eitc-framework/pom.xml

@@ -57,12 +57,10 @@
         <dependency>
             <groupId>com.eitc</groupId>
             <artifactId>eitc-common</artifactId>
-            <version>3.8.7</version>
         </dependency>
         <dependency>
             <groupId>com.eitc</groupId>
             <artifactId>eitc-system</artifactId>
-            <version>3.8.7</version>
         </dependency>
 
     </dependencies>

pom.xml

@@ -52,12 +52,72 @@
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
+            <!--
+            Spring Boot 2.5.15的内置版本
+            <spring-security.version>5.5.8</spring-security.version>
+            强制修改依赖版本为：5.7.12
+            存在漏洞的JAR包：spring-security-core-5.5.8.jar
+            漏洞说明：Spring Security存在安全漏洞，在处理Authentication参数时没有对null值进行检查。当应用程序直接使用AuthenticatedVoter#vote方法，传入null作为认证参数时会错误地返回true值。攻击者可利用该漏洞绕过身份验证，进行提权或窃取系统敏感信息。
+            安全版本： Spring Security  5.7.12、5.8.11、6.0.10、6.1.8、6.2.3 及以上版本，下载地址：https://github.com/spring-projects/spring-security/releases
+            <spring-security.version>5.7.12</spring-security.version>
+
+            注意：因为使用Maven管理依赖，MAVEN具有依赖传递的特性，实质上只需要引入spring-security-config依赖包含了spring-security-core依赖和spring-security-web依赖
+            -->
+            <!-- spring-security 漏洞升级 -->
+            <dependency>
+                <groupId>org.springframework.security</groupId>
+                <artifactId>spring-security-config</artifactId>
+                <version>5.7.12</version>
+                <scope>compile</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.springframework.security</groupId>
+                <artifactId>spring-security-core</artifactId>
+                <version>5.7.12</version>
+                <scope>compile</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.springframework.security</groupId>
+                <artifactId>spring-security-crypto</artifactId>
+                <version>5.7.12</version>
+                <scope>compile</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.springframework.security</groupId>
+                <artifactId>spring-security-web</artifactId>
+                <version>5.7.12</version>
+                <scope>compile</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.quartz-scheduler</groupId>
+                <artifactId>quartz</artifactId>
+                <version>2.4.0-rc2</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>com.mchange</groupId>
+                        <artifactId>c3p0</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
 
             <!-- 阿里数据库连接池 -->
             <dependency>
                 <groupId>com.alibaba</groupId>
                 <artifactId>druid-spring-boot-starter</artifactId>
                 <version>${druid.version}</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.yaml</groupId>
+                        <artifactId>snakeyaml</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
+            <!-- yml解析器 漏洞修复，安全版本2.0及以上：https://mvnrepository.com/artifact/org.yaml/snakeyaml-->
+            <!-- 漏洞升级 -->
+            <dependency>
+                <groupId>org.yaml</groupId>
+                <artifactId>snakeyaml</artifactId>
+                <version>2.0</version>
             </dependency>
 
             <!-- 解析客户端操作系统、浏览器等 -->