[Snyk] Security upgrade com.vaadin:vaadin-spring from 3.2.1 to 10.0.0

[pethers]

Snyk has created this PR to fix 2 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• web-widgets/pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Improper Handling of Case Sensitivity SNYK-JAVA-ORGSPRINGFRAMEWORK-8230365	40	com.vaadin:vaadin-spring: 3.2.1 -> 10.0.0 Major version upgrade No Known Exploit
	Improper Handling of Case Sensitivity SNYK-JAVA-ORGSPRINGFRAMEWORK-8230366	40	com.vaadin:vaadin-spring: 3.2.1 -> 10.0.0 Major version upgrade No Known Exploit

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

[github-actions]

Dependency Review

The following issues were found:

• ❌ 2 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: The number of snapshots compared for the base SHA (2) and the head SHA (1) do not match. You may see unexpected removals in the diff.

Consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Vulnerabilities

pom.xml

Name	Version	Vulnerability	Severity
commons-fileupload:commons-fileupload	1.3.3	Apache Commons FileUpload denial of service vulnerability	high
com.vaadin:flow-server	1.0.0	Timing side channel vulnerability in UIDL request handler in Vaadin 10, 11-14, and 15-18	moderate
		Reflected cross-site scripting in default RouteNotFoundError view in Vaadin 10 and 11-13	moderate
		Possible route enumeration in production mode via RouteNotFoundError view in Vaadin 10, 11-14, and 15-19	moderate
		Vaadin vulnerable to possible information disclosure in non visible components.	moderate
		Unauthorized client-side property update in UIDL request handler in Vaadin 10 and 11	low
		Vaadin vulnerable to possible information disclosure of class and method names in RPC response	low

OpenSSF Scorecard

Package	Version	Score	Details
maven/com.vaadin:vaadin-spring	10.0.0	🟢 4.2	Details Check Score Reason Code-Review 🟢 9 Found 29/30 approved changesets -- score normalized to 9 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow ⚠️ -1 no workflows found Token-Permissions ⚠️ -1 No tokens found Binary-Artifacts 🟢 10 no binaries found in the repo License ⚠️ 0 license file not detected Pinned-Dependencies ⚠️ -1 no dependencies found Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected SAST 🟢 3 SAST tool is not run on all commits -- score normalized to 3 Vulnerabilities ⚠️ 0 25 existing vulnerabilities detected
maven/commons-fileupload:commons-fileupload	1.3.3	🟢 8.1	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches CI-Tests 🟢 10 20 out of 20 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review ⚠️ 0 Found 0/10 approved changesets -- score normalized to 0 Contributors 🟢 10 project has 44 contributing companies or organizations Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 10 all dependencies are pinned SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 10 0 existing vulnerabilities detected
maven/com.vaadin:flow-server	1.0.0	🟢 5.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege SAST 🟢 10 SAST tool detected Binary-Artifacts 🟢 5 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected Vulnerabilities ⚠️ 0 47 existing vulnerabilities detected
maven/com.googlecode.gentyref:gentyref	1.2.0	Unknown	Unknown
maven/com.helger:ph-commons	9.0.2	🟢 5.3	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Maintained 🟢 10 28 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 0 Found 0/30 approved changesets -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected SAST 🟢 10 SAST tool detected: CodeQL Security-Policy ⚠️ 0 security policy file not detected Binary-Artifacts 🟢 10 no binaries found in the repo License 🟢 10 license file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Packaging 🟢 10 packaging workflow detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected
maven/com.helger:ph-css	6.1.1	🟢 4.9	Details Check Score Reason Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 19 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 0 Found 1/29 approved changesets -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 6 4 existing vulnerabilities detected
maven/com.vaadin:flow-client	1.0.0	🟢 5.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege SAST 🟢 10 SAST tool detected Binary-Artifacts 🟢 5 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected Vulnerabilities ⚠️ 0 47 existing vulnerabilities detected
maven/com.vaadin:flow-push	1.0.0	🟢 5.3	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 16 issue activity found in the last 90 days -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow ⚠️ 0 dangerous workflow patterns detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege SAST 🟢 10 SAST tool detected Binary-Artifacts 🟢 5 binaries present in source code Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected Vulnerabilities ⚠️ 0 47 existing vulnerabilities detected
maven/com.vaadin:vaadin-spring	10.0.0	🟢 4.2	Details Check Score Reason Code-Review 🟢 9 Found 29/30 approved changesets -- score normalized to 9 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow ⚠️ -1 no workflows found Token-Permissions ⚠️ -1 No tokens found Binary-Artifacts 🟢 10 no binaries found in the repo License ⚠️ 0 license file not detected Pinned-Dependencies ⚠️ -1 no dependencies found Fuzzing ⚠️ 0 project is not fuzzed Security-Policy 🟢 10 security policy file detected SAST 🟢 3 SAST tool is not run on all commits -- score normalized to 3 Vulnerabilities ⚠️ 0 25 existing vulnerabilities detected
maven/org.springframework:spring-websocket	5.0.7.RELEASE	Unknown	Unknown

Scanned Files

• pom.xml
• web-widgets/pom.xml