[ISSUE-2395]SynchronossPartHttpMessageReader should only create temp directory when needed/CVE-2022-2296

[duhanmin]

spring-projects/spring-framework#27092
1 . SynchronossPartHttpMessageReader should only create temp directory when needed
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965
2. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Does this pull request potentially affect one of the following parts:

• Dependencies (does it add or upgrade a dependency): (yes)

#2395

[codecov]

Codecov Report

Merging #2413 (0d28a42) into dev-1.2.0 (b462730) will decrease coverage by 1.22%.
The diff coverage is n/a.

@@               Coverage Diff               @@
##             dev-1.2.0    #2413      +/-   ##
===============================================
- Coverage        17.83%   16.60%   -1.23%     
- Complexity        1077     1104      +27     
===============================================
  Files              595      636      +41     
  Lines            17667    19520    +1853     
  Branches          2635     2769     +134     
===============================================
+ Hits              3151     3242      +91     
- Misses           14092    15842    +1750     
- Partials           424      436      +12     

Impacted Files	Coverage Δ
...apache/linkis/scheduler/future/BDPFutureTask.scala	70.00% <0.00%> (-5.00%)	⬇️
...org/apache/linkis/common/utils/VariableUtils.scala	59.77% <0.00%> (-0.35%)	⬇️
...n/java/org/apache/linkis/common/utils/DESUtil.java	0.00% <0.00%> (ø)
...a/org/apache/linkis/scheduler/event/LogEvent.scala	50.00% <0.00%> (ø)
...ache/linkis/common/listener/ListenerEventBus.scala	0.00% <0.00%> (ø)
.../apache/linkis/jobhistory/cache/utils/MD5Util.java	0.00% <0.00%> (ø)
...g/apache/linkis/bml/common/HdfsResourceHelper.java	12.85% <0.00%> (ø)
...pache/linkis/bml/common/ResourceHelperFactory.java	0.00% <0.00%> (ø)
...in/java/org/apache/linkis/bml/Entity/Resource.java	0.00% <0.00%> (ø)
...nkis/bml/common/BmlPermissionDeniedException.scala	0.00% <0.00%> (ø)
... and 42 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update b462730...0d28a42. Read the comment docs.

[jackxu2011]

建议，直接在parent的pom文件中， 加入springframe-bom的import, 放到springboot dependency之前就可以了
properties 中 把 spring.version 升级到 5.2.22.RELEASE， 其它的exclude应该都不需要加

<dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-framework-bom</artifactId>
    <version>${spring.version}</version>
    <type>pom</type>
    <scope>import</scope>
</dependency>

[jackxu2011]

LGTM