Vulnerability in SpringBot

[vaibhav-db]

##Vulnerability in SpringBot

To resolved the existing vulnerability, we need to migrate to spring bot 4.0.x version

[robmoffat]

😩

[vaibhav-db]

While migrating to spring-bot:4.1.x, we see almost all testcases are failed or compile error.

Most common changes that we need to do is, change @MockBean to @@MockitoBean and few other changes.

We had latest all old and new approach difference below.

@MockBean and Stubbing Timing Issues
@MockBean is managed by Spring and injected into the context before your @TestConfiguration or @Before/afterPropertiesSet runs. If you try to stub the mock in afterPropertiesSet or @before, you can run into timing issues, especially with argument matchers or if the bean is proxied or initialized early.
See: Spring Boot Reference Guide – Mocking and Spying Beans: https://docs.spring.io/spring-boot/docs/current/reference/html/features.html#features.testing.spring-boot-applications.mocking-beans
Argument Matchers and Mockito Strictness
Mockito 4+ and Spring Boot 3.5+ are stricter about argument matchers. You must use them only inside when(...).thenReturn(...) or doReturn(...).when(...), and not outside or in a way that could be evaluated too early.
See: Mockito documentation – Argument Matchers: https://javadoc.io/doc/org.mockito/mockito-core/latest/org/mockito/Mockito.html#argument_matchers
Direct @bean Mock Creation and Stubbing
By creating the mock and stubbing it directly in the @bean method, you guarantee the mock is fully set up before it is injected anywhere. This avoids all timing and proxy issues.
This is the recommended approach for advanced mocking in Spring Boot test configurations.
See: Spring Boot Issue #33347 (official recommendation): spring-projects/spring-boot#33347
See: Spring Boot Test Best Practices (Baeldung): https://www.baeldung.com/spring-boot-testing#mocking-beans

Summary Table:
Old Way (@MockBean + afterPropertiesSet)
New Way (@bean + stubbing in method)
Mock created by Spring, stubbing later
Mock created and stubbed together
Timing issues, especially with matchers
No timing issues, always ready
Can break with new Spring/Mockito
Works with all modern versions