My organization started to scan all our application for vulnerabilities and the scanner show up with lots of findings.
Some CVE are easy to fix, but some require extra steps, and I wonder how to properly fix CVE in transitive dependencies, expecially Spring Boot transitive dependencies, since in my application we use spring-boot-starter dependency to pull all other Spring-related dependencies.
For example one of my application still use Spring Boot version 2.6.2 and some of the CVE findings include CVE-2022-22978 so I need to upgrade the spring-security-core dependency to, at least, version 5.6.9. Is it better to upgrade the Spring Boot version to the latest 2.6.14 or just upgrade the spring-security-core dependency? My concern on upgrading the Spring Boot version to the latest will somehow break my application and will cause a major change to the application.
Probably the risk of breaking your application is higher upgrading a single Spring library than upgrading the whole framework.
Usually an upgrade that modifies only the third version number is safe and for bigger upgrades Spring provides a migration guide. For example see this page for upgrading from Spring Boot 2.6.x to 2.7.x.
One of the best jobs done by Spring Boot is managing dependencies: it manages not only the versions of its own libraries but also the versions of many well known libraries often used with Spring Boot like Hibernate, Logback and Jackson. This is done by spring-boot-dependencies or, even better, by spring-boot-starter-parent (the latter also manages the version of many Maven plugins). From your question it is not clear if you are using one of them or not; if not, I recommend reading this page of the official documentation.
I use spring-boot-starter-parent and, in most cases, to remove CVEs (not only in Spring!) or upgrade anything for any reason, I simply upgrade the version of spring-boot-starter-parent (just one line!).