Merge pull request #506 from RADAR-base/security/upgrade

[Security] Vulnerability fixes and prepare for 2.4.3 release
RADAR-base · Oct 11, 2024 · 53f8b12 · 53f8b12
2 parents cf251a1 + 2fb5a25
commit 53f8b12
Show file tree

Hide file tree

Showing 6 changed files with 81 additions and 11 deletions.
diff --git a/.github/workflows/scheduled-snyk.yaml b/.github/workflows/scheduled-snyk.yaml
@@ -0,0 +1,30 @@
+name: Snyk scheduled test
+on:
+  schedule:
+    - cron: '0 2 * * 1'
+  push:
+    branches:
+      - master
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    env:
+      REPORT_FILE: test.json
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --all-projects --configuration-matching='^runtimeClasspath$' --json-file-output=${{ env.REPORT_FILE }} --severity-threshold=high --policy-path=$PWD/.snyk
+
+      - name: Report new vulnerabilities
+        uses: thehyve/report-vulnerability@master
+        if: success() || failure()
+        with:
+          report-file: ${{ env.REPORT_FILE }}
+        env:
+          TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
@@ -0,0 +1,17 @@
+name: Snyk test
+
+on:
+ - pull_request
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run Snyk to check for JDK vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --all-projects --configuration-matching="^runtimeClasspath$" --fail-on=upgradable --org=radar-base --policy-path=.snyk --severity-threshold=high
diff --git a/.snyk b/.snyk
@@ -0,0 +1,8 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+patch: {}
+exclude:
+  global:
+    - scripts/requirements.txt
diff --git a/build.gradle b/build.gradle
@@ -2,7 +2,7 @@ plugins {
     id 'pmd'
     id 'io.gatling.gradle' version '3.9.2.1'
     id 'com.github.johnrengelman.shadow' version '8.1.0'
-    id 'org.springframework.boot' version "3.0.4"
+    id 'org.springframework.boot' version '3.2.10'
     id 'org.openjfx.javafxplugin' version '0.0.13'
     id("com.github.ben-manes.versions") version "0.46.0"
 }
@@ -14,7 +14,7 @@ apply plugin: 'io.spring.dependency-management'
 apply plugin: 'scala'
 
 group = 'org.radarbase'
-version = '2.4.2'
+version = '2.4.3'
 
 java {
     toolchain {
@@ -32,14 +32,15 @@ bootJar {
 }
 
 ext {
-    springBootVersion = '2.6.6'
+    springBootVersion = '3.2.10'
     springVersion = '6.0.6'
-    springOauth2Version = "2.5.1.RELEASE"
+    springOauth2Version = "2.5.2.RELEASE"
+    springOauth2AutoconfigureVersion = "2.6.8"
     springDocVersion = '2.2.0'
     lombokVersion = '1.18.26'
     junit5Version = '5.9.2'
     radarSpringAuthVersion = '1.2.1'
-    springSecurityVersion = '6.0.2'
+    springSecurityVersion = '6.0.5'
     hibernateValidatorVersion = '8.0.0.Final'
     minioVersion = '8.5.10'
 }
@@ -63,7 +64,7 @@ dependencies {
     implementation('org.springframework.boot:spring-boot-starter-actuator')
     implementation('org.springframework.boot:spring-boot-starter-mail')
     implementation group: "org.springframework.security", name: "spring-security-config", version: springSecurityVersion
-    implementation('org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:' + springBootVersion)
+    implementation('org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:' + springOauth2AutoconfigureVersion)
     implementation('org.springframework.security.oauth:spring-security-oauth2:' + springOauth2Version)
     runtimeOnly("org.hibernate.validator:hibernate-validator:$hibernateValidatorVersion")
     implementation("io.minio:minio:$minioVersion")
@@ -74,7 +75,7 @@ dependencies {
     //runtimeOnly('org.springframework.boot:spring-boot-devtools')
     runtimeOnly('org.hsqldb:hsqldb')
     runtimeOnly('org.liquibase:liquibase-core:4.20.0')
-    runtimeOnly(group: 'org.postgresql', name: 'postgresql', version: '42.5.4')
+    runtimeOnly(group: 'org.postgresql', name: 'postgresql', version: '42.5.5')
 
 
     annotationProcessor group: 'org.projectlombok', name: 'lombok', version: lombokVersion
@@ -83,7 +84,17 @@ dependencies {
     annotationProcessor "org.springframework:spring-context-indexer:$springVersion"
 
     // FCM Admin SDK
-    implementation 'com.google.firebase:firebase-admin:9.1.1'
+    implementation('com.google.firebase:firebase-admin:9.3.0') {
+        // Possibly remove these constraints when a newer version of firebase-adkon is available.
+        constraints {
+            implementation('com.google.protobuf:protobuf-java:3.25.5') {
+                because 'Provided version of protobuf has security vulnerabilities'
+            }
+            implementation('com.google.protobuf:protobuf-java-util:3.25.5') {
+                because 'Provided version of protobuf has security vulnerabilities'
+            }
+        }
+    }
 
     // AOP
     runtimeOnly group: 'org.springframework', name: 'spring-aop', version: springVersion

diff --git a/src/main/java/org/radarbase/appserver/config/TokenVerifierPublicKeyConfig.java b/src/main/java/org/radarbase/appserver/config/TokenVerifierPublicKeyConfig.java
@@ -38,7 +38,7 @@ public class TokenVerifierPublicKeyConfig  {
      * so subsequent calls to this method will return the same object.
      *
      * @return The initialized configuration object based on the contents of the configuration file
-     * @throws RuntimException If there is any problem loading the configuration
+     * @throws RuntimeException If there is any problem loading the configuration
      */
     public static TokenVerifierPublicKeyConfig readFromFileOrClasspath() {
         String customLocation = System.getenv(LOCATION_ENV);
@@ -81,4 +81,8 @@ public String getResourceName() {
         return resourceName;
     }
 
+    public void setResourceName(String resourceName) {
+        this.resourceName = resourceName;
+    }
+
 }
diff --git a/src/test/java/org/radarbase/appserver/repository/UserRepositoryTest.java b/src/test/java/org/radarbase/appserver/repository/UserRepositoryTest.java
@@ -28,10 +28,10 @@
 import static org.radarbase.appserver.controller.RadarUserControllerTest.FCM_TOKEN_1;
 import static org.radarbase.appserver.controller.RadarUserControllerTest.TIMEZONE;
 
+import java.sql.SQLIntegrityConstraintViolationException;
 import java.time.Instant;
 import jakarta.persistence.PersistenceException;
 
-import org.hibernate.exception.ConstraintViolationException;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
@@ -145,6 +145,6 @@ public void whenInsertWithExistingFcmToken_thenThrowException() {
                             entityManager.flush();
                         });
 
-        assertEquals(ConstraintViolationException.class, ex.getCause().getClass());
+        assertEquals(SQLIntegrityConstraintViolationException.class, ex.getCause().getClass());
     }
 }