From ca0c9f20ea031fe1c8e4dba0f3b62cb75f16469f Mon Sep 17 00:00:00 2001
From: pvannierop
Date: Tue, 8 Oct 2024 08:35:17 +0200
Subject: [PATCH 01/11] Add Snyk scanning Github Actions
---
 .github/workflows/scheduled-snyk.yaml | 30 +++++++++++++++++++++++++++
 .github/workflows/snyk.yaml | 17 +++++++++++++++
 .snyk | 8 +++++++
 3 files changed, 55 insertions(+)
 create mode 100644 .github/workflows/scheduled-snyk.yaml
 create mode 100644 .github/workflows/snyk.yaml
 create mode 100644 .snyk
diff --git a/.github/workflows/scheduled-snyk.yaml b/.github/workflows/scheduled-snyk.yaml
new file mode 100644
index 00000000..47fce4fc
--- /dev/null
+++ b/.github/workflows/scheduled-snyk.yaml
@@ -0,0 +1,30 @@
+name: Snyk scheduled test
+on:
+ schedule:
+ - cron: '0 2 * * 1'
+ push:
+ branches:
+ - master
+
+jobs:
+ security:
+ runs-on: ubuntu-latest
+ env:
+ REPORT_FILE: test.json
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Run Snyk to check for vulnerabilities
+ uses: snyk/actions/gradle-jdk17@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ args: --all-projects --configuration-matching='^runtimeClasspath$' --json-file-output=${{ env.REPORT_FILE }} --severity-threshold=high --policy-path=$PWD/.snyk
+
+ - name: Report new vulnerabilities
+ uses: thehyve/report-vulnerability@master
+ if: success() || failure()
+ with:
+ report-file: ${{ env.REPORT_FILE }}
+ env:
+ TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/snyk.yaml b/.github/workflows/snyk.yaml
new file mode 100644
index 00000000..be2d67db
--- /dev/null
+++ b/.github/workflows/snyk.yaml
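Review bot: Both third-party actions in the job are taken from a moving branch — `uses: snyk/actions/gradle-jdk17@master` and `uses: thehyve/report-vulnerability@master` — so whatever that branch contains at run time executes with `SNYK_TOKEN` and `GITHUB_TOKEN` in its environment, and the scanning workflow becomes its own unreviewed supply-chain dependency. Pinning each to a full-length commit SHA with the tag in a trailing comment (`uses: snyk/actions/gradle-jdk17@<commit-sha> # <tag>`) fixes that, and the same applies to the `gradle-jdk17@master` line in the snyk.yaml hunk. The job also declares no `permissions:` block, so the `GITHUB_TOKEN` passed to the reporting step carries the repository's default token scopes; a job-level `permissions:` limited to what report-vulnerability actually needs (presumably `contents: read` plus write access to whatever it files the report as — confirm against that action's documentation) keeps a compromised step from doing more. Finally, `--policy-path=$PWD/.snyk` here and `--policy-path=.snyk` in snyk.yaml presumably resolve to the same file inside the checkout; spelling it the same way in both workflows avoids the question.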
@@ -0,0 +1,17 @@
+name: Snyk test
+
+on:
+ - pull_request
+
+jobs:
+ security:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Run Snyk to check for JDK vulnerabilities
+ uses: snyk/actions/gradle-jdk17@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ args: --all-projects --configuration-matching="^runtimeClasspath$" --fail-on=upgradable --org=radar-base --policy-path=.snyk --severity-threshold=high
diff --git a/.snyk b/.snyk
new file mode 100644
index 00000000..bd40bc12
--- /dev/null
+++ b/.snyk
@@ -0,0 +1,8 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+patch: {}
+exclude:
+ global:
+ - scripts/requirements.txt
\ No newline at end of file
From 19ea3425ed4c10522f018a46a3b262fba7083b30 Mon Sep 17 00:00:00 2001
From: pvannierop
Date: Wed, 9 Oct 2024 08:47:59 +0200
Subject: [PATCH 02/11] Up postgresql to 42.5.5
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index 7a4abdcb..b80f45f3 100644
--- a/build.gradle
+++ b/build.gradle
@@ -72,7 +72,7 @@ dependencies {
 //runtimeOnly('org.springframework.boot:spring-boot-devtools')
 runtimeOnly('org.hsqldb:hsqldb')
 runtimeOnly('org.liquibase:liquibase-core:4.20.0')
- runtimeOnly(group: 'org.postgresql', name: 'postgresql', version: '42.5.4')
+ runtimeOnly(group: 'org.postgresql', name: 'postgresql', version: '42.5.5')
 annotationProcessor group: 'org.projectlombok', name: 'lombok', version: lombokVersion
From 9f75a86fa70ecbcebf7a7d383a6a23ad3d5edfad Mon Sep 17 00:00:00 2001
From: pvannierop
Date: Wed, 9 Oct 2024 08:48:57 +0200
Subject: [PATCH 03/11] Up firebase to 9.3.0
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index b80f45f3..2de99f43 100644
--- a/build.gradle
+++ b/build.gradle
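Review bot: The `pull_request` trigger also fires for pull requests from forks, and GitHub withholds repository secrets from those runs, so `SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}` is empty there and the Snyk step fails for an unrelated reason instead of producing a finding. If fork pull requests are accepted, either guard the step with `if: github.event.pull_request.head.repo.full_name == github.repository` or add a comment stating that the check is intentionally limited to branches in this repository. `--fail-on=upgradable` means only findings with an upgrade path fail the check, while the scheduled workflow runs without that flag; a one-line comment above `args:` recording that split (the PR check blocks only what can be fixed, the weekly run reports everything) would stop a future reader from "fixing" the inconsistency in either direction.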
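Review bot: `exclude: global: - scripts/requirements.txt` removes the Python requirements file from every scan, which silently leaves whatever is pinned there outside the vulnerability coverage this series adds, and nothing in the file says why. A comment on that entry (`# <reason the file is excluded from scanning>` as a placeholder for the real justification) keeps the exclusion auditable. `ignore:` is also left with no value; `ignore: {}`, matching the neighbouring `patch: {}`, makes the empty map explicit rather than relying on a YAML null presumably being accepted by the policy parser.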
@@ -81,7 +81,7 @@ dependencies {
 annotationProcessor "org.springframework:spring-context-indexer:$springVersion"
 // FCM Admin SDK
- implementation 'com.google.firebase:firebase-admin:9.1.1'
+ implementation 'com.google.firebase:firebase-admin:9.3.0'
 // AOP
 runtimeOnly group: 'org.springframework', name: 'spring-aop', version: springVersion
From c1a89f63d1d91a53976e90cffc8ef2a07456f374 Mon Sep 17 00:00:00 2001
From: pvannierop
Date: Wed, 9 Oct 2024 09:13:06 +0200
Subject: [PATCH 04/11] Up transitive dependency protobuf to 3.25.5
---
 build.gradle | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index 2de99f43..a87c993d 100644
--- a/build.gradle
+++ b/build.gradle
@@ -81,7 +81,17 @@ dependencies {
 annotationProcessor "org.springframework:spring-context-indexer:$springVersion"
 // FCM Admin SDK
- implementation 'com.google.firebase:firebase-admin:9.3.0'
+ implementation('com.google.firebase:firebase-admin:9.3.0') {
+ // Possibly remove these constraints when a newer version of firebase-adkon is available.
+ constraints {
+ implementation('com.google.protobuf:protobuf-java:3.25.5') {
+ because 'Provided version of protobuf has security vulnerabilities'
+ }
+ implementation('com.google.protobuf:protobuf-java-util:3.25.5') {
+ because 'Provided version of protobuf has security vulnerabilities'
+ }
+ }
+ }
 // AOP
 runtimeOnly group: 'org.springframework', name: 'spring-aop', version: springVersion
From 73f0e1cd0325a03490baadd1bdaa4bf7dfb70829 Mon Sep 17 00:00:00 2001
From: pvannierop
Date: Wed, 9 Oct 2024 09:13:45 +0200
Subject: [PATCH 05/11] Up Spring boot to 3.2.10
---
 build.gradle | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/build.gradle b/build.gradle
index a87c993d..3d7c54f6 100644
--- a/build.gradle
+++ b/build.gradle
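Review bot: The `constraints { ... }` block is written inside the `implementation('com.google.firebase:firebase-admin:9.3.0') { ... }` closure, which reads as if the protobuf constraints were scoped to firebase-admin; Gradle declares dependency constraints on the dependency handler for a configuration, so these presumably resolve through the enclosing `dependencies {}` closure and apply to every `implementation` dependency that pulls in protobuf — which is what is wanted, but not what the nesting suggests, and it should be confirmed that Gradle resolves it that way rather than silently ignoring the block. Moving the `constraints {}` block to the top level of `dependencies {}`, next to the firebase line, states the intent directly. The `because` text should also name the advisory the constraint addresses (`because 'CVE-<id>: <summary>'` as a placeholder) so the constraint can be retired once firebase-admin ships a fixed protobuf, and the comment misspells the artifact as `firebase-adkon`.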
@@ -2,7 +2,7 @@ plugins {
 id 'pmd'
 id 'io.gatling.gradle' version '3.9.2.1'
 id 'com.github.johnrengelman.shadow' version '8.1.0'
- id 'org.springframework.boot' version "3.0.4"
+ id 'org.springframework.boot' version '3.2.10'
 id 'org.openjfx.javafxplugin' version '0.0.13'
 id("com.github.ben-manes.versions") version "0.46.0"
 }
@@ -32,9 +32,10 @@ bootJar {
 }
 ext {
- springBootVersion = '2.6.6'
+ springBootVersion = '3.2.10'
 springVersion = '6.0.6'
 springOauth2Version = "2.5.1.RELEASE"
+ springOauth2AutoconfigureVersion = "2.6.6"
 springDocVersion = '2.2.0'
 lombokVersion = '1.18.26'
 junit5Version = '5.9.2'
@@ -62,7 +63,7 @@ dependencies {
 implementation('org.springframework.boot:spring-boot-starter-actuator')
 implementation('org.springframework.boot:spring-boot-starter-mail')
 implementation group: "org.springframework.security", name: "spring-security-config", version: springSecurityVersion
- implementation('org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:' + springBootVersion)
+ implementation('org.springframework.security.oauth.boot:spring-security-oauth2-autoconfigure:' + springOauth2AutoconfigureVersion)
 implementation('org.springframework.security.oauth:spring-security-oauth2:' + springOauth2Version)
 runtimeOnly("org.hibernate.validator:hibernate-validator:$hibernateValidatorVersion")
From dcaea8f07478766010f1b0b16fa93bdb1ae90412 Mon Sep 17 00:00:00 2001
From: pvannierop
Date: Wed, 9 Oct 2024 09:14:22 +0200
Subject: [PATCH 06/11] Up spring oauth2 autoconfigure to 2.6.8
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index 3d7c54f6..190a99a1 100644
--- a/build.gradle
+++ b/build.gradle
@@ -35,7 +35,7 @@ ext {
 springBootVersion = '3.2.10'
 springVersion = '6.0.6'
 springOauth2Version = "2.5.1.RELEASE"
- springOauth2AutoconfigureVersion = "2.6.6"
+ springOauth2AutoconfigureVersion = "2.6.8"
 springDocVersion = '2.2.0'
 lombokVersion = '1.18.26'
 junit5Version = '5.9.2'
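Review bot: `springBootVersion = '3.2.10'` raises the Boot plugin and its managed BOM, but `springVersion = '6.0.6'` stays pinned in the same `ext {}` hunk (and `springSecurityVersion` only moves to 6.0.5 in the later hunk), and both are still used as explicit versions for `spring-aop`, `spring-context-indexer` and `spring-security-config`; with the dependency-management plugin an explicit version wins for that coordinate, so the build ends up mixing a Boot 3.2-managed Spring Framework/Security line with older explicitly pinned artifacts and may keep exactly the framework jars the new Snyk checks are meant to retire (Boot 3.2.x manages Spring Framework 6.1.x and Spring Security 6.2.x as far as I recall — confirm against the BOM). Dropping the explicit `version:` on those coordinates and letting the BOM manage them, or pointing `springVersion`/`springSecurityVersion` at the BOM-managed line, keeps the framework consistent. The new `springOauth2AutoconfigureVersion` deserves a comment as well: the Spring Security OAuth project behind `spring-security-oauth2-autoconfigure` and `spring-security-oauth2` is, to my knowledge, end-of-life with 2.6.8 as its final release, so a note such as `// legacy Spring Security OAuth (EOL); no further security releases — migration is the real fix` warns the next reader that bumping it again is not an option.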
From 9d3cdfae48f1c2fcac4f66b49fbffe2ca1f657a2 Mon Sep 17 00:00:00 2001
From: pvannierop
Date: Wed, 9 Oct 2024 09:14:45 +0200
Subject: [PATCH 07/11] Up spring oauth2 to 2.5.2.RELEASE
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index 190a99a1..35761d89 100644
--- a/build.gradle
+++ b/build.gradle
@@ -34,7 +34,7 @@ bootJar {
 ext {
 springBootVersion = '3.2.10'
 springVersion = '6.0.6'
- springOauth2Version = "2.5.1.RELEASE"
+ springOauth2Version = "2.5.2.RELEASE"
 springOauth2AutoconfigureVersion = "2.6.8"
 springDocVersion = '2.2.0'
 lombokVersion = '1.18.26'
From 5aa0de1545aed744d0badbb2ec3bc29fc84ebbca Mon Sep 17 00:00:00 2001
From: pvannierop
Date: Wed, 9 Oct 2024 09:25:33 +0200
Subject: [PATCH 08/11] Change Exception class in test
---
 .../radarbase/appserver/repository/UserRepositoryTest.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/test/java/org/radarbase/appserver/repository/UserRepositoryTest.java b/src/test/java/org/radarbase/appserver/repository/UserRepositoryTest.java
index 8e2b7e86..9a1fa5e8 100644
--- a/src/test/java/org/radarbase/appserver/repository/UserRepositoryTest.java
+++ b/src/test/java/org/radarbase/appserver/repository/UserRepositoryTest.java
@@ -28,10 +28,10 @@ import static org.radarbase.appserver.controller.RadarUserControllerTest.FCM_TOKEN_1;
 import static org.radarbase.appserver.controller.RadarUserControllerTest.TIMEZONE;
+import java.sql.SQLIntegrityConstraintViolationException;
 import java.time.Instant;
 import jakarta.persistence.PersistenceException;
-import org.hibernate.exception.ConstraintViolationException;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
@@ -145,6 +145,6 @@ public void whenInsertWithExistingFcmToken_thenThrowException() {
 entityManager.flush();
 });
- assertEquals(ConstraintViolationException.class, ex.getCause().getClass());
+ assertEquals(SQLIntegrityConstraintViolationException.class, ex.getCause().getClass());
 }
 }
From 0381da69bf384e0be7be103dca4988704aa90bde Mon Sep 17 00:00:00 2001
From: pvannierop
Date: Wed, 9 Oct 2024 09:34:47 +0200
Subject: [PATCH 09/11] Up spring security config to 6.0.5
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index 35761d89..bfb8637f 100644
--- a/build.gradle
+++ b/build.gradle
@@ -40,7 +40,7 @@ ext {
 lombokVersion = '1.18.26'
 junit5Version = '5.9.2'
 radarSpringAuthVersion = '1.2.1'
- springSecurityVersion = '6.0.2'
+ springSecurityVersion = '6.0.5'
 hibernateValidatorVersion = '8.0.0.Final'
 }
From ce36ee18074d719ce65faa09b031f016a360812f Mon Sep 17 00:00:00 2001
From: pvannierop
Date: Wed, 9 Oct 2024 11:20:51 +0200
Subject: [PATCH 10/11] Fix resourceName setter in DTO class
---
 .../appserver/config/TokenVerifierPublicKeyConfig.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/radarbase/appserver/config/TokenVerifierPublicKeyConfig.java b/src/main/java/org/radarbase/appserver/config/TokenVerifierPublicKeyConfig.java
index 542350cc..a3bda05a 100644
--- a/src/main/java/org/radarbase/appserver/config/TokenVerifierPublicKeyConfig.java
+++ b/src/main/java/org/radarbase/appserver/config/TokenVerifierPublicKeyConfig.java
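Review bot: The new assertion pins the cause to the exact class `SQLIntegrityConstraintViolationException`, which is what the JDBC driver behind the test database raises, whereas the replaced Hibernate `ConstraintViolationException` was driver-independent; the test now encodes which driver runs it (presumably HSQLDB, given `runtimeOnly('org.hsqldb:hsqldb')` earlier in this series) and would break if it were ever run against PostgreSQL. Asserting on the category instead, `assertInstanceOf(SQLException.class, ex.getCause());` (JUnit 5.8+, so fine with the `junit5Version = '5.9.2'` on this page; needs a `java.sql.SQLException` import), keeps the intent — a duplicate FCM token is rejected by the database — without the driver coupling. A one-line comment above the assertion explaining why the expected cause changed with the Hibernate/Spring Boot upgrade would also save the next reader from re-investigating. The enclosing test method starts outside the hunk.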
@@ -38,7 +38,7 @@ public class TokenVerifierPublicKeyConfig {
 * so subsequent calls to this method will return the same object.
 *
 * @return The initialized configuration object based on the contents of the configuration file
- * @throws RuntimException If there is any problem loading the configuration
+ * @throws RuntimeException If there is any problem loading the configuration
 */
 public static TokenVerifierPublicKeyConfig readFromFileOrClasspath() {
 String customLocation = System.getenv(LOCATION_ENV);
@@ -81,4 +81,8 @@ public String getResourceName() {
 return resourceName;
 }
+ public void setResourceName(String resourceName) {
+ this.resourceName = resourceName;
+ }
+
 }
\ No newline at end of file
From 2fb5a2520e04225139f5f5ee7173cc8ed3505af7 Mon Sep 17 00:00:00 2001
From: pvannierop
Date: Wed, 9 Oct 2024 11:21:26 +0200
Subject: [PATCH 11/11] Set project version to 2.4.3
---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index bfb8637f..f63236d8 100644
--- a/build.gradle
+++ b/build.gradle
@@ -14,7 +14,7 @@ apply plugin: 'io.spring.dependency-management'
 apply plugin: 'scala'
 group = 'org.radarbase'
-version = '2.4.2'
+version = '2.4.3'
 java {
 toolchain {
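Review bot: `setResourceName` makes `resourceName` publicly mutable on an object that the Javadoc in the first hunk describes as initialized once and returned to every subsequent caller of `readFromFileOrClasspath()`, so any code holding the shared instance can change, after startup, the resource name the token verifier presumably validates tokens against. If the setter exists only so a property binder or deserializer can populate the field (the commit message calls the class a DTO), a Javadoc stating that contract — `/** Intended for configuration binding only; must not be called once the config has been loaded. */` — documents it, and package-private or protected visibility would enforce it if the binder permits. The class header and the field declaration are outside the hunk, so whether `resourceName` could instead be `final` and set through a constructor is not visible here.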