This repository has been archived by the owner on May 16, 2023. It is now read-only.

Update CWA-Parent to Spring Boot 3 and JDK 17 (#13)
* Update to Spring Boot 3

* Update to Spring Boot 3

* Update Dependencies

* Update CI Jobs to Java 17

* Update Readme

* Update OWASP Exclusions

* Update OWASP Exclusions
f11h authored Feb 14, 2023
1 parent 99ed8ef commit 0507b37
Showing 8 changed files with 72 additions and 134 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/ci-main.yml
Expand Up @@ -20,7 +20,7 @@ jobs:
restore-keys: ${{ env.cache-name }}-
- uses: actions/setup-java@v1
with:
java-version: 11
java-version: 17
- name: environment
run: |
sudo apt-get install --yes --no-install-recommends libxml-xpath-perl
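Review bot: actions/setup-java@v1 is a deprecated major that predates the `distribution` input, so this job resolves JDK 17 differently from ci-pull-request.yml, which uses @v2 with an explicit distribution. Bump to a current major with `distribution: temurin` and `java-version: 17` so all workflows build on the same JDK.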
6 changes: 3 additions & 3 deletions .github/workflows/ci-pull-request.yml
Expand Up @@ -7,11 +7,11 @@ on:
- reopened
jobs:
build:
runs-on: ubuntu-20.04
runs-on: ubuntu-latest
steps:
- uses: actions/setup-java@v2
with:
java-version: 11
java-version: 17
distribution: adopt
- uses: actions/checkout@v2
with:
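Review bot: `runs-on: ubuntu-latest` is a floating label, so the runner image can change under this job without any commit to the repository; if reproducible PR builds matter, pin to a specific image (e.g. `ubuntu-22.04`) the way the old `ubuntu-20.04` did and bump it deliberately.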
Expand All @@ -31,7 +31,7 @@ jobs:
steps:
- uses: actions/setup-java@v2
with:
java-version: 11
java-version: 17
distribution: adopt
- uses: actions/checkout@v2
with:
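Review bot: `distribution: adopt` is kept next to `java-version: 17`, but setup-java documents the adopt distribution as no longer updated since AdoptOpenJDK moved to Eclipse Temurin, and the README change in this same commit already points to adoptium.net. Switch to `distribution: temurin` here and in the first job so CI and the documented local setup use the same JDK vendor.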
2 changes: 1 addition & 1 deletion .github/workflows/ci-release.yml
Expand Up @@ -30,7 +30,7 @@ jobs:
restore-keys: ${{ env.cache-name }}-
- uses: actions/setup-java@v1
with:
java-version: 11
java-version: 17
- name: version
run: >-
APP_SHA=$(git rev-parse --short ${GITHUB_SHA});
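Review bot: same issue as ci-main.yml: actions/setup-java@v1 with `java-version: 17` and no `distribution` input. Align the release workflow with ci-pull-request.yml (v2 or newer plus an explicit distribution) so the release artifact is built with the same JDK the PR checks ran on.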
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -60,7 +60,7 @@ In either case open a terminal pointing to the directory you put the sources in.
#### Maven based build
This is the recommended way for taking part in the development.
Please check, whether following prerequisites are installed on your machine:
- [Open JDK 11](https://openjdk.java.net) or a similar JDK 11 compatible VM
- [Open JDK 17](https://adoptium.net) or a similar JDK 17 compatible VM
- [Maven](https://maven.apache.org)

## Documentation
13 changes: 8 additions & 5 deletions keycloak/pom.xml
Expand Up @@ -23,18 +23,21 @@
<version>${project.parent.version}</version>
<type>pom</type>
</dependency>

<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-spring-boot-starter</artifactId>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
<groupId>com.c4-soft.springaddons</groupId>
<artifactId>spring-security-oauth2-test-addons</artifactId>
<artifactId>spring-addons-oauth2-test</artifactId>
</dependency>
<dependency>
<groupId>com.c4-soft.springaddons</groupId>
<artifactId>spring-security-oauth2-test-webmvc-addons</artifactId>
<artifactId>spring-addons-webmvc-test</artifactId>
</dependency>
</dependencies>
</project>
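Review bot: replacing keycloak-spring-boot-starter with spring-boot-starter-oauth2-resource-server moves token validation into Spring Security, and that needs configuration this hunk does not show: an issuer-uri or jwk-set-uri for the Keycloak realm, and a JwtAuthenticationConverter that maps Keycloak's realm_access/resource_access role claims to authorities, because the default converter only reads the `scope`/`scp` claim and prefixes it with `SCOPE_`. Please point to where those are added; without them, role-based rules that worked with the Keycloak adapter will deny every caller or, if the mapping is wrong, grant the wrong ones. The two spring-addons artifacts are renamed with no version shown, so confirm the parent manages the new coordinates.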
4 changes: 2 additions & 2 deletions mysql-persistence/pom.xml
Expand Up @@ -32,8 +32,8 @@
<artifactId>h2</artifactId>
</dependency>
<dependency>
<groupId>mysql</groupId>
<artifactId>mysql-connector-java</artifactId>
<groupId>com.mysql</groupId>
<artifactId>mysql-connector-j</artifactId>
<scope>runtime</scope>
</dependency>
<dependency>
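Review bot: com.mysql:mysql-connector-j is the correct relocated coordinate and Spring Boot 3 manages its version, but check the application configuration for an explicit `spring.datasource.driver-class-name`: the legacy `com.mysql.jdbc.Driver` name is deprecated in 8.x and should be `com.mysql.cj.jdbc.Driver`, or simply omitted so Boot infers it from the JDBC URL.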
30 changes: 9 additions & 21 deletions owasp/suppressions.xml
@@ -1,36 +1,24 @@
<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

<suppress>
<notes>CVE is matching for Spring Security 5.3.x, but we have 5.7.x</notes>
<cve>CVE-2020-5408</cve>
</suppress>

<suppress>
<notes>CVE is matching for Spring Framework up to 5.3.20, but we have 5.3.21</notes>
<cve>CVE-2016-1000027</cve>
</suppress>

<suppress>
<notes>False Positive matches</notes>
<cve>CVE-2022-31514</cve>
<cve>CVE-2022-2393</cve>
<notes>Both CVE are matching for eclipse ide</notes>
<cve>CVE-2008-7271</cve>
<cve>CVE-2010-4647</cve>
</suppress>

<suppress>
<notes>SnakeYML False Positive Matcher (CVE is up to 1.32, but also matches for 1.33)</notes>
<cve>CVE-2022-38752</cve>
<notes>no YAML content from users is parsed within this service</notes>
<cve>CVE-2022-1471</cve>
</suppress>

<suppress>
<notes>This CVE is only affecting Keycloak Server not the Lib. (https://bugzilla.redhat.com/show_bug.cgi?id=2141404)</notes>
<cve>CVE-2022-3916</cve>
<notes>H2 is only used for testing, not production</notes>
<cve>CVE-2022-45868</cve>
</suppress>

<suppress>
<notes>The affected libs are just used for unit-testing.</notes>
<cve>CVE-2022-31690</cve>
<cve>CVE-2022-31692</cve>
<notes>False positive. CVE is matching for hutools. OWASP Check matches for json-lib</notes>
<cve>CVE-2022-45688</cve>
</suppress>

</suppressions>
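Review bot: none of the `<suppress>` entries are scoped, so each `<cve>` is suppressed for every dependency that ever matches it, not only the artifact the note has in mind; add a `<packageUrl regex="true">` (or `<gav>`) element per entry so a suppression cannot silently cover a future transitive dependency. CVE-2022-1471 is a genuine SnakeYAML deserialization issue rather than a false positive, and the note records a risk acceptance ("no YAML content from users is parsed"), so scope it to org.yaml/snakeyaml and give the entry an `until` date so it is revisited once a fixed SnakeYAML is pulled in. The same applies to CVE-2022-45868 (H2 "only used for testing"): scope it to com.h2database/h2. The entries marked as false positives (CVE-2008-7271, CVE-2010-4647, CVE-2022-45688) should likewise name the artifact they were matched against so the suppression stays tied to that match.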

0 comments on commit 0507b37
