From 0507b37d8478f6819997eef6c08aee205afb114c Mon Sep 17 00:00:00 2001 From: Felix Dittrich <31076102+f11h@users.noreply.github.com> Date: Tue, 14 Feb 2023 09:31:44 +0100 Subject: [PATCH] Update CWA-Parent to Spring Boot 3 and JDK 17 (#13) * Update to Spring Boot 3 * Update to Spring Boot 3 * Update Dependencies * Update CI Jobs to Java 17 * Update Readme * Update OWASP Exclusions * Update OWASP Exclusions --- .github/workflows/ci-main.yml | 2 +- .github/workflows/ci-pull-request.yml | 6 +- .github/workflows/ci-release.yml | 2 +- README.md | 2 +- keycloak/pom.xml | 13 ++- mysql-persistence/pom.xml | 4 +- owasp/suppressions.xml | 30 ++---- pom.xml | 147 ++++++++------------------ 8 files changed, 72 insertions(+), 134 deletions(-) diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml index a2f9c75..0d8da1d 100644 --- a/.github/workflows/ci-main.yml +++ b/.github/workflows/ci-main.yml @@ -20,7 +20,7 @@ jobs: restore-keys: ${{ env.cache-name }}- - uses: actions/setup-java@v1 with: - java-version: 11 + java-version: 17 - name: environment run: | sudo apt-get install --yes --no-install-recommends libxml-xpath-perl diff --git a/.github/workflows/ci-pull-request.yml b/.github/workflows/ci-pull-request.yml index e4cde91..26111ab 100644 --- a/.github/workflows/ci-pull-request.yml +++ b/.github/workflows/ci-pull-request.yml @@ -7,11 +7,11 @@ on: - reopened jobs: build: - runs-on: ubuntu-20.04 + runs-on: ubuntu-latest steps: - uses: actions/setup-java@v2 with: - java-version: 11 + java-version: 17 distribution: adopt - uses: actions/checkout@v2 with: @@ -31,7 +31,7 @@ jobs: steps: - uses: actions/setup-java@v2 with: - java-version: 11 + java-version: 17 distribution: adopt - uses: actions/checkout@v2 with: diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml index 9635fcf..166043e 100644 --- a/.github/workflows/ci-release.yml +++ b/.github/workflows/ci-release.yml 
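Review bot: The `runs-on: ubuntu-20.04` → `ubuntu-latest` switch in the ci-pull-request.yml build job turns the runner image into a moving target, so a GitHub image rollover can change the toolchain under this pipeline with no commit in this repository to point at; I would keep an explicit image and bump it deliberately, e.g. `runs-on: ubuntu-22.04`. The actions on this hunk (`actions/setup-java@v2`, `actions/checkout@v2`) stay on mutable major tags, which is pre-existing but worth a follow-up pin to a commit SHA if the repo ever wants reproducible builds. Separately, the ci-main and ci-release hunks bump Java to 17 on `actions/setup-java@v1` without a `distribution:` key while this file uses v2 with `distribution: adopt`; aligning all three workflows on one pinned action and distribution avoids the JDK vendor differing between PR and release builds.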
@@ -30,7 +30,7 @@ jobs: restore-keys: ${{ env.cache-name }}- - uses: actions/setup-java@v1 with: - java-version: 11 + java-version: 17 - name: version run: >- APP_SHA=$(git rev-parse --short ${GITHUB_SHA}); diff --git a/README.md b/README.md index 5b02737..1dc01f8 100644 --- a/README.md +++ b/README.md @@ -60,7 +60,7 @@ In either case open a terminal pointing to the directory you put the sources in. #### Maven based build This is the recommended way for taking part in the development. Please check, whether following prerequisites are installed on your machine: -- [Open JDK 11](https://openjdk.java.net) or a similar JDK 11 compatible VM +- [Open JDK 17](https://adoptium.net) or a similar JDK 17 compatible VM - [Maven](https://maven.apache.org) ## Documentation diff --git a/keycloak/pom.xml b/keycloak/pom.xml index 8daf18b..124ebaa 100644 --- a/keycloak/pom.xml +++ b/keycloak/pom.xml @@ -23,18 +23,21 @@ ${project.parent.version} pom - - org.keycloak - keycloak-spring-boot-starter + org.springframework.boot + spring-boot-starter-oauth2-resource-server + + + org.springframework.boot + spring-boot-starter-security com.c4-soft.springaddons - spring-security-oauth2-test-addons + spring-addons-oauth2-test com.c4-soft.springaddons - spring-security-oauth2-test-webmvc-addons + spring-addons-webmvc-test diff --git a/mysql-persistence/pom.xml b/mysql-persistence/pom.xml index 14353c1..efbd2c1 100644 --- a/mysql-persistence/pom.xml +++ b/mysql-persistence/pom.xml @@ -32,8 +32,8 @@ h2 - mysql - mysql-connector-java + com.mysql + mysql-connector-j runtime diff --git a/owasp/suppressions.xml b/owasp/suppressions.xml index ac2f910..bb3e06e 100644 --- a/owasp/suppressions.xml +++ b/owasp/suppressions.xml 
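Review bot: Replacing `keycloak-spring-boot-starter` with `spring-boot-starter-oauth2-resource-server` in keycloak/pom.xml changes how tokens are validated and how roles become authorities, yet nothing in this diff touches the Spring Security configuration or properties the new starter needs. As far as I recall, the Keycloak adapter configured itself from `keycloak.*` properties and mapped the token's realm/client roles to `ROLE_*` authorities, whereas the resource-server starter expects `spring.security.oauth2.resourceserver.jwt.issuer-uri` (or `jwk-set-uri`) and by default derives only `SCOPE_*` authorities from the `scope` claim, so existing `hasRole(...)` checks would stop matching unless a `JwtAuthenticationConverter` maps the Keycloak role claims. Please confirm the consuming services' filter chain and properties were migrated in step with this parent change rather than relying on the dependency swap alone. A short comment on the dependency would help the next reader, e.g. `<!-- Keycloak Spring adapter is discontinued; tokens are validated as OIDC JWTs via issuer-uri, role mapping lives in each service's JwtAuthenticationConverter -->`.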
@@ -1,36 +1,24 @@ - - - CVE is matching for Spring Security 5.3.x, but we have 5.7.x - CVE-2020-5408 - - - - CVE is matching for Spring Framework up to 5.3.20, but we have 5.3.21 - CVE-2016-1000027 - - - False Positive matches - CVE-2022-31514 - CVE-2022-2393 + Both CVE are matching for eclipse ide + CVE-2008-7271 + CVE-2010-4647 - SnakeYML False Positive Matcher (CVE is up to 1.32, but also matches for 1.33) - CVE-2022-38752 + no YAML content from users is parsed within this service + CVE-2022-1471 - This CVE is only affecting Keycloak Server not the Lib. (https://bugzilla.redhat.com/show_bug.cgi?id=2141404) - CVE-2022-3916 + H2 is only used for testing, not production + CVE-2022-45868 - The affected libs are just used for unit-testing. - CVE-2022-31690 - CVE-2022-31692 + False positive. CVE is matching for hutools. OWASP Check matches for json-lib + CVE-2022-45688 diff --git a/pom.xml b/pom.xml index 184bfcb..ea73790 100644 --- a/pom.xml +++ b/pom.xml @@ -27,12 +27,20 @@ - 11 - 11 - 11 + 17 + 17 + 17 UTF-8 UTF-8 + + 3.0.2 + 1.18.26 + 1.5.3.Final + 5.1.0 + 0.11.5 + 3.5.1 + 6.0.12 
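Review bot: The new suppression of CVE-2022-1471 is justified with "no YAML content from users is parsed", but that is a property of the child services rather than of this parent, nothing time-boxes it, and to my knowledge Spring Boot 3.0.x still manages SnakeYAML 1.33, the version the CVE targets, so a module that later parses YAML from a request or object store would inherit the suppression unnoticed. I would bound it so it is revisited once the managed SnakeYAML moves to 2.x, e.g. `<suppress until="2023-12-31Z">`, and spell out the assumption in the notes: `SnakeYAML only parses the bundled application.yml; re-evaluate if any module loads YAML from untrusted input`. The H2 suppression (CVE-2022-45868) states H2 is test-only, but the `h2` entry visible in the mysql-persistence/pom.xml hunk shows no `<scope>test</scope>` in the lines on this page — please confirm the scope, since H2 on the runtime classpath would make that rationale wrong. Bare `<cve>` suppressions also match every future version of the artifact; where the format allows, pairing them with a `<packageUrl regex="true">` pattern keeps them from outliving the library version they were written for.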
@@ -59,83 +67,26 @@ org.springframework.boot spring-boot-dependencies - 2.7.5 + ${spring-boot.version} pom import - - - com.fasterxml.jackson.core - jackson-databind - - - org.yaml - snakeyaml - - - org.springframework.security - spring-security-core - - - org.springframework.security - spring-security-web - - - org.springframework.security - spring-security-config - - - org.springframework.security - spring-security-crypto - - - - - org.springframework.security - spring-security-core - 5.7.5 - - - org.springframework.security - spring-security-web - 5.7.5 - - - org.springframework.security - spring-security-config - 5.7.5 - - - org.springframework.security - spring-security-crypto - 5.7.5 - - - - org.yaml - snakeyaml - 1.33 - - - com.fasterxml.jackson.core - jackson-databind - 2.14.0 org.springframework.cloud spring-cloud-dependencies - 2021.0.5 + 2022.0.1 pom import org.springframework.cloud - spring-cloud-starter-openfeign - 3.1.5 + spring-cloud-starter-sleuth + 3.1.6 org.springdoc springdoc-openapi-ui - 1.6.12 + 1.6.14 @@ -143,7 +94,7 @@ org.projectlombok lombok - 1.18.24 + ${lombok.version} @@ -151,12 +102,12 @@ net.javacrumbs.shedlock shedlock-spring - 4.42.0 + ${shedlock.version} net.javacrumbs.shedlock shedlock-provider-jdbc-template - 4.42.0 + ${shedlock.version} @@ -177,23 +128,23 @@ io.jsonwebtoken jjwt-api - 0.11.5 + ${jjwt.version} io.jsonwebtoken jjwt-impl - 0.11.5 + ${jjwt.version} io.jsonwebtoken jjwt-jackson - 0.11.5 + ${jjwt.version} runtime com.nimbusds nimbus-jose-jwt - 9.25.6 + 9.30.1 @@ -201,7 +152,7 @@ org.liquibase liquibase-core - 4.17.2 + 4.19.0 com.h2database @@ -212,7 +163,7 @@ org.postgresql postgresql - 42.5.0 + 42.5.3 @@ -228,7 +179,7 @@ eu.europa.ec.dgc dgc-lib - 1.3.3 + 2.0.0 @@ -244,12 +195,12 @@ com.google.zxing core - 3.5.0 + ${zxing.version} com.google.zxing javase - 3.5.1 + ${zxing.version} 
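Review bot: `spring-cloud-starter-sleuth` at `3.1.6` replaces the openfeign entry in the explicitly versioned list, but Sleuth 3.1.x targets Spring Boot 2.x / Spring 5 (javax servlet API) and was discontinued for Boot 3, where tracing moved to Micrometer Tracing; a child module that pulls this managed starter onto the Boot 3.0.2 / Spring 6 stack is likely to fail at startup or silently emit no traces. If tracing is wanted I would remove this entry and have modules depend on `io.micrometer:micrometer-tracing-bridge-brave` (or `-otel`), whose version the Boot BOM already manages; if it is a leftover, dropping it keeps a Boot-2-only artifact out of the managed set. Removing the explicit `3.1.5` on openfeign is right, since `spring-cloud-dependencies:2022.0.1` now manages the 4.0.x line, and dropping the hand-pinned spring-security/snakeyaml/jackson overrides is consistent with letting the Boot 3.0.2 BOM govern them. The enclosing dependencyManagement block starts before this hunk, so I cannot see whether any remaining entry still pins a Spring Security 5.x or javax-based artifact that would conflict.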
@@ -261,25 +212,20 @@ - - org.keycloak - keycloak-spring-boot-starter - 20.0.1 - org.keycloak keycloak-admin-client - 20.0.1 + 20.0.3 com.c4-soft.springaddons - spring-security-oauth2-test-addons - 3.1.19-jdk11 + spring-addons-oauth2-test + ${springaddons.version} com.c4-soft.springaddons - spring-security-oauth2-test-webmvc-addons - 3.1.19-jdk11 + spring-addons-webmvc-test + ${springaddons.version} @@ -287,14 +233,14 @@ org.modelmapper.extensions modelmapper-spring - 3.1.0 + 3.1.1 com.amazonaws aws-java-sdk-s3 - 1.12.344 + 1.12.405 @@ -306,19 +252,19 @@ com.sap.cloud.sdk.cloudplatform scp-cf - 3.75.0 + 4.7.0 com.sap.hcp.cf.logging cf-java-logging-support-logback - 3.6.2 + 3.6.3 org.mapstruct mapstruct - 1.5.3.Final + ${mapstruct.version} @@ -329,7 +275,7 @@ org.springframework.boot spring-boot-maven-plugin - 2.7.5 + ${spring-boot.version} @@ -343,7 +289,7 @@ org.apache.maven.plugins maven-surefire-plugin - 3.0.0-M7 + 3.0.0-M8 @@ -355,12 +301,12 @@ org.projectlombok lombok - 1.18.24 + ${lombok.version} org.mapstruct mapstruct-processor - 1.5.3.Final + ${mapstruct.version} @@ -369,7 +315,7 @@ org.apache.maven.plugins maven-checkstyle-plugin - 3.2.0 + 3.2.1 codestyle/checkstyle.xml target/**/* @@ -412,7 +358,7 @@ org.codehaus.mojo license-maven-plugin - 4.1 + 2.0.0 **/*.java ${project.organization.name} and all other contributors @@ -434,9 +380,10 @@ org.owasp dependency-check-maven - 7.3.1 + 8.0.2 ./owasp/suppressions.xml + false true @@ -450,7 +397,7 @@ org.springframework.restdocs spring-restdocs-asciidoctor - 2.0.6.RELEASE + 3.0.0
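Review bot: The license-maven-plugin line under `org.codehaus.mojo` moves from `4.1` to `2.0.0`, which reads as a downgrade rather than an update; as far as I know the mojohaus plugin's release line is in the 1.x/2.x range while `4.1` belongs to the unrelated `com.mycila:license-maven-plugin`, so either the old coordinate never resolved or there is a groupId mix-up the context lines do not show. Please confirm which plugin is intended and that the header check still runs on the new version, and leave a one-line comment such as `<!-- mojohaus plugin; its versions are unrelated to com.mycila:license-maven-plugin -->` so the next bump does not trip over the same thing.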
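Review bot: The dependency-check-maven hunk adds a configuration element set to `false` between `suppressionFiles` and the existing `true` element, but its tag name is not recoverable from this rendering; if it is `failOnError` or anything else that stops the scan from failing the build, the suppressions file becomes the only gate and an NVD download or analyzer error would let the build pass silently. Please state the intent in an XML comment beside it, e.g. `<!-- do not fail on analyzer/NVD errors; findings still break the build through the CVSS threshold -->`, and confirm a `failBuildOnCVSS` threshold is still configured, since that setting is outside the lines shown here. The bump to 8.0.2 itself is fine; 8.x also reads the suppression file format used in owasp/suppressions.xml, so no schema change is needed for the new entries.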