From 5e01d4b6b6d5282173390c249fdaa05e5b3c71f4 Mon Sep 17 00:00:00 2001
From: Muhammad Saud Khan
Date: Thu, 4 Jul 2024 14:38:38 +0200
Subject: [PATCH 1/2] chore(deps): updated spring-boot dependencies

---
 DEPENDENCIES_BACKEND | 34 ++++++++++++--------------
 dpp-backend/digitalproductpass/pom.xml | 10 ++++----
 2 files changed, 21 insertions(+), 23 deletions(-)

diff --git a/DEPENDENCIES_BACKEND b/DEPENDENCIES_BACKEND
index 65818d79b..0285758d7 100644
--- a/DEPENDENCIES_BACKEND
+++ b/DEPENDENCIES_BACKEND
@@ -9,24 +9,23 @@ maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-jsr310/2.15.4
 maven/mavencentral/com.fasterxml.jackson.module/jackson-module-parameter-names/2.15.4, Apache-2.0, approved, #15219
 maven/mavencentral/com.github.stephenc.jcip/jcip-annotations/1.0-1, Apache-2.0, approved, CQ21949
 maven/mavencentral/com.google.code.findbugs/jsr305/3.0.2, CC-BY-2.5, approved, #15220
-maven/mavencentral/com.google.code.gson/gson/2.10, Apache-2.0, approved, #6159
-maven/mavencentral/com.google.errorprone/error_prone_annotations/2.18.0, Apache-2.0, approved, clearlydefined
-maven/mavencentral/com.google.guava/failureaccess/1.0.1, Apache-2.0, approved, CQ22654
-maven/mavencentral/com.google.guava/guava/32.0.0-jre, Apache-2.0 AND CC0-1.0 AND CC-PDDC, approved, #8772
+maven/mavencentral/com.google.code.gson/gson/2.11.0, Apache-2.0, approved, #14820
+maven/mavencentral/com.google.errorprone/error_prone_annotations/2.26.1, Apache-2.0, approved, #13657
+maven/mavencentral/com.google.guava/failureaccess/1.0.2, Apache-2.0, approved, CQ22654
+maven/mavencentral/com.google.guava/guava/33.2.1-jre, Apache-2.0 AND CC0-1.0 AND (Apache-2.0 AND CC-PDDC), approved, #14607
 maven/mavencentral/com.google.guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava, Apache-2.0, approved, CQ22657
-maven/mavencentral/com.google.j2objc/j2objc-annotations/2.8, Apache-2.0, approved, clearlydefined
+maven/mavencentral/com.google.j2objc/j2objc-annotations/3.0.0, Apache-2.0, approved, #13676
 maven/mavencentral/com.jayway.jsonpath/json-path/2.9.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.nimbusds/content-type/2.2, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.nimbusds/lang-tag/1.7, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.nimbusds/nimbus-jose-jwt/9.24.4, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.nimbusds/oauth2-oidc-sdk/9.43.3, Apache-2.0, approved, clearlydefined
-maven/mavencentral/com.opencsv/opencsv/5.7.1, Apache-2.0, approved, clearlydefined
+maven/mavencentral/com.opencsv/opencsv/5.9, Apache-2.0, approved, clearlydefined
 maven/mavencentral/commons-beanutils/commons-beanutils/1.9.4, Apache-2.0, approved, CQ12654
 maven/mavencentral/commons-collections/commons-collections/3.2.2, Apache-2.0, approved, #15185
 maven/mavencentral/commons-lang/commons-lang/2.6, Apache-2.0, approved, CQ6183
 maven/mavencentral/commons-logging/commons-logging/1.2, Apache-2.0, approved, CQ10162
 maven/mavencentral/commons-net/commons-net/3.9.0, Apache-2.0, approved, clearlydefined
-maven/mavencentral/io.github.classgraph/classgraph/4.8.149, MIT, approved, CQ22530
 maven/mavencentral/io.micrometer/micrometer-commons/1.12.5, Apache-2.0 AND (Apache-2.0 AND MIT), approved, #11679
 maven/mavencentral/io.micrometer/micrometer-observation/1.12.5, Apache-2.0, approved, #11680
 maven/mavencentral/io.netty/netty-buffer/4.1.109.Final, Apache-2.0, approved, CQ21842
@@ -49,9 +48,9 @@ maven/mavencentral/io.netty/netty-transport/4.1.109.Final, Apache-2.0 AND BSD-3-
 maven/mavencentral/io.projectreactor.netty/reactor-netty-core/1.1.18, Apache-2.0, approved, #5946
 maven/mavencentral/io.projectreactor.netty/reactor-netty-http/1.1.18, Apache-2.0, approved, #6999
 maven/mavencentral/io.projectreactor/reactor-core/3.6.5, Apache-2.0, approved, #13392
-maven/mavencentral/io.swagger.core.v3/swagger-annotations-jakarta/2.2.7, Apache-2.0, approved, #5947
-maven/mavencentral/io.swagger.core.v3/swagger-core-jakarta/2.2.7, Apache-2.0, approved, #5929
-maven/mavencentral/io.swagger.core.v3/swagger-models-jakarta/2.2.7, Apache-2.0, approved, #5919
+maven/mavencentral/io.swagger.core.v3/swagger-annotations-jakarta/2.2.21, Apache-2.0, approved, #5947
+maven/mavencentral/io.swagger.core.v3/swagger-core-jakarta/2.2.21, Apache-2.0, approved, #5929
+maven/mavencentral/io.swagger.core.v3/swagger-models-jakarta/2.2.21, Apache-2.0, approved, #5919
 maven/mavencentral/jakarta.activation/jakarta.activation-api/2.1.3, EPL-2.0 OR BSD-3-Clause OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jaf
 maven/mavencentral/jakarta.annotation/jakarta.annotation-api/2.1.1, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.ca
 maven/mavencentral/jakarta.servlet/jakarta.servlet-api/6.0.0, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.servlet
@@ -61,7 +60,7 @@ maven/mavencentral/net.minidev/accessors-smart/2.5.1, Apache-2.0, approved, clea
 maven/mavencentral/net.minidev/json-smart/2.5.1, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.apache.commons/commons-collections4/4.4, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.apache.commons/commons-lang3/3.13.0, Apache-2.0, approved, #9820
-maven/mavencentral/org.apache.commons/commons-text/1.10.0, Apache-2.0, approved, clearlydefined
+maven/mavencentral/org.apache.commons/commons-text/1.11.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.apache.logging.log4j/log4j-api/2.21.1, Apache-2.0 AND (Apache-2.0 AND LGPL-2.0-or-later), approved, #11079
 maven/mavencentral/org.apache.logging.log4j/log4j-core/2.21.1, Apache-2.0 AND (Apache-2.0 AND LGPL-2.0-or-later), approved, #12592
 maven/mavencentral/org.apache.logging.log4j/log4j-to-slf4j/2.21.1, Apache-2.0, approved, #15262
@@ -72,7 +71,7 @@ maven/mavencentral/org.atteo/evo-inflector/1.3, Apache-2.0, approved, clearlydef
 maven/mavencentral/org.bouncycastle/bcpkix-jdk15on/1.69, MIT, approved, clearlydefined
 maven/mavencentral/org.bouncycastle/bcprov-jdk15on/1.69, MIT, approved, clearlydefined
 maven/mavencentral/org.bouncycastle/bcutil-jdk15on/1.69, MIT, approved, clearlydefined
-maven/mavencentral/org.checkerframework/checker-qual/3.33.0, MIT, approved, clearlydefined
+maven/mavencentral/org.checkerframework/checker-qual/3.42.0, MIT, approved, clearlydefined
 maven/mavencentral/org.codehaus.plexus/plexus-utils/3.2.1, , approved, CQ20774
 maven/mavencentral/org.ow2.asm/asm/9.6, BSD-3-Clause, approved, #10776
 maven/mavencentral/org.projectlombok/lombok/1.18.32, MIT, approved, #15192
@@ -83,9 +82,9 @@ maven/mavencentral/org.sonarsource.scanner.api/sonar-scanner-api/2.16.2.588, LGP
 maven/mavencentral/org.sonarsource.scanner.maven/sonar-maven-plugin/3.9.1.2184, LGPL-3.0-or-later, approved, #6944
 maven/mavencentral/org.sonatype.plexus/plexus-cipher/1.4, Apache-2.0, approved, CQ4600
 maven/mavencentral/org.sonatype.plexus/plexus-sec-dispatcher/1.4, Apache-2.0, approved, CQ16491
-maven/mavencentral/org.springdoc/springdoc-openapi-starter-common/2.0.2, Apache-2.0, approved, #5920
-maven/mavencentral/org.springdoc/springdoc-openapi-starter-webmvc-api/2.0.2, Apache-2.0, approved, #5950
-maven/mavencentral/org.springdoc/springdoc-openapi-starter-webmvc-ui/2.0.2, Apache-2.0, approved, #5923
+maven/mavencentral/org.springdoc/springdoc-openapi-starter-common/2.5.0, Apache-2.0, approved, clearlydefined
+maven/mavencentral/org.springdoc/springdoc-openapi-starter-webmvc-api/2.5.0, Apache-2.0, approved, clearlydefined
+maven/mavencentral/org.springdoc/springdoc-openapi-starter-webmvc-ui/2.5.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.springframework.boot/spring-boot-autoconfigure/3.2.5, Apache-2.0, approved, #11751
 maven/mavencentral/org.springframework.boot/spring-boot-starter-data-rest/3.2.5, Apache-2.0, approved, #12594
 maven/mavencentral/org.springframework.boot/spring-boot-starter-json/3.2.5, Apache-2.0, approved, #11894
@@ -94,7 +93,7 @@ maven/mavencentral/org.springframework.boot/spring-boot-starter-oauth2-client/3.
 maven/mavencentral/org.springframework.boot/spring-boot-starter-reactor-netty/3.2.5, Apache-2.0, approved, #12590
 maven/mavencentral/org.springframework.boot/spring-boot-starter-security/3.0.2, Apache-2.0, approved, #7329
 maven/mavencentral/org.springframework.boot/spring-boot-starter-tomcat/3.2.5, Apache-2.0, approved, #11923
-maven/mavencentral/org.springframework.boot/spring-boot-starter-web/3.0.2, Apache-2.0, approved, #5945
+maven/mavencentral/org.springframework.boot/spring-boot-starter-web/3.3.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.springframework.boot/spring-boot-starter-webflux/3.2.5, Apache-2.0, approved, #12589
 maven/mavencentral/org.springframework.boot/spring-boot-starter/3.2.5, Apache-2.0, approved, #11935
 maven/mavencentral/org.springframework.boot/spring-boot/3.2.5, Apache-2.0, approved, #11752
@@ -128,6 +127,5 @@ maven/mavencentral/org.springframework/spring-tx/6.1.6, Apache-2.0, approved, #1
 maven/mavencentral/org.springframework/spring-web/6.1.6, Apache-2.0, approved, #15188
 maven/mavencentral/org.springframework/spring-webflux/6.1.6, Apache-2.0, approved, #12593
 maven/mavencentral/org.springframework/spring-webmvc/6.1.6, Apache-2.0, approved, #15182
-maven/mavencentral/org.webjars/swagger-ui/4.15.5, Apache-2.0 AND MIT, approved, #5921
-maven/mavencentral/org.webjars/webjars-locator-core/0.55, MIT, approved, clearlydefined
+maven/mavencentral/org.webjars/swagger-ui/5.13.0, Apache-2.0, approved, #14547
 maven/mavencentral/org.yaml/snakeyaml/2.0, Apache-2.0 AND (Apache-2.0 OR BSD-3-Clause OR EPL-1.0 OR GPL-2.0-or-later OR LGPL-2.1-or-later), approved, #7275
diff --git a/dpp-backend/digitalproductpass/pom.xml b/dpp-backend/digitalproductpass/pom.xml
index 4b3e089e5..45e244974 100644
--- a/dpp-backend/digitalproductpass/pom.xml
+++ b/dpp-backend/digitalproductpass/pom.xml
@@ -51,7 +51,7 @@ com.google.guava guava - 32.0.0-jre + 33.2.1-jre jakarta.servlet @@ -98,7 +98,7 @@ spring-boot-starter-logging - 3.0.2 + 3.3.0 com.fasterxml.jackson.dataformat @@ -137,7 +137,7 @@ com.opencsv opencsv - 5.7.1 + 5.9 junit @@ -167,7 +167,7 @@ com.google.code.gson gson - 2.10 + 2.11.0 commons-net @@ -183,7 +183,7 @@ org.springdoc springdoc-openapi-starter-webmvc-ui - 2.0.2 + 2.5.0 From a0067c596d40e780a6859b22ec6d05a36ff08e45 Mon Sep 17 00:00:00 2001 From: Muhammad Saud Khan Date: Mon, 8 Jul 2024 13:17:24 +0200 Subject: [PATCH 2/2] fix(vulnerability): fixed spring-boot tomcat vulnerability and executed IP checks --- DEPENDENCIES_BACKEND | 2 +- dpp-backend/digitalproductpass/pom.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/DEPENDENCIES_BACKEND b/DEPENDENCIES_BACKEND index 0285758d7..28cbeb879 100644 --- a/DEPENDENCIES_BACKEND +++ b/DEPENDENCIES_BACKEND @@ -93,7 +93,7 @@ maven/mavencentral/org.springframework.boot/spring-boot-starter-oauth2-client/3. maven/mavencentral/org.springframework.boot/spring-boot-starter-reactor-netty/3.2.5, Apache-2.0, approved, #12590 maven/mavencentral/org.springframework.boot/spring-boot-starter-security/3.0.2, Apache-2.0, approved, #7329 maven/mavencentral/org.springframework.boot/spring-boot-starter-tomcat/3.2.5, Apache-2.0, approved, #11923 -maven/mavencentral/org.springframework.boot/spring-boot-starter-web/3.3.0, Apache-2.0, approved, clearlydefined +maven/mavencentral/org.springframework.boot/spring-boot-starter-web/3.3.1, Apache-2.0, approved, clearlydefined maven/mavencentral/org.springframework.boot/spring-boot-starter-webflux/3.2.5, Apache-2.0, approved, #12589 maven/mavencentral/org.springframework.boot/spring-boot-starter/3.2.5, Apache-2.0, approved, #11935 maven/mavencentral/org.springframework.boot/spring-boot/3.2.5, Apache-2.0, approved, #11752 diff --git a/dpp-backend/digitalproductpass/pom.xml b/dpp-backend/digitalproductpass/pom.xml index 45e244974..7c017cb63 100644 
--- a/dpp-backend/digitalproductpass/pom.xml +++ b/dpp-backend/digitalproductpass/pom.xml @@ -98,7 +98,7 @@ spring-boot-starter-logging - 3.3.0 + 3.3.1 com.fasterxml.jackson.dataformat
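Review bot: Bumping this single `<version>` to 3.3.1 does not establish that the Tomcat fix named in the subject is actually on the classpath: the DEPENDENCIES_BACKEND hunk regenerated in this same commit still lists spring-boot-starter-tomcat, spring-boot-starter and spring-boot at 3.2.5 and spring-boot-starter-security at 3.0.2 next to spring-boot-starter-web at 3.3.1, so the embedded Tomcat is presumably still the one managed by the 3.2.5 starter. Pinning Spring Boot per starter in pom.xml is what produces this three-way version split; the robust fix is to declare the Boot version once (the spring-boot-starter-parent, or a spring-boot-dependencies import in dependencyManagement), drop the per-starter `<version>` elements, then regenerate DEPENDENCIES_BACKEND and confirm the spring-boot-starter-tomcat line carries the patched release. The pom.xml hunks of the first patch (3.0.2 → 3.3.0 on the same element) introduce the same split and the comment applies there too. Which starter this `<version>` belongs to is not recoverable from the hunk as rendered — the surviving context reads spring-boot-starter-logging, while the DEPENDENCIES file records the change against spring-boot-starter-web — so that should be checked against the actual pom before merging.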