From 232503755a6dbece5380f7a57a054de094a18caa Mon Sep 17 00:00:00 2001
From: Lucian Holland <lucian@patientsknowbest.com>
Date: Tue, 28 Mar 2023 17:04:43 +0200
Subject: [PATCH 1/3] Bump deps to fix owasp

---
 pom.xml                            | 47 ++++++++++++++----------------
 spring-boot-infrastructure/pom.xml |  1 -
 spring-infrastructure/pom.xml      |  8 ++---
 suppression.xml                    | 13 +++++++--
 4 files changed, 37 insertions(+), 32 deletions(-)

diff --git a/pom.xml b/pom.xml
index 998dfb97..b7dfdabb 100644
--- a/pom.xml
+++ b/pom.xml
@@ -47,7 +47,7 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 
         <apache.commons.text.version>1.10.0</apache.commons.text.version>
-        <approvalcrest.version>0.61.1</approvalcrest.version>
+        <approvalcrest.version>0.61.2</approvalcrest.version>
         <hamcrest.version>2.2</hamcrest.version>
         <vavr.version>0.10.2</vavr.version>
 
@@ -57,7 +57,7 @@
         <version.apache-commons-io>2.6</version.apache-commons-io>
         <javax.javaee-api.version>8.0</javax.javaee-api.version>
         <avro.version>1.11.0</avro.version>
-        <camel.version>3.19.0</camel.version>
+        <camel.version>3.20.2</camel.version>
 
         <maven.compiler.plugin.version>3.8.1</maven.compiler.plugin.version>
         <maven.source.plugin.version>3.2.1</maven.source.plugin.version>
@@ -75,17 +75,17 @@
 
         <commons.testing.version>54-8e2e575-247593</commons.testing.version>
         <spring-cloud.version>2021.0.5</spring-cloud.version>
-        <spring.boot.version>2.7.5</spring.boot.version>
+        <spring.boot.version>2.7.10</spring.boot.version>
         <immutables.version>2.9.0</immutables.version>
-        <checker-qual.version>3.25.0</checker-qual.version>
+        <checker-qual.version>3.32.0</checker-qual.version>
         <kotlin.version>1.6.21</kotlin.version>
-        <errorprone.version>2.16</errorprone.version>
+        <errorprone.version>2.18.0</errorprone.version>
         <groovy.version>2.5.17</groovy.version>
         <retrofit.version>2.9.0</retrofit.version>
         <okhttp.version>4.10.0</okhttp.version>
         <jakarta.persistence-api.version>2.2.3</jakarta.persistence-api.version>
         <jakarta.xml.bind-api.version>2.3.3</jakarta.xml.bind-api.version>
-        <hibernate-core.version>5.6.9.Final</hibernate-core.version> <!-- Please ensure that this remains consistent with the version specified in the spring boot bom -->
+        <hibernate-core.version>5.6.15.Final</hibernate-core.version> <!-- Please ensure that this remains consistent with the version specified in the spring boot bom -->
         <jakarta.inject-api.version>1.0</jakarta.inject-api.version>
         <jaxb-impl.version>2.3.6</jaxb-impl.version>
         <jakarta.activation-api.version>2.0.1</jakarta.activation-api.version>
@@ -94,13 +94,10 @@
         <assertj-version>3.23.1</assertj-version>
 
         <!-- Required to force google components like pub-sub to more recent versions than camel bom will pull in. Keep in line with PHR -->
-        <spring-cloud-gcp.version>3.4.0</spring-cloud-gcp.version>
+        <spring-cloud-gcp.version>3.4.7</spring-cloud-gcp.version>
 
-        <!-- Only needed because of a security issue, remove when spring-cloud-dependencies uses at least spring security version 5.7.5 -->
-        <spring.security.version>5.7.5</spring.security.version>
 
-        <!--Required until approvalcrest is compatible with latest gson again -->
-        <google.gson.version>2.9.0</google.gson.version>
+        <jackson-bom.version>2.14.2</jackson-bom.version>
     </properties>
 
     <modules>
@@ -119,14 +116,6 @@
 
     <dependencyManagement>
         <dependencies>
-            <!-- Only needed because of a security issue, remove when spring-cloud-dependencies uses at least spring security version 5.7.5 -->
-            <dependency>
-                <groupId>org.springframework.security</groupId>
-                <artifactId>spring-security-bom</artifactId>
-                <version>${spring.security.version}</version>
-                <type>pom</type>
-                <scope>import</scope>
-            </dependency>
             <dependency>
                 <groupId>com.google.cloud</groupId>
                 <artifactId>spring-cloud-gcp-dependencies</artifactId>
@@ -134,6 +123,13 @@
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
+            <dependency>
+                <groupId>com.fasterxml.jackson</groupId>
+                <artifactId>jackson-bom</artifactId>
+                <version>${jackson-bom.version}</version>
+                <scope>import</scope>
+                <type>pom</type>
+            </dependency>
             <dependency>
                 <groupId>org.springframework.boot</groupId>
                 <artifactId>spring-boot-dependencies</artifactId>
@@ -311,6 +307,13 @@
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
+            <dependency>
+                <groupId>org.apache.camel</groupId>
+                <artifactId>camel-core</artifactId>
+                <type>test-jar</type>
+                <scope>test</scope>
+                <version>${camel.version}</version>
+            </dependency>
             <dependency>
                 <groupId>org.apache.camel</groupId>
                 <artifactId>camel-xml-jaxb</artifactId>
@@ -395,12 +398,6 @@
                 <artifactId>jakarta.persistence-api</artifactId>
                 <version>${jakarta.persistence-api.version}</version>
             </dependency>
-            <dependency>
-                <groupId>com.google.code.gson</groupId>
-                <artifactId>gson</artifactId>
-                <!-- latest version is 2.9.0 but it is non-backwards-compatible with karsaig's approval crest -->
-                <version>${google.gson.version}</version>
-            </dependency>
         </dependencies>
     </dependencyManagement>
 
diff --git a/spring-boot-infrastructure/pom.xml b/spring-boot-infrastructure/pom.xml
index 480509f0..ae832eb6 100644
--- a/spring-boot-infrastructure/pom.xml
+++ b/spring-boot-infrastructure/pom.xml
@@ -19,7 +19,6 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter</artifactId>
-            <version>${spring.boot.version}</version>
             <scope>test</scope>
         </dependency>
         <dependency>
diff --git a/spring-infrastructure/pom.xml b/spring-infrastructure/pom.xml
index 5aa5d3eb..caf6e9d9 100644
--- a/spring-infrastructure/pom.xml
+++ b/spring-infrastructure/pom.xml
@@ -17,10 +17,10 @@
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.checkerframework</groupId>
-            <artifactId>checker-qual</artifactId>
-        </dependency>
+        <!--        <dependency>-->
+        <!--            <groupId>org.checkerframework</groupId>-->
+        <!--            <artifactId>checker-qual</artifactId>-->
+        <!--        </dependency>-->
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
diff --git a/suppression.xml b/suppression.xml
index c686e05b..ae221bd5 100644
--- a/suppression.xml
+++ b/suppression.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
 
-    <suppress until="2023-03-01Z">
+    <suppress until="2024-01-01Z">
         <!-- This seems to be a false positive because the report refers the com.google.code.gson library -->
         <notes><![CDATA[
    file name: google-http-client-gson-*.jar
@@ -9,7 +9,7 @@
         <packageUrl regex="true">^pkg:maven/com\.google\.http\-client/google\-http\-client\-gson@.*$</packageUrl>
         <cve>CVE-2022-25647</cve>
     </suppress>
-    <suppress until="2022-12-06Z">
+    <suppress until="2024-01-01Z">
         <!-- This is a false positive. The CVE is for much lower version of springs security than this one. But
         according to the CVE website the vulnerability is being "reassessed" so we should check back in 2 months and
         see if there's any update -->
@@ -19,5 +19,14 @@
         <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-.*$</packageUrl>
         <vulnerabilityName>CVE-2020-5408</vulnerabilityName>
     </suppress>
+    <suppress until="2023-06-01Z">
+        <!-- Refer to https://github.com/google/guava/issues/4011 -->
+        <!-- Hopefully Google will either remove or update the deprecated method that is affected by this CVE; until then we suppress it -->
+        <notes><![CDATA[
+   file name: guava-31.1-jre.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
+        <cve>CVE-2020-8908</cve>
+    </suppress>
 
 </suppressions>

From 7b9eda9e8a01e36cd19d041965220a829fc54ae0 Mon Sep 17 00:00:00 2001
From: Lucian Holland <lucian@patientsknowbest.com>
Date: Tue, 28 Mar 2023 18:15:26 +0200
Subject: [PATCH 2/3] Add back pin for gson + remove comment

---
 pom.xml                       | 12 +++++++-----
 spring-infrastructure/pom.xml |  4 ----
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/pom.xml b/pom.xml
index b7dfdabb..b0b3fd2f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -98,6 +98,7 @@
 
 
         <jackson-bom.version>2.14.2</jackson-bom.version>
+        <google.gson.version>2.10.1</google.gson.version>
     </properties>
 
     <modules>
@@ -398,6 +399,11 @@
                 <artifactId>jakarta.persistence-api</artifactId>
                 <version>${jakarta.persistence-api.version}</version>
             </dependency>
+            <dependency>
+                <groupId>com.google.code.gson</groupId>
+                <artifactId>gson</artifactId>
+                <version>${google.gson.version}</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 
@@ -449,11 +455,7 @@
                                     to pick the highest version. Otherwise we may end up unexpectedly swapping to an older
                                     version if the 'nearest' definition changes, or end up unexpectedly using a different version
                                     to what we've specified via a parent bom -->
-                                    <requireUpperBoundDeps>
-                                        <excludes>
-                                            <exclude>com.google.code.gson:gson</exclude>
-                                        </excludes>
-                                    </requireUpperBoundDeps>
+                                    <requireUpperBoundDeps/>
                                     <banCircularDependencies/>
                                     <banDuplicateClasses/>
                                     <bannedDependencies>
diff --git a/spring-infrastructure/pom.xml b/spring-infrastructure/pom.xml
index caf6e9d9..2edf1fed 100644
--- a/spring-infrastructure/pom.xml
+++ b/spring-infrastructure/pom.xml
@@ -17,10 +17,6 @@
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
         </dependency>
-        <!--        <dependency>-->
-        <!--            <groupId>org.checkerframework</groupId>-->
-        <!--            <artifactId>checker-qual</artifactId>-->
-        <!--        </dependency>-->
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>

From 3b3cbb33af62dd67d0a1c96f2d02f00d2467b601 Mon Sep 17 00:00:00 2001
From: Lucian Holland <lucian@patientsknowbest.com>
Date: Mon, 27 Mar 2023 11:08:46 +0200
Subject: [PATCH 3/3] Change FakeDateTimeService to return wrapper clock

Allows for injecting a mockable clock into classes
that take a clock as a constructor parameter
---
 .../AutoAdvanceFakeDateTimeService.java       | 20 +++++++--
 .../common/datetime/FakeDateTimeService.java  | 44 +++++++++++++++----
 2 files changed, 52 insertions(+), 12 deletions(-)

diff --git a/date-time/src/main/java/com/pkb/common/datetime/AutoAdvanceFakeDateTimeService.java b/date-time/src/main/java/com/pkb/common/datetime/AutoAdvanceFakeDateTimeService.java
index ab66c054..18d70742 100644
--- a/date-time/src/main/java/com/pkb/common/datetime/AutoAdvanceFakeDateTimeService.java
+++ b/date-time/src/main/java/com/pkb/common/datetime/AutoAdvanceFakeDateTimeService.java
@@ -1,6 +1,8 @@
 package com.pkb.common.datetime;
 
 import java.time.Clock;
+import java.time.Instant;
+import java.time.ZoneId;
 import java.time.temporal.TemporalAmount;
 
 /**
@@ -16,10 +18,22 @@ public class AutoAdvanceFakeDateTimeService extends FakeDateTimeService {
 
     @Override
     public Clock clock() {
-        if (this.currentFixedClock != null && autoAdvanceDuration != null) {
-            moveTime(autoAdvanceDuration);
+        return new AutoAdvanceClockShim(getCurrentZoneId());
+    }
+
+    private class AutoAdvanceClockShim extends ClockShim {
+
+        AutoAdvanceClockShim(ZoneId zone) {
+            super(zone);
+        }
+
+        @Override
+        public Instant instant() {
+            if (currentFixedTime != null && autoAdvanceDuration != null) {
+                moveTime(autoAdvanceDuration);
+            }
+            return super.instant();
         }
-        return super.clock();
     }
 
     public void setAutoAdvanceDuration(TemporalAmount autoAdvanceDuration) {
diff --git a/date-time/src/main/java/com/pkb/common/datetime/FakeDateTimeService.java b/date-time/src/main/java/com/pkb/common/datetime/FakeDateTimeService.java
index 95a207de..c69fb56a 100644
--- a/date-time/src/main/java/com/pkb/common/datetime/FakeDateTimeService.java
+++ b/date-time/src/main/java/com/pkb/common/datetime/FakeDateTimeService.java
@@ -6,16 +6,17 @@
 import java.lang.invoke.MethodHandles;
 import java.time.Clock;
 import java.time.Instant;
+import java.time.ZoneId;
 import java.time.ZonedDateTime;
 import java.time.temporal.TemporalAmount;
 import java.time.temporal.TemporalUnit;
+import java.util.Optional;
 import java.util.concurrent.TimeUnit;
 
 public class FakeDateTimeService implements DateTimeService {
     private static final Logger LOGGER = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
 
-    protected volatile ZonedDateTime currentFixedTime;
-    protected volatile Clock currentFixedClock;
+    volatile ZonedDateTime currentFixedTime;
 
     private final DateTimeService fallbackService;
 
@@ -29,10 +30,11 @@ public FakeDateTimeService(DateTimeService fallbackService) {
 
     @Override
     public Clock clock() {
-        if (currentFixedClock == null) {
-            return fallbackService.clock();
-        }
-        return currentFixedClock;
+        return new ClockShim(getCurrentZoneId());
+    }
+
+    ZoneId getCurrentZoneId() {
+        return Optional.ofNullable(currentFixedTime).map(ZonedDateTime::getZone).orElseGet(fallbackService.clock()::getZone);
     }
 
     @Override
@@ -58,13 +60,37 @@ public long nowNanoTime() {
 
     @Override
     public void forgetFixedCurrentTimeForTesting() {
-        this.currentFixedClock = null;
+        this.currentFixedTime = null;
         LOGGER.info("Cleared fixed fake date time.");
     }
 
     private void fixTime(ZonedDateTime zdt) {
         currentFixedTime = zdt;
-        currentFixedClock = Clock.fixed(zdt.toInstant(), zdt.getZone());
-        LOGGER.info("Set fixed fake date time to: {}", currentFixedClock);
+        LOGGER.info("Set fixed fake date time to: {}", currentFixedTime);
+    }
+
+
+    class ClockShim extends Clock {
+
+        private final ZoneId zone;
+
+        ClockShim(ZoneId zone) {
+            this.zone = zone;
+        }
+
+        @Override
+        public ZoneId getZone() {
+            return zone;
+        }
+
+        @Override
+        public Clock withZone(ZoneId zone) {
+            return new ClockShim(zone);
+        }
+
+        @Override
+        public Instant instant() {
+            return Optional.ofNullable(currentFixedTime).map(ZonedDateTime::toInstant).orElseGet(fallbackService.clock()::instant);
+        }
     }
 }