Hotfix release v5.11.3 (#328)

* Move application.yaml properties to application.properties

* Update available dependencies for fic CVE issues.

* Update Dockerfile

Author: raikbitters

.github/workflows/dockerhub-release.yaml

@@ -17,7 +17,7 @@ jobs:
     name: Retag and push image 
     runs-on: ubuntu-latest
     environment: rc
-    if: github.event.pull_request.base.ref == 'master' || github.event.pull_request.base.ref == 'main'
+    if: github.event.review.state == 'approved' && (github.event.pull_request.base.ref == 'master' || github.event.pull_request.base.ref == 'main')
     steps:
       - name: Checkout
         uses: actions/checkout@v3

.github/workflows/release.yml

@@ -11,7 +11,7 @@ on:
 
 env:
   GH_USER_NAME: github.actor
-  RELEASE_VERSION: 5.11.1
+  RELEASE_VERSION: 5.11.3
 
 jobs:
   release:

Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM gradle:6.8.3-jdk11 AS build
+FROM --platform=$BUILDPLATFORM gradle:8.10.0-jdk11-alpine AS build
 ARG RELEASE_MODE
 ARG APP_VERSION
 WORKDIR /usr/app
@@ -10,13 +10,13 @@ RUN if [ "${RELEASE_MODE}" = true ]; then \
     else gradle build --no-build-cache --exclude-task test -Dorg.gradle.project.version=${APP_VERSION}; fi
 
 # For ARM build use flag: `--platform linux/arm64`
-FROM --platform=$BUILDPLATFORM amazoncorretto:11.0.20
-LABEL version=${APP_VERSION} description="EPAM ReportPortal. Auth Service" maintainer="Andrei Varabyeu <[email protected]>, Hleb Kanonik <[email protected]>"
+FROM --platform=$BUILDPLATFORM amazoncorretto:11.0.24
 ARG APP_VERSION=${APP_VERSION}
+LABEL version=${APP_VERSION} description="EPAM ReportPortal. Auth Service" maintainer="Andrei Varabyeu <[email protected]>, Hleb Kanonik <[email protected]>"
 ENV APP_DIR=/usr/app
 ENV JAVA_OPTS="-Xmx1g -XX:+UseG1GC -XX:InitiatingHeapOccupancyPercent=70 -Djava.security.egd=file:/dev/./urandom"
 WORKDIR $APP_DIR
 COPY --from=build $APP_DIR/build/libs/service-authorization-*exec.jar .
 VOLUME ["/tmp"]
 EXPOSE 8080
-ENTRYPOINT exec java ${JAVA_OPTS} -jar ${APP_DIR}/service-authorization-*exec.jar
+ENTRYPOINT ["sh", "-c", "java ${JAVA_OPTS} -jar ${APP_DIR}/service-authorization-*exec.jar"]

build.gradle

@@ -6,7 +6,7 @@ plugins {
 }
 
 apply from: 'project-properties.gradle'
-apply from: "$scriptsUrl/build-docker.gradle"
+//apply from: "$scriptsUrl/build-docker.gradle"
 apply from: "$scriptsUrl/build-info.gradle"
 apply from: "$scriptsUrl/build-commons.gradle"
 //apply from: "$scriptsUrl/build-quality.gradle"
@@ -15,12 +15,12 @@ apply from: "$scriptsUrl/signing.gradle"
 
 repositories {
     mavenCentral { url "https://repo1.maven.org/maven2" }
-
     if (!releaseMode) {
         maven { url 'https://jitpack.io' }
     }
 }
 
+ext['spring-boot.version'] = '2.5.15'
 //https://nvd.nist.gov/vuln/detail/CVE-2020-10683 (dom4j 2.1.3 version dependency) AND https://nvd.nist.gov/vuln/detail/CVE-2019-14900
 ext['hibernate.version'] = '5.4.18.Final'
 //https://nvd.nist.gov/vuln/detail/CVE-2020-10693
@@ -52,12 +52,10 @@ dependencies {
     implementation 'org.apache.tomcat.embed:tomcat-embed-core:9.0.86'
     implementation 'org.apache.tomcat.embed:tomcat-embed-el:9.0.86'
     implementation 'org.apache.tomcat.embed:tomcat-embed-websocket:9.0.86'
-    //Fix CVE-2020-15522
-    implementation 'org.bouncycastle:bcprov-jdk15on:1.69'
     //Fix CVE-2015-7501, CVE-2015-4852
     implementation 'org.apache.commons:commons-collections4:4.4'
     //Fix CVE-2018-10237
-    implementation 'com.google.guava:guava:31.1-jre'
+    implementation 'com.google.guava:guava:33.3.0-jre'
     //Fix CVE-2020-13956
     implementation 'org.apache.httpcomponents:httpclient:4.5.14'
     //Fix CVE-2022-40152
@@ -70,26 +68,27 @@ dependencies {
     //Fix CVE-2023-34050
     implementation 'org.springframework.amqp:spring-amqp:2.4.17'
     //Fix CVE-2023-40827, CVE-2023-40828, CVE-2023-40826
-    implementation 'org.springframework:spring-webmvc:5.3.33'
-    implementation 'org.springframework:spring-web:5.3.33'
+    implementation 'org.springframework:spring-webmvc:5.3.39'
+    implementation 'org.springframework:spring-web:5.3.39'
 
     ///// Security
     //https://nvd.nist.gov/vuln/detail/CVE-2020-5407 AND https://nvd.nist.gov/vuln/detail/CVE-2020-5408
-    implementation 'org.springframework.security:spring-security-core:5.8.5'
-    implementation 'org.springframework.security:spring-security-config:5.8.5'
-    implementation 'org.springframework.security:spring-security-web:5.8.5'
-    //
-
+    implementation 'org.springframework.security:spring-security-core:5.8.14'
+    implementation 'org.springframework.security:spring-security-config:5.8.14'
+    implementation 'org.springframework.security:spring-security-web:5.8.14'
     implementation 'org.springframework.security:spring-security-oauth2-client'
     //Fix CVE-2023-1370
     implementation 'net.minidev:json-smart:2.4.10'
     //Fix CVE-2022-22969
     implementation 'org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE'
-    implementation 'org.springframework.security:spring-security-jwt:1.0.11.RELEASE'
+    implementation 'org.springframework.security:spring-security-jwt:1.1.1.RELEASE'
+    //Fix CVE-2020-15522 in org.springframework.security:spring-security-jwt:1.1.1.RELEASE
+    implementation 'org.bouncycastle:bcprov-jdk15on:1.70'
     implementation 'org.springframework.security:spring-security-ldap'
     // TODO: consider migration to spring-security-saml2-service-provider
     implementation 'org.springframework.security.extensions:spring-security-saml2-core:2.0.0.M31'
-//  Temporary fix of https://nvd.nist.gov/vuln/detail/CVE-2019-12400
+    implementation 'commons-collections:commons-collections:3.2.2'
+    //Temporary fix of https://nvd.nist.gov/vuln/detail/CVE-2019-12400
     implementation 'org.apache.santuario:xmlsec:3.0.3'
     //Fix CVE-2015-7501, CVE-2015-4852
     implementation 'org.apache.commons:commons-collections4:4.4'
@@ -104,10 +103,11 @@ dependencies {
     implementation 'io.springfox:springfox-swagger2'
     implementation 'org.apache.commons:commons-compress:1.26.0'
     implementation 'org.cryptacular:cryptacular:1.1.4'
-    // TODO: snakeyaml 2.0 supported by Spring Boot 3 only
-    implementation 'org.yaml:snakeyaml:1.33'
+    // TODO: snakeyaml 2.0 supported by Spring Boot 2.7 and 3.X only
+    // We don't user application.yml, so it's safe to use 2.2
+    implementation 'org.yaml:snakeyaml:2.2'
     implementation 'org.hibernate:hibernate-core:5.4.24.Final'
-    implementation 'org.springframework:spring-core:5.3.30'
+    implementation 'org.springframework:spring-core:5.3.39'
     implementation "com.rabbitmq:http-client:5.2.0"
 
     // Lombok

gradle.properties

@@ -1,4 +1,4 @@
-version=5.11.2
+version=5.11.3
 description=Unified Authorization Trap for all ReportPortal's Services
 dockerPrepareEnvironment=
 dockerJavaOpts=-Xmx512m -XX:+UseG1GC -XX:InitiatingHeapOccupancyPercent=70 -Djava.security.egd=file:/dev/./urandom

gradle/wrapper/gradle-wrapper.jar

@@ -1,5 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-6.8-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.10-bin.zip
+networkTimeout=10000
+validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists