Feature/trivy findings

.github/workflows/trivy-scan.yaml

@@ -0,0 +1,32 @@
+name: Trivy Scan
+
+on:
+  push:
+    branches:
+      - feature/trivy_findings
+  workflow_dispatch:
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          scanners: 'vuln,secret,config'
+          ignore-unfixed: false
+          format: 'sarif'
+          exit-code: '1'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          limit-severities-for-sarif: true
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: 'code'

.jpb/jpb-settings.xml

@@ -1,13 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project version="4">
-  <component name="DatabaseMigrationSettings" liquibaseFileType="YAML">
-    <database-infos>
-      <database-info>
-        <option name="enabled" value="true" />
-        <dbms-id>postgres</dbms-id>
-      </database-info>
-    </database-infos>
-  </component>
   <component name="PersistenceUnitSettings">
     <persistence-units>
       <persistence-unit name="Default">

Containerfile

@@ -1,4 +1,4 @@
-FROM registry.access.redhat.com/ubi8/openjdk-17:latest
+FROM registry.access.redhat.com/ubi9/openjdk-17:1.20-2.1721231695
 ENV TZ="Europe/Vienna"
 
 USER jboss

pom.xml

@@ -11,7 +11,7 @@
         <jacoco.version>0.8.7</jacoco.version>
         <maven-enforcer-plugin.version>3.0.0-M3</maven-enforcer-plugin.version>
         <maven-resource-plugin.version>3.1.0</maven-resource-plugin.version>
-        <surefire-plugin.version>3.0.0-M5</surefire-plugin.version>
+        <surefire-plugin.version>3.2.3</surefire-plugin.version>
         <cxf-codegen-plugin.version>4.0.0</cxf-codegen-plugin.version>
         <liquibase-maven-plugin.version>4.0.0</liquibase-maven-plugin.version>
         <native2ascii-maven-plugin.plugin.version>2.0.1</native2ascii-maven-plugin.plugin.version>
@@ -21,14 +21,12 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <maven.version>3.8.1</maven.version>
 
-        <commons-lang3.version>3.12.0</commons-lang3.version>
-        <commons-io.version>2.11.0</commons-io.version>
-        <guava.version>31.0.1-jre</guava.version>
+        <guava.version>33.2.1-jre</guava.version>
 
-        <quarkus-plugin.version>3.1.3.Final</quarkus-plugin.version>
-        <quarkus.platform.version>3.1.3.Final</quarkus.platform.version>
+        <quarkus-plugin.version>3.12.1</quarkus-plugin.version>
+        <quarkus.platform.version>3.12.1</quarkus.platform.version>
 
-        <ws.rt.version>4.0.0</ws.rt.version>
+        <ws.rt.version>4.0.2</ws.rt.version>
         <xml.resolver.version>20050927</xml.resolver.version>
         <focus-shift.version>0.16.0</focus-shift.version>
         <assertj.version>3.21.0</assertj.version>
@@ -75,11 +73,11 @@
         </dependency>
         <dependency>
             <groupId>io.quarkus</groupId>
-            <artifactId>quarkus-rest-client</artifactId>
+            <artifactId>quarkus-resteasy-client</artifactId>
         </dependency>
         <dependency>
             <groupId>io.quarkus</groupId>
-            <artifactId>quarkus-rest-client-jackson</artifactId>
+            <artifactId>quarkus-resteasy-client-jackson</artifactId>
         </dependency>
         <!-- Quarkus MicroProfile-Extensions -->
         <dependency>
@@ -154,12 +152,10 @@
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
-            <version>${commons-lang3.version}</version>
         </dependency>
         <dependency>
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
-            <version>${commons-io.version}</version>
         </dependency>
         <dependency>
             <groupId>com.google.guava</groupId>

src/main/java/com/gepardec/mega/db/repository/UserRepository.java

@@ -4,7 +4,6 @@
 import com.gepardec.mega.domain.model.Role;
 import io.quarkus.hibernate.orm.panache.PanacheRepository;
 import io.quarkus.panache.common.Parameters;
-import io.quarkus.vertx.web.Param;
 import jakarta.enterprise.context.ApplicationScoped;
 import jakarta.inject.Inject;
 import jakarta.persistence.EntityManager;

src/test/java/com/gepardec/mega/application/producer/UserContextProducerTest.java

@@ -4,8 +4,8 @@
 import com.gepardec.mega.domain.model.User;
 import com.gepardec.mega.domain.model.UserContext;
 import com.gepardec.mega.service.api.UserService;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
-import io.quarkus.test.junit.mockito.InjectMock;
 import io.quarkus.test.security.TestSecurity;
 import io.quarkus.test.security.jwt.Claim;
 import io.quarkus.test.security.jwt.JwtSecurity;

src/test/java/com/gepardec/mega/notification/mail/NotificationHelperTest.java

@@ -2,8 +2,9 @@
 
 import com.gepardec.mega.application.configuration.NotificationConfig;
 import com.gepardec.mega.application.producer.ResourceBundleProducer;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
-import io.quarkus.test.junit.mockito.InjectMock;
+import io.quarkus.test.junit.mockito.MockitoConfig;
 import jakarta.inject.Inject;
 import org.junit.jupiter.api.Test;
 
@@ -22,10 +23,12 @@ class NotificationHelperTest {
     @Inject
     NotificationHelper notificationHelper;
 
-    @InjectMock(returnsDeepMocks = true)
+    @InjectMock
+    @MockitoConfig (returnsDeepMocks = true)
     private NotificationConfig notificationConfig;
 
-    @InjectMock(returnsDeepMocks = true)
+    @InjectMock
+    @MockitoConfig (returnsDeepMocks = true)
     private ResourceBundleProducer resourceBundleProducer;
 
     @Test

src/test/java/com/gepardec/mega/notification/mail/ReminderEmailSenderTest.java

@@ -4,8 +4,8 @@
 import com.gepardec.mega.domain.model.User;
 import com.gepardec.mega.service.api.UserService;
 import io.quarkus.mailer.MockMailbox;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
-import io.quarkus.test.junit.mockito.InjectMock;
 import jakarta.inject.Inject;
 import org.eclipse.microprofile.config.inject.ConfigProperty;
 import org.junit.jupiter.api.BeforeEach;

src/test/java/com/gepardec/mega/notification/mail/receiver/MailReceiverTest.java

@@ -1,9 +1,8 @@
 package com.gepardec.mega.notification.mail.receiver;
 
 import com.gepardec.mega.application.configuration.MailReceiverConfig;
-import com.sun.mail.imap.IMAPMessage;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
-import io.quarkus.test.junit.mockito.InjectMock;
 import jakarta.inject.Inject;
 import jakarta.mail.Folder;
 import jakarta.mail.Message;
@@ -50,7 +49,7 @@ void retrieveZepEmailsFromInbox_Successful() throws MessagingException {
         //GIVEN
         try (var mockedStatic = Mockito.mockStatic(Session.class)) {
             var inbox = mock(Folder.class);
-            when(inbox.search(any())).thenReturn(new Message[]{mock(IMAPMessage.class)});
+            when(inbox.search(any())).thenReturn(new Message[]{mock(Message.class)});
 
             var store = mock(Store.class);
             when(store.getFolder(anyString())).thenReturn(inbox);

src/test/java/com/gepardec/mega/notification/mail/receiver/ZepMailToCommentServiceTest.java

@@ -12,10 +12,10 @@
 import com.gepardec.mega.service.api.CommentService;
 import com.gepardec.mega.service.api.ProjectService;
 import com.gepardec.mega.service.api.UserService;
-import com.sun.mail.imap.IMAPMessage;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
-import io.quarkus.test.junit.mockito.InjectMock;
 import jakarta.inject.Inject;
+import jakarta.mail.Message;
 import jakarta.mail.MessagingException;
 import org.junit.jupiter.api.Test;
 import org.slf4j.Logger;
@@ -74,7 +74,7 @@ void saveAsComment_BillableProject_Successful() throws MessagingException, IOExc
         );
 
         //WHEN
-        testedObject.saveAsComment(mock(IMAPMessage.class));
+        testedObject.saveAsComment(mock(Message.class));
 
         //THEN
         verify(commentService, times(1)).create(
@@ -106,7 +106,7 @@ void saveAsComment_NotBillableProject_Successful() throws MessagingException, IO
         );
 
         //WHEN
-        testedObject.saveAsComment(mock(IMAPMessage.class));
+        testedObject.saveAsComment(mock(Message.class));
 
         //THEN
         verify(commentService, times(1)).create(
@@ -131,7 +131,7 @@ void saveAsComment_ExceptionInMapper_ErrorLogged() throws MessagingException, IO
 
         //WHEN
         //THEN
-        assertThatCode(() -> testedObject.saveAsComment(mock(IMAPMessage.class)))
+        assertThatCode(() -> testedObject.saveAsComment(mock(Message.class)))
                 .doesNotThrowAnyException();
         verify(logger).error(any());
         verify(commentService, times(0)).create(any(), any(), any(), any(), any(), any(), any());
@@ -148,7 +148,7 @@ void saveAsComment_ExceptionInMapper_EmailSent() throws MessagingException, IOEx
 
         //WHEN
         //THEN
-        assertThatCode(() -> testedObject.saveAsComment(mock(IMAPMessage.class)))
+        assertThatCode(() -> testedObject.saveAsComment(mock(Message.class)))
                 .doesNotThrowAnyException();
         verify(commentService, times(0)).create(any(), any(), any(), any(), any(), any(), any());
         verify(mailSender, times(1)).send(

src/test/java/com/gepardec/mega/notification/mail/receiver/ZepProjektzeitDetailsMailMapperTest.java

@@ -1,8 +1,7 @@
 package com.gepardec.mega.notification.mail.receiver;
 
-import com.sun.mail.imap.IMAPMessage;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
-import io.quarkus.test.junit.mockito.InjectMock;
 import jakarta.inject.Inject;
 import jakarta.mail.BodyPart;
 import jakarta.mail.Message;
@@ -64,7 +63,7 @@ void setup() throws MessagingException, IOException {
         var multipart = mock(Multipart.class);
         when(multipart.getBodyPart(0)).thenReturn(bodyPart);
 
-        givenMessage = mock(IMAPMessage.class);
+        givenMessage = mock(Message.class);
         when(givenMessage.getContent()).thenReturn(multipart);
         when(givenMessage.getSubject()).thenReturn(SUBJECT);
     }

src/test/java/com/gepardec/mega/personio/commons/factory/PersonioHeadersFactoryTest.java

@@ -4,8 +4,8 @@
 import com.gepardec.mega.personio.auth.AuthResponse;
 import com.gepardec.mega.personio.auth.AuthResponseData;
 import com.gepardec.mega.personio.auth.PersonioAuthClient;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
-import io.quarkus.test.junit.mockito.InjectMock;
 import io.quarkus.test.junit.mockito.InjectSpy;
 import jakarta.inject.Inject;
 import jakarta.ws.rs.NotAuthorizedException;

src/test/java/com/gepardec/mega/personio/employees/PersonioEmployeesServiceImplTest.java

@@ -6,8 +6,8 @@
 import com.gepardec.mega.personio.commons.model.BaseResponse;
 import com.gepardec.mega.personio.commons.model.ErrorResponse;
 import com.gepardec.mega.personio.employees.absenceBalance.AbsenceBalanceResponse;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
-import io.quarkus.test.junit.mockito.InjectMock;
 import jakarta.inject.Inject;
 import org.eclipse.microprofile.rest.client.inject.RestClient;
 import org.junit.jupiter.api.Test;

src/test/java/com/gepardec/mega/rest/CommentResourceTest.java

@@ -9,8 +9,8 @@
 import com.gepardec.mega.rest.model.CommentDto;
 import com.gepardec.mega.rest.model.NewCommentEntryDto;
 import com.gepardec.mega.service.api.CommentService;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
-import io.quarkus.test.junit.mockito.InjectMock;
 import io.quarkus.test.security.TestSecurity;
 import io.quarkus.test.security.jwt.Claim;
 import io.quarkus.test.security.jwt.JwtSecurity;

src/test/java/com/gepardec/mega/rest/EmployeeResourceTest.java

@@ -6,8 +6,8 @@
 import com.gepardec.mega.rest.mapper.EmployeeMapper;
 import com.gepardec.mega.rest.model.EmployeeDto;
 import com.gepardec.mega.service.api.EmployeeService;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
-import io.quarkus.test.junit.mockito.InjectMock;
 import io.quarkus.test.security.TestSecurity;
 import io.quarkus.test.security.jwt.Claim;
 import io.quarkus.test.security.jwt.JwtSecurity;

src/test/java/com/gepardec/mega/rest/ManagementResourceTest.java

@@ -19,8 +19,8 @@
 import com.gepardec.mega.service.helper.WorkingTimeUtil;
 import com.gepardec.mega.zep.ZepService;
 import com.gepardec.mega.zep.impl.Rest;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
-import io.quarkus.test.junit.mockito.InjectMock;
 import io.quarkus.test.security.TestSecurity;
 import io.quarkus.test.security.jwt.Claim;
 import io.quarkus.test.security.jwt.JwtSecurity;

src/test/java/com/gepardec/mega/rest/PrematureEmployeeCheckResourceTest.java

@@ -6,8 +6,8 @@
 import com.gepardec.mega.rest.model.PrematureEmployeeCheckDto;
 import com.gepardec.mega.rest.model.UserDto;
 import com.gepardec.mega.service.api.PrematureEmployeeCheckService;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
-import io.quarkus.test.junit.mockito.InjectMock;
 import io.quarkus.test.security.TestSecurity;
 import io.quarkus.test.security.jwt.Claim;
 import io.quarkus.test.security.jwt.JwtSecurity;

src/test/java/com/gepardec/mega/rest/StepEntryResourceTest.java

@@ -7,8 +7,8 @@
 import com.gepardec.mega.rest.model.EmployeeDto;
 import com.gepardec.mega.rest.model.EmployeeStepDto;
 import com.gepardec.mega.service.api.StepEntryService;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
-import io.quarkus.test.junit.mockito.InjectMock;
 import io.quarkus.test.security.TestSecurity;
 import io.quarkus.test.security.jwt.Claim;
 import io.quarkus.test.security.jwt.JwtSecurity;

src/test/java/com/gepardec/mega/rest/SyncResourceTest.java

@@ -14,8 +14,8 @@
 
 import com.gepardec.mega.service.api.StepEntryService;
 import com.gepardec.mega.zep.ZepService;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
-import io.quarkus.test.junit.mockito.InjectMock;
 import jakarta.inject.Inject;
 
 import org.junit.jupiter.api.Test;

src/test/java/com/gepardec/mega/rest/UserResourceTest.java

@@ -5,8 +5,8 @@
 import com.gepardec.mega.domain.model.UserContext;
 import com.gepardec.mega.rest.mapper.UserMapper;
 import com.gepardec.mega.rest.model.UserDto;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
-import io.quarkus.test.junit.mockito.InjectMock;
 import io.quarkus.test.junit.mockito.InjectSpy;
 import io.quarkus.test.security.TestSecurity;
 import io.quarkus.test.security.jwt.Claim;

src/test/java/com/gepardec/mega/rest/WorkerResourceTest.java

@@ -42,8 +42,8 @@
 import com.gepardec.mega.service.helper.WorkingTimeUtil;
 import com.gepardec.mega.zep.ZepService;
 import com.gepardec.mega.zep.impl.Rest;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
-import io.quarkus.test.junit.mockito.InjectMock;
 import io.quarkus.test.security.TestSecurity;
 import io.quarkus.test.security.jwt.Claim;
 import io.quarkus.test.security.jwt.JwtSecurity;

src/test/java/com/gepardec/mega/service/impl/absenceservice/AbsenceServiceImplTest.java

@@ -4,8 +4,8 @@
 import com.gepardec.mega.domain.model.AbsenceTime;
 import com.gepardec.mega.service.api.AbsenceService;
 import com.gepardec.mega.service.api.DateHelperService;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
-import io.quarkus.test.junit.mockito.InjectMock;
 import jakarta.inject.Inject;
 import org.junit.jupiter.api.Test;
 

src/test/java/com/gepardec/mega/service/impl/comment/CommentServiceImplTest.java

@@ -15,8 +15,8 @@
 import com.gepardec.mega.notification.mail.MailSender;
 import com.gepardec.mega.service.api.CommentService;
 import com.gepardec.mega.service.api.StepEntryService;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
-import io.quarkus.test.junit.mockito.InjectMock;
 import jakarta.inject.Inject;
 import jakarta.persistence.EntityNotFoundException;
 import org.junit.jupiter.api.Test;

src/test/java/com/gepardec/mega/service/impl/employee/EmployeeServiceImplTest.java

@@ -5,8 +5,8 @@
 import com.gepardec.mega.service.impl.EmployeeServiceImpl;
 import com.gepardec.mega.zep.ZepService;
 import com.gepardec.mega.zep.ZepServiceException;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
-import io.quarkus.test.junit.mockito.InjectMock;
 import jakarta.inject.Inject;
 import org.assertj.core.api.SoftAssertions;
 import org.eclipse.microprofile.context.ManagedExecutor;

src/test/java/com/gepardec/mega/service/impl/init/StepEntrySyncServiceImplTest.java

@@ -11,8 +11,8 @@
 import com.gepardec.mega.service.api.StepService;
 import com.gepardec.mega.service.api.UserService;
 import com.gepardec.mega.service.impl.StepEntrySyncServiceImpl;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
-import io.quarkus.test.junit.mockito.InjectMock;
 import jakarta.inject.Inject;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;

src/test/java/com/gepardec/mega/service/impl/monthlyreport/MonthlyReportServiceImplTest.java

@@ -20,8 +20,8 @@
 import com.gepardec.mega.service.helper.WarningCalculatorsManager;
 import com.gepardec.mega.service.impl.MonthlyReportServiceImpl;
 import com.gepardec.mega.zep.ZepService;
+import io.quarkus.test.InjectMock;
 import io.quarkus.test.junit.QuarkusTest;
-import io.quarkus.test.junit.mockito.InjectMock;
 import io.quarkus.test.security.TestSecurity;
 import io.quarkus.test.security.jwt.Claim;
 import io.quarkus.test.security.jwt.JwtSecurity;