fix: P4ADEV-2136 fix CVE (#18)

pagopa · Feb 24, 2025 · dc69faa · dc69faa
1 parent 7aaa858
commit dc69faa
Show file tree

Hide file tree

Showing 6 changed files with 234 additions and 238 deletions.
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -49,7 +49,7 @@ jobs:
           sarif_file: 'results.sarif'
       - name: CVE Description escaped extraction and print
         run: |
-          SCAN_RESULTS=$(jq -r 'try .runs[0].tool.driver.rules | map(.help.text) | join("\\n")' results.sarif)
+          SCAN_RESULTS=$(jq -r 'try .runs[0].tool.driver.rules | try map(.shortDescription.text) | join("\\n")' results.sarif)
           echo "CVE_CRITICAL=$(echo $SCAN_RESULTS | grep -o CRITICAL | wc -l)" >> $GITHUB_ENV
           echo "CVE_HIGH=$(echo $SCAN_RESULTS | grep -o HIGH | wc -l)" >> $GITHUB_ENV
           echo "CVE_MEDIUM=$(echo $SCAN_RESULTS | grep -o MEDIUM | wc -l)" >> $GITHUB_ENV
@@ -67,4 +67,4 @@ jobs:
       CVE_CRITICAL: ${{needs.BuildAndScan.outputs.CVE_CRITICAL}}
       CVE_HIGH: ${{needs.BuildAndScan.outputs.CVE_HIGH}}
       CVE_MEDIUM: ${{needs.BuildAndScan.outputs.CVE_MEDIUM}}
-    secrets: inherit
+    secrets: inherit
diff --git a/Dockerfile b/Dockerfile
@@ -3,11 +3,11 @@
 #
 # 🎯 Version Management
 #
-ARG CORRETTO_VERSION="21-alpine3.20"
-ARG CORRETTO_SHA="8b16834e7fabfc62d4c8faa22de5df97f99627f148058d52718054aaa4ea3674"
+ARG CORRETTO_VERSION="21-alpine3.21"
+ARG CORRETTO_SHA="1b53a05c5693b5452a0c41a39b1fa3b8e7d77aa37f325acc378b7928bc1d8253"
 ARG GRADLE_VERSION="8.10.2"
 ARG GRADLE_DOWNLOAD_SHA256="31c55713e40233a8303827ceb42ca48a47267a0ad4bab9177123121e71524c26"
-ARG APPINSIGHTS_VERSION="3.6.2"
+ARG APPINSIGHTS_VERSION="3.7.0"
 
 # 🌍 Timezone Configuration
 ARG TZ="Europe/Rome"

diff --git a/build.gradle.kts b/build.gradle.kts
@@ -1,6 +1,6 @@
 plugins {
   java
-  id("org.springframework.boot") version "3.4.1"
+  id("org.springframework.boot") version "3.4.3"
   id("io.spring.dependency-management") version "1.1.7"
   jacoco
   id("org.sonarqube") version "6.0.1.5171"
@@ -28,11 +28,11 @@ repositories {
   mavenCentral()
 }
 
-val springDocOpenApiVersion = "2.7.0"
+val springDocOpenApiVersion = "2.8.5"
 val openApiToolsVersion = "0.2.6"
-val micrometerVersion = "1.4.1"
-val postgresJdbcVersion = "42.7.4"
-val bouncycastleVersion = "1.79"
+val micrometerVersion = "1.4.3"
+val postgresJdbcVersion = "42.7.5"
+val bouncycastleVersion = "1.80"
 
 dependencies {
   implementation("org.springframework.boot:spring-boot-starter")
@@ -47,17 +47,13 @@ dependencies {
   implementation("org.springdoc:springdoc-openapi-starter-webmvc-ui:$springDocOpenApiVersion")
   implementation("com.fasterxml.jackson.datatype:jackson-datatype-jsr310")
   implementation("org.openapitools:jackson-databind-nullable:$openApiToolsVersion")
+  implementation("org.bouncycastle:bcprov-jdk18on:$bouncycastleVersion")
+  implementation("org.postgresql:postgresql:$postgresJdbcVersion")
 
   compileOnly("org.projectlombok:lombok")
   annotationProcessor("org.projectlombok:lombok")
   testAnnotationProcessor("org.projectlombok:lombok")
 
-  //security
-  implementation("org.bouncycastle:bcprov-jdk18on:$bouncycastleVersion")
-
-  //postgres jdbc
-  implementation("org.postgresql:postgresql:$postgresJdbcVersion")
-
   //	Testing
   testImplementation("org.springframework.boot:spring-boot-starter-test")
   testImplementation("org.mockito:mockito-core")

diff --git a/gradle.lockfile b/gradle.lockfile
@@ -2,8 +2,8 @@
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
 aopalliance:aopalliance:1.0=compileClasspath
-ch.qos.logback:logback-classic:1.5.12=compileClasspath
-ch.qos.logback:logback-core:1.5.12=compileClasspath
+ch.qos.logback:logback-classic:1.5.16=compileClasspath
+ch.qos.logback:logback-core:1.5.16=compileClasspath
 com.fasterxml.jackson.core:jackson-annotations:2.18.2=compileClasspath
 com.fasterxml.jackson.core:jackson-core:2.18.2=compileClasspath
 com.fasterxml.jackson.core:jackson-databind:2.18.2=compileClasspath
@@ -18,13 +18,13 @@ com.jayway.jsonpath:json-path:2.9.0=compileClasspath
 com.nimbusds:nimbus-jose-jwt:9.37.3=compileClasspath
 com.zaxxer:HikariCP:5.1.0=compileClasspath
 io.micrometer:context-propagation:1.1.2=compileClasspath
-io.micrometer:micrometer-commons:1.14.2=compileClasspath
-io.micrometer:micrometer-core:1.14.2=compileClasspath
-io.micrometer:micrometer-jakarta9:1.14.2=compileClasspath
-io.micrometer:micrometer-observation:1.14.2=compileClasspath
-io.micrometer:micrometer-registry-prometheus:1.14.2=compileClasspath
-io.micrometer:micrometer-tracing-bridge-otel:1.4.1=compileClasspath
-io.micrometer:micrometer-tracing:1.4.1=compileClasspath
+io.micrometer:micrometer-commons:1.14.4=compileClasspath
+io.micrometer:micrometer-core:1.14.4=compileClasspath
+io.micrometer:micrometer-jakarta9:1.14.4=compileClasspath
+io.micrometer:micrometer-observation:1.14.4=compileClasspath
+io.micrometer:micrometer-registry-prometheus:1.14.4=compileClasspath
+io.micrometer:micrometer-tracing-bridge-otel:1.4.3=compileClasspath
+io.micrometer:micrometer-tracing:1.4.3=compileClasspath
 io.opentelemetry.instrumentation:opentelemetry-instrumentation-api-incubator:2.9.0-alpha=compileClasspath
 io.opentelemetry.instrumentation:opentelemetry-instrumentation-api:2.9.0=compileClasspath
 io.opentelemetry.semconv:opentelemetry-semconv:1.25.0-alpha=compileClasspath
@@ -36,13 +36,13 @@ io.opentelemetry:opentelemetry-sdk-logs:1.43.0=compileClasspath
 io.opentelemetry:opentelemetry-sdk-metrics:1.43.0=compileClasspath
 io.opentelemetry:opentelemetry-sdk-trace:1.43.0=compileClasspath
 io.opentelemetry:opentelemetry-sdk:1.43.0=compileClasspath
-io.prometheus:prometheus-metrics-config:1.3.5=compileClasspath
-io.prometheus:prometheus-metrics-core:1.3.5=compileClasspath
-io.prometheus:prometheus-metrics-model:1.3.5=compileClasspath
-io.prometheus:prometheus-metrics-tracer-common:1.3.5=compileClasspath
-io.swagger.core.v3:swagger-annotations-jakarta:2.2.25=compileClasspath
-io.swagger.core.v3:swagger-core-jakarta:2.2.25=compileClasspath
-io.swagger.core.v3:swagger-models-jakarta:2.2.25=compileClasspath
+io.prometheus:prometheus-metrics-config:1.3.6=compileClasspath
+io.prometheus:prometheus-metrics-core:1.3.6=compileClasspath
+io.prometheus:prometheus-metrics-model:1.3.6=compileClasspath
+io.prometheus:prometheus-metrics-tracer-common:1.3.6=compileClasspath
+io.swagger.core.v3:swagger-annotations-jakarta:2.2.28=compileClasspath
+io.swagger.core.v3:swagger-core-jakarta:2.2.28=compileClasspath
+io.swagger.core.v3:swagger-models-jakarta:2.2.28=compileClasspath
 jakarta.activation:jakarta.activation-api:2.1.3=compileClasspath
 jakarta.annotation:jakarta.annotation-api:2.1.1=compileClasspath
 jakarta.persistence:jakarta.persistence-api:3.1.0=compileClasspath
@@ -53,65 +53,65 @@ org.antlr:antlr4-runtime:4.13.0=compileClasspath
 org.apache.commons:commons-lang3:3.17.0=compileClasspath
 org.apache.logging.log4j:log4j-api:2.24.3=compileClasspath
 org.apache.logging.log4j:log4j-to-slf4j:2.24.3=compileClasspath
-org.apache.tomcat.embed:tomcat-embed-core:10.1.34=compileClasspath
-org.apache.tomcat.embed:tomcat-embed-el:10.1.34=compileClasspath
-org.apache.tomcat.embed:tomcat-embed-websocket:10.1.34=compileClasspath
+org.apache.tomcat.embed:tomcat-embed-core:10.1.36=compileClasspath
+org.apache.tomcat.embed:tomcat-embed-el:10.1.36=compileClasspath
+org.apache.tomcat.embed:tomcat-embed-websocket:10.1.36=compileClasspath
 org.aspectj:aspectjweaver:1.9.22.1=compileClasspath
 org.atteo:evo-inflector:1.3=compileClasspath
-org.bouncycastle:bcprov-jdk18on:1.79=compileClasspath
-org.hibernate.orm:hibernate-core:6.6.4.Final=compileClasspath
+org.bouncycastle:bcprov-jdk18on:1.80=compileClasspath
+org.hibernate.orm:hibernate-core:6.6.8.Final=compileClasspath
 org.hibernate.validator:hibernate-validator:8.0.2.Final=compileClasspath
 org.jboss.logging:jboss-logging:3.6.1.Final=compileClasspath
 org.jspecify:jspecify:1.0.0=compileClasspath
 org.openapitools:jackson-databind-nullable:0.2.6=compileClasspath
-org.postgresql:postgresql:42.7.4=compileClasspath
+org.postgresql:postgresql:42.7.5=compileClasspath
 org.projectlombok:lombok:1.18.36=compileClasspath
 org.slf4j:jul-to-slf4j:2.0.16=compileClasspath
 org.slf4j:slf4j-api:2.0.16=compileClasspath
-org.springdoc:springdoc-openapi-starter-common:2.7.0=compileClasspath
-org.springdoc:springdoc-openapi-starter-webmvc-api:2.7.0=compileClasspath
-org.springdoc:springdoc-openapi-starter-webmvc-ui:2.7.0=compileClasspath
-org.springframework.boot:spring-boot-actuator-autoconfigure:3.4.1=compileClasspath
-org.springframework.boot:spring-boot-actuator:3.4.1=compileClasspath
-org.springframework.boot:spring-boot-autoconfigure:3.4.1=compileClasspath
-org.springframework.boot:spring-boot-starter-actuator:3.4.1=compileClasspath
-org.springframework.boot:spring-boot-starter-data-jpa:3.4.1=compileClasspath
-org.springframework.boot:spring-boot-starter-data-rest:3.4.1=compileClasspath
-org.springframework.boot:spring-boot-starter-jdbc:3.4.1=compileClasspath
-org.springframework.boot:spring-boot-starter-json:3.4.1=compileClasspath
-org.springframework.boot:spring-boot-starter-logging:3.4.1=compileClasspath
-org.springframework.boot:spring-boot-starter-oauth2-resource-server:3.4.1=compileClasspath
-org.springframework.boot:spring-boot-starter-tomcat:3.4.1=compileClasspath
-org.springframework.boot:spring-boot-starter-validation:3.4.1=compileClasspath
-org.springframework.boot:spring-boot-starter-web:3.4.1=compileClasspath
-org.springframework.boot:spring-boot-starter:3.4.1=compileClasspath
-org.springframework.boot:spring-boot:3.4.1=compileClasspath
-org.springframework.data:spring-data-commons:3.4.1=compileClasspath
-org.springframework.data:spring-data-jpa:3.4.1=compileClasspath
-org.springframework.data:spring-data-rest-core:4.4.1=compileClasspath
-org.springframework.data:spring-data-rest-webmvc:4.4.1=compileClasspath
+org.springdoc:springdoc-openapi-starter-common:2.8.5=compileClasspath
+org.springdoc:springdoc-openapi-starter-webmvc-api:2.8.5=compileClasspath
+org.springdoc:springdoc-openapi-starter-webmvc-ui:2.8.5=compileClasspath
+org.springframework.boot:spring-boot-actuator-autoconfigure:3.4.3=compileClasspath
+org.springframework.boot:spring-boot-actuator:3.4.3=compileClasspath
+org.springframework.boot:spring-boot-autoconfigure:3.4.3=compileClasspath
+org.springframework.boot:spring-boot-starter-actuator:3.4.3=compileClasspath
+org.springframework.boot:spring-boot-starter-data-jpa:3.4.3=compileClasspath
+org.springframework.boot:spring-boot-starter-data-rest:3.4.3=compileClasspath
+org.springframework.boot:spring-boot-starter-jdbc:3.4.3=compileClasspath
+org.springframework.boot:spring-boot-starter-json:3.4.3=compileClasspath
+org.springframework.boot:spring-boot-starter-logging:3.4.3=compileClasspath
+org.springframework.boot:spring-boot-starter-oauth2-resource-server:3.4.3=compileClasspath
+org.springframework.boot:spring-boot-starter-tomcat:3.4.3=compileClasspath
+org.springframework.boot:spring-boot-starter-validation:3.4.3=compileClasspath
+org.springframework.boot:spring-boot-starter-web:3.4.3=compileClasspath
+org.springframework.boot:spring-boot-starter:3.4.3=compileClasspath
+org.springframework.boot:spring-boot:3.4.3=compileClasspath
+org.springframework.data:spring-data-commons:3.4.3=compileClasspath
+org.springframework.data:spring-data-jpa:3.4.3=compileClasspath
+org.springframework.data:spring-data-rest-core:4.4.3=compileClasspath
+org.springframework.data:spring-data-rest-webmvc:4.4.3=compileClasspath
 org.springframework.hateoas:spring-hateoas:2.4.1=compileClasspath
 org.springframework.plugin:spring-plugin-core:3.0.0=compileClasspath
-org.springframework.security:spring-security-config:6.4.2=compileClasspath
-org.springframework.security:spring-security-core:6.4.2=compileClasspath
-org.springframework.security:spring-security-crypto:6.4.2=compileClasspath
-org.springframework.security:spring-security-oauth2-core:6.4.2=compileClasspath
-org.springframework.security:spring-security-oauth2-jose:6.4.2=compileClasspath
-org.springframework.security:spring-security-oauth2-resource-server:6.4.2=compileClasspath
-org.springframework.security:spring-security-web:6.4.2=compileClasspath
-org.springframework:spring-aop:6.2.1=compileClasspath
-org.springframework:spring-aspects:6.2.1=compileClasspath
-org.springframework:spring-beans:6.2.1=compileClasspath
-org.springframework:spring-context:6.2.1=compileClasspath
-org.springframework:spring-core:6.2.1=compileClasspath
-org.springframework:spring-expression:6.2.1=compileClasspath
-org.springframework:spring-jcl:6.2.1=compileClasspath
-org.springframework:spring-jdbc:6.2.1=compileClasspath
-org.springframework:spring-orm:6.2.1=compileClasspath
-org.springframework:spring-tx:6.2.1=compileClasspath
-org.springframework:spring-web:6.2.1=compileClasspath
-org.springframework:spring-webmvc:6.2.1=compileClasspath
-org.webjars:swagger-ui:5.18.2=compileClasspath
+org.springframework.security:spring-security-config:6.4.3=compileClasspath
+org.springframework.security:spring-security-core:6.4.3=compileClasspath
+org.springframework.security:spring-security-crypto:6.4.3=compileClasspath
+org.springframework.security:spring-security-oauth2-core:6.4.3=compileClasspath
+org.springframework.security:spring-security-oauth2-jose:6.4.3=compileClasspath
+org.springframework.security:spring-security-oauth2-resource-server:6.4.3=compileClasspath
+org.springframework.security:spring-security-web:6.4.3=compileClasspath
+org.springframework:spring-aop:6.2.3=compileClasspath
+org.springframework:spring-aspects:6.2.3=compileClasspath
+org.springframework:spring-beans:6.2.3=compileClasspath
+org.springframework:spring-context:6.2.3=compileClasspath
+org.springframework:spring-core:6.2.3=compileClasspath
+org.springframework:spring-expression:6.2.3=compileClasspath
+org.springframework:spring-jcl:6.2.3=compileClasspath
+org.springframework:spring-jdbc:6.2.3=compileClasspath
+org.springframework:spring-orm:6.2.3=compileClasspath
+org.springframework:spring-tx:6.2.3=compileClasspath
+org.springframework:spring-web:6.2.3=compileClasspath
+org.springframework:spring-webmvc:6.2.3=compileClasspath
+org.webjars:swagger-ui:5.18.3=compileClasspath
 org.webjars:webjars-locator-lite:1.0.1=compileClasspath
 org.yaml:snakeyaml:2.3=compileClasspath
 empty=