Updated dependencies to fix CVE-2024-7254 (#31)

* migrated to toml file * added dependabot.yml
th2-net · Sep 23, 2024 · 4eb9975 · 4eb9975
1 parent 561dab2
commit 4eb9975
Show file tree

Hide file tree

Showing 6 changed files with 108 additions and 45 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,20 @@
+version: 2
+updates:
+  - package-ecosystem: gradle
+    directory: /
+    reviewers:
+      - Nikita-Smirnov-Exactpro
+      - OptimumCode
+    labels:
+      - dependencies
+    schedule:
+      interval: daily
+  - package-ecosystem: github-actions
+    directory: /
+    reviewers:
+      - Nikita-Smirnov-Exactpro
+      - OptimumCode
+    labels:
+      - dependencies
+    schedule:
+      interval: daily
diff --git a/.github/workflows/ci-unwelcome-words.yml b/.github/workflows/ci-unwelcome-words.yml
@@ -1,20 +1,25 @@
 name: CI
 
-on: [push, pull_request]
+on:
+  pull_request:
 
 jobs:
   test:
+    if: github.actor != 'dependabot[bot]'
     runs-on: ubuntu-20.04
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
+      with:
+        ref: ${{ github.sha }}
+    # All the below is required because the repository with the action is private
     - name: Checkout tool
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
       with:
-        repository: exactpro-th2/ci-github-action
+        repository: th2-net/ci-github-action
         ref: master
         token: ${{ secrets.PAT_CI_ACTION }}
         path: ci-github-action
     - name: Run CI action
       uses: ./ci-github-action
       with:
-        ref: ${{ github.ref }}
+        ref: ${{ github.sha }}
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# TH2 'Bill of Materials' (BOM) project (4.7.0)
+# TH2 'Bill of Materials' (BOM) project (4.8.0)
 
 This project contains the list of dependencies with their respective versions that are compatible and can be used with each other.
 
@@ -66,6 +66,15 @@ In most cases it is not necessary, but it might be useful sometimes.
 
 # Release notes:
 
+## 4.8.0
+
+### Updated
+* netty 4.1.112.Final -> 4.1.113.Final
+* protobuf 3.25.4 -> 3.25.5 (fixed `CVE-2024-7254` vulnerability)
+* log4j 2.23.1 -> 2.24.0
+* amqp-client 5.21.0 -> 5.22.0
+* commons-io 2.16.1 -> `2.17.0`
+
 ## 4.7.0
 
 ### Updated

diff --git a/build.gradle b/build.gradle
@@ -4,23 +4,12 @@ import com.github.jk1.license.render.JsonReportRenderer
 plugins {
     id 'java-platform'
     id 'maven-publish'
-    id "io.github.gradle-nexus.publish-plugin" version "2.0.0"
+    alias(libs.plugins.publish.plugin)
     id 'signing'
-    id 'org.owasp.dependencycheck' version "10.0.4"
-    id "com.gorylenko.gradle-git-properties" version "2.4.2"
-    id 'com.github.jk1.dependency-license-report' version "2.9"
-    id 'de.undercouch.download' version "5.6.0"
-}
-
-ext {
-    slf4jVersion = '2.0.16'
-    log4jVersion = '2.23.1'
-    grpcVersion = '1.66.0'
-    protobufVersion = '3.25.4' // gRPC 1.66 libraries uses protobuf 3.+
-    jacksonVersion = '2.17.2'
-    prometheusVersion = '0.16.0'
-    cassandraDriver = '4.17.0'
-    nettyVersion = '4.1.112.Final'
+    alias(libs.plugins.dependencycheck)
+    alias(libs.plugins.gradle.git.properties)
+    alias(libs.plugins.dependency.license.report)
+    alias(libs.plugins.download)
 }
 
 group = 'com.exactpro.th2'
@@ -55,39 +44,39 @@ dependencyCheck {
 }
 
 dependencies {
-    api platform('org.jetbrains.kotlin:kotlin-bom:1.8.22')
-    api platform("io.grpc:grpc-bom:$grpcVersion")
-    api platform("com.fasterxml.jackson:jackson-bom:$jacksonVersion")
-    api platform("com.datastax.oss:java-driver-bom:$cassandraDriver")
-    api platform("io.netty:netty-bom:$nettyVersion")
-    api platform("org.apache.logging.log4j:log4j-bom:$log4jVersion")
-    api platform("org.slf4j:slf4j-bom:${slf4jVersion}")
+    api platform(libs.kotlin.bom)
+    api platform(libs.grpc.bom)
+    api platform(libs.jackson.bom)
+    api platform(libs.java.driver.bom)
+    api platform(libs.netty.bom)
+    api platform(libs.log4j.bom)
+    api platform(libs.slf4j.bom)
 
     constraints {
         // Libraries
-        api("com.rabbitmq:amqp-client:5.21.0")
+        api(libs.amqp.client)
 
-        api("org.jetbrains:annotations:24.1.0")
+        api(libs.annotations)
 
-        api("org.apache.commons:commons-text:1.12.0")
-        api("org.apache.commons:commons-lang3:3.17.0")
-        api('commons-io:commons-io:2.16.1')
-        api("commons-cli:commons-cli:1.9.0")
-        api("org.apache.commons:commons-collections4:4.4")
+        api(libs.commons.text)
+        api(libs.commons.lang3)
+        api(libs.commons.io)
+        api(libs.commons.cli)
+        api(libs.commons.collections4)
 
-        api("com.google.guava:guava:33.3.0-jre")
+        api(libs.guava)
 
-        api("com.google.protobuf:protobuf-java-util:${protobufVersion}")
-        api("com.google.protobuf:protoc:${protobufVersion}")
+        api(libs.protobuf.java.util)
+        api(libs.protoc)
 
         api("org.slf4j:slf4j-api")
 
         // Prometheus FIXME: remove when we have a facade in common
-        api("io.prometheus:simpleclient:${prometheusVersion}")
-        api("io.prometheus:simpleclient_hotspot:${prometheusVersion}")
-        api("io.prometheus:simpleclient_httpserver:${prometheusVersion}")
-        api("io.prometheus:simpleclient_log4j2:${prometheusVersion}")
-        api("io.prometheus:simpleclient_log4j:${prometheusVersion}")
+        api(libs.simpleclient)
+        api(libs.simpleclient.hotspot)
+        api(libs.simpleclient.httpserver)
+        api(libs.simpleclient.log4j2)
+        api(libs.simpleclient.log4j)
     }
 }
 

diff --git a/gradle.properties b/gradle.properties
@@ -1,4 +1,4 @@
-release_version=4.7.0
+release_version=4.8.0
 description='TH2 "Bill of Materials" (BOM) project'
 vcs_url=https://github.com/th2-net/th2-bom
 nvdApiKey=

diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -0,0 +1,40 @@
+[versions]
+kotlin = "1.8.22"
+protobuf = "3.25.5" # gRPC 1.66 libraries uses protobuf 3.+
+prometheus = "0.16.0"
+
+[libraries]
+slf4j-bom = { group = "org.slf4j", name = "slf4j-bom", version = "2.0.16" }
+log4j-bom = { group = "org.apache.logging.log4j", name = "log4j-bom", version = "2.24.0" }
+
+netty-bom = { group = "io.netty", name = "netty-bom", version = "4.1.113.Final" }
+jackson-bom = { group = "com.fasterxml.jackson", name = "jackson-bom", version = "2.17.2" }
+java-driver-bom = { group = "com.datastax.oss", name = "java-driver-bom", version = "4.17.0" }
+
+amqp-client = { group = "com.rabbitmq", name = "amqp-client", version = "5.22.0" }
+annotations = { group = "org.jetbrains", name = "annotations", version = "24.1.0" }
+commons-text = { group = "org.apache.commons", name = "commons-text", version = "1.12.0" }
+commons-lang3 = { group = "org.apache.commons", name = "commons-lang3", version = "3.17.0" }
+commons-io = { group = "commons-io", name = "commons-io", version = "2.17.0" }
+commons-cli = { group = "commons-cli", name = "commons-cli", version = "1.9.0" }
+commons-collections4 = { group = "org.apache.commons", name = "commons-collections4", version = "4.4" }
+guava = { group = "com.google.guava", name = "guava", version = "33.3.0-jre" }
+
+grpc-bom = { group = "io.grpc", name = "grpc-bom", version = "1.66.0" }
+protobuf-java-util = { group = "com.google.protobuf", name = "protobuf-java-util", version.ref = "protobuf" }
+protoc = { group = "com.google.protobuf", name = "protoc", version.ref = "protobuf" }
+
+simpleclient = { group = "io.prometheus", name = "simpleclient", version.ref = "prometheus" }
+simpleclient-hotspot = { group = "io.prometheus", name = "simpleclient_hotspot", version.ref = "prometheus" }
+simpleclient-httpserver = { group = "io.prometheus", name = "simpleclient_httpserver", version.ref = "prometheus" }
+simpleclient-log4j2 = { group = "io.prometheus", name = "simpleclient_log4j2", version.ref = "prometheus" }
+simpleclient-log4j = { group = "io.prometheus", name = "simpleclient_log4j", version.ref = "prometheus" }
+
+kotlin-bom = { group = "org.jetbrains.kotlin", name = "kotlin-bom", version.ref = "kotlin" }
+
+[plugins]
+publish-plugin = { id = "io.github.gradle-nexus.publish-plugin", version = "2.0.0" }
+dependencycheck = { id = "org.owasp.dependencycheck", version = "10.0.4" }
+gradle-git-properties = { id = "com.gorylenko.gradle-git-properties", version = "2.4.2" }
+dependency-license-report = { id = "com.github.jk1.dependency-license-report", version = "2.9" }
+download = { id = "de.undercouch.download", version = "5.6.0" }