SpringBoot, Gradle, Java etc. version upgrades and add OWASP API key via gradle.properties

build.gradle

@@ -1,15 +1,15 @@
 plugins {
     id 'java'
-    id 'org.springframework.boot' version '3.0.0'
+    id 'org.springframework.boot' version '3.1.7'
-    id 'io.spring.dependency-management' version '1.1.0'
+    id 'io.spring.dependency-management' version '1.1.4'
-    id 'io.openapiprocessor.openapi-processor' version '2022.2'
+    id 'io.openapiprocessor.openapi-processor' version '2023.2'
-    id 'com.github.jk1.dependency-license-report' version '2.1'
+    id 'com.github.jk1.dependency-license-report' version '2.5'
-    id "org.owasp.dependencycheck" version "7.3.0"
+    id "org.owasp.dependencycheck" version "9.0.7"
-    id "com.diffplug.spotless" version "6.11.0"
+    id "com.diffplug.spotless" version "6.23.3"
     id 'jacoco'
-    id 'info.solidsoft.pitest' version '1.9.0'
+    id 'info.solidsoft.pitest' version '1.15.0'
     id 'se.patrikerdes.use-latest-versions' version '0.2.18'
-    id 'com.github.ben-manes.versions' version '0.43.0'
+    id 'com.github.ben-manes.versions' version '0.50.0'
 }
 
 group = 'net.hostsharing'
@@ -17,7 +17,7 @@ version = '0.0.1-SNAPSHOT'
 
 wrapper {
     distributionType = Wrapper.DistributionType.BIN
-    gradleVersion = '7.5'
+    gradleVersion = '8.5'
 }
 
 configurations {
@@ -42,7 +42,7 @@ repositories {
 
 java {
     toolchain {
-        languageVersion = JavaLanguageVersion.of(17)
+        languageVersion = JavaLanguageVersion.of(21)
     }
 }
 
@@ -58,23 +58,24 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-jdbc'
     implementation 'org.springframework.boot:spring-boot-starter-web'
     implementation 'org.springframework.boot:spring-boot-starter-validation'
-    implementation 'com.github.gavlyukovskiy:datasource-proxy-spring-boot-starter:1.8.1'
+    implementation 'com.github.gavlyukovskiy:datasource-proxy-spring-boot-starter:1.9.1'
-    implementation 'org.springdoc:springdoc-openapi:2.0.0-M7'
+    implementation 'org.springdoc:springdoc-openapi:2.3.0'
-    implementation 'org.liquibase:liquibase-core'
+    implementation 'org.liquibase:liquibase-core:4.25.1'
-    implementation 'com.vladmihalcea:hibernate-types-60:2.20.0'
+    implementation 'com.vladmihalcea:hibernate-types-60:2.21.1'
-    implementation 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.13.4'
+    implementation 'io.hypersistence:hypersistence-utils-hibernate-64:3.7.0'
-    implementation 'org.openapitools:jackson-databind-nullable:0.2.4'
+    implementation 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.16.1'
-    implementation 'org.apache.commons:commons-text:1.10.0'
+    implementation 'org.openapitools:jackson-databind-nullable:0.2.6'
-    implementation 'org.modelmapper:modelmapper:3.1.0'
+    implementation 'org.apache.commons:commons-text:1.11.0'
-    implementation 'org.iban4j:iban4j:3.2.3-RELEASE'
+    implementation 'org.modelmapper:modelmapper:3.2.0'
-    implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.2.0'
+    implementation 'org.iban4j:iban4j:3.2.7-RELEASE'
+    implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.3.0'
 
     compileOnly 'org.projectlombok:lombok'
     testCompileOnly 'org.projectlombok:lombok'
 
     developmentOnly 'org.springframework.boot:spring-boot-devtools'
 
-    runtimeOnly 'org.postgresql:postgresql'
+    runtimeOnly 'org.postgresql:postgresql:42.7.1'
 
     annotationProcessor 'org.projectlombok:lombok'
     testAnnotationProcessor 'org.projectlombok:lombok'
@@ -82,11 +83,12 @@ dependencies {
     testImplementation 'org.springframework.boot:spring-boot-starter-test'
     testImplementation 'org.testcontainers:testcontainers'
     testImplementation 'org.testcontainers:junit-jupiter'
+    testImplementation 'org.junit.jupiter:junit-jupiter'
     testImplementation 'org.testcontainers:postgresql'
-    testImplementation 'com.tngtech.archunit:archunit-junit5:1.0.0'
+    testImplementation 'com.tngtech.archunit:archunit-junit5:1.2.1'
     testImplementation 'io.rest-assured:spring-mock-mvc'
     testImplementation 'org.hamcrest:hamcrest-core:2.2'
-    testImplementation 'org.pitest:pitest-junit5-plugin:1.1.0'
+    testImplementation 'org.pitest:pitest-junit5-plugin:1.2.1'
 }
 
 dependencyManagement {
@@ -182,15 +184,20 @@ spotless {
         }
     }
 }
+project.tasks.spotlessJava.dependsOn(tasks.generateLicenseReport, tasks.processResources, tasks.processTestResources)
 project.tasks.check.dependsOn(spotlessCheck)
 
 // OWASP Dependency Security Test
 dependencyCheck {
-    cveValidForHours=4
+    nvd {
+        apiKey = project.property('OWASP_API_KEY') // set it in ~/.gradle/gradle.properties
+        delay = 16000
+    }
+    // cveValidForHours = 4
     format = 'ALL'
     suppressionFile = 'etc/owasp-dependency-check-suppression.xml'
     failOnError = true
-    failBuildOnCVSS = 7
+    failBuildOnCVSS = 5
 }
 project.tasks.check.dependsOn(dependencyCheckAnalyze)
 project.tasks.dependencyCheckAnalyze.doFirst { // Why not doLast? See README.md!

etc/allowed-licenses.json

@@ -8,6 +8,7 @@
 
         { "moduleLicense": "BSD License" },
         { "moduleLicense": "BSD-2-Clause" },
+        { "moduleLicense": "BSD-3-Clause" },
         { "moduleLicense": "The BSD License" },
 
         { "moduleLicense": "CDDL 1.1" },

etc/owasp-dependency-check-suppression.xml

@@ -14,4 +14,39 @@
         <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
         <cve>CVE-2022-42003</cve>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+            We don't parse external XML.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.eclipse\.angus/angus\-activation@.*$</packageUrl>
+        <cpe>cpe:/a:eclipse:eclipse_ide</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+               We don't parse external XML.
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/jakarta\.activation/jakarta\.activation\-api@.*$</packageUrl>
+        <cpe>cpe:/a:eclipse:eclipse_ide</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+           Cyclic references are not possible if file comes in JSON text format.
+       ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
+        <cpe>cpe:/a:fasterxml:jackson-databind</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+           As far as I see Criteria.parse(...) cannot be reached with external data.
+       ]]></notes>
+        <packageUrl regex="true">^pkg:maven/com\.jayway\.jsonpath/json\-path@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-51074</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+           Internal tooling, not exposed to the Internet.
+       ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.pitest/pitest\-command\-line@.*$</packageUrl>
+        <cpe>cpe:/a:line:line</cpe>
+    </suppress>
 </suppressions>

gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.5-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.5-bin.zip
+networkTimeout=10000
+validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists

gradlew

@@ -55,7 +55,7 @@
 #       Darwin, MinGW, and NonStop.
 #
 #   (3) This script is generated from the Groovy template
-#       https://github.com/gradle/gradle/blob/master/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
+#       https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt
 #       within the Gradle project.
 #
 #       You can find Gradle at https://github.com/gradle/gradle/.
@@ -80,13 +80,11 @@ do
     esac
 done
 
-APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
+# This is normally unused
-
+# shellcheck disable=SC2034
-APP_NAME="Gradle"
 APP_BASE_NAME=${0##*/}
-
+# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
-# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
-DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
@@ -133,22 +131,29 @@ location of your Java installation."
     fi
 else
     JAVACMD=java
-    which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+    if ! command -v java >/dev/null 2>&1
+    then
+        die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
 
 Please set the JAVA_HOME variable in your environment to match the
 location of your Java installation."
+    fi
 fi
 
 # Increase the maximum file descriptors if we can.
 if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
     case $MAX_FD in #(
       max*)
+        # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
+        # shellcheck disable=SC2039,SC3045
         MAX_FD=$( ulimit -H -n ) ||
             warn "Could not query maximum file descriptor limit"
     esac
     case $MAX_FD in  #(
       '' | soft) :;; #(
       *)
+        # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
+        # shellcheck disable=SC2039,SC3045
         ulimit -n "$MAX_FD" ||
             warn "Could not set maximum file descriptor limit to $MAX_FD"
     esac
@@ -193,11 +198,15 @@ if "$cygwin" || "$msys" ; then
     done
 fi
 
-# Collect all arguments for the java command;
+
-#   * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of
+# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
-#     shell script including quotes and variable substitutions, so put them in
+DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
-#     double quotes to make sure that they get re-expanded; and
+
-#   * put everything else in single quotes, so that it's not re-expanded.
+# Collect all arguments for the java command:
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
+#     and any embedded shellness will be escaped.
+#   * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be
+#     treated as '${Hostname}' itself on the command line.
 
 set -- \
         "-Dorg.gradle.appname=$APP_BASE_NAME" \
@@ -205,6 +214,12 @@ set -- \
         org.gradle.wrapper.GradleWrapperMain \
         "$@"
 
+# Stop when "xargs" is not available.
+if ! command -v xargs >/dev/null 2>&1
+then
+    die "xargs is not available"
+fi
+
 # Use "xargs" to parse quoted args.
 #
 # With -n1 it outputs one arg per line, with the quotes and backslashes removed.

gradlew.bat

@@ -14,7 +14,7 @@
 @rem limitations under the License.
 @rem
 
-@if "%DEBUG%" == "" @echo off
+@if "%DEBUG%"=="" @echo off
 @rem ##########################################################################
 @rem
 @rem  Gradle startup script for Windows
@@ -25,7 +25,8 @@
 if "%OS%"=="Windows_NT" setlocal
 
 set DIRNAME=%~dp0
-if "%DIRNAME%" == "" set DIRNAME=.
+if "%DIRNAME%"=="" set DIRNAME=.
+@rem This is normally unused
 set APP_BASE_NAME=%~n0
 set APP_HOME=%DIRNAME%
 
@@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome
 
 set JAVA_EXE=java.exe
 %JAVA_EXE% -version >NUL 2>&1
-if "%ERRORLEVEL%" == "0" goto execute
+if %ERRORLEVEL% equ 0 goto execute
 
 echo.
 echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
@@ -75,13 +76,15 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar
 
 :end
 @rem End local scope for the variables with windows NT shell
-if "%ERRORLEVEL%"=="0" goto mainEnd
+if %ERRORLEVEL% equ 0 goto mainEnd
 
 :fail
 rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of
 rem the _cmd.exe /c_ return code!
-if  not "" == "%GRADLE_EXIT_CONSOLE%" exit 1
+set EXIT_CODE=%ERRORLEVEL%
-exit /b 1
+if %EXIT_CODE% equ 0 set EXIT_CODE=1
+if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE%
+exit /b %EXIT_CODE%
 
 :mainEnd
 if "%OS%"=="Windows_NT" endlocal

src/main/java/net/hostsharing/hsadminng/hs/office/sepamandate/HsOfficeSepaMandateEntity.java

@@ -54,6 +54,7 @@ public class HsOfficeSepaMandateEntity implements Stringifyable {
 
     @Column(name = "validity", columnDefinition = "daterange")
     @Type(PostgreSQLRangeType.class)
+    @Builder.Default
     private Range<LocalDate> validity = Range.infinite(LocalDate.class);
 
     public void setValidFrom(final LocalDate validFrom) {