dependency-versions-upgrade and exclusion (#144)

Co-authored-by: Michael Hoennig <michael@hoennig.de> Reviewed-on: #144 Reviewed-by: Marc Sandlus <marc.sandlus@hostsharing.net>
2025-01-09 09:28:30 +01:00 · 2025-01-09 09:28:30 +01:00 · a7ffee9348
commit a7ffee9348
parent 6b09ad0003
7 changed files with 32 additions and 21 deletions
--- a/README.md
+++ b/README.md
@ -109,7 +109,7 @@ Also try for example 'admin@xxx.example.com' or 'unknown@example.org'.

 If you want a formatted JSON output, you can pipe the result to `jq` or similar.

-And to see the full, currently implemented, API, open http://localhost:8080/swagger-ui/index.html.
+And to see the full, currently implemented, API, open http://localhost:8081/actuator/swagger-ui/index.html (uses management-port and thus bypasses authentication).

 If you still need to install some of these tools, find some hints in the next chapters. 

--- a/build.gradle
+++ b/build.gradle
@ -1,11 +1,11 @@
 plugins {
    id 'java'
-    id 'org.springframework.boot' version '3.3.4'
-    id 'io.spring.dependency-management' version '1.1.6'
+    id 'org.springframework.boot' version '3.3.7'
+    id 'io.spring.dependency-management' version '1.1.7'
    id 'io.openapiprocessor.openapi-processor' version '2023.2'
    id 'com.github.jk1.dependency-license-report' version '2.9'
-    id "org.owasp.dependencycheck" version "10.0.4"
-    id "com.diffplug.spotless" version "6.25.0"
+    id "org.owasp.dependencycheck" version "11.1.1"
+    id "com.diffplug.spotless" version "7.0.0"
    id 'jacoco'
    id 'info.solidsoft.pitest' version '1.15.0'
    id 'se.patrikerdes.use-latest-versions' version '0.2.18'
@ -60,25 +60,24 @@ dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-validation'
    implementation 'org.springframework.boot:spring-boot-starter-actuator'
    implementation 'org.springframework.boot:spring-boot-starter-security'
-    implementation 'com.github.gavlyukovskiy:datasource-proxy-spring-boot-starter:1.9.2'
+    implementation 'com.github.gavlyukovskiy:datasource-proxy-spring-boot-starter:1.10.0'
    implementation 'org.springdoc:springdoc-openapi:2.6.0'
    implementation 'org.postgresql:postgresql:42.7.4'
-    implementation 'org.liquibase:liquibase-core:4.29.2'
-    implementation 'io.hypersistence:hypersistence-utils-hibernate-63:3.8.3'
-    implementation 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.18.0'
+    implementation 'org.liquibase:liquibase-core:4.30.0'
+    implementation 'io.hypersistence:hypersistence-utils-hibernate-63:3.9.0'
+    implementation 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.18.2'
    implementation 'org.openapitools:jackson-databind-nullable:0.2.6'
-    implementation 'org.apache.commons:commons-text:1.12.0'
-    implementation 'net.java.dev.jna:jna:5.15.0'
-    implementation 'org.modelmapper:modelmapper:3.2.1'
+    implementation 'org.apache.commons:commons-text:1.13.0'
+    implementation 'net.java.dev.jna:jna:5.16.0'
+    implementation 'org.modelmapper:modelmapper:3.2.2'
    implementation 'org.iban4j:iban4j:3.2.10-RELEASE'
    implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.6.0'
-    implementation 'org.webjars:swagger-ui:5.17.14'
    implementation 'org.reflections:reflections:0.10.2'

    compileOnly 'org.projectlombok:lombok'
    testCompileOnly 'org.projectlombok:lombok'

-    developmentOnly 'org.springframework.boot:spring-boot-devtools'
+    // FIXME: developmentOnly 'org.springframework.boot:spring-boot-devtools'

    annotationProcessor 'org.projectlombok:lombok'
    testAnnotationProcessor 'org.projectlombok:lombok'
@ -205,7 +204,7 @@ openApiGenerate.dependsOn processSpring
 spotless {
    java {
        removeUnusedImports()
-        indentWithSpaces(4)
+        leadingTabsToSpaces(4)
        endWithNewline()
        toggleOffOn()

--- a/etc/owasp-dependency-check-suppression.xml
+++ b/etc/owasp-dependency-check-suppression.xml
@ -9,8 +9,12 @@
    </suppress>
    <suppress>
        <notes><![CDATA[
-           Malicious HTTP redirect in JAXB on a REST-endpoint is not that dangerous.
+          file name: logback-core-1.5.12.jar
+          A successful attack requires the user to have write access to a configuration file or environment vars.
        ]]></notes>
-        <cve>CVE-2024-9329</cve>
+        <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback-core@.*$</packageUrl>
+        <cpe>cpe:/a:qos:logback</cpe>
+        <cve>CVE-2024-12798</cve>
    </suppress>
+
 </suppressions>
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@ -9,7 +9,7 @@ management:
        web:
            exposure:
                # HOWTO: view _clickable_ Spring Actuator (Micrometer) Metrics endpoints: http://localhost:8081/actuator/metric-links
-                include: info, health, metrics, metric-links
+                include: info, health, metrics, metric-links, mappings, openapi, swaggerui
    observations:
        annotations:
            enabled: true
@ -30,6 +30,10 @@ spring:
            hibernate:
                dialect: net.hostsharing.hsadminng.config.PostgresCustomDialect

+# keep this in sync with test/.../application.yml
+springdoc:
+    use-management-port: true
+
 liquibase:
    contexts: dev

--- a/src/test/java/net/hostsharing/hsadminng/config/WebSecurityConfigIntegrationTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/config/WebSecurityConfigIntegrationTest.java
@ -82,14 +82,14 @@ class WebSecurityConfigIntegrationTest {
    @Test
    public void shouldSupportSwaggerUi() {
        final var result = this.restTemplate.getForEntity(
-                "http://localhost:" + this.managementPort + "/swagger-ui/index.html", String.class);
+                "http://localhost:" + this.managementPort + "/actuator/swagger-ui/index.html", String.class);
        assertThat(result.getStatusCode()).isEqualTo(HttpStatus.OK);
    }

    @Test
    public void shouldSupportApiDocs() {
        final var result = this.restTemplate.getForEntity(
-                "http://localhost:" + this.managementPort + "/v3/api-docs/swagger-config", String.class);
+                "http://localhost:" + this.managementPort + "/actuator/v3/api-docs/swagger-config", String.class);
        assertThat(result.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND); // permitted but not configured
    }

--- a/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetControllerRestTest.java
+++ b/src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetControllerRestTest.java
@ -20,11 +20,11 @@ import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
 import org.springframework.boot.test.context.TestConfiguration;
-import org.springframework.boot.test.mock.mockito.MockBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Import;
 import org.springframework.http.MediaType;
 import org.springframework.test.context.ActiveProfiles;
+import org.springframework.boot.test.mock.mockito.MockBean;
 import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;
--- a/src/test/resources/application.yml
+++ b/src/test/resources/application.yml
@ -39,6 +39,10 @@ spring:
        change-log: classpath:/db/changelog/db.changelog-master.yaml
        contexts: tc,test,dev,pg_stat_statements

+# keep this in sync with main/.../application.yml
+springdoc:
+    use-management-port: true
+
 logging:
    level:
        liquibase: WARN