Merge pull request #109 from Onlineberatung/TSYSTEMS-140-fix-cve-issu…

…es-upgrade-to-java17

Tsystems 140 fix CVE issues upgrade to java17

.github/workflows/dockerImage.yml

@@ -27,7 +27,7 @@ jobs:
       - name: Setup JVM
         uses: actions/setup-java@v1
         with:
-          java-version: 11.0.10
+          java-version: 17.0.7
           java-package: jdk
           architecture: x64
 
@@ -63,7 +63,7 @@ jobs:
   push_to_registry:
     strategy:
       matrix:
-        registry: ["docker.pkg.github.com", "ghcr.io"]
+        registry: ["ghcr.io"]
     needs: [test]
     name: Push Docker image to GitHub Packages
     runs-on: ubuntu-latest

.github/workflows/feature-branch.yml

@@ -19,7 +19,7 @@ jobs:
     - name: Setup JVM
       uses: actions/setup-java@v1
       with:
-        java-version: 11.0.10
+        java-version: 17.0.7
         java-package: jdk
         architecture: x64
 

Dockerfile

@@ -1,4 +1,4 @@
-FROM adoptopenjdk/openjdk11
+FROM openjdk:17-oracle
 VOLUME ["/tmp","/log"]
 EXPOSE 8080
 ARG JAR_FILE

google_checks_light.xml

@@ -306,7 +306,6 @@
         </module>
         -->
         <module name="JavadocMethod">
-            <property name="scope" value="public"/>
             <property name="allowMissingParamTags" value="true"/>
             <property name="allowMissingReturnTag" value="true"/>
             <property name="allowedAnnotations" value="Override, Test"/>

pom.xml

@@ -16,20 +16,28 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.7.5</version>
-		<relativePath /> <!-- lookup parent from repository -->
+		<version>3.0.6</version>
+		<relativePath/>
 	</parent>
 
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-		<java.version>11</java.version>
+		<java.version>17</java.version>
 		<!-- force at least version 2.16 due to https://logging.apache.org/log4j/2.x/security.html -->
 		<log4j.version>2.17.1</log4j.version>
-		<openapi-generator-maven-plugin.version>6.2.1</openapi-generator-maven-plugin.version>
+		<openapi-generator-maven-plugin.version>6.6.0</openapi-generator-maven-plugin.version>
 		<springfox-swagger2.version>3.0.0</springfox-swagger2.version>
 		<jackson-databind-nullable.version>0.2.3</jackson-databind-nullable.version>
-		<spring.security>5.7.5</spring.security>
+		<spring-security.version>6.0.5</spring-security.version>
+		<maven.compiler.source>17</maven.compiler.source>
+		<maven.compiler.target>17</maven.compiler.target>
+		<hibernate.validator.version>8.0.0.Final</hibernate.validator.version>
+
+		<commons-lang3.version>3.11</commons-lang3.version>
+		<commons-text.version>1.10.0</commons-text.version>
+		<commons-io.version>2.6</commons-io.version>
+		<javax.ws.rs-api.version>2.1.1</javax.ws.rs-api.version>
 	</properties>
 
 	<dependencies>
@@ -47,8 +55,15 @@
 			<artifactId>spring-boot-starter-cache</artifactId>
 		</dependency>
 		<dependency>
-			<groupId>org.ehcache</groupId>
+			<groupId>net.sf.ehcache</groupId>
 			<artifactId>ehcache</artifactId>
+			<version>2.10.9.2</version>
+			<exclusions>
+				<exclusion>
+					<groupId>com.fasterxml.jackson.core</groupId>
+					<artifactId>jackson-databind</artifactId>
+				</exclusion>
+			</exclusions>
 		</dependency>
 		<dependency>
 			<groupId>javax.cache</groupId>
@@ -58,7 +73,7 @@
 		<dependency>
 			<groupId>org.hibernate.validator</groupId>
 			<artifactId>hibernate-validator</artifactId>
-			<version>6.1.6.Final</version>
+			<version>${hibernate-validator.version}</version>
 		</dependency>
 
 		<!-- OpenApi/Swagger dependencies -->
@@ -72,6 +87,10 @@
 					<groupId>javax.mail</groupId>
 					<artifactId>mailapi</artifactId>
 				</exclusion>
+				<exclusion>
+					<groupId>com.sun.mail</groupId>
+					<artifactId>mailapi</artifactId>
+				</exclusion>
 			</exclusions>
 		</dependency>
 		<dependency>
@@ -81,24 +100,21 @@
 		</dependency>
 		<!-- SpringFox: generate YAML file from POJOs and generate documentation -->
 		<dependency>
-			<groupId>io.springfox</groupId>
-			<artifactId>springfox-swagger2</artifactId>
-			<version>${springfox-swagger2.version}</version>
-		</dependency>
-		<dependency>
-			<groupId>io.springfox</groupId>
-			<artifactId>springfox-bean-validators</artifactId>
-			<version>${springfox-swagger2.version}</version>
+			<groupId>io.swagger.core.v3</groupId>
+			<artifactId>swagger-annotations</artifactId>
+			<version>2.2.15</version>
 		</dependency>
+		<!-- SpringFox: generate YAML file from POJOs and generate documentation -->
+
 		<dependency>
-			<groupId>io.springfox</groupId>
-			<artifactId>springfox-swagger-ui</artifactId>
-			<version>${springfox-swagger2.version}</version>
+			<groupId>org.springdoc</groupId>
+			<artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
+			<version>2.4.0</version>
 		</dependency>
 		<dependency>
 			<groupId>javax.ws.rs</groupId>
 			<artifactId>javax.ws.rs-api</artifactId>
-			<version>2.1.1</version>
+			<version>${javax.ws.rs-api.version}</version>
 		</dependency>
 		<dependency>
 			<groupId>javax.xml.ws</groupId>
@@ -108,7 +124,7 @@
 		<dependency>
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-core</artifactId>
-			<version>${spring.security}</version>
+			<version>${spring-security.version}</version>
 		</dependency>
 
 
@@ -129,17 +145,17 @@
 		<dependency>
 			<groupId>org.apache.commons</groupId>
 			<artifactId>commons-lang3</artifactId>
-			<version>3.11</version>
+			<version>${commons-lang3.version}</version>
 		</dependency>
 		<dependency>
 			<groupId>org.apache.commons</groupId>
 			<artifactId>commons-text</artifactId>
-			<version>1.10.0</version>
+			<version>${commons-text.version}</version>
 		</dependency>
 		<dependency>
 			<groupId>commons-io</groupId>
 			<artifactId>commons-io</artifactId>
-			<version>2.6</version>
+			<version>${commons-io.version}</version>
 		</dependency>
 
 		<!-- Jsoup -->
@@ -153,7 +169,6 @@
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-thymeleaf</artifactId>
-			<version>2.3.5.RELEASE</version><!--$NO-MVN-MAN-VER$ -->
 		</dependency>
 
 		<!-- Test scope dependencies -->
@@ -167,18 +182,6 @@
 			<artifactId>spring-security-test</artifactId>
 			<scope>test</scope>
 		</dependency>
-		<dependency>
-			<artifactId>powermock-module-junit4</artifactId>
-			<groupId>org.powermock</groupId>
-			<scope>test</scope>
-			<version>2.0.2</version>
-		</dependency>
-		<dependency>
-			<artifactId>powermock-api-mockito2</artifactId>
-			<groupId>org.powermock</groupId>
-			<scope>test</scope>
-			<version>2.0.2</version>
-		</dependency>
 
 		<!-- Exchange -->
 		<dependency>
@@ -204,6 +207,11 @@
 			<version>3.3.0</version>
 		</dependency>
 
+		<dependency>
+			<groupId>org.apache.httpcomponents.client5</groupId>
+			<artifactId>httpclient5</artifactId>
+		</dependency>
+
 		<dependency>
 			<groupId>com.github.jknack</groupId>
 			<artifactId>handlebars</artifactId>
@@ -234,8 +242,17 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
+
+		<!-- test dependencies -->
+		<dependency>
+			<groupId>junit</groupId>
+			<artifactId>junit</artifactId>
+			<version>4.13.2</version>
+			<scope>test</scope>
+		</dependency>
 	</dependencies>
 
+
 	<build>
 		<finalName>${project.name}</finalName>
 		<resources>
@@ -264,9 +281,10 @@
 							<configOptions>
 								<interfaceOnly>true</interfaceOnly>
 								<sourceFolder>/</sourceFolder>
-									<ignoredDependencies>
+								<ignoredDependencies>
 										<ignoredDependency>javax.mail:mailapi:1.4.3</ignoredDependency>
-									</ignoredDependencies>
+								</ignoredDependencies>
+								<useSpringBoot3>true</useSpringBoot3>
 							</configOptions>
 							<inputSpec>${project.basedir}/api/mailservice.yaml</inputSpec>
 							<generatorName>spring</generatorName>

src/main/java/de/caritas/cob/mailservice/MailServiceApplication.java

@@ -9,5 +9,4 @@ public class MailServiceApplication {
   public static void main(String[] args) {
     SpringApplication.run(MailServiceApplication.class, args);
   }
-
 }

src/main/java/de/caritas/cob/mailservice/api/ApiDefaultResponseEntityExceptionHandler.java

@@ -1,13 +1,13 @@
 package de.caritas.cob.mailservice.api;
 
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.core.Ordered;
 import org.springframework.core.annotation.Order;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.ControllerAdvice;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.context.request.WebRequest;
-import lombok.extern.slf4j.Slf4j;
 
 @Slf4j
 @ControllerAdvice
@@ -18,15 +18,16 @@ public class ApiDefaultResponseEntityExceptionHandler {
    * "Catch all" respectively fallback for all controller error messages that are not specifically
    * retained by {@link ApiResponseEntityExceptionHandler}. For the caller side does not need to
    * know the exact error stack trace, this method catches the trace and logs it.
-   * 
+   *
    * @param ex
    * @param request
    * @return
    */
   @ExceptionHandler({RuntimeException.class})
-  public ResponseEntity<Object> handleInternal(final RuntimeException ex,
-      final WebRequest request) {
-    log.error("Default: MailService API: 500 Internal Server Error: {}",
+  public ResponseEntity<Object> handleInternal(
+      final RuntimeException ex, final WebRequest request) {
+    log.error(
+        "Default: MailService API: 500 Internal Server Error: {}",
         org.apache.commons.lang3.exception.ExceptionUtils.getStackTrace(ex));
 
     return new ResponseEntity<>(HttpStatus.INTERNAL_SERVER_ERROR);