This includes an upgrade to Spring Boot 2.5.5 which mainly includes bug fixes and version upgrades
This includes an upgrade to Kotlin 1.5.31 which is a bugfix release.
Plugin dependencies:
- org.jetbrains.kotlin.jvm:org.jetbrains.kotlin.jvm.gradle.plugin [1.5.30 -> 1.5.31]
Applied jar dependencies:
- org.springframework.boot:spring-boot-gradle-plugin [2.5.4 -> 2.5.5]
- org.jetbrains.kotlin:kotlin-gradle-plugin [1.5.30 -> 1.5.31]
- com.fasterxml.jackson.module:jackson-module-kotlin [2.12.4 -> 2.12.5]
- com.google.guava:guava [30.1.1-jre -> 31.0-jre]
Test dependencies:
- org.assertj:assertj-core [3.20.2 -> 3.21.0]
- org.junit.jupiter:junit-jupiter [5.8.0 -> 5.8.1]
- org.junit.vintage:junit-vintage-engine [5.7.2 -> 5.8.1]
# 3.3.8
CVE-2020-0822 states: "An elevation of privilege vulnerability exists when the Windows Language Pack Installer improperly handles file operations, aka 'Windows Language Pack Installer Elevation of Privilege Vulnerability'."
This is a Windows-only issue that cannot apply to our services, which run on Linux, so the finding is a false positive and has been suppressed.
Plugin dependencies:
- com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin [0.15.0 -> 0.16.0]
- org.owasp:dependency-check-gradle [6.2.2 -> 6.3.1]
- org.jlleitschuh.gradle.ktlint:org.jlleitschuh.gradle.ktlint.gradle.plugin [10.1.0 -> 10.2.0]
Applied jar dependencies:
- org.jlleitschuh.gradle.ktlint:org.jlleitschuh.gradle.ktlint.gradle.plugin [10.1.0 -> 10.2.0]
- org.owasp:dependency-check-gradle [6.2.2 -> 6.3.1]
Test dependencies:
- org.junit.jupiter:junit-jupiter [5.7.2 -> 5.8.0]
- org.eclipse.jgit:org.eclipse.jgit [5.12.0.202106070339-r -> 5.13.0.202109080827-r]
This includes an upgrade to Spring Boot 2.5.4 which mainly includes bug fixes and version upgrades
This includes an upgrade to Kotlin 1.5.30 which is a bugfix release.
Plugin dependencies:
- kotlin-gradle-plugin [1.5.21 -> 1.5.30]
Applied jar dependencies:
- spring-boot-gradle-plugin [2.5.3 -> 2.5.4]
- kotlin-gradle-plugin [1.5.21 -> 1.5.30]
- com.fasterxml.jackson.module:jackson-module-kotlin [2.12.3 -> 2.12.4]
Test dependencies:
- org.mockito:mockito-junit-jupiter [3.11.2 -> 3.12.4]
- net.javacrumbs.json-unit:json-unit-assertj [2.27.0 -> 2.28.0]
- com.google.code.gson:gson [2.8.7 -> 2.8.8]
Apply a suppression for the lang-tag false positive, as reported against the nim library in nim-lang/zip#54.
This includes an upgrade to Spring Boot 2.5.3 which mainly includes bug fixes and version upgrades
This includes an upgrade to Kotlin 1.5.21 which is a bugfix release.
Plugin dependencies:
- kotlin-gradle-plugin [1.5.20 -> 1.5.21]
Applied jar dependencies:
- spring-boot-gradle-plugin [2.5.2 -> 2.5.3]
- kotlin-gradle-plugin [1.5.20 -> 1.5.21]
- com.fasterxml.jackson.module:jackson-module-kotlin [2.12.3 -> 2.12.4]
This includes an upgrade to Spring Boot 2.5.2 which mainly includes bug fixes and version upgrades
hmpps-auth (our OAuth2 provider) now URL-decodes the client id / secret before checking them, which resolves the problem we had with Spring Security 5.5.1 URL-encoding the client id and client secret. The Spring Security pin has therefore been lifted and Spring Boot 2.5.2 now pulls in Spring Security 5.5.1.
Applied jar dependencies:
- spring-boot-gradle-plugin [2.5.0 -> 2.5.2]
- spring-security.version [5.5.0 -> 5.5.1]
This includes an upgrade to Spring Boot 2.5.2 which mainly includes bug fixes and version upgrades
Spring Boot 2.5.2 includes Spring Security 5.5.1, which now URL-encodes (application/x-www-form-urlencoded, as RFC 6749 section 2.3.1 specifies) both the client id and client secret before placing them in the HTTP Basic Authorization header of the token request. Any client secret containing special characters therefore stops working against an OAuth2 provider that does not URL-decode the client id / secret before checking them, which is currently the case for hmpps-auth.
The issue has been raised with Spring Security - spring-projects/spring-security#10018
This plugin now downgrades Spring Security to version 5.5.0 automatically.
Note that this automatic downgrade will need to be removed once the problem of URL-encoding the client id and client secret is resolved.
Applied jar dependencies:
- spring-boot-gradle-plugin [2.5.0 -> 2.5.2]
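The encoding mismatch described in the two Spring Boot 2.5.2 entries above, as an added example (not code from this plugin, Spring Security or hmpps-auth): it builds the HTTP Basic Authorization header of an OAuth2 client_credentials token request with and without the form-url-encoding step that Spring Security 5.5.1 introduced, then parses it the way a provider would, with and without the matching decode. The credentials are constructed for the demonstration and the function names are illustrative, not Spring Security or hmpps-auth APIs.

```python
import base64
from urllib.parse import quote_plus, unquote_plus

# Constructed sample credentials for the demonstration (not real ones). The
# secret deliberately contains '&', '=', '+' and a space, all of which the
# application/x-www-form-urlencoded encoding rewrites.
CLIENT_ID = "example-client"
CLIENT_SECRET = "p&ss=w+rd 1"


def basic_auth_header(client_id: str, client_secret: str, form_encode: bool) -> str:
    """Build the Authorization header of a client_credentials token request.

    RFC 6749 section 2.3.1 says both values are form-url-encoded before the
    "id:secret" string is Base64-encoded. form_encode=False reproduces the
    pre-5.5.1 Spring Security behaviour, form_encode=True the 5.5.1 behaviour.
    """
    if form_encode:
        client_id = quote_plus(client_id)
        client_secret = quote_plus(client_secret)
    token = base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth_header(header: str, form_decode: bool) -> tuple[str, str]:
    """Recover (client_id, client_secret) the way an OAuth2 provider would.

    form_decode=False is a provider that compares the raw values, form_decode=True
    one that reverses the RFC 6749 encoding first.
    """
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        raise ValueError("not a Basic Authorization header")
    client_id, sep, client_secret = base64.b64decode(token).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("missing ':' separator between client id and secret")
    if form_decode:
        client_id, client_secret = unquote_plus(client_id), unquote_plus(client_secret)
    return client_id, client_secret


def provider_accepts(header: str, form_decode: bool) -> bool:
    """True when the provider's view of the credentials equals what it has stored."""
    client_id, client_secret = parse_basic_auth_header(header, form_decode)
    return client_id == CLIENT_ID and client_secret == CLIENT_SECRET


def outcome_matrix() -> dict[tuple[bool, bool], bool]:
    """Map (client encodes, provider decodes) to whether the token request is accepted."""
    return {
        (encodes, decodes): provider_accepts(
            basic_auth_header(CLIENT_ID, CLIENT_SECRET, form_encode=encodes), form_decode=decodes
        )
        for encodes in (True, False)
        for decodes in (True, False)
    }


if __name__ == "__main__":
    for (encodes, decodes), accepted in outcome_matrix().items():
        print(f"client encodes={encodes!s:<5} provider decodes={decodes!s:<5} -> accepted={accepted}")
```

Only the two matching combinations succeed. The case where the client does not encode but the provider decodes fails as well, because form-url-decoding turns a literal `+` into a space and interprets any `%xx` sequence, so a provider that starts decoding breaks older clients whose secrets contain those characters. Client and provider therefore have to be switched over together, or secrets restricted to characters the encoding leaves unchanged.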
A problem has been identified with the upgrade to Spring Boot 2.5.2, namely client secrets aren't being transmitted correctly to HMPPS Auth. The upgrade has therefore been reverted until we investigate further and provide a solution.
Applied jar dependencies:
- spring-boot-gradle-plugin [2.5.2 -> 2.5.0]
CVE-2021-45046 https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
We have bumped the version of log4j to 2.16.0 so that scanners stop flagging this and CVE-2021-44228. Note that only log4j-core contains the vulnerable lookup code: the log4j-api and log4j-to-slf4j jars that Spring Boot's default logging starter pulls in only route log4j API calls through to Logback and cannot be exploited on their own, so findings against them are false positives unless a project has switched its logging system to Log4J2 and therefore actually depends on log4j-core.
Netty prior to version 4.1.71.Final (CVE-2021-43797) skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final to receive a patch.
CVE-2021-44228 https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
With the OWASP dependency check now flagging the 2.14.1 version of log4j as vulnerable, we have bumped the version of log4j to 2.15.0 to stop this and other vulnerability scanning software flagging log4j as having the vulnerability. We have removed the .trivyignore file as it is no longer needed.
Add a .trivyignore file to suppress the false positive for log4j-api (CVE-2021-44228) https://spring.io/blog/2021/12/10/log4j2-vulnerability-and-spring-boot
The .trivyignore file will need to be added to your repository so that the Trivy scan job will pick it up.
This removes jcenter as a repository. In Feb 2021 it was announced that JFrog were planning to shut down JCenter. They have since decided to keep it as a read-only repository, but Gradle have still marked it as a deprecated repository so we should still look to migrate away.
If any projects were relying on packages only in JCenter, they should explicitly include it in the project's build.gradle.kts like so:
repositories {
jcenter()
}
Or consult Gradle's documentation on migrating away from JCenter.
The agent has been updated to 3.2.3: https://github.com/microsoft/ApplicationInsights-Java/releases/tag/3.2.3
Plugin dependencies:
- com.gradle.plugin-publish [0.16.0 -> 0.17.0]
- se.patrikerdes.use-latest-versions [0.2.17 -> 0.2.18]
- org.owasp.dependencycheck [6.4.1.1 -> 6.5.0.1]
Applied jar dependencies:
- org.owasp:dependency-check-gradle [6.4.1.1 -> 6.5.0.1]
- se.patrikerdes.use-latest-versions:se.patrikerdes.use-latest-versions.gradle.plugin [0.2.17 -> 0.2.18]
- com.microsoft.azure:applicationinsights-agent [3.2.0 -> 3.2.3]
Test dependencies:
- com.google.code.gson:gson [2.8.8 -> 2.8.9]
This includes a bugfix to the dependencycheck extension which was breaking the dependencycheck jobs in CircleCI.
Plugin dependencies:
- org.owasp.dependencycheck [6.3.2 -> 6.4.1.1]
Applied jar dependencies:
- org.owasp:dependency-check-gradle [6.3.2 -> 6.4.1.1]
This includes an upgrade to Spring Boot 2.5.6 which mainly includes bug fixes and version upgrades
Plugin dependencies:
- org.owasp.dependencycheck [6.3.2 -> 6.4.1] (6.4.1.1 was skipped: the build failed both locally and on CircleCI because the OWASP ReportGenerator class failed to compile)
Applied jar dependencies:
- org.owasp:dependency-check-gradle [6.3.2 -> 6.4.1] (6.4.1.1 was skipped: the build failed both locally and on CircleCI because the OWASP ReportGenerator class failed to compile)
This seems to be quite a big update to the application insights agent - https://github.com/microsoft/ApplicationInsights-Java/releases/tag/3.2.0.
Plugin dependencies:
- org.owasp.dependencycheck [6.3.1 -> 6.3.2]
Applied jar dependencies:
- org.owasp:dependency-check-gradle [6.3.1 -> 6.3.2]
- com.google.guava:guava [31.0-jre -> 31.0.1-jre]
- com.microsoft.azure:applicationinsights-agent [3.1.1 -> 3.2.0]
Test dependencies:
- org.mockito:mockito-junit-jupiter [3.12.4 -> 4.0.0]
This includes an upgrade to Spring Boot 2.5.2 which mainly includes bug fixes and version upgrades
This includes an upgrade to Kotlin 1.5.20 which is a bugfix release and introduces the lombok plugin.
Plugin dependencies:
- kotlin-gradle-plugin [1.5.0 -> 1.5.20]
- com.github.ben-manes.versions [0.38.0 -> 0.39.0]
- se.patrikerdes.use-latest-versions [0.2.16 -> 0.2.17]
- org.owasp.dependencycheck [6.1.6 -> 6.2.2]
- org.jlleitschuh.gradle.ktlint [10.0.0 -> 10.1.0]
Applied jar dependencies:
- spring-boot-gradle-plugin [2.5.0 -> 2.5.2]
- kotlin-gradle-plugin [1.5.10 -> 1.5.20]
- dependency-check-gradle [6.1.6 -> 6.2.2]
- gradle-versions-plugin [0.38.0 -> 0.39.0]
- se.patrikerdes.use-latest-versions.gradle.plugin [0.2.16 -> 0.2.17]
- org.jlleitschuh.gradle.ktlint.gradle.plugin [10.0.0 -> 10.1.0]
- com.microsoft.azure:applicationinsights-agent [3.1.0 -> 3.1.1]
Test dependencies:
- mockito-junit-jupiter [3.10.0 -> 3.11.2]
- assertj-core [3.19.0 -> 3.20.2]
- net.javacrumbs.json-unit:json-unit-assertj [2.26.0 -> 2.27.0]
- org.eclipse.jgit [5.11.1.202105131744-r -> 5.12.0.202106070339-r]
Since this is a minor Spring Boot release there are upgrade instructions to follow. The SQL script initialisation properties under spring.datasource.* (schema, data, initialization-mode and friends) have moved to spring.sql.init.*, and the /info actuator endpoint is no longer exposed over the web by default. To expose /info publicly add management.endpoints.web.exposure.include: health,info to your application.yml. All applications based off the hmpps-template-kotlin will already have the necessary configuration.
This includes an upgrade to Kotlin 1.5.10 which is a bugfix release.
Plugin dependencies:
- spring-boot-gradle-plugin [2.4.5 -> 2.5.0]
- kotlin-gradle-plugin [1.5.0 -> 1.5.10]
Applied jar dependencies:
- org.junit.jupiter:junit-jupiter [5.7.1 -> 5.7.2]
- net.javacrumbs.json-unit:json-unit-assertj [2.25.0 -> 2.26.0]
- com.google.code.gson:gson [2.8.6 -> 2.8.7]
- com.fasterxml.jackson.module:jackson-module-kotlin [2.12.2 -> 2.12.3]
This contains a minor update to the application insights agent - https://github.com/microsoft/ApplicationInsights-Java/releases/tag/3.1.0. This adds the http verb to the name field in app insights.
- org.mockito:mockito-junit-jupiter [3.9.0 -> 3.10.0]
- org.eclipse.jgit:org.eclipse.jgit [5.11.0.202103091610-r -> 5.11.1.202105131744-r]
- com.microsoft.azure:applicationinsights-agent [3.0.3 -> 3.1.0]
This includes an upgrade to Kotlin 1.5, including minor language enhancements such as firstNotNullOf and stable unsigned number types such as UInt. It also adds a jvmTarget option of 16.
Plugin dependencies:
- org.owasp.dependencycheck [6.1.5 -> 6.1.6]
Applied jar dependencies:
- org.jetbrains.kotlin:kotlin-gradle-plugin [1.4.32 -> 1.5.0]
- com.gorylenko.gradle-git-properties.gradle.plugin [2.2.4 -> 2.3.1]
This includes an upgrade to Spring Boot 2.4.5 which mainly includes bug fixes and version upgrades
We fix the way the default jvmTarget of 11 is applied so that it can be overridden by individual projects.
Plugin dependencies:
- se.patrikerdes.use-latest-versions [0.2.15 -> 0.2.16]
Applied jar dependencies:
- org.springframework.boot:spring-boot-gradle-plugin [2.4.4 -> 2.4.5]
- org.mockito:mockito-junit-jupiter [3.8.0 -> 3.9.0]
Gradle upgrade [6.8.3 -> 7.0]
This contains a suppression for netty issue that is fixed in a newer version of netty, but not yet released by spring boot - see https://netty.io/news/2021/03/30/4-1-61-Final.html. We don't use netty for incoming requests and don't use codec-http2 to proxy http/2 either.
This contains a minor update to the application insights agent - https://github.com/microsoft/ApplicationInsights-Java/releases/tag/3.0.3. This fixes an issue with 1% of the telemetry calls using netty webclient not being correlated correctly.
- org.owasp.dependencycheck [6.1.4 -> 6.1.5]
- com.gorylenko.gradle-git-properties:com.gorylenko.gradle-git-properties.gradle.plugin [2.2.4 -> 2.3.0]
- com.microsoft.azure:applicationinsights-agent [3.0.2 -> 3.0.3]
Plugin dependencies:
- org.owasp.dependencycheck [6.1.3 -> 6.1.4]
- com.microsoft.azure:applicationinsights-logging-logback [2.6.2 -> 2.6.3]
Applied jar dependencies:
- com.fasterxml.jackson.module:jackson-module-kotlin [2.12.1 -> 2.12.2]
- com.google.guava:guava [30.1-jre -> 30.1.1-jre]
- com.microsoft.azure:applicationinsights-spring-boot-starter [2.6.2 -> 2.6.3]
# 3.1.2
This includes an upgrade to Spring Boot 2.4.4 which mainly includes bug fixes and version upgrades
Plugin dependencies:
- kotlin("jvm") [1.4.30 -> 1.4.32]
- com.gradle.plugin-publish [0.12.0 -> 0.13.0]
- com.github.ben-manes.versions [0.36.0 -> 0.38.0]
- org.owasp.dependencycheck [6.1.1 -> 6.1.3]
- uk.gov.justice.hmpps.gradle [3.1.1 -> 3.1.2]
Applied jar dependencies:
- org.springframework.boot:spring-boot-gradle-plugin [2.4.3 -> 2.4.4]
- org.jetbrains.kotlin:kotlin-gradle-plugin [1.4.30 -> 1.4.32]
- org.owasp:dependency-check-gradle [6.1.1 -> 6.1.3]
- com.github.ben-manes:gradle-versions-plugin [0.36.0 -> 0.38.0]
- org.mockito:mockito-junit-jupiter [3.7.7 -> 3.8.0]
- net.javacrumbs.json-unit:json-unit-assertj [2.24.0 -> 2.25.0]
- org.eclipse.jgit:org.eclipse.jgit [5.10.0.202012080955-r -> 5.11.0.202103091610-r]
This includes an upgrade to Spring Boot 2.4.3 which mainly includes bug fixes and version upgrades
Plugin dependencies:
- org.owasp.dependencycheck [6.1.0 -> 6.1.1]
- org.jlleitschuh.gradle.ktlint [9.4.1 -> 10.0.0]
Applied jar dependencies:
- net.logstash.logback:logstash-logback-encoder [6.5 -> 6.6]
- com.fasterxml.jackson.module:jackson-module-kotlin [2.12.0 -> 2.12.1]
This includes an upgrade to Kotlin 1.4.30
We suppress CVE-2020-29582 (insecure temporary file and directory creation in the Kotlin standard library) for Kotlin 1.4.30, as it only applies to Kotlin before 1.4.21 and the finding against 1.4.30 is a false positive.
Plugin dependencies:
- org.owasp.dependencycheck [6.0.5 -> 6.1.0]
Fix a bug preventing multi-project builds.
Test dependencies:
- net.javacrumbs.json-unit:json-unit-assertj [2.21.1 -> 2.24.0]
This includes an upgrade to Application Insights Agent v3. No new version of the SDK has been released and this remains at 2.6.2. Using SDK 2.6.2 with agent 3.0.0 is a supported configuration.
Note that the environment variables the Application Insights agent accepts have changed. APPLICATION_INSIGHTS_IKEY is no longer supported. It can be replaced by APPINSIGHTS_INSTRUMENTATIONKEY, or you can switch to using APPLICATIONINSIGHTS_CONNECTION_STRING and a connection string, which is the recommended method. See the Application Insights documentation for details about connection strings.
The configuration file has moved from AI-Agent.xml to applicationinsights.json.
Attaching the application version number to all traces via the context no longer works. This can be worked around by making BUILD_NUMBER available as an environment variable, which is then picked up by the custom dimension configuration below; the ContextInitializer bean can then be removed.
The WebTelemetryModule no longer listens to requests, so it can't be used to augment the requests with custom information. Instead a custom HandlerInterceptor has to be added to modify the request telemetry.
See https://github.com/ministryofjustice/offender-case-notes/pull/134/files for an example PR with the upgrade changes required, with
extra fixes for custom dimensions in https://github.com/ministryofjustice/offender-case-notes/pull/139/files.
Minimum suggested configuration file (note that instrumentation.logging.level of DEBUG forwards log messages at DEBUG and above to Application Insights as trace telemetry, so make sure debug output contains nothing sensitive):
{
  "role": {
    "name": "application-name"
  },
  "customDimensions": {
    "service.version": "${BUILD_NUMBER}"
  },
  "instrumentation": {
    "logging": {
      "level": "DEBUG"
    }
  },
  "selfDiagnostics": {
    "destination": "console"
  }
}
Upgrade Spring Boot to version 2.4.2
- org.owasp.dependencycheck version [6.0.4 -> 6.0.5]
- org.springframework.boot:spring-boot-gradle-plugin [2.4.1 -> 2.4.2]
- org.jetbrains.kotlin:kotlin-gradle-plugin [1.4.21 -> 1.4.21-2]
- io.spring.dependency-management:io.spring.dependency-management.gradle.plugin [1.0.10.RELEASE -> 1.0.11.RELEASE]
Test dependencies:
- org.mockito:mockito-junit-jupiter [3.6.28 -> 3.7.7]
- org.assertj:assertj-core [3.18.1 -> 3.19.0]
- net.javacrumbs.json-unit:json-unit-assertj [2.22.0 -> 2.22.1]