update(deps): vuln reducing (#170)

* update(deps): vuln reducing * update deprecated java constructor * json to 20231013 * openapi to 1.7.0 * spring security to 6.2.0 * snake yaml to 2.2 * gradle to 8.4 * dep(build.gradle): update logback
navikt · Nov 27, 2023 · f7806ee · f7806ee
1 parent 50667b2
commit f7806ee
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 29 deletions.
diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml
@@ -30,7 +30,7 @@ jobs:
  build:
  name: Build and push Docker container
  needs: test
- if: github.event_name != 'pull_request'
+ if: github.actor == 'dependabot[bot]'
  runs-on: ubuntu-20.04
  outputs:
  "image": ${{ steps.docker-build-push.outputs.image }}

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -30,7 +30,7 @@ jobs:
  build:
  name: Build and push Docker container
  needs: test
- if: github.event_name != 'pull_request'
+ if: github.actor == 'dependabot[bot]'
  runs-on: ubuntu-20.04
  outputs:
  "image": ${{ steps.docker-build-push.outputs.image }}
@@ -48,17 +48,13 @@ jobs:
  - name: Build JAR
  run: ./gradlew bootJar -x test
 
- - name: Generate and output SBOM
- run: ./gradlew cyclonedxBom
-
  - name: Push docker image to GAR and sign image
  uses: nais/docker-build-push@v0
  id: docker-build-push
  with:
  team: aura
  identity_provider: ${{ secrets.NAIS_WORKLOAD_IDENTITY_PROVIDER }} # Provided as Organization Secret
  project_id: ${{ vars.NAIS_MANAGEMENT_PROJECT_ID }} # Provided as Organization Variable
- byosbom: build/reports/bom.json
 
  - name: Upload salsa
  uses: actions/upload-artifact@v3

diff --git a/build.gradle.kts b/build.gradle.kts
@@ -2,16 +2,18 @@ import org.gradle.api.tasks.testing.logging.TestLogEvent
 import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
 
 object Version {
+ const val springSecurity = "6.2.0"
+ const val snakeYaml = "2.2"
  const val mockk = "1.12.3"
  const val kotest = "5.4.2"
  const val apacheHttp = "4.5.12"
  const val gradleVersion = "7.4.1"
- const val json = "20220320"
+ const val json = "20231013"
  const val kotlinLoggin = "2.1.21"
- const val logbackStash = "7.0.1"
+ const val logbackStash = "7.4"
  const val mockOAuth2Server = "0.5.1"
  const val nimbus = "9.41"
- const val openapi = "1.6.6"
+ const val openapi = "1.7.0"
  const val unboundid = "6.0.3"
  const val wiremock = "3.0.1"
  const val wiremockCloud = "4.0.4"
@@ -30,11 +32,10 @@ plugins {
  kotlin("plugin.allopen") version kotlinVersion
  id("org.jmailen.kotlinter") version "3.10.0"
  id("com.github.ben-manes.versions") version "0.49.0"
- id("org.springframework.boot") version "3.1.5"
+ id("org.springframework.boot") version "3.2.0"
  id("org.jetbrains.kotlin.jvm") version kotlinVersion
  id("org.jetbrains.kotlin.plugin.spring") version kotlinVersion
  id("io.spring.dependency-management") version "1.1.4"
- id("org.cyclonedx.bom") version "1.7.4"
 }
 
 application {
@@ -74,19 +75,17 @@ dependencies {
  implementation("org.springframework.boot:spring-boot-starter-web")
  implementation("org.conscrypt:conscrypt-openjdk:2.5.2")
  implementation("org.springdoc:springdoc-openapi-ui:${Version.openapi}")
- implementation("org.yaml:snakeyaml")
+ implementation("org.yaml:snakeyaml:${Version.snakeYaml}")
  runtimeOnly("com.oracle.database.jdbc:ojdbc8")
 
  // test
  testImplementation("com.h2database:h2:${Version.h2}")
  testImplementation("no.nav.security:mock-oauth2-server:${Version.mockOAuth2Server}")
- //testImplementation("org.hibernate:hibernate-testing")
  testImplementation("org.springframework.boot:spring-boot-starter-test") {
  exclude(group = "com.vaadin.external.google", module = "android-json")
  exclude(module = "junit")
  }
- testImplementation("org.springframework.security:spring-security-test")
- //testImplementation("com.github.tomakehurst:wiremock-jre8:${Version.wiremock}")
+ testImplementation("org.springframework.security:spring-security-test:${Version.springSecurity}")
  testImplementation("org.springframework.cloud:spring-cloud-contract-wiremock:${Version.wiremockCloud}")
  testImplementation("org.junit.jupiter:junit-jupiter-api")
  testImplementation("io.kotest:kotest-assertions-core:${Version.kotest}")

diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.4.1-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.4-bin.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
diff --git a/src/main/kotlin/no/nav/gandalf/accesstoken/IssuerConfig.kt b/src/main/kotlin/no/nav/gandalf/accesstoken/IssuerConfig.kt
@@ -10,6 +10,7 @@ import com.nimbusds.oauth2.sdk.OAuth2Error
 import com.nimbusds.oauth2.sdk.`as`.AuthorizationServerMetadata
 import mu.KotlinLogging
 import no.nav.gandalf.http.ProxyAwareResourceRetriever
+import org.springframework.util.ResourceUtils
 import java.net.URL
 
 private val log = KotlinLogging.logger { }
@@ -23,11 +24,10 @@ interface IssuerConfig {
  fun from(wellKnownUrl: String) = issuerConfig {
  log.info { "retrieve metadata from wellknown: $wellKnownUrl" }
  AuthorizationServerMetadata.parse(
- ProxyAwareResourceRetriever().retrieveResource(URL(wellKnownUrl)).content
+ ProxyAwareResourceRetriever().retrieveResource(wellKnownUrl.toUrl()).content
  ).let {
  WellKnown(
- it.issuer.toString(),
- it.jwkSetURI.toString()
+ it.issuer.toString(), it.jwkSetURI.toString()
  )
  }
  }
@@ -39,26 +39,24 @@ interface IssuerConfig {
  private fun issuerConfig(wellKnownFunction: () -> WellKnown): IssuerConfig = object : IssuerConfig {
  val wellKnown: WellKnown by lazy { wellKnownFunction.invoke() }
  val remoteJWKSet: RemoteJWKSet<SecurityContext?> by lazy {
- RemoteJWKSet<SecurityContext?>(URL(wellKnown.jwksUrl), ProxyAwareResourceRetriever())
+ RemoteJWKSet<SecurityContext?>(wellKnown.jwksUrl.toUrl(), ProxyAwareResourceRetriever())
  }
  override val issuer: String by lazy { wellKnownFunction.invoke().issuer }
  override fun getKeyByKeyId(keyId: String?): RSAKey = remoteJWKSet.getKeyByKeyId(keyId)
  }
 
  private fun RemoteJWKSet<SecurityContext?>.getKeyByKeyId(keyId: String?): RSAKey =
- get(keyId?.toJWKSelector(), null)?.firstOrNull()?.toRSAKey()
- ?: throw OAuthException(
- OAuth2Error.INVALID_REQUEST.setDescription(
- "Could not find matching keys in configuration for kid=$keyId"
- )
+ get(keyId?.toJWKSelector(), null)?.firstOrNull()?.toRSAKey() ?: throw OAuthException(
+ OAuth2Error.INVALID_REQUEST.setDescription(
+ "Could not find matching keys in configuration for kid=$keyId"
  )
+ )
 
  private fun String.toJWKSelector(): JWKSelector = JWKSelector(
- JWKMatcher.Builder()
- .keyType(KeyType.RSA)
- .keyID(this)
- .build()
+ JWKMatcher.Builder().keyType(KeyType.RSA).keyID(this).build()
  )
+
+ private fun String.toUrl(): URL = ResourceUtils.toURL(this)
  }
 
  private data class WellKnown(