Vulnerability fixes and updates to latest Conductor core (#24)

* Update to latest conductor core version, fix vulnerabilities by upgrading dependencies

* Minor formatting updates to readme

* Removed all known vulnerabilities with version upgrades

* Fix more vulnerabilities and classpath errors

README.md

@@ -71,8 +71,8 @@ docker pull orkesio/orkes-conductor-community:latest
 * **Group:** `io.orkes.conductor`
 * **Artifacts:** `orkes-conductor-community-{server,persistence,archive}`
 
-| Artifact    | Gradle                                                                            |
-|-------------|-----------------------------------------------------------------------------------|
+| Artifact    | Gradle                                                                              |
+|-------------|-------------------------------------------------------------------------------------|
 | server      | `implementation 'io.orkes.conductor:orkes-conductor-community-server:VERSION'`      |
 | persistence | `implementation 'io.orkes.conductor:orkes-conductor-community-persistence:VERSION'` |  
 | archive     | `implementation 'io.orkes.conductor:orkes-conductor-community-archive:VERSION'`     |
@@ -88,7 +88,7 @@ Use GitHub issue tracking for filing issues and Discussion Forum for any other q
 [Orkes](http://orkes.io) development team creates and maintains the Orkes-Conductor releases.
 
 ## License
-Copyright 2022 Orkes, Inc
+Copyright 2023 Orkes, Inc
 
 Licensed under Orkes Community License.  You may obtain a copy of the License at:
 ```

archive/build.gradle

@@ -43,7 +43,8 @@ dependencies {
     testImplementation "org.testcontainers:postgresql:${versions.revTestContainer}"
 
     //Fake data generator
-    testImplementation "com.github.javafaker:javafaker:1.0.2"
+    testImplementation ('com.github.javafaker:javafaker:1.0.2') { exclude module: 'snakeyaml' }
+//    testImplementation group: 'org.yaml', name: 'snakeyaml', version: '2.2'
 }
 
 test {

archive/src/main/java/io/orkes/conductor/dao/archive/ArchivedIndexDAO.java

@@ -13,7 +13,9 @@
 package io.orkes.conductor.dao.archive;
 
 import java.util.List;
+import java.util.Objects;
 import java.util.concurrent.CompletableFuture;
+import java.util.stream.Collectors;
 
 import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.context.annotation.Primary;
@@ -26,6 +28,7 @@
 import com.netflix.conductor.common.run.WorkflowSummary;
 import com.netflix.conductor.core.events.queue.Message;
 import com.netflix.conductor.dao.IndexDAO;
+import com.netflix.conductor.model.WorkflowModel;
 
 import lombok.extern.slf4j.Slf4j;
 
@@ -68,6 +71,53 @@ public SearchResult<String> searchWorkflows(
         return archiveDAO.searchWorkflows(query, freeText, start, count);
     }
 
+    @Override
+    public SearchResult<WorkflowSummary> searchWorkflowSummary(
+            String query, String freeText, int start, int count, List<String> sort) {
+        ScrollableSearchResult<String> results =
+                archiveDAO.searchWorkflows(query, freeText, start, count);
+        List<WorkflowSummary> workflowSummaryList =
+                results.getResults().stream()
+                        .map(wfId -> archiveDAO.getWorkflow(wfId, false))
+                        .filter(Objects::nonNull)
+                        .map(this::convertToWorkflowSummary)
+                        .collect(Collectors.toList());
+        return new SearchResult<>(results.getTotalHits(), workflowSummaryList);
+    }
+
+    private WorkflowSummary convertToWorkflowSummary(WorkflowModel wfModel) {
+        return new WorkflowSummary(wfModel.toWorkflow());
+    }
+
+    @Override
+    public CompletableFuture<Void> asyncRemoveTask(String workflowId, String taskId) {
+        log.debug("Task index is not maintained in this environment");
+        return CompletableFuture.completedFuture(null);
+    }
+
+    @Override
+    public CompletableFuture<Void> asyncUpdateTask(
+            String workflowId, String taskId, String[] keys, Object[] values) {
+        log.debug("Task index is not maintained in this environment");
+        return CompletableFuture.completedFuture(null);
+    }
+
+    @Override
+    public void updateTask(String workflowId, String taskId, String[] keys, Object[] values) {
+        throw new UnsupportedOperationException("Task index is not maintained in this environment");
+    }
+
+    @Override
+    public void removeTask(String workflowId, String taskId) {
+        throw new UnsupportedOperationException("Task index is not maintained in this environment");
+    }
+
+    @Override
+    public SearchResult<TaskSummary> searchTaskSummary(
+            String query, String freeText, int start, int count, List<String> sort) {
+        throw new UnsupportedOperationException("Task search is not supported in this environment");
+    }
+
     @Override
     public SearchResult<String> searchTasks(
             String query, String freeText, int start, int count, List<String> sort) {

archive/src/test/java/io/orkes/conductor/dao/postgres/PostgresDAOTestUtil.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 Orkes, Inc.
+ * Copyright 2023 Orkes, Inc.
  * <p>
  * Licensed under the Orkes Community License (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at

build.gradle

@@ -15,20 +15,22 @@ ext {
     springBootVersion = '2.5.6'
 
     versions = [
-            revConductor            : '3.10.7',
+            revConductor            : '3.13.8',
             revTestContainer        : '1.17.2',
-            revGuava                : '30.0-jre',
+            revGuava                : '32.0.0-jre',
             log4j                   : '2.17.1',
-            revJedis                : '3.3.0',
+            revJedis                : '3.8.0',
             revMockServerClient     : '5.12.0',
             revCommonsLang          : '3.12.0',
             revLombok               : '1.18.24',
             revLucene               : '7.7.3',
             revSpectator            : '0.122.0',
-            revOpenapi              : '1.6.11',
-            revAwsSdk               : '1.12.153',
-            revProtoBuf             : '3.13.0',
+            revJsonPath             : '2.8.0',
+            revOpenapi              : '1.7.+',
+            revAwsSdk               : '1.12.549',
+            revProtoBuf             : '3.16.3',
             revRarefiedRedis        : '0.0.17',
+            revOrkesProtos          : '0.9.2',
             revOrkesQueues          : '1.0.6'
     ]
 }
@@ -73,6 +75,16 @@ subprojects {
     }
 
     dependencies {
+
+        implementation('net.minidev:json-smart') {
+            version {
+                strictly '2.4.10'
+            }
+        }
+
+        implementation 'com.amazonaws:aws-java-sdk-s3:1.12.548'
+        implementation "redis.clients:jedis:${versions.revJedis}"
+
         implementation "org.apache.logging.log4j:log4j-core:${versions.log4j}!!"
         implementation "org.apache.logging.log4j:log4j-api:${versions.log4j}!!"
         implementation "org.apache.logging.log4j:log4j-slf4j-impl:${versions.log4j}!!"
@@ -86,6 +98,25 @@ subprojects {
         implementation "org.apache.commons:commons-lang3:${versions.revCommonsLang}"
     }
 
+    allprojects {
+        configurations.all {
+            resolutionStrategy.eachDependency { DependencyResolveDetails details ->
+                if (details.requested.group == 'com.fasterxml.jackson.core') {
+                    details.useVersion '2.15.2'
+                }
+                if (details.requested.group == 'com.fasterxml.jackson.dataformat') {
+                    details.useVersion '2.15.2'
+                }
+                if (details.requested.group == 'org.yaml') {
+                    details.useVersion '2.2'
+                }
+                if (details.requested.group == 'io.netty' && details.requested.version == '4.1.70.Final') {
+                    details.useVersion "4.1.94.Final"
+                }
+            }
+        }
+    }
+
     dependencyManagement {
         imports {
             mavenBom(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)

docker/DockerfileStandalone

@@ -1,4 +1,4 @@
-FROM alpine:3.16.2
+FROM alpine:3.18.3
 MAINTAINER Orkes Inc <[email protected]>
 
 # Install software required to run conductor stack

persistence/src/main/java/com/netflix/conductor/redis/config/AnyRedisCondition.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 Orkes, Inc.
+ * Copyright 2023 Orkes, Inc.
  * <p>
  * Licensed under the Orkes Community License (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at

persistence/src/main/java/com/netflix/conductor/redis/config/InMemoryRedisConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 Orkes, Inc.
+ * Copyright 2023 Orkes, Inc.
  * <p>
  * Licensed under the Orkes Community License (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
@@ -45,6 +45,7 @@ public JedisMock jedisMock() {
 
     @Bean
     public JedisCommands jedisCommands() {
+        //noinspection SpringConfigurationProxyMethods
         return new JedisStandalone(jedisPool());
     }
 
@@ -62,6 +63,7 @@ public Jedis getResource() {
     @Bean
     public OrkesJedisProxy OrkesJedisProxy() {
         System.out.println("OrkesJedisProxy created");
+        //noinspection SpringConfigurationProxyMethods
         return new OrkesJedisProxy(jedisPool());
     }
 }

persistence/src/main/java/com/netflix/conductor/redis/config/RedisClusterConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 Orkes, Inc.
+ * Copyright 2023 Orkes, Inc.
  * <p>
  * Licensed under the Orkes Community License (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
@@ -28,6 +28,7 @@
 import com.netflix.dyno.connectionpool.Host;
 
 import redis.clients.jedis.HostAndPort;
+import redis.clients.jedis.Jedis;
 import redis.clients.jedis.Protocol;
 
 @Configuration(proxyBeanMethods = false)
@@ -41,7 +42,7 @@ public class RedisClusterConfiguration {
 
     @Bean
     public JedisCluster getJedisCluster(RedisProperties properties) {
-        GenericObjectPoolConfig<?> genericObjectPoolConfig = new GenericObjectPoolConfig<>();
+        GenericObjectPoolConfig<Jedis> genericObjectPoolConfig = new GenericObjectPoolConfig<>();
         genericObjectPoolConfig.setMaxTotal(properties.getMaxConnectionsPerHost());
         ConfigurationHostSupplier hostSupplier = new ConfigurationHostSupplier(properties);
         Set<HostAndPort> hosts =

persistence/src/main/java/com/netflix/conductor/redis/config/RedisSentinelConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 Orkes, Inc.
+ * Copyright 2023 Orkes, Inc.
  * <p>
  * Licensed under the Orkes Community License (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at
@@ -27,6 +27,7 @@
 import com.netflix.conductor.redis.jedis.JedisSentinel;
 import com.netflix.dyno.connectionpool.Host;
 
+import redis.clients.jedis.Jedis;
 import redis.clients.jedis.JedisSentinelPool;
 import redis.clients.jedis.Protocol;
 
@@ -38,7 +39,7 @@ public class RedisSentinelConfiguration {
 
     @Bean
     protected JedisSentinel getJedisSentinel(RedisProperties properties) {
-        GenericObjectPoolConfig<?> genericObjectPoolConfig = new GenericObjectPoolConfig<>();
+        GenericObjectPoolConfig<Jedis> genericObjectPoolConfig = new GenericObjectPoolConfig<>();
         genericObjectPoolConfig.setMinIdle(properties.getMinIdleConnections());
         genericObjectPoolConfig.setMaxIdle(properties.getMaxIdleConnections());
         genericObjectPoolConfig.setMaxTotal(properties.getMaxConnectionsPerHost());

persistence/src/main/java/com/netflix/conductor/redis/config/RedisStandaloneConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2020 Orkes, Inc.
+ * Copyright 2023 Orkes, Inc.
  * <p>
  * Licensed under the Orkes Community License (the "License"); you may not use this file except in compliance with
  * the License. You may obtain a copy of the License at

persistence/src/main/java/com/netflix/conductor/redis/dao/RedisMetadataDAO.java

@@ -283,6 +283,27 @@ public List<WorkflowDef> getAllWorkflowDefs() {
         return workflows;
     }
 
+    @Override
+    public List<WorkflowDef> getAllWorkflowDefsLatestVersions() {
+        List<WorkflowDef> workflows = new LinkedList<>();
+
+        // Get all definitions latest versions from WORKFLOW_DEF_NAMES
+        recordRedisDaoRequests("getAllWorkflowLatestVersionsDefs");
+        Set<String> wfNames = orkesJedisProxy.smembers(nsKey(WORKFLOW_DEF_NAMES));
+        int size = 0;
+        // Place all workflows into the Priority Queue. The PQ will allow us to grab the latest
+        // version of the workflows.
+        for (String wfName : wfNames) {
+            WorkflowDef def = getLatestWorkflowDef(wfName).orElse(null);
+            if (def != null) {
+                workflows.add(def);
+                size += def.toString().length();
+            }
+        }
+        recordRedisDaoPayloadSize("getAllWorkflowLatestVersionsDefs", size, "n/a", "n/a");
+        return workflows;
+    }
+
     private void _createOrUpdate(WorkflowDef workflowDef) {
         if (isNull(workflowDef.getUpdateTime())) {
             workflowDef.setUpdateTime(System.currentTimeMillis());