Merge remote-tracking branch 'upstream/master' into v3.0

.gitignore

@@ -4,4 +4,7 @@
 /application.yml
 /.project
 *.gz
+.project
+.classpath
+.settings
 

Jenkinsfile

@@ -3,6 +3,7 @@ pipeline {
     agent {
         kubernetes {
             yamlFile 'kubernetesPod.yaml'
+            workspaceVolume dynamicPVC(accessModes: 'ReadWriteOnce', requestsSize: '40Gi')
         }
     }
 
@@ -20,7 +21,7 @@ pipeline {
 
                      configFileProvider([configFile(fileId: 'maven-settings-rsb', variable: 'MAVEN_SETTINGS_RSB')]) {
 
-                         sh 'mvn -B -s $MAVEN_SETTINGS_RSB -U clean deploy'
+                         sh 'mvn -B -s $MAVEN_SETTINGS_RSB -Dmaven.repo.local=/home/jenkins/agent/m2 -U clean deploy'
 
                      }
                 }

LICENSE_HEADER

@@ -1,6 +1,6 @@
 ShinyProxy
 
-Copyright (C) 2016-2021 Open Analytics
+Copyright (C) 2016-2023 Open Analytics
 
 ===========================================================================
 

README.md

@@ -18,7 +18,7 @@ Open Source Enterprise Deployment for Shiny Apps
 
 Learn more at https://shinyproxy.io
 
-#### (c) Copyright Open Analytics NV, 2016-2021 - Apache License 2.0
+#### (c) Copyright Open Analytics NV, 2016-2023 - Apache License 2.0
 
 ## Building from source
 
@@ -33,7 +33,7 @@ The build will result in a single `.jar` file that is made available in the `tar
 ## Running the application
 
 ```
-java -jar shinyproxy-2.3.0.jar
+java -jar shinyproxy-3.0.0.jar
 ```
 
 Navigate to http://localhost:8080 to access the application.  If the default configuration is used, authentication will be done against the LDAP server at *ldap.forumsys.com*; to log in one can use the user name "tesla" and password "password".
@@ -42,4 +42,3 @@ Navigate to http://localhost:8080 to access the application.  If the default con
 ## Further information
 
 https://shinyproxy.io
-

kubernetesPod.yaml

@@ -1,12 +1,30 @@
 apiVersion: v1
 kind: Pod
 metadata:
+  name: shinyproxy
   labels:
     ci: shinyproxy-build
 spec:
+  securityContext:
+    fsGroup: 65534
   containers:
-   - name: containerproxy-build
-     image: 196229073436.dkr.ecr.eu-west-1.amazonaws.com/openanalytics/containerproxy-build 
-     command:
-     - cat
-     tty: true	
+    - name: containerproxy-build
+      image: 196229073436.dkr.ecr.eu-west-1.amazonaws.com/openanalytics/containerproxy-build
+      securityContext:
+        privileged: true
+      command: [ "sh" ]
+      args: [ "/usr/src/app/docker-entrypoint.sh" ]
+      tty: true
+      volumeMounts:
+        - name: workspace-volume
+          subPath: docker
+          mountPath: /var/lib/docker
+      resources:
+        requests:
+          ephemeral-storage: "20Gi"
+          memory: "2Gi"
+          cpu: "1.0"
+        limits:
+          memory: "4Gi"
+          cpu: "1.5"
+          ephemeral-storage: "20Gi"

owasp-suppression.xml

@@ -2,14 +2,27 @@
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <!--
         https://nvd.nist.gov/vuln/detail/CVE-2018-1258
-        Vulnerability only applies when using spring-framework 5.0.5 -> we are not using that version.
+        Vulnerability only applies to old spring-framework versions.
     -->
     <suppress>
-        <!--        <notes><![CDATA[-->
-        <!--   file name: spring-security-ldap-5.3.9.RELEASE.jar-->
-        <!--   ]]></notes>-->
-        <!--        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-ldap@.*$</packageUrl>-->
         <cve>CVE-2018-1258</cve>
+        <cve>CVE-2013-4152</cve>
+        <cve>CVE-2013-7315</cve>
+        <cve>CVE-2014-0054</cve>
+        <cve>CVE-2016-1000027</cve>
+        <cve>CVE-2018-11039</cve>
+        <cve>CVE-2018-11040</cve>
+        <cve>CVE-2018-1257</cve>
+        <cve>CVE-2020-5421</cve>
+        <cve>CVE-2022-22950</cve>
+        <cve>CVE-2022-22965</cve>
+        <cve>CVE-2022-22968</cve>
+        <cve>CVE-2022-22970</cve>
+        <cve>CVE-2022-22976</cve>
+        <cve>CVE-2022-22978</cve>
+        <cve>CVE-2019-3772</cve>
+        <cve>CVE-2022-27772</cve>
+        <cve>CVE-2020-5408</cve>
     </suppress>
 
     <!--
@@ -33,6 +46,21 @@
         <cve>CVE-2020-14359</cve>
     </suppress>
 
+    <!--
+        https://nvd.nist.gov/vuln/detail/CVE-2020-14359
+        Only applies to Keycloak (server) not the keycloak libraries.
+    -->
+    <suppress>
+        <cve>CVE-2021-20323</cve>
+        <cve>CVE-2021-3632</cve>
+        <cve>CVE-2021-3637</cve>
+        <cve>CVE-2021-3827</cve>
+        <cve>CVE-2021-3856</cve>
+        <cve>CVE-2021-4133</cve>
+        <cve>CVE-2022-1245</cve>
+        <cve>CVE-2022-1466</cve>
+    </suppress>
+
 
     <!--
         https://nvd.nist.gov/vuln/detail/CVE-2020-8908
@@ -61,13 +89,14 @@
     </suppress>
 
 
-    <!--
-        https://nvd.nist.gov/vuln/detail/CVE-2021-29425
-        Only applies to Apache Commons IO before 2.7, but we are using 2.7. (however somewhere this version is referred).
-    -->
     <suppress>
-        <sha1>7e39112810f6096061c43504188d18edc7d7eece</sha1>
+        <!--
+            https://nvd.nist.gov/vuln/detail/CVE-2021-29425
+            Only applies to Apache Commons IO before 2.7, but we are using 2.7. (however somewhere this version is referred).
+        -->
         <cve>CVE-2021-29425</cve>
+        <!-- Applies to commons-net, but this is not used -->
+        <cve>CVE-2021-37533</cve>
     </suppress>
 
 
@@ -78,4 +107,25 @@
     <suppress>
         <cve>CVE-2015-5258</cve>
     </suppress>
+
+    <!-- Only applies to old Undertow/Jboss versions -->
+    <suppress>
+        <cve>CVE-2016-7046</cve>
+        <cve>CVE-2016-6311</cve>
+    </suppress>
+
+    <!-- H2: not relevant -->
+    <suppress>
+        <cve>CVE-2022-45868</cve>
+    </suppress>
+
+    <!-- xercesImpl: not related to xercesImpl-->
+    <suppress>
+        <cve>CVE-2017-10355</cve>
+    </suppress>
+
+    <suppress>
+        <!-- Related to nim lang, not Java-->
+        <cve>CVE-2020-23171</cve>
+    </suppress>
 </suppressions>