From 6cd734e1ff14e66e6bfbad787ef5b61767a1e729 Mon Sep 17 00:00:00 2001
From: Bastiaan
Date: Wed, 15 May 2024 19:43:15 +0200
Subject: [PATCH 1/3] bugfix
---
 .../radarbase/management/security/ClaimsTokenEnhancer.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/main/java/org/radarbase/management/security/ClaimsTokenEnhancer.java b/src/main/java/org/radarbase/management/security/ClaimsTokenEnhancer.java
index 0f208ea20..affb45357 100644
--- a/src/main/java/org/radarbase/management/security/ClaimsTokenEnhancer.java
+++ b/src/main/java/org/radarbase/management/security/ClaimsTokenEnhancer.java
@@ -19,6 +19,7 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.actuate.audit.AuditEvent;
 import org.springframework.boot.actuate.audit.AuditEventRepository;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.oauth2.common.DefaultOAuth2AccessToken;
 import org.springframework.security.oauth2.common.OAuth2AccessToken;
 import org.springframework.security.oauth2.provider.OAuth2Authentication;
@@ -51,7 +52,8 @@ public OAuth2AccessToken enhance(OAuth2AccessToken accessToken,
 String principalName = authentication.getName();
- if (authentication.getPrincipal() instanceof Principal) {
+ if (authentication.getPrincipal() instanceof Principal ||
+ authentication.getPrincipal() instanceof UserDetails) {
 // add the 'sub' claim in accordance with JWT spec
 additionalInfo.put("sub", principalName);
From 4eb97022b07716e0bfab67f9101b9300735d3cd5 Mon Sep 17 00:00:00 2001
From: Bastiaan
Date: Wed, 5 Jun 2024 13:51:14 +0200
Subject: [PATCH 2/3] Run CI on v0.8
---
 .github/workflows/codeql.yml | 89 +++++++++++++++++++++++++++++++
 .github/workflows/main.yml | 11 ++--
 .github/workflows/pre-release.yml | 24 ++++++--
 .github/workflows/release.yml | 18 ++-----
 4 files changed, 116 insertions(+), 26 deletions(-)
 create mode 100644 .github/workflows/codeql.yml 
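Review bot: The widened condition carries no comment saying why `UserDetails` principals now receive a `sub` claim, so a later reader cannot tell whether the earlier omission for that principal type was a bug or a deliberate exclusion; a line such as `// user-details principals are end users too and need 'sub' — confirm reason with author` above the `if` would record it. `authentication.getPrincipal()` is also evaluated twice in the same condition; hoisting it into `Object principal = authentication.getPrincipal();` and testing that one value reads more clearly. Authentications whose principal is neither type still get no `sub`, which looks intentional but is worth stating in the same comment. The `enhance` method starts and ends outside the hunk.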
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000..ce8883459
--- /dev/null
+++ b/.github/workflows/codeql.yml 
@@ -0,0 +1,89 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ "main", "dev" ]
+ pull_request:
+ branches: [ "main", "dev" ]
+ schedule:
+ - cron: '24 21 * * 0'
+
+jobs:
+ analyze:
+ name: Analyze
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners
+ # Consider using larger runners for possible analysis time improvements.
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }}
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [ 'java-kotlin' ]
+ # CodeQL supports [ 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' ]
+ # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both
+ # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+ # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - uses: actions/setup-java@v4
+ with:
+ distribution: 'temurin' # See 'Supported distributions' for available options
+ java-version: '17'
+
+ # Initializes the CodeQL tools for 
scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+
+ # ℹī¸ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+ # If the Autobuild fails above, remove it and uncomment the following three lines.
+ # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+ # - run: |
+ # echo "Run, Build Application using script"
+ # ./location_of_script_within_repo/buildscript.sh
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 659c55f72..1730f1acf 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -4,7 +4,7 @@ name: Main
 # Run in master and dev branches and in all pull requests to those branches
 on:
 push:
- branches: [ master, dev ]
+ branches: [ master, dev, v0.8 ]
 pull_request: {}
 env: 
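Review bot: The new CodeQL workflow triggers on pushes and pull requests to `"main"` and `"dev"`, but the main.yml hunk in the same series lists the repository's branches as `master, dev, v0.8`, so on push the scan would run only for `dev` (plus the weekly cron) unless a `main` branch exists. Aligning the two lists, e.g. `branches: [ "master", "dev", "v0.8" ]` on both triggers, is needed for the series' stated goal of running CI on v0.8 to include code scanning. The template boilerplate (the emoji comment lines and the commented-out manual build steps) can be dropped once Autobuild is confirmed to work for this Gradle project, leaving only comments that describe this repository.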
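Review bot: The comment above the trigger still reads `# Run in master and dev branches and in all pull requests to those branches` while the list now also contains `v0.8`, so the documentation is stale after this change; update it to `# Run in master, dev and v0.8 branches and in all pull requests to those branches`. If `v0.8` is a maintenance branch, a short note on when it can be dropped from the list would help later cleanup.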
@@ -35,16 +35,17 @@ jobs: distribution: temurin java-version: 17 + - name: Setup Gradle + uses: gradle/gradle-build-action@v2 + - name: Cache uses: actions/cache@v3 with: path: | ${{ steps.yarn-cache-dir-path.outputs.dir }} - ~/.gradle/caches - ~/.gradle/wrapper - key: ${{ runner.os }}-java-${{ hashFiles('**/build.gradle', '**/gradle.properties', '**/yarn.lock', '.yarnrc.yml') }} + key: ${{ runner.os }}-node-${{ hashFiles('**/build.gradle', '**/gradle.properties', '**/yarn.lock', '.yarnrc.yml') }} restore-keys: | - ${{ runner.os }}-java- + ${{ runner.os }}-node- - name: Install Yarn dependencies run: yarn install diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml index cc6f5d142..3efa72be0 100644 --- a/.github/workflows/pre-release.yml +++ b/.github/workflows/pre-release.yml @@ -33,21 +33,31 @@ jobs: distribution: temurin java-version: 17 + - name: Setup Gradle + uses: gradle/gradle-build-action@v2 + - name: Cache uses: actions/cache@v3 with: path: | ${{ steps.yarn-cache-dir-path.outputs.dir }} - ~/.gradle/caches - ~/.gradle/wrapper - key: ${{ runner.os }}-java-${{ hashFiles('**/build.gradle', '**/gradle.properties', '**/yarn.lock') }} + key: ${{ runner.os }}-rc-node-${{ hashFiles('**/build.gradle', '**/gradle.properties', '**/yarn.lock') }} restore-keys: | - ${{ runner.os }}-java- + ${{ runner.os }}-rc-node- + ${{ runner.os }}-node- + + - name: Install Yarn dependencies + run: yarn install + + - name: Yarn build + run: yarn build:prod + + - name: Yarn check + run: yarn test # Compile the code - - name: Install dependencies - run: | - yarn install + - name: Compile java + run: ./gradlew assemble - name: End to end tests id: e2e diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2e8421d74..9a544d4d7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
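Review bot: The `Cache` step now caches only the Yarn directory but keeps its generic name and has no comment, and the key was renamed from `-java-` to `-node-` without noting that Gradle caching moved to the new `Setup Gradle` step; rename it to `- name: Cache Yarn` or add `# Gradle caches are handled by gradle-build-action above` so the split is visible to the next editor. The `gradle/gradle-build-action@v2` reference is pinned by a moving major tag, which is raised once on the release.yml hunk. The enclosing job starts before the hunk.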
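Review bot: The added step named `Yarn check` runs `yarn test`, so its name does not describe the command; `- name: Yarn test` would match the other added steps (`Yarn build`, `Compile java`), which are named after what they run. The removed `Install dependencies` step only ran `yarn install`, which the new `Install Yarn dependencies` step still does, so the `End to end tests` step should be unaffected, but that is inferred since its definition lies outside the hunk. The job continues past the end of the hunk.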
@@ -23,32 +23,22 @@ jobs: with: node-version: 16 - - name: Get yarn cache directory path - id: yarn-cache-dir-path - run: echo "dir=.yarn/cache" >> $GITHUB_OUTPUT - - uses: actions/setup-java@v3 with: distribution: temurin java-version: 17 - - name: Cache - uses: actions/cache@v3 + - name: Setup Gradle + uses: gradle/gradle-build-action@v2 with: - path: | - ${{ steps.yarn-cache-dir-path.outputs.dir }} - ~/.gradle/caches - ~/.gradle/wrapper - key: ${{ runner.os }}-java-${{ hashFiles('**/build.gradle', '**/gradle.properties', '**/yarn.lock') }} - restore-keys: | - ${{ runner.os }}-java- + cache-disabled: true - name: Compile code run: ./gradlew assemble # Upload it to GitHub - name: Upload to GitHub - uses: AButler/upload-release-assets@v2.0 + uses: AButler/upload-release-assets@v2.0.2 with: files: '*/build/libs/*' repo-token: ${{ secrets.GITHUB_TOKEN }} From 911f1f4934636c942663610f1d9ff428704047c6 Mon Sep 17 00:00:00 2001 From: Bastiaan Date: Wed, 5 Jun 2024 15:27:39 +0200 Subject: [PATCH 3/3] security updates --- .snyk | 57 +++++++++++++++++++++++++++++++++-------------- build.gradle | 6 ++--- gradle.properties | 2 +- tslint.json | 3 --- 4 files changed, 44 insertions(+), 24 deletions(-) diff --git a/.snyk b/.snyk index 733c1ec02..b4e375d8e 100644 --- a/.snyk +++ b/.snyk 
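Review bot: The third-party actions in this workflow are referenced by mutable tags (`gradle/gradle-build-action@v2`, and `AButler/upload-release-assets@v2.0.2` on the step that receives `secrets.GITHUB_TOKEN` and uploads the release artifacts), so a tag moved upstream silently changes what runs in the release job; pin them to a full commit SHA with the version in a trailing comment, e.g. `uses: AButler/upload-release-assets@<commit-sha> # v2.0.2`. The same applies to the `gradle/gradle-build-action@v2` references added in the main.yml and pre-release.yml hunks. `cache-disabled: true` on the release build looks deliberate, but a one-line comment stating why (a clean build for release artifacts, if that is the reason) would stop someone re-enabling it later. The job starts before the hunk.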
@@ -2,25 +2,48 @@ version: v1.25.0
 # ignores vulnerabilities until expiry date; change duration by modifying expiry date
 ignore:
- SNYK-JAVA-ORGECLIPSEJETTY-5958847:
- - '*':
- reason: Only used in tests
- expires: 2025-05-07T10:08:57.000Z
- created: 2024-05-08T10:08:57.000Z
- SNYK-JAVA-IONETTY-5953332:
- - '*':
- reason: Only used in load tests
- expires: 2025-05-07T10:08:57.000Z
- created: 2024-05-08T10:08:57.000Z
 SNYK-JAVA-ORGYAML-2806360:
 - '*':
 reason: Not using YAML for user-facing code
- expires: 2024-05-07T10:09:27.027Z
- created: 2023-05-08T10:09:27.030Z
- SNYK-JAVA-ORGSPRINGFRAMEWORKBOOT-5441321:
+ expires: 2025-01-01T00:00:00.000Z
+ SNYK-JAVA-ORGYAML-6056527:
+ - '*':
+ reason: Not using YAML for user-facing code
+ expires: 2025-01-01T00:00:00.000Z
+ SNYK-JAVA-CHQOSLOGBACK-6094942:
+ - '*':
+ reason: Pending spring security update
+ expires: 2025-01-01T00:00:00.000Z
+ SNYK-JAVA-CHQOSLOGBACK-6097492:
+ - '*':
+ reason: Pending spring security update
+ expires: 2025-01-01T00:00:00.000Z
+ SNYK-JAVA-CHQOSLOGBACK-6094943:
+ - '*':
+ reason: Pending spring security update
+ expires: 2025-01-01T00:00:00.000Z
+ SNYK-JAVA-CHQOSLOGBACK-6097493:
+ - '*':
+ reason: Pending spring security update
+ expires: 2025-01-01T00:00:00.000Z
+ SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790:
+ - '*':
+ reason: Pending spring security update
+ expires: 2025-01-01T00:00:00.000Z
+ SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586:
+ - '*':
+ reason: Pending spring security update
+ expires: 2025-01-01T00:00:00.000Z
+ SNYK-JAVA-ORGSPRINGFRAMEWORKSECURITY-6457293:
+ - '*':
+ reason: Pending spring security update
+ expires: 2025-01-01T00:00:00.000Z
+ SNYK-JAVA-ORGJBOSSXNIO-6403375:
+ - '*':
+ reason: Pending spring security update
+ expires: 2025-01-01T00:00:00.000Z
+ SNYK-JAVA-COMNIMBUSDS-6247633:
 - '*':
- reason: Not hosting in CloudFoundry
- expires: 2024-05-07T10:09:52.346Z
- created: 2023-05-08T10:09:52.353Z
+ reason: Pending spring security update
+ expires: 2025-01-01T00:00:00.000Z
 patch: {} 
-severityThreshold: high
diff --git a/build.gradle b/build.gradle
index 9d7acf284..6acc14e1a 100644
--- a/build.gradle
+++ b/build.gradle
@@ -182,9 +182,9 @@ dependencies {
 }
 implementation ("org.springframework.boot:spring-boot-starter-undertow") // Fix vulnerabilities
- runtimeOnly("io.undertow:undertow-websockets-jsr:2.2.25.Final")
- runtimeOnly("io.undertow:undertow-servlet:2.2.25.Final")
- runtimeOnly("io.undertow:undertow-core:2.2.25.Final")
+ runtimeOnly("io.undertow:undertow-websockets-jsr:${undertow_version}")
+ runtimeOnly("io.undertow:undertow-servlet:${undertow_version}")
+ runtimeOnly("io.undertow:undertow-core:${undertow_version}")
 implementation "org.springframework.boot:spring-boot-starter-thymeleaf"
 runtimeOnly("org.thymeleaf:thymeleaf:${thymeleaf_version}")
diff --git a/gradle.properties b/gradle.properties
index ca4299f67..9dfa9af61 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -27,7 +27,7 @@ springfox_version=2.6.1
 spring_boot_version=2.7.15
 gatling_version=3.10.0
 mapstruct_version=1.4.2.Final
-undertow_version=1.4.10.Final
+undertow_version=2.2.32.Final
 yarn_version=1.22.15
 spring_data_envers_version=2.5.6
 jackson_version=2.13.4
diff --git a/tslint.json b/tslint.json
index 72dd9dfa7..8fcf6cfdc 100644
--- a/tslint.json
+++ b/tslint.json
@@ -1,7 +1,4 @@
 {
- "rulesDirectory": [
- "node_modules/codelyzer"
- ],
 "rules": {
 "class-name": true,
 "comment-format": [
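Review bot: Ten of the new ignore entries share the identical reason `Pending spring security update` and the same expiry `2025-01-01T00:00:00.000Z`, including entries for logback (`SNYK-JAVA-CHQOSLOGBACK-*`), XNIO (`SNYK-JAVA-ORGJBOSSXNIO-6403375`) and Nimbus (`SNYK-JAVA-COMNIMBUSDS-6247633`) that are not Spring Security artifacts, so the file no longer records why each finding is believed not to apply or which upgrade will clear it. The new entries also drop the `created:` field that the removed ones carried, which loses the record of when each exception was granted; a per-entry reason naming the affected dependency and the blocking upgrade, plus `created:`, keeps the ignore list reviewable at expiry. Removing `severityThreshold: high` at the end of the hunk widens what Snyk reports to lower severities, which may be intended but is not mentioned in the commit message.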
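Review bot: The `// Fix vulnerabilities` comment above the three `runtimeOnly` lines no longer says anything specific: the lines now override the Undertow version pulled in by `spring-boot-starter-undertow` with `${undertow_version}`, which the gradle.properties hunk sets to `2.2.32.Final` (the property was `1.4.10.Final` before, presumably unused until now). Replace it with `// Override the Undertow version from spring-boot-starter-undertow; bump undertow_version in gradle.properties for security fixes` so the coupling between the two files is visible where the dependency is declared. The `dependencies` block starts before the hunk and ends after it.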