Merge pull request #1160 from catenax-ng/chore/xxx-reduce-security-fi…

…ndings

chore(security): xxx bumps

.github/workflows/publish-documentation.yaml

@@ -127,7 +127,7 @@ jobs:
           mv docs/src/diagram-replacer/assets/ docs/target/generated-docs/assets/
 
       - name: GitHub Pages action
-        uses: peaceiris/actions-gh-pages@v3.9.3
+        uses: peaceiris/actions-gh-pages@v4.0.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: "./docs/target/generated-docs"

.github/workflows/trivy.yml

@@ -72,7 +72,7 @@ jobs:
         run: docker build -t localhost:5000/traceability-foss:fe_${{ github.sha }} -f ./frontend/Dockerfile .
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.18.0
+        uses: aquasecurity/trivy-action@0.19.0
         with:
           trivyignores: "./.github/workflows/.trivyignore"
           image-ref: 'localhost:5000/traceability-foss:fe_${{ github.sha }}'
@@ -132,7 +132,7 @@ jobs:
           ref: ${{needs.prepare-env.outputs.check_sha}}
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@0.18.0
+        uses: aquasecurity/trivy-action@0.19.0
         with:
           trivyignores: "./.github/workflows/.trivyignore"
           scan-type: "config"
@@ -178,7 +178,7 @@ jobs:
           tags: localhost:5000/traceability-foss:trivy
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.18.0
+        uses: aquasecurity/trivy-action@0.19.0
         with:
           image-ref: localhost:5000/traceability-foss:trivy
           trivyignores: "./.github/workflows/.trivyignore"

CHANGELOG.md

@@ -17,6 +17,13 @@ _**For better traceability add the corresponding GitHub issue number in each cha
 - #636 migrate to digital-twin-registry version 0.4.9 from 0.3.22
 - #622 Added functionallity to edit existing notifications within CREATED state
 - #602 use digitalTwinType instead of semanticId to determine asBuilt or asPlanned assets
+- bump ch.qos.logback:logback-core from 1.4.14 to 1.5.4
+- bump peaceiris/actions-gh-pages from 3.9.3 to 4.0.0
+- bump aquasecurity/trivy-action from 0.18.0 to 0.19.0
+- bump org.springframework.cloud:spring-cloud-dependencies from 2023.0.0 to 2023.0.1
+- bump org.awaitility:awaitility from 3.0.0 to 4.2.1
+- bump org.asciidoctor:asciidoctorj-diagram from 2.2.13 to 2.3.0
+- bump io.cucumber:cucumber-bom from 7.15.0 to 7.16.1
 
 ## [10.8.2 - 05.04.2024]
 ### Removed

DEPENDENCIES_BACKEND

@@ -1,5 +1,7 @@
 maven/mavencentral/ch.qos.logback/logback-classic/1.4.14, EPL-1.0 OR LGPL-2.1-only, approved, #3435
+maven/mavencentral/ch.qos.logback/logback-classic/1.5.4, EPL-1.0 AND LGPL-2.1-only, approved, #13282
 maven/mavencentral/ch.qos.logback/logback-core/1.4.14, EPL-1.0 OR LGPL-2.1-only, approved, #3373
+maven/mavencentral/ch.qos.logback/logback-core/1.5.4, EPL-1.0 AND LGPL-2.1-only, approved, #13283
 maven/mavencentral/com.apicatalog/titanium-json-ld/1.3.2, Apache-2.0, approved, #8912
 maven/mavencentral/com.auth0/java-jwt/4.4.0, MIT, approved, #8459
 maven/mavencentral/com.carrotsearch.thirdparty/simple-xml-safe/2.7.1, Apache-2.0, approved, clearlydefined
@@ -74,21 +76,21 @@ maven/mavencentral/commons-logging/commons-logging/1.3.0, Apache-2.0, approved,
 maven/mavencentral/commons-validator/commons-validator/1.7, Apache-2.0, approved, clearlydefined
 maven/mavencentral/dev.failsafe/failsafe-okhttp/3.3.2, Apache-2.0, approved, #9178
 maven/mavencentral/dev.failsafe/failsafe/3.3.2, Apache-2.0, approved, #9268
-maven/mavencentral/io.cucumber/ci-environment/10.0.0, MIT, approved, #13863
-maven/mavencentral/io.cucumber/cucumber-core/7.15.0, MIT AND (Apache-2.0 AND MIT), approved, #13859
-maven/mavencentral/io.cucumber/cucumber-expressions/17.0.1, MIT, approved, #13858
-maven/mavencentral/io.cucumber/cucumber-gherkin-messages/7.15.0, MIT, approved, clearlydefined
-maven/mavencentral/io.cucumber/cucumber-gherkin/7.15.0, MIT, approved, clearlydefined
-maven/mavencentral/io.cucumber/cucumber-java/7.15.0, MIT, approved, clearlydefined
-maven/mavencentral/io.cucumber/cucumber-junit-platform-engine/7.15.0, MIT, approved, clearlydefined
-maven/mavencentral/io.cucumber/cucumber-plugin/7.15.0, MIT, approved, clearlydefined
-maven/mavencentral/io.cucumber/datatable/7.15.0, MIT, approved, #13862
-maven/mavencentral/io.cucumber/docstring/7.15.0, MIT, approved, clearlydefined
-maven/mavencentral/io.cucumber/gherkin/26.2.0, MIT, approved, clearlydefined
-maven/mavencentral/io.cucumber/html-formatter/20.4.0, Apache-2.0 AND CC-BY-4.0 AND MIT AND OFL-1.1, approved, #13864
-maven/mavencentral/io.cucumber/junit-xml-formatter/0.2.0, MIT, approved, #11043
-maven/mavencentral/io.cucumber/messages/22.0.0, MIT, approved, clearlydefined
-maven/mavencentral/io.cucumber/tag-expressions/6.0.0, MIT, approved, #13860
+maven/mavencentral/io.cucumber/ci-environment/10.0.1, MIT, approved, #13863
+maven/mavencentral/io.cucumber/cucumber-core/7.16.1, MIT, restricted, clearlydefined
+maven/mavencentral/io.cucumber/cucumber-expressions/17.1.0, unknown, restricted, none
+maven/mavencentral/io.cucumber/cucumber-gherkin-messages/7.16.1, MIT, approved, clearlydefined
+maven/mavencentral/io.cucumber/cucumber-gherkin/7.16.1, MIT, approved, clearlydefined
+maven/mavencentral/io.cucumber/cucumber-java/7.16.1, MIT, approved, clearlydefined
+maven/mavencentral/io.cucumber/cucumber-junit-platform-engine/7.16.1, MIT, approved, clearlydefined
+maven/mavencentral/io.cucumber/cucumber-plugin/7.16.1, MIT, approved, clearlydefined
+maven/mavencentral/io.cucumber/datatable/7.16.1, , restricted, clearlydefined
+maven/mavencentral/io.cucumber/docstring/7.16.1, MIT, approved, clearlydefined
+maven/mavencentral/io.cucumber/gherkin/28.0.0, unknown, restricted, none
+maven/mavencentral/io.cucumber/html-formatter/21.3.0, unknown, restricted, none
+maven/mavencentral/io.cucumber/junit-xml-formatter/0.3.0, unknown, restricted, none
+maven/mavencentral/io.cucumber/messages/24.1.0, , restricted, clearlydefined
+maven/mavencentral/io.cucumber/tag-expressions/6.1.0, , restricted, clearlydefined
 maven/mavencentral/io.github.classgraph/classgraph/4.8.149, MIT, approved, CQ22530
 maven/mavencentral/io.github.resilience4j/resilience4j-annotations/2.1.0, Apache-2.0, approved, #10171
 maven/mavencentral/io.github.resilience4j/resilience4j-bulkhead/2.1.0, Apache-2.0, approved, #10172
@@ -189,7 +191,7 @@ maven/mavencentral/org.apiguardian/apiguardian-api/1.1.2, Apache-2.0, approved,
 maven/mavencentral/org.aspectj/aspectjweaver/1.9.21, Apache-2.0 AND BSD-3-Clause AND EPL-1.0 AND BSD-3-Clause AND Apache-1.1, approved, #7695
 maven/mavencentral/org.assertj/assertj-core/3.24.2, Apache-2.0, approved, #6161
 maven/mavencentral/org.attoparser/attoparser/2.0.7.RELEASE, Apache-2.0, approved, CQ18900
-maven/mavencentral/org.awaitility/awaitility/3.0.0, Apache-2.0, approved, #11042
+maven/mavencentral/org.awaitility/awaitility/4.2.1, Apache-2.0, approved, #14178
 maven/mavencentral/org.bitbucket.b_c/jose4j/0.9.4, Apache-2.0, approved, #4707
 maven/mavencentral/org.bouncycastle/bcpkix-jdk18on/1.76, MIT, approved, #9825
 maven/mavencentral/org.bouncycastle/bcprov-jdk18on/1.76, MIT AND CC0-1.0, approved, #9827
@@ -321,7 +323,6 @@ maven/mavencentral/org.glassfish.jersey.media/jersey-media-multipart/3.1.3, EPL-
 maven/mavencentral/org.glassfish.jersey.media/jersey-media-multipart/3.1.5, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey
 maven/mavencentral/org.glassfish/jakarta.json/2.0.1, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jsonp
 maven/mavencentral/org.hamcrest/hamcrest-core/2.2, BSD-3-Clause, approved, clearlydefined
-maven/mavencentral/org.hamcrest/hamcrest-library/2.2, BSD-3-Clause, approved, CQ22925
 maven/mavencentral/org.hamcrest/hamcrest/2.2, BSD-3-Clause, approved, clearlydefined
 maven/mavencentral/org.hdrhistogram/HdrHistogram/2.1.12, BSD-2-Clause OR LicenseRef-Public-Domain, approved, CQ13192
 maven/mavencentral/org.hibernate.common/hibernate-commons-annotations/6.0.6.Final, LGPL-2.1-only, approved, #6962
@@ -356,7 +357,6 @@ maven/mavencentral/org.latencyutils/LatencyUtils/2.0.3, BSD-2-Clause, approved,
 maven/mavencentral/org.mockito/mockito-core/5.7.0, MIT AND (Apache-2.0 AND MIT) AND Apache-2.0, approved, #11424
 maven/mavencentral/org.mockito/mockito-junit-jupiter/5.7.0, MIT, approved, #11423
 maven/mavencentral/org.mozilla/rhino/1.7.7.2, MPL-2.0 AND BSD-3-Clause AND ISC, approved, CQ16320
-maven/mavencentral/org.objenesis/objenesis/2.5.1, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.objenesis/objenesis/3.3, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.openapitools/jackson-databind-nullable/0.2.6, Apache-2.0, approved, #3294
 maven/mavencentral/org.opentest4j/opentest4j/1.3.0, Apache-2.0, approved, #9713
@@ -370,7 +370,6 @@ maven/mavencentral/org.rnorth.duct-tape/duct-tape/1.0.8, MIT, approved, clearlyd
 maven/mavencentral/org.skyscreamer/jsonassert/1.5.1, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.slf4j/jul-to-slf4j/2.0.12, MIT, approved, #7698
 maven/mavencentral/org.slf4j/slf4j-api/2.0.12, MIT, approved, #5915
-maven/mavencentral/org.slf4j/slf4j-api/2.0.7, MIT, approved, #5915
 maven/mavencentral/org.springdoc/springdoc-openapi-starter-common/2.0.4, Apache-2.0, approved, #5920
 maven/mavencentral/org.springdoc/springdoc-openapi-starter-webmvc-api/2.0.4, Apache-2.0, approved, #5950
 maven/mavencentral/org.springdoc/springdoc-openapi-starter-webmvc-ui/2.0.4, Apache-2.0, approved, #5923

pom.xml

@@ -64,11 +64,11 @@ SPDX-License-Identifier: Apache-2.0
         <!-- versions for 3rd party dependecies -->
         <eclipse-dash-ip.version>1.1.0</eclipse-dash-ip.version>
         <nimbus-jose-jwt.version>9.37.3</nimbus-jose-jwt.version>
-        <ascii-doctor-j-diagram.version>2.2.13</ascii-doctor-j-diagram.version>
+        <ascii-doctor-j-diagram.version>2.3.0</ascii-doctor-j-diagram.version>
         <ascii-dcotor-j.version>2.5.8</ascii-dcotor-j.version>
         <auth-0-java-jwt.version>4.4.0</auth-0-java-jwt.version>
         <jruby.version>9.4.3.0</jruby.version>
-        <spring-cloud.version>2023.0.0</spring-cloud.version>
+        <spring-cloud.version>2023.0.1</spring-cloud.version>
         <jetbrains-annotation.version>24.1.0</jetbrains-annotation.version>
         <findbugs-jsr305.version>3.0.2</findbugs-jsr305.version>
         <swagger-annotation.version>1.6.12</swagger-annotation.version>
@@ -84,9 +84,9 @@ SPDX-License-Identifier: Apache-2.0
         <commons-collections.version>4.4</commons-collections.version>
         <lombok.version>1.18.30</lombok.version>
         <json-unit-assertj.version>3.2.2</json-unit-assertj.version>
-        <cucumber.version>7.15.0</cucumber.version>
+        <cucumber.version>7.16.1</cucumber.version>
         <junit-bom.version>5.10.2</junit-bom.version>
-        <awaitility.version>3.0.0</awaitility.version>
+        <awaitility.version>4.2.1</awaitility.version>
         <irs-client-lib.version>1.8.0</irs-client-lib.version>
         <json-schema-validator.version>5.4.0</json-schema-validator.version>
         <!-- Sonar related properties -->

tx-cucumber-tests/src/test/java/org/eclipse/tractusx/traceability/test/TraceabilityTestStepDefinition.java

@@ -28,15 +28,15 @@
 import io.cucumber.java.en.Then;
 import io.cucumber.java.en.When;
 import lombok.extern.slf4j.Slf4j;
-import org.awaitility.Duration;
+import notification.request.UpdateNotificationStatusRequest;
+import notification.response.NotificationIdResponse;
+import notification.response.NotificationResponse;
+import org.awaitility.Durations;
 import org.eclipse.tractusx.traceability.test.exteption.MissingStepDefinitionException;
 import org.eclipse.tractusx.traceability.test.tooling.TraceXEnvironmentEnum;
 import org.eclipse.tractusx.traceability.test.tooling.rest.RestProvider;
 import org.eclipse.tractusx.traceability.test.validator.NotificationValidator;
 import org.hamcrest.Matchers;
-import notification.request.UpdateNotificationStatusRequest;
-import notification.response.NotificationIdResponse;
-import notification.response.NotificationResponse;
 
 import java.time.Instant;
 import java.util.Arrays;
@@ -116,7 +116,7 @@ public void iCreateQualityInvestigation(DataTable dataTable) {
     @When("I check, if quality investigation has proper values")
     public void iCheckIfQualityInvestigationHasProperValues(DataTable dataTable) {
         await()
-                .atMost(Duration.FIVE_MINUTES)
+                .atMost(Durations.FIVE_MINUTES)
                 .pollInterval(1, TimeUnit.SECONDS)
                 .ignoreExceptions()
                 .until(() -> {
@@ -161,7 +161,7 @@ public void iCloseQualityAlert() {
     public void iCanSeeNotificationWasReceived() {
         System.out.println("searching for notificationDescription: " + notificationDescription);
         final NotificationResponse notification = await()
-                .atMost(Duration.FIVE_MINUTES)
+                .atMost(Durations.FIVE_MINUTES)
                 .pollInterval(1, TimeUnit.SECONDS)
                 .until(() -> {
                             final List<NotificationResponse> result = restProvider.getReceivedNotifications();
@@ -270,7 +270,7 @@ public void iCreateQualityAlert(DataTable dataTable) {
     @When("I check, if quality alert has proper values")
     public void iCheckIfQualityAlertHasProperValues(DataTable dataTable) {
         await()
-                .atMost(Duration.FIVE_MINUTES)
+                .atMost(Durations.FIVE_MINUTES)
                 .pollInterval(1, TimeUnit.SECONDS)
                 .ignoreExceptions()
                 .until(() -> {
@@ -297,7 +297,7 @@ public void iApproveQualityAlert() {
     public void iCanSeeQualityAlertWasReceived() {
         System.out.println("searching for notificationDescription: " + notificationDescription);
         final NotificationResponse notification = await()
-                .atMost(Duration.FIVE_MINUTES)
+                .atMost(Durations.FIVE_MINUTES)
                 .pollInterval(1, TimeUnit.SECONDS)
                 .until(() -> {
                             final List<NotificationResponse> result = restProvider.getReceivedNotifications();

tx-cucumber-tests/src/test/java/org/eclipse/tractusx/traceability/test/tooling/rest/RestProvider.java

@@ -31,17 +31,17 @@
 import io.restassured.response.ValidatableResponse;
 import io.restassured.specification.RequestSpecification;
 import lombok.Getter;
-import org.apache.http.HttpStatus;
-import org.awaitility.Duration;
-import org.eclipse.tractusx.traceability.test.tooling.EnvVariablesResolver;
-import org.eclipse.tractusx.traceability.test.tooling.NotificationTypeEnum;
-import org.eclipse.tractusx.traceability.test.tooling.TraceXEnvironmentEnum;
 import notification.request.NotificationSeverityRequest;
 import notification.request.StartNotificationRequest;
-import notification.request.UpdateNotificationStatusTransitionRequest;
 import notification.request.UpdateNotificationStatusRequest;
+import notification.request.UpdateNotificationStatusTransitionRequest;
 import notification.response.NotificationIdResponse;
 import notification.response.NotificationResponse;
+import org.apache.http.HttpStatus;
+import org.awaitility.Durations;
+import org.eclipse.tractusx.traceability.test.tooling.EnvVariablesResolver;
+import org.eclipse.tractusx.traceability.test.tooling.NotificationTypeEnum;
+import org.eclipse.tractusx.traceability.test.tooling.TraceXEnvironmentEnum;
 
 import java.time.Instant;
 import java.util.List;
@@ -121,7 +121,7 @@ public NotificationIdResponse createNotification(
 
     public void approveNotification(final Long notificationId) {
         await()
-                .atMost(Duration.FIVE_MINUTES)
+                .atMost(Durations.FIVE_MINUTES)
                 .pollInterval(10, TimeUnit.SECONDS)
                 .ignoreExceptions()
                 .until(() -> {
@@ -159,7 +159,7 @@ public void cancelNotification(final Long notificationId) {
 
     public void closeNotification(final Long notificationId) {
         await()
-                .atMost(Duration.FIVE_MINUTES)
+                .atMost(Durations.FIVE_MINUTES)
                 .pollInterval(10, TimeUnit.SECONDS)
                 .ignoreExceptions()
                 .until(() -> {
@@ -190,7 +190,7 @@ public void updateNotification(final Long notificationId,
                 .build();
 
         await()
-                .atMost(Duration.FIVE_MINUTES)
+                .atMost(Durations.FIVE_MINUTES)
                 .pollInterval(10, TimeUnit.SECONDS)
                 .ignoreExceptions()
                 .until(() -> {

tx-models/pom.xml

@@ -80,12 +80,12 @@ SPDX-License-Identifier: Apache-2.0
         <dependency>
             <groupId>ch.qos.logback</groupId>
             <artifactId>logback-classic</artifactId>
-            <version>1.4.14</version>
+            <version>1.5.4</version>
         </dependency>
         <dependency>
             <groupId>ch.qos.logback</groupId>
             <artifactId>logback-core</artifactId>
-            <version>1.4.14</version>
+            <version>1.5.4</version>
         </dependency>
         <dependency>
             <groupId>org.mockito</groupId>