From a47c64aadf77edbd5431e0d1162405e3257a0f54 Mon Sep 17 00:00:00 2001
From: Martin Maul
Date: Fri, 12 Apr 2024 08:35:47 +0200
Subject: [PATCH 1/3] chore(security): xxx bumps
---
.github/workflows/publish-documentation.yaml | 2 +-
.github/workflows/trivy.yml | 6 +++---
pom.xml | 8 ++++----
.../test/TraceabilityTestStepDefinition.java | 16 ++++++++--------
.../test/tooling/rest/RestProvider.java | 18 +++++++++---------
tx-models/pom.xml | 4 ++--
6 files changed, 27 insertions(+), 27 deletions(-)
diff --git a/.github/workflows/publish-documentation.yaml b/.github/workflows/publish-documentation.yaml
index 23cda5c496..1416e3302b 100644
--- a/.github/workflows/publish-documentation.yaml
+++ b/.github/workflows/publish-documentation.yaml
@@ -127,7 +127,7 @@ jobs:
mv docs/src/diagram-replacer/assets/ docs/target/generated-docs/assets/
- name: GitHub Pages action
- uses: peaceiris/actions-gh-pages@v3.9.3
+ uses: peaceiris/actions-gh-pages@v4.0.0
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: "./docs/target/generated-docs"
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 78b168fc3d..e5a000eb9d 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -72,7 +72,7 @@ jobs:
run: docker build -t localhost:5000/traceability-foss:fe_${{ github.sha }} -f ./frontend/Dockerfile .
- name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@0.18.0
+ uses: aquasecurity/trivy-action@0.19.0
with:
trivyignores: "./.github/workflows/.trivyignore"
image-ref: 'localhost:5000/traceability-foss:fe_${{ github.sha }}'
@@ -132,7 +132,7 @@ jobs:
ref: ${{needs.prepare-env.outputs.check_sha}}
- name: Run Trivy vulnerability scanner in repo mode
- uses: aquasecurity/trivy-action@0.18.0
+ uses: aquasecurity/trivy-action@0.19.0
with:
trivyignores: "./.github/workflows/.trivyignore"
scan-type: "config"
@@ -178,7 +178,7 @@ jobs:
tags: localhost:5000/traceability-foss:trivy
- name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@0.18.0
+ uses: aquasecurity/trivy-action@0.19.0
with:
image-ref: localhost:5000/traceability-foss:trivy
trivyignores: "./.github/workflows/.trivyignore"
diff --git a/pom.xml b/pom.xml
index b10f88747f..1a973b4380 100644
--- a/pom.xml
+++ b/pom.xml
@@ -64,11 +64,11 @@ SPDX-License-Identifier: Apache-2.0
1.1.0
9.37.3
- 2.2.13
+ 2.3.0
2.5.8
4.4.0
9.4.3.0
- 2023.0.0
+ 2023.0.1
24.1.0
3.0.2
1.6.12
@@ -84,9 +84,9 @@ SPDX-License-Identifier: Apache-2.0
4.4
1.18.30
3.2.2
- 7.15.0
+ 7.16.1
5.10.2
- 3.0.0
+ 4.2.1
1.8.0
5.4.0
diff --git a/tx-cucumber-tests/src/test/java/org/eclipse/tractusx/traceability/test/TraceabilityTestStepDefinition.java b/tx-cucumber-tests/src/test/java/org/eclipse/tractusx/traceability/test/TraceabilityTestStepDefinition.java
index 67d71d2ab1..b5f24dfe3f 100644
--- a/tx-cucumber-tests/src/test/java/org/eclipse/tractusx/traceability/test/TraceabilityTestStepDefinition.java
+++ b/tx-cucumber-tests/src/test/java/org/eclipse/tractusx/traceability/test/TraceabilityTestStepDefinition.java
@@ -28,15 +28,15 @@ import io.cucumber.java.en.Then;
import io.cucumber.java.en.When;
import lombok.extern.slf4j.Slf4j;
-import org.awaitility.Duration;
+import notification.request.UpdateNotificationStatusRequest;
+import notification.response.NotificationIdResponse;
+import notification.response.NotificationResponse;
+import org.awaitility.Durations;
import org.eclipse.tractusx.traceability.test.exteption.MissingStepDefinitionException;
import org.eclipse.tractusx.traceability.test.tooling.TraceXEnvironmentEnum;
import org.eclipse.tractusx.traceability.test.tooling.rest.RestProvider;
import org.eclipse.tractusx.traceability.test.validator.NotificationValidator;
import org.hamcrest.Matchers;
-import notification.request.UpdateNotificationStatusRequest;
-import notification.response.NotificationIdResponse;
-import notification.response.NotificationResponse;
import java.time.Instant;
import java.util.Arrays;
@@ -116,7 +116,7 @@ public void iCreateQualityInvestigation(DataTable dataTable) {
@When("I check, if quality investigation has proper values")
public void iCheckIfQualityInvestigationHasProperValues(DataTable dataTable) {
await()
- .atMost(Duration.FIVE_MINUTES)
+ .atMost(Durations.FIVE_MINUTES)
.pollInterval(1, TimeUnit.SECONDS)
.ignoreExceptions()
.until(() -> {
@@ -161,7 +161,7 @@ public void iCloseQualityAlert() {
public void iCanSeeNotificationWasReceived() {
System.out.println("searching for notificationDescription: " + notificationDescription);
final NotificationResponse notification = await()
- .atMost(Duration.FIVE_MINUTES)
+ .atMost(Durations.FIVE_MINUTES)
.pollInterval(1, TimeUnit.SECONDS)
.until(() -> {
final List result = restProvider.getReceivedNotifications();
@@ -270,7 +270,7 @@ public void iCreateQualityAlert(DataTable dataTable) {
@When("I check, if quality alert has proper values")
public void iCheckIfQualityAlertHasProperValues(DataTable dataTable) {
await()
- .atMost(Duration.FIVE_MINUTES)
+ .atMost(Durations.FIVE_MINUTES)
.pollInterval(1, TimeUnit.SECONDS)
.ignoreExceptions()
.until(() -> {
@@ -297,7 +297,7 @@ public void iApproveQualityAlert() {
public void iCanSeeQualityAlertWasReceived() {
System.out.println("searching for notificationDescription: " + notificationDescription);
final NotificationResponse notification = await()
- .atMost(Duration.FIVE_MINUTES)
+ .atMost(Durations.FIVE_MINUTES)
.pollInterval(1, TimeUnit.SECONDS)
.until(() -> {
final List result = restProvider.getReceivedNotifications();
diff --git a/tx-cucumber-tests/src/test/java/org/eclipse/tractusx/traceability/test/tooling/rest/RestProvider.java b/tx-cucumber-tests/src/test/java/org/eclipse/tractusx/traceability/test/tooling/rest/RestProvider.java
index 86b6eece90..c2e307e6f2 100644
--- a/tx-cucumber-tests/src/test/java/org/eclipse/tractusx/traceability/test/tooling/rest/RestProvider.java
+++ b/tx-cucumber-tests/src/test/java/org/eclipse/tractusx/traceability/test/tooling/rest/RestProvider.java
@@ -31,17 +31,17 @@ import io.restassured.response.ValidatableResponse;
import io.restassured.specification.RequestSpecification;
import lombok.Getter;
-import org.apache.http.HttpStatus;
-import org.awaitility.Duration;
-import org.eclipse.tractusx.traceability.test.tooling.EnvVariablesResolver;
-import org.eclipse.tractusx.traceability.test.tooling.NotificationTypeEnum;
-import org.eclipse.tractusx.traceability.test.tooling.TraceXEnvironmentEnum;
import notification.request.NotificationSeverityRequest;
import notification.request.StartNotificationRequest;
-import notification.request.UpdateNotificationStatusTransitionRequest;
import notification.request.UpdateNotificationStatusRequest;
+import notification.request.UpdateNotificationStatusTransitionRequest;
import notification.response.NotificationIdResponse;
import notification.response.NotificationResponse;
+import org.apache.http.HttpStatus;
+import org.awaitility.Durations;
+import org.eclipse.tractusx.traceability.test.tooling.EnvVariablesResolver;
+import org.eclipse.tractusx.traceability.test.tooling.NotificationTypeEnum;
+import org.eclipse.tractusx.traceability.test.tooling.TraceXEnvironmentEnum;
import java.time.Instant;
import java.util.List;
@@ -121,7 +121,7 @@ public NotificationIdResponse createNotification(
public void approveNotification(final Long notificationId) {
await()
- .atMost(Duration.FIVE_MINUTES)
+ .atMost(Durations.FIVE_MINUTES)
.pollInterval(10, TimeUnit.SECONDS)
.ignoreExceptions()
.until(() -> {
@@ -159,7 +159,7 @@ public void cancelNotification(final Long notificationId) {
public void closeNotification(final Long notificationId) {
await()
- .atMost(Duration.FIVE_MINUTES)
+ .atMost(Durations.FIVE_MINUTES)
.pollInterval(10, TimeUnit.SECONDS)
.ignoreExceptions()
.until(() -> {
@@ -190,7 +190,7 @@ public void updateNotification(final Long notificationId,
.build();
await()
- .atMost(Duration.FIVE_MINUTES)
+ .atMost(Durations.FIVE_MINUTES)
.pollInterval(10, TimeUnit.SECONDS)
.ignoreExceptions()
.until(() -> {
diff --git a/tx-models/pom.xml b/tx-models/pom.xml
index e8a3ab1199..6ba893e2c0 100644
--- a/tx-models/pom.xml
+++ b/tx-models/pom.xml
@@ -80,12 +80,12 @@ SPDX-License-Identifier: Apache-2.0
ch.qos.logback
logback-classic
- 1.4.14
+ 1.5.4
ch.qos.logback
logback-core
- 1.4.14
+ 1.5.4
org.mockito
From d54f6c0fb5fc69d18675a27c57b1811b491a147c Mon Sep 17 00:00:00 2001
From: Martin Maul
Date: Fri, 12 Apr 2024 09:04:22 +0200
Subject: [PATCH 2/3] chore(security): xxx dash update
---
DEPENDENCIES_BACKEND | 37 ++++++++++++++++++-------------------
1 file changed, 18 insertions(+), 19 deletions(-)
diff --git a/DEPENDENCIES_BACKEND b/DEPENDENCIES_BACKEND
index 8146b72f7c..0dba29e070 100644
--- a/DEPENDENCIES_BACKEND
+++ b/DEPENDENCIES_BACKEND
@@ -1,5 +1,7 @@
maven/mavencentral/ch.qos.logback/logback-classic/1.4.14, EPL-1.0 OR LGPL-2.1-only, approved, #3435
+maven/mavencentral/ch.qos.logback/logback-classic/1.5.4, EPL-1.0 AND LGPL-2.1-only, approved, #13282
maven/mavencentral/ch.qos.logback/logback-core/1.4.14, EPL-1.0 OR LGPL-2.1-only, approved, #3373
+maven/mavencentral/ch.qos.logback/logback-core/1.5.4, EPL-1.0 AND LGPL-2.1-only, approved, #13283
maven/mavencentral/com.apicatalog/titanium-json-ld/1.3.2, Apache-2.0, approved, #8912
maven/mavencentral/com.auth0/java-jwt/4.4.0, MIT, approved, #8459
maven/mavencentral/com.carrotsearch.thirdparty/simple-xml-safe/2.7.1, Apache-2.0, approved, clearlydefined
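Review bot: The DEPENDENCIES_BACKEND hunk adds the logback-classic/1.5.4 and logback-core/1.5.4 rows but keeps the 1.4.14 rows as context, so the dash run still sees both versions in the resolved tree; in this patch only tx-models/pom.xml pins 1.5.4, which suggests another module still resolves 1.4.14 through its managed version. For a commit labelled chore(security), that means the older logback jar presumably still ships in at least one artifact, and the changelog entry for this bump would then overstate it. Please confirm with `mvn dependency:tree -Dincludes=ch.qos.logback` which module still pulls 1.4.14 and override the logback version at the root pom (or the affected module) so the 1.4.14 rows disappear from the next dash update. The retained rows also mask whether the scanner is covering the artifact that actually runs in production.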
@@ -74,21 +76,21 @@ maven/mavencentral/commons-logging/commons-logging/1.3.0, Apache-2.0, approved,
maven/mavencentral/commons-validator/commons-validator/1.7, Apache-2.0, approved, clearlydefined
maven/mavencentral/dev.failsafe/failsafe-okhttp/3.3.2, Apache-2.0, approved, #9178
maven/mavencentral/dev.failsafe/failsafe/3.3.2, Apache-2.0, approved, #9268
-maven/mavencentral/io.cucumber/ci-environment/10.0.0, MIT, approved, #13863
-maven/mavencentral/io.cucumber/cucumber-core/7.15.0, MIT AND (Apache-2.0 AND MIT), approved, #13859
-maven/mavencentral/io.cucumber/cucumber-expressions/17.0.1, MIT, approved, #13858
-maven/mavencentral/io.cucumber/cucumber-gherkin-messages/7.15.0, MIT, approved, clearlydefined
-maven/mavencentral/io.cucumber/cucumber-gherkin/7.15.0, MIT, approved, clearlydefined
-maven/mavencentral/io.cucumber/cucumber-java/7.15.0, MIT, approved, clearlydefined
-maven/mavencentral/io.cucumber/cucumber-junit-platform-engine/7.15.0, MIT, approved, clearlydefined
-maven/mavencentral/io.cucumber/cucumber-plugin/7.15.0, MIT, approved, clearlydefined
-maven/mavencentral/io.cucumber/datatable/7.15.0, MIT, approved, #13862
-maven/mavencentral/io.cucumber/docstring/7.15.0, MIT, approved, clearlydefined
-maven/mavencentral/io.cucumber/gherkin/26.2.0, MIT, approved, clearlydefined
-maven/mavencentral/io.cucumber/html-formatter/20.4.0, Apache-2.0 AND CC-BY-4.0 AND MIT AND OFL-1.1, approved, #13864
-maven/mavencentral/io.cucumber/junit-xml-formatter/0.2.0, MIT, approved, #11043
-maven/mavencentral/io.cucumber/messages/22.0.0, MIT, approved, clearlydefined
-maven/mavencentral/io.cucumber/tag-expressions/6.0.0, MIT, approved, #13860
+maven/mavencentral/io.cucumber/ci-environment/10.0.1, MIT, approved, #13863
+maven/mavencentral/io.cucumber/cucumber-core/7.16.1, MIT, restricted, clearlydefined
+maven/mavencentral/io.cucumber/cucumber-expressions/17.1.0, unknown, restricted, none
+maven/mavencentral/io.cucumber/cucumber-gherkin-messages/7.16.1, MIT, approved, 
clearlydefined
+maven/mavencentral/io.cucumber/cucumber-gherkin/7.16.1, MIT, approved, clearlydefined
+maven/mavencentral/io.cucumber/cucumber-java/7.16.1, MIT, approved, clearlydefined
+maven/mavencentral/io.cucumber/cucumber-junit-platform-engine/7.16.1, MIT, approved, clearlydefined
+maven/mavencentral/io.cucumber/cucumber-plugin/7.16.1, MIT, approved, clearlydefined
+maven/mavencentral/io.cucumber/datatable/7.16.1, , restricted, clearlydefined
+maven/mavencentral/io.cucumber/docstring/7.16.1, MIT, approved, clearlydefined
+maven/mavencentral/io.cucumber/gherkin/28.0.0, unknown, restricted, none
+maven/mavencentral/io.cucumber/html-formatter/21.3.0, unknown, restricted, none
+maven/mavencentral/io.cucumber/junit-xml-formatter/0.3.0, unknown, restricted, none
+maven/mavencentral/io.cucumber/messages/24.1.0, , restricted, clearlydefined
+maven/mavencentral/io.cucumber/tag-expressions/6.1.0, , restricted, clearlydefined
maven/mavencentral/io.github.classgraph/classgraph/4.8.149, MIT, approved, CQ22530
maven/mavencentral/io.github.resilience4j/resilience4j-annotations/2.1.0, Apache-2.0, approved, #10171
maven/mavencentral/io.github.resilience4j/resilience4j-bulkhead/2.1.0, Apache-2.0, approved, #10172
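Review bot: Eight of the new cucumber 7.16.1 rows are marked `restricted` (cucumber-core, cucumber-expressions, datatable, gherkin, html-formatter, junit-xml-formatter, messages, tag-expressions), and several of them carry `unknown` or an empty license column with `none` as source, whereas every 7.15.0 row they replace was `approved`. `restricted` in this file means the license check has not cleared those artifacts, so the committed list presumably fails the Dash gate and a security-motivated bump ends up blocked on IP review rather than on the CVE it was meant to close. Please either file the IP review requests and re-run the dash tool so the rows get an approval id like the neighbouring `#13863`, or keep `cucumber-bom` at 7.15.0 in this PR and move the cucumber bump to its own change once cleared. Note also that cucumber-core's license changed from `MIT AND (Apache-2.0 AND MIT)` to plain `MIT`, which is worth a glance at the artifact's NOTICE before relying on the new row.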
@@ -189,7 +191,7 @@ maven/mavencentral/org.apiguardian/apiguardian-api/1.1.2, Apache-2.0, approved,
maven/mavencentral/org.aspectj/aspectjweaver/1.9.21, Apache-2.0 AND BSD-3-Clause AND EPL-1.0 AND BSD-3-Clause AND Apache-1.1, approved, #7695
maven/mavencentral/org.assertj/assertj-core/3.24.2, Apache-2.0, approved, #6161
maven/mavencentral/org.attoparser/attoparser/2.0.7.RELEASE, Apache-2.0, approved, CQ18900
-maven/mavencentral/org.awaitility/awaitility/3.0.0, Apache-2.0, approved, #11042
+maven/mavencentral/org.awaitility/awaitility/4.2.1, Apache-2.0, approved, #14178
maven/mavencentral/org.bitbucket.b_c/jose4j/0.9.4, Apache-2.0, approved, #4707
maven/mavencentral/org.bouncycastle/bcpkix-jdk18on/1.76, MIT, approved, #9825
maven/mavencentral/org.bouncycastle/bcprov-jdk18on/1.76, MIT AND CC0-1.0, approved, #9827
@@ -321,7 +323,6 @@ maven/mavencentral/org.glassfish.jersey.media/jersey-media-multipart/3.1.3, EPL-
maven/mavencentral/org.glassfish.jersey.media/jersey-media-multipart/3.1.5, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jersey
maven/mavencentral/org.glassfish/jakarta.json/2.0.1, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jsonp
maven/mavencentral/org.hamcrest/hamcrest-core/2.2, BSD-3-Clause, approved, clearlydefined
-maven/mavencentral/org.hamcrest/hamcrest-library/2.2, BSD-3-Clause, approved, CQ22925
maven/mavencentral/org.hamcrest/hamcrest/2.2, BSD-3-Clause, approved, clearlydefined
maven/mavencentral/org.hdrhistogram/HdrHistogram/2.1.12, BSD-2-Clause OR LicenseRef-Public-Domain, approved, CQ13192
maven/mavencentral/org.hibernate.common/hibernate-commons-annotations/6.0.6.Final, LGPL-2.1-only, approved, #6962
@@ -356,7 +357,6 @@ maven/mavencentral/org.latencyutils/LatencyUtils/2.0.3, BSD-2-Clause, approved,
maven/mavencentral/org.mockito/mockito-core/5.7.0, MIT AND (Apache-2.0 AND MIT) AND Apache-2.0, approved, #11424
maven/mavencentral/org.mockito/mockito-junit-jupiter/5.7.0, MIT, approved, #11423
maven/mavencentral/org.mozilla/rhino/1.7.7.2, MPL-2.0 AND BSD-3-Clause AND ISC, approved, CQ16320
-maven/mavencentral/org.objenesis/objenesis/2.5.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.objenesis/objenesis/3.3, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.openapitools/jackson-databind-nullable/0.2.6, Apache-2.0, approved, #3294
maven/mavencentral/org.opentest4j/opentest4j/1.3.0, Apache-2.0, approved, #9713
@@ -370,7 +370,6 @@ maven/mavencentral/org.rnorth.duct-tape/duct-tape/1.0.8, MIT, approved, clearlyd
maven/mavencentral/org.skyscreamer/jsonassert/1.5.1, Apache-2.0, approved, clearlydefined
maven/mavencentral/org.slf4j/jul-to-slf4j/2.0.12, MIT, approved, #7698
maven/mavencentral/org.slf4j/slf4j-api/2.0.12, MIT, approved, #5915
-maven/mavencentral/org.slf4j/slf4j-api/2.0.7, MIT, approved, #5915
maven/mavencentral/org.springdoc/springdoc-openapi-starter-common/2.0.4, Apache-2.0, approved, #5920
maven/mavencentral/org.springdoc/springdoc-openapi-starter-webmvc-api/2.0.4, Apache-2.0, approved, #5950
maven/mavencentral/org.springdoc/springdoc-openapi-starter-webmvc-ui/2.0.4, Apache-2.0, approved, #5923
From 3d4dfcc8c4547c576e98e1d1a9a2e4b730e7a7e9 Mon Sep 17 00:00:00 2001
From: Martin Maul
Date: Fri, 12 Apr 2024 09:10:20 +0200
Subject: [PATCH 3/3] chore(security): xxx changelog
---
CHANGELOG.md | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 77395a931b..2e33c5b263 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,13 @@ _**For better traceability add the corresponding GitHub issue number in each cha
- #636 migrate to digital-twin-registry version 0.4.9 from 0.3.22
- #622 Added functionallity to edit existing notifications within CREATED state
- #602 use digitalTwinType instead of semanticId to determine asBuilt or asPlanned assets
+- bump ch.qos.logback:logback-core from 1.4.14 to 1.5.4
+- bump peaceiris/actions-gh-pages from 3.9.3 to 4.0.0
+- bump aquasecurity/trivy-action from 0.18.0 to 0.19.0
+- bump org.springframework.cloud:spring-cloud-dependencies from 2023.0.0 to 2023.0.1
+- bump org.awaitility:awaitility from 3.0.0 to 4.2.1
+- bump org.asciidoctor:asciidoctorj-diagram from 2.2.13 to 2.3.0
+- bump io.cucumber:cucumber-bom from 7.15.0 to 7.16.1
## [10.8.2 - 05.04.2024]
### Removed