From bc5547d302a174fdcbac3bff6ab21f52d1e2503a Mon Sep 17 00:00:00 2001
From: Sergio del Amo
Date: Mon, 23 Dec 2024 11:40:12 +0100
Subject: [PATCH 1/7] logging 1.5.1
---
 gradle/libs.versions.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index df22ec196..94205b773 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -28,7 +28,7 @@ awaitility = '4.2.2'
 micronaut-grpc = "4.8.0"
 micronaut-jackson-xml = "4.5.0"
-micronaut-logging = "1.4.0"
+micronaut-logging = "1.5.1"
 micronaut-reactor = "3.6.0"
 micronaut-rxjava3 = "3.6.0"
 micronaut-serde = "2.13.0"
From d1a4860997c701dc3504dc596f97cf3259e4f18c Mon Sep 17 00:00:00 2001
From: Sergio del Amo
Date: Mon, 23 Dec 2024 11:45:49 +0100
Subject: [PATCH 2/7] use jetty verison defined in servlet
---
 gcp-function-http-test/build.gradle | 1 +
 gradle/libs.versions.toml | 3 +--
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/gcp-function-http-test/build.gradle b/gcp-function-http-test/build.gradle
index 44519f81b..1afbd5e65 100644
--- a/gcp-function-http-test/build.gradle
+++ b/gcp-function-http-test/build.gradle
@@ -8,6 +8,7 @@ dependencies {
 api(projects.micronautGcpFunctionHttp)
 implementation(mnServlet.micronaut.servlet.core)
+ implementation(platform(mnServlet.boms.jetty))
 implementation(libs.jetty.servlet)
 testAnnotationProcessor(mn.micronaut.inject.java)
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 94205b773..d91ce77d6 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -19,7 +19,6 @@ brave-propagation-stackdriver = "2.2.6"
 kotlin = '1.9.25'
 cloudevents-api = "2.5.0"
-jetty-servlet = "11.0.24"
 logback-json-classic = "0.1.5"
 zipkin-sender-stackdriver = "1.1.1"
 system-stubs-core = "2.1.7"
@@ -79,7 +78,7 @@ google-auth-library-credentials = { module = "com.google.auth:google-auth-librar
 grpc-auth = { module = "io.grpc:grpc-auth" }
 grpc-netty-shaded = { module = "io.grpc:grpc-netty-shaded" }
-jetty-servlet = { module = "org.eclipse.jetty:jetty-servlet", version.ref = "jetty-servlet" }
+jetty-servlet = { module = "org.eclipse.jetty:jetty-servlet" }
 kotlin-stdlib-jdk8 = { module = "org.jetbrains.kotlin:kotlin-stdlib-jdk8", version.ref = "kotlin" }
 kotlin-reflect = { module = "org.jetbrains.kotlin:kotlin-reflect", version.ref = "kotlin" }
 logback-json-classic = { module = "ch.qos.logback.contrib:logback-json-classic", version.ref = "logback-json-classic" }
From a210bdbec073895dec3ed3d325dac0f928fbcf2b Mon Sep 17 00:00:00 2001
From: Sergio del Amo
Date: Mon, 23 Dec 2024 11:40:26 +0100
Subject: [PATCH 3/7] apply sonatype scan gradle plugin
---
 buildSrc/build.gradle.kts | 1 +
 .../io.micronaut.build.internal.gcp-module.gradle | 13 +++++++++++++
 gradle/libs.versions.toml | 2 ++
 3 files changed, 16 insertions(+)
diff --git a/buildSrc/build.gradle.kts b/buildSrc/build.gradle.kts
index 0746372a2..b86acb5ee 100644
--- a/buildSrc/build.gradle.kts
+++ b/buildSrc/build.gradle.kts
@@ -11,4 +11,5 @@ dependencies {
 implementation(libs.gradle.micronaut)
 implementation(libs.kotlin.gradle.plugin)
 implementation(libs.kotlin.gradle.allopen)
+ implementation(libs.sonatype.scan)
 }
diff --git a/buildSrc/src/main/groovy/io.micronaut.build.internal.gcp-module.gradle b/buildSrc/src/main/groovy/io.micronaut.build.internal.gcp-module.gradle
index 68627e5f8..0a0b454b7 100644
--- a/buildSrc/src/main/groovy/io.micronaut.build.internal.gcp-module.gradle
+++ b/buildSrc/src/main/groovy/io.micronaut.build.internal.gcp-module.gradle
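Review bot: After this hunk the `jetty-servlet` alias carries no version at all, so every consumer of `libs.jetty.servlet` must import the Jetty BOM or dependency resolution fails with a missing-version error; the only consumer visible in this series is gcp-function-http-test, which does add `implementation(platform(mnServlet.boms.jetty))`, but I cannot see whether other modules reference the alias. A catalog comment would make the contract explicit for the next person who adds the dependency, e.g. `# version is supplied by the Jetty BOM (mnServlet.boms.jetty); consumers must import that platform`.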
@@ -1,4 +1,17 @@
 plugins {
 id("io.micronaut.build.internal.gcp-base")
 id("io.micronaut.build.internal.module")
+ id("org.sonatype.gradle.plugins.scan")
+}
+String ossIndexUsername = System.getenv("OSS_INDEX_USERNAME") ?: project.properties["ossIndexUsername"]
+String ossIndexPassword = System.getenv("OSS_INDEX_PASSWORD") ?: project.properties["ossIndexPassword"]
+boolean sonatypePluginConfigured = ossIndexUsername != null && ossIndexPassword != null
+if (sonatypePluginConfigured) {
+ossIndexAudit {
+ username = ossIndexUsername
+ password = ossIndexPassword
+ excludeCoordinates = [
+ "org.eclipse.jetty:jetty-http:11.0.24" // no version of Jetty 11 patched https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty/jetty-http
+ ]
+}
 }
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index d91ce77d6..06cafbe5d 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -37,6 +37,7 @@ micronaut-test = "4.5.0"
 micronaut-discovery = "4.5.0"
 micronaut-test-resources="2.7.0"
 micronaut-validation = "4.8.0"
+sonatype-scan = "2.8.3"
 # Micronaut
 micronaut-gradle-plugin = "4.4.4"
@@ -85,6 +86,7 @@ logback-json-classic = { module = "ch.qos.logback.contrib:logback-json-classic",
 zipkin-sender-stackdriver = { module = "io.zipkin.gcp:zipkin-sender-stackdriver", version.ref = "zipkin-sender-stackdriver" }
 awaitility = { module = 'org.awaitility:awaitility', version.ref = 'awaitility' }
 system-stubs-core = { module = "uk.org.webcompere:system-stubs-core", version.ref = "system-stubs-core" }
+sonatype-scan = { module = "org.sonatype.gradle.plugins:scan-gradle-plugin", version.ref = "sonatype-scan" }
 # Plugins
 gradle-micronaut = { module = "io.micronaut.gradle:micronaut-gradle-plugin", version.ref = "micronaut-gradle-plugin" }
From 3bfe7466e38bcd91ab88dc6eb23300de9c6e4c6d Mon Sep 17 00:00:00 2001
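Review bot: The `excludeCoordinates` entry suppresses every OSS Index finding for `org.eclipse.jetty:jetty-http:11.0.24`, not just the advisory the trailing comment refers to, so any new advisory published against that same version is hidden as well; if the plugin version pinned here supports `excludeVulnerabilityIds`, that is the narrower suppression, and in either case the comment should record when the "no patched version" claim was last verified, e.g. `// no version of Jetty 11 patched as of 2024-12, re-check before each release`. The threetenbp entry added in PATCH 5/7 has the same shape and needs the same treatment. Separately, when neither the environment variables nor the project properties are set, the whole `ossIndexAudit { }` block is skipped with no message, so a mis-named secret leaves the task unconfigured (as far as I can tell from here it may then run unauthenticated or not at all) while the build still reports green; an `else { logger.warn("OSS Index credentials not set; ossIndexAudit is not configured") }` would make that visible in the CI log.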
From: Sergio del Amo
Date: Mon, 23 Dec 2024 11:52:26 +0100
Subject: [PATCH 4/7] force version of logback classic from micronaut logging logback.json.classic still has a dependency to a vulnerable dependency
---
 gcp-logging/build.gradle.kts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/gcp-logging/build.gradle.kts b/gcp-logging/build.gradle.kts
index 57fdcf76c..82f70a0d3 100644
--- a/gcp-logging/build.gradle.kts
+++ b/gcp-logging/build.gradle.kts
@@ -5,7 +5,10 @@ plugins {
 dependencies {
 compileOnly(projects.micronautGcpTracing)
 api(projects.micronautGcpCommon)
- implementation(libs.logback.json.classic)
+ implementation(libs.logback.json.classic) {
+ exclude(group = "ch.qos.logback", module = "logback-classic")
+ }
+ implementation(mnLogging.logback.classic)
 implementation(mn.micronaut.json.core)
 testAnnotationProcessor(mn.micronaut.inject.java)
 testImplementation(mnTestResources.testcontainers.core)
From 2c148ccfb632042ed6d0fd04c9bd47cdea182187 Mon Sep 17 00:00:00 2001
From: Sergio del Amo
Date: Mon, 23 Dec 2024 11:52:35 +0100
Subject: [PATCH 5/7] add exclude coordinates
---
 .../main/groovy/io.micronaut.build.internal.gcp-module.gradle | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/buildSrc/src/main/groovy/io.micronaut.build.internal.gcp-module.gradle b/buildSrc/src/main/groovy/io.micronaut.build.internal.gcp-module.gradle
index 0a0b454b7..abd7184fb 100644
--- a/buildSrc/src/main/groovy/io.micronaut.build.internal.gcp-module.gradle
+++ b/buildSrc/src/main/groovy/io.micronaut.build.internal.gcp-module.gradle
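Review bot: The `exclude(group = "ch.qos.logback", module = "logback-classic")` plus the added `implementation(mnLogging.logback.classic)` carry no comment, and the commit message only says a "vulnerable dependency" is involved, so the next maintainer who sees a transitive exclusion on a logging library has no way to tell why it is there or when it can be dropped. Add the reason inline, e.g. `// logback-json-classic 0.1.5 pulls in an outdated logback-classic; exclude it and take the version managed by the micronaut-logging BOM instead`, and consider recording the advisory reference in the commit message or a tracking issue so the exclusion can be retired once logback-json-classic itself moves on.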
@@ -11,7 +11,8 @@ ossIndexAudit {
 username = ossIndexUsername
 password = ossIndexPassword
 excludeCoordinates = [
- "org.eclipse.jetty:jetty-http:11.0.24" // no version of Jetty 11 patched https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty/jetty-http
+ "org.eclipse.jetty:jetty-http:11.0.24", // no version of Jetty 11 patched https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty/jetty-http
+ "org.threeten:threetenbp:1.7.0", // no version patched https://ossindex.sonatype.org/component/pkg:maven/org.threeten/threetenbp
 ]
 }
 }
From ddc2a0df8302afbcb2cf46983fb4ee3e0dd70f04 Mon Sep 17 00:00:00 2001
From: Sergio del Amo
Date: Mon, 23 Dec 2024 12:40:56 +0100
Subject: [PATCH 6/7] sonatype scan
---
 .github/workflows/gradle.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
index 571e79a24..93e9389da 100644
--- a/.github/workflows/gradle.yml
+++ b/.github/workflows/gradle.yml
@@ -58,6 +58,11 @@ jobs:
 run: |
 [ -f ./setup.sh ] && ./setup.sh || [ ! -f ./setup.sh ]
+ - name: "🚔 Sonatype Scan"
+ id: sonatypescan
+ run: |
+ ./gradlew ossIndexAudit --no-parallel
+
 - name: "🛠 Build with Gradle"
 id: gradle
 run: |
From 95879935b47d5538d1cf7eaeaf26deb2059f8885 Mon Sep 17 00:00:00 2001
From: Sergio del Amo
Date: Tue, 7 Jan 2025 16:23:23 +0100
Subject: [PATCH 7/7] add env variables
---
 .github/workflows/gradle.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
index 93e9389da..9bebc3e30 100644
--- a/.github/workflows/gradle.yml
+++ b/.github/workflows/gradle.yml
@@ -30,6 +30,8 @@ jobs:
 PREDICTIVE_TEST_SELECTION: "${{ github.event_name == 'pull_request' && 'true' || 'false' }}"
 SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }}
+ OSS_INDEX_PASSWORD: ${{ secrets.OSS_INDEX_PASSWORD }}
 steps:
 # https://github.com/actions/virtual-environments/issues/709
 - name: "🗑 Free disk space"
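Review bot: On `pull_request` runs from forks GitHub does not expose repository secrets, so `OSS_INDEX_USERNAME` and `OSS_INDEX_PASSWORD` are set to empty strings here; combined with the credential gate added to gcp-module.gradle in PATCH 3/7, that means (as far as I can tell from this series) the audit is not configured on exactly the PRs most likely to bring in new third-party dependencies, while the "Sonatype Scan" step from PATCH 6/7 still completes successfully. Make the gap visible rather than silent: either skip the step with an explicit message when the variables are empty, e.g. `[ -n "$OSS_INDEX_USERNAME" ] || { echo "::warning::OSS Index credentials unavailable, audit skipped"; exit 0; }` at the top of the step's `run:`, or fail it on non-fork events where the secrets are expected to be present. Whether a missing credential should skip or fail is a policy choice, but it should be a deliberate one recorded in the workflow.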