added Snyk monitor and snyk clean up after PR closed/merged (#1646)

* added snyk monitor and clean up

* used jdk 11 and add options

* Update snyk-cli-scan.yml

added explicit mvn package prepare for snyk

* Update snyk-cli-scan.yml

* use jdk 8

* added .snyk.ignore.example and .snyk

* triggered by branch 4.x

* address a few high CVEs identified by snyk scan

* ignore graal-sdk CVE for now until we can move off java8

* clean up snyk yaml files

* JAVA-3050: Upgrade Netty 4.1.94 to address recent CVEs

osgi-tests/BundleOptions.java
- since netty-4.1.78, netty-handler additionally depends on netty-transport-native-unix-common so we need to pull that in when configuring pax exam

---------

Co-authored-by: weideng1 <[email protected]>
Co-authored-by: Henry Hughes <[email protected]>

.github/workflows/snyk-cli-scan.yml

@@ -0,0 +1,47 @@
+name: 🔬 Snyk cli SCA
+
+on:
+  push:
+    branches: [ 4.x ]
+  pull_request:
+    branches: [ 4.x ]
+  workflow_dispatch:
+
+env:
+  SNYK_SEVERITY_THRESHOLD_LEVEL: high
+
+jobs:
+  snyk-cli-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Git checkout
+        uses: actions/checkout@v3
+
+      - name: prepare for snyk scan
+        uses: datastax/shared-github-actions/actions/snyk-prepare@main
+
+      - name: Set up JDK 8
+        uses: actions/setup-java@v3
+        with:
+          distribution: 'temurin'
+          java-version: '8'
+          cache: maven
+
+      - name: run maven install prepare for snyk
+        run: |
+          mvn -B -V install -DskipTests -Dmaven.javadoc.skip=true
+
+      - name: snyk scan java
+        uses: datastax/shared-github-actions/actions/snyk-scan-java@main
+        with:
+          directories: .
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          SNYK_ORG_ID: ${{ secrets.SNYK_ORG_ID }}
+          extra-snyk-options: "-DskipTests -Dmaven.javadoc.skip=true"
+
+      - name: Snyk scan result
+        uses: datastax/shared-github-actions/actions/snyk-process-scan-results@main
+        with:
+          gh_repo_token: ${{ secrets.GITHUB_TOKEN }}
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+          SNYK_ORG_ID: ${{ secrets.SNYK_ORG_ID }}

.github/workflows/snyk-pr-cleanup.yml

@@ -0,0 +1,16 @@
+name: 🗑️ Snyk PR cleanup - merged/closed
+
+on:
+  pull_request:
+    types:
+      - closed
+    branches:
+      - snyk-monitor
+  workflow_dispatch:
+
+jobs:
+  snyk_project_cleanup_when_pr_closed:
+    uses: datastax/shared-github-actions/.github/workflows/snyk-pr-cleanup.yml@main
+    secrets:
+      snyk_token: ${{ secrets.SNYK_TOKEN }}
+      snyk_org_id: ${{ secrets.SNYK_ORG_ID }}

.snyk

@@ -0,0 +1,19 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.22.2
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  SNYK-JAVA-ORGGRAALVMSDK-2767964:
+    - '*':
+        reason: cannot upgrade to graal-sdk 22.1.0+ until we move off Java8, which is slated for later this year
+        expires: 2024-01-10T00:00:00.000Z
+        created: 2023-06-21T00:00:00.000Z
+  SNYK-JAVA-ORGGRAALVMSDK-2769618:
+    - '*':
+        reason: cannot upgrade to graal-sdk 22.1.0+ until we move off Java8, which is slated for later this year
+        expires: 2024-01-10T00:00:00.000Z
+        created: 2023-06-21T00:00:00.000Z
+  SNYK-JAVA-ORGGRAALVMSDK-5457933:
+    - '*':
+        reason: cannot upgrade to graal-sdk 22.1.0+ until we move off Java8, which is slated for later this year
+        expires: 2024-01-10T00:00:00.000Z
+        created: 2023-06-21T00:00:00.000Z

.snyk.ignore.example

@@ -0,0 +1,9 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.22.2
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  SNYK-PYTHON-URLLIB3-1533435:
+    - '*':
+        reason: state your ignore reason here
+        expires: 2030-01-01T00:00:00.000Z
+        created: 2022-03-21T00:00:00.000Z

osgi-tests/src/test/java/com/datastax/oss/driver/internal/osgi/support/BundleOptions.java

@@ -91,6 +91,7 @@ public static CompositeOption nettyBundles() {
             mavenBundle("io.netty", "netty-codec").versionAsInProject(),
             mavenBundle("io.netty", "netty-common").versionAsInProject(),
             mavenBundle("io.netty", "netty-transport").versionAsInProject(),
+            mavenBundle("io.netty", "netty-transport-native-unix-common").versionAsInProject(),
             mavenBundle("io.netty", "netty-resolver").versionAsInProject());
   }
 

pom.xml

@@ -47,21 +47,21 @@
     <config.version>1.4.1</config.version>
     <hdrhistogram.version>2.1.12</hdrhistogram.version>
     <metrics.version>4.1.18</metrics.version>
-    <netty.version>4.1.77.Final</netty.version>
+    <netty.version>4.1.94.Final</netty.version>
     <esri.version>1.2.1</esri.version>
     <!--
     When upgrading TinkerPop please upgrade the version matrix in
     manual/core/integration/README.md
     -->
-    <tinkerpop.version>3.5.3</tinkerpop.version>
+    <tinkerpop.version>3.5.6</tinkerpop.version>
     <slf4j.version>1.7.26</slf4j.version>
     <reactive-streams.version>1.0.3</reactive-streams.version>
-    <json.version>20210307</json.version>
+    <json.version>20230227</json.version>
     <jackson.version>2.13.2</jackson.version>
     <jackson-databind.version>2.13.2.2</jackson-databind.version>
     <legacy-jackson.version>1.9.12</legacy-jackson.version>
     <!-- optional dependencies -->
-    <snappy.version>1.1.7.3</snappy.version>
+    <snappy.version>1.1.10.1</snappy.version>
     <lz4.version>1.7.1</lz4.version>
     <!-- test dependencies -->
     <assertj.version>3.19.0</assertj.version>
@@ -73,7 +73,7 @@
     <pax-exam.version>4.13.4</pax-exam.version>
     <simulacron.version>0.11.0</simulacron.version>
     <jsr353-api.version>1.1.4</jsr353-api.version>
-    <jersey.version>2.28</jersey.version>
+    <jersey.version>2.31</jersey.version>
     <hk2.version>2.5.0</hk2.version>
     <jax-rs.version>2.1.1</jax-rs.version>
     <jsr353-ri.version>1.1.4</jsr353-ri.version>