catenax-ng · ds-jhartmann · Apr 10, 2024 · Apr 10, 2024 · Apr 10, 2024 · Apr 10, 2024
diff --git a/.config/.trivyignore b/.config/.trivyignore
@@ -1,8 +0,0 @@
-# Only relevant if UNWRAP_SINGLE_VALUE_ARRAYS is activated, which is not the case here.
-CVE-2022-42003
-
-# HttpInvokerServiceExporter is not loaded as a bean in the IRS.
-CVE-2016-1000027
-
-# Vulnerability method not in IRS codebase (Files.createTempDir from guava). https://github.com/google/guava/issues/2575
-CVE-2023-2976

diff --git a/DEPENDENCIES b/DEPENDENCIES
diff --git a/Dockerfile b/Dockerfile
@@ -51,14 +51,11 @@ RUN --mount=type=cache,target=/root/.m2 mvn -B clean package -pl :$BUILD_TARGET
 # Copy the jar and build image
 FROM eclipse-temurin:17-jre-alpine AS irs-api
 
-ARG UID=10000
-ARG GID=3000
-
 WORKDIR /app
 
 COPY --chmod=755 --from=maven /build/irs-api/target/irs-api-*-exec.jar app.jar
 
-USER ${UID}:${GID}
+USER 10000:3000
 
 ENTRYPOINT ["java", "-Djava.util.logging.config.file=./logging.properties", "-jar", "app.jar"]
 

diff --git a/irs-api/pom.xml b/irs-api/pom.xml
@@ -46,10 +46,6 @@
             <groupId>io.minio</groupId>
             <artifactId>minio</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.xerial.snappy</groupId>
-            <artifactId>snappy-java</artifactId>
-        </dependency>
         <dependency>
             <groupId>com.squareup.okhttp3</groupId>
             <artifactId>okhttp</artifactId>
@@ -100,8 +96,18 @@
                     <artifactId>json-smart</artifactId>
                     <groupId>net.minidev</groupId>
                 </exclusion>
+                <exclusion>
+                    <artifactId>nimbus-jose-jwt</artifactId>
+                    <groupId>com.nimbusds</groupId>
+                </exclusion>
             </exclusions>
         </dependency>
+        <!-- Update nimbus-jose-jwt manually to avoid vulnerability CVE-2023-52428; can be removed after Spring updates their dependency -->
+        <dependency>
+            <groupId>com.nimbusds</groupId>
+            <artifactId>nimbus-jose-jwt</artifactId>
+            <version>9.37.3</version>
+        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-security</artifactId>

diff --git a/irs-common/pom.xml b/irs-common/pom.xml
@@ -67,10 +67,6 @@
             <groupId>io.minio</groupId>
             <artifactId>minio</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.xerial.snappy</groupId>
-            <artifactId>snappy-java</artifactId>
-        </dependency>
         <dependency>
             <groupId>com.squareup.okio</groupId>
             <artifactId>okio-jvm</artifactId>

diff --git a/irs-policy-store/pom.xml b/irs-policy-store/pom.xml
@@ -38,10 +38,6 @@
             <groupId>io.minio</groupId>
             <artifactId>minio</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.xerial.snappy</groupId>
-            <artifactId>snappy-java</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-security</artifactId>

diff --git a/irs-testing/pom.xml b/irs-testing/pom.xml
@@ -103,6 +103,18 @@
         <dependency>
             <groupId>org.testcontainers</groupId>
             <artifactId>testcontainers</artifactId>
+            <exclusions>
+                <exclusion>
+                    <artifactId>commons-compress</artifactId>
+                    <groupId>org.apache.commons</groupId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <!-- Update commons-compress manually to avoid vulnerability CVE-2024-26308, CVE-2024-25710; can be removed after testcontainers updates their dependency -->
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-compress</artifactId>
+            <version>${commons-compress.version}</version>
         </dependency>
         <dependency>
             <groupId>org.testcontainers</groupId>

diff --git a/pom.xml b/pom.xml
@@ -80,31 +80,31 @@
         <springdoc.version>2.2.0</springdoc.version>
         <micrometer.version>1.11.4</micrometer.version>
         <datafaker.version>1.9.0</datafaker.version>
-        <json-unit-assertj.version>2.36.1</json-unit-assertj.version>
+        <json-unit-assertj.version>3.2.7</json-unit-assertj.version>
         <gatling.version>3.9.5</gatling.version>
         <resilience4j.version>2.1.0</resilience4j.version>
-        <minio.version>8.5.6</minio.version>
+        <minio.version>8.5.9</minio.version>
         <rest-assured.version>5.4.0</rest-assured.version>
         <awaitility.version>4.2.0</awaitility.version>
         <jsonassert.version>1.5.1</jsonassert.version>
         <junit-bom.version>5.9.2</junit-bom.version>
         <cucumber-bom.version>7.11.1</cucumber-bom.version>
         <snakeyaml.version>2.0</snakeyaml.version>
-        <commons-validator.version>1.7</commons-validator.version>
-        <swagger-annotations.version>2.2.16</swagger-annotations.version>
+        <commons-validator.version>1.8.0</commons-validator.version>
+        <swagger-annotations.version>2.2.18</swagger-annotations.version>
         <edc.version>0.2.1</edc.version>
         <okio-jvm.version>3.5.0</okio-jvm.version>
         <bc-jdk18on.version>1.76</bc-jdk18on.version>
-        <wiremock-standalone.version>3.3.1</wiremock-standalone.version>
-        <jsoup.version>1.16.1</jsoup.version>
+        <wiremock-standalone.version>3.5.2</wiremock-standalone.version>
+        <jsoup.version>1.17.2</jsoup.version>
         <jsonschemafriend.version>0.12.4</jsonschemafriend.version>
-        <commons-io.version>2.14.0</commons-io.version>
+        <commons-io.version>2.16.1</commons-io.version>
         <commons-lang3.version>3.12.0</commons-lang3.version>
-        <okhttp.version>4.10.0</okhttp.version>
+        <okhttp.version>4.12.0</okhttp.version>
         <jackson-databind.version>2.15.1</jackson-databind.version>
         <junit-jupiter-engine.version>5.9.2</junit-jupiter-engine.version>
-        <json-smart.version>2.4.10</json-smart.version>
-        <testcontainers-bom.version>1.19.1</testcontainers-bom.version>
+        <json-smart.version>2.5.1</json-smart.version>
+        <testcontainers-bom.version>1.19.7</testcontainers-bom.version>
 
         <!-- Plugins -->
         <findsecbugs-plugin.version>1.12.0</findsecbugs-plugin.version>
@@ -123,6 +123,7 @@
         <maven-gpg-plugin.version>3.1.0</maven-gpg-plugin.version>
         <license-tool-plugin.version>1.1.0</license-tool-plugin.version>
         <snappy-java.version>1.1.10.5</snappy-java.version>
+        <commons-compress.version>1.26.1</commons-compress.version>
     </properties>
 
     <dependencyManagement>
@@ -136,22 +137,6 @@
                 <groupId>io.minio</groupId>
                 <artifactId>minio</artifactId>
                 <version>${minio.version}</version>
-                <exclusions>
-                    <exclusion>
-                        <groupId>org.bouncycastle</groupId>
-                        <artifactId>bcprov-jdk15on</artifactId>
-                    </exclusion>
-                    <exclusion>
-                        <artifactId>snappy-java</artifactId>
-                        <groupId>org.xerial.snappy</groupId>
-                    </exclusion>
-                </exclusions>
-            </dependency>
-            <!-- Update snappy-java manually to avoid vulnerability CVE-2023-43642; can be removed after Minio updates their dependency -->
-            <dependency>
-                <groupId>org.xerial.snappy</groupId>
-                <artifactId>snappy-java</artifactId>
-                <version>${snappy-java.version}</version>
             </dependency>
         </dependencies>
     </dependencyManagement>