Merge pull request #82 from catenax-ng/vulnerability-fix

[fix|sde-backend] build image security vulnerability fix v2.3.3
eclipse-tractusx · Dec 6, 2023 · 79334b1 · 79334b1
2 parents 75307a6 + 4589f3e
commit 79334b1
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 4 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,9 +2,10 @@
 All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
-## [Unreleased] 
+## [2.3.3] - 2023-12-06
 ### Fixed
 - fixed veracode security in app CVE-2023-46589 and CVE-2023-34053 .
+- build base image version.
 
 ## [2.3.2] - 2023-12-01
 ### Fixed
@@ -256,7 +257,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 - Compliance with Catena-X Guidelines
 - Integration with Digital Twin registry service.
 
-[unreleased]: https://github.com/eclipse-tractusx/managed-simple-data-exchanger-backend/compare/v2.3.2...main
+[unreleased]: https://github.com/eclipse-tractusx/managed-simple-data-exchanger-backend/compare/v2.3.3...main
+[2.3.3]: https://github.com/eclipse-tractusx/managed-simple-data-exchanger-backend/compare/v2.3.2...v2.3.3
 [2.3.2]: https://github.com/eclipse-tractusx/managed-simple-data-exchanger-backend/compare/v2.3.1...v2.3.2
 [2.3.1]: https://github.com/eclipse-tractusx/managed-simple-data-exchanger-backend/compare/v2.3.0...v2.3.1
 [2.3.0]: https://github.com/eclipse-tractusx/managed-simple-data-exchanger-backend/compare/v2.2.0...v2.3.0

diff --git a/DEPENDENCIES b/DEPENDENCIES
@@ -150,7 +150,7 @@ maven/mavencentral/org.springframework/spring-orm/6.0.9, Apache-2.0, approved, #
 maven/mavencentral/org.springframework/spring-test/6.0.9, Apache-2.0, approved, #7003
 maven/mavencentral/org.springframework/spring-tx/6.0.9, Apache-2.0, approved, #5926
 maven/mavencentral/org.springframework/spring-web/6.0.14, Apache-2.0, approved, #5942
-maven/mavencentral/org.springframework/spring-webmvc/6.0.9, Apache-2.0, approved, #5944
+maven/mavencentral/org.springframework/spring-webmvc/6.0.14, Apache-2.0, approved, #5944
 maven/mavencentral/org.webjars/swagger-ui/4.15.5, Apache-2.0 AND MIT, approved, #5921
 maven/mavencentral/org.webjars/webjars-locator-core/0.52, MIT, approved, clearlydefined
 maven/mavencentral/org.xmlunit/xmlunit-core/2.9.1, Apache-2.0, approved, #6272

diff --git a/build/Dockerfile b/build/Dockerfile
@@ -18,7 +18,7 @@
 # SPDX-License-Identifier: Apache-2.0
 ################################################################################
 # our base build image
-FROM maven:3.9.0-eclipse-temurin-19 AS build
+FROM maven:3.9.5-eclipse-temurin-17 AS build
 
 # copy the project files
 COPY ../pom.xml ./pom.xml

diff --git a/pom.xml b/pom.xml
@@ -103,6 +103,10 @@
 					<groupId>org.springframework</groupId>
 					<artifactId>spring-web</artifactId>
 				</exclusion>
+				<exclusion>
+					<groupId>org.springframework</groupId>
+					<artifactId>spring-webmvc</artifactId>
+				</exclusion>
 			</exclusions>
 		</dependency>
 		<dependency>
@@ -115,6 +119,11 @@
 			<artifactId>spring-web</artifactId>
 			<version>6.0.14</version>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-webmvc</artifactId>
+			<version>6.0.14</version>
+		</dependency>
 		<dependency>
 			<groupId>ch.qos.logback</groupId>
 			<artifactId>logback-classic</artifactId>