fix(DockerFile): Fix trivy scan

eclipse-tractusx · Nov 17, 2023 · 0c85619 · 0c85619
1 parent 3533fdd
commit 0c85619
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 18 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -19,6 +19,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fix health check for trivy scan on docker image
 - Fix vulnerability find on spring security core 6.1.1
 - Fix vulnerability find on spring web flux 3.1.2
+- Fix vulnerability with exclusion of bouncycastle lib on spring security
+- Fix vulnerability find on owasp antisamy 1.7.3
 
 ### Added
 - Added docker registry workflow

diff --git a/DEPENDENCIES b/DEPENDENCIES
@@ -76,26 +76,25 @@ maven/mavencentral/org.apache.logging.log4j/log4j-to-slf4j/2.20.0, Apache-2.0, a
 maven/mavencentral/org.apache.tomcat.embed/tomcat-embed-core/10.1.15, Apache-2.0 AND (EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0) AND (CDDL-1.0 OR GPL-2.0-only WITH Classpath-exception-2.0) AND W3C AND CC0-1.0, approved, #5949
 maven/mavencentral/org.apache.tomcat.embed/tomcat-embed-el/10.1.15, Apache-2.0, approved, #6997
 maven/mavencentral/org.apache.tomcat.embed/tomcat-embed-websocket/10.1.15, Apache-2.0, approved, #7920
-maven/mavencentral/org.apache.xmlgraphics/batik-constants/1.16, Apache-2.0, approved, #4276
-maven/mavencentral/org.apache.xmlgraphics/batik-css/1.16, Apache-2.0, approved, #4289
-maven/mavencentral/org.apache.xmlgraphics/batik-i18n/1.16, Apache-2.0, approved, #4282
-maven/mavencentral/org.apache.xmlgraphics/batik-shared-resources/1.16, Apache-2.0, approved, #4290
-maven/mavencentral/org.apache.xmlgraphics/batik-util/1.16, Apache-2.0, approved, #4279
-maven/mavencentral/org.apache.xmlgraphics/xmlgraphics-commons/2.7, Apache-2.0, approved, #3367
+maven/mavencentral/org.apache.xmlgraphics/batik-constants/1.17, Apache-2.0, approved, #10158
+maven/mavencentral/org.apache.xmlgraphics/batik-css/1.17, Apache-2.0, approved, #10141
+maven/mavencentral/org.apache.xmlgraphics/batik-i18n/1.17, Apache-2.0, approved, #10154
+maven/mavencentral/org.apache.xmlgraphics/batik-shared-resources/1.17, Apache-2.0, approved, #10147
+maven/mavencentral/org.apache.xmlgraphics/batik-util/1.17, Apache-2.0, approved, #10150
+maven/mavencentral/org.apache.xmlgraphics/xmlgraphics-commons/2.9, Apache-2.0, approved, #10159
 maven/mavencentral/org.apiguardian/apiguardian-api/1.1.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.aspectj/aspectjweaver/1.9.20, EPL-1.0, approved, tools.aspectj
-maven/mavencentral/org.bouncycastle/bcpkix-jdk15on/1.69, MIT, approved, clearlydefined
-maven/mavencentral/org.bouncycastle/bcprov-jdk15on/1.69, MIT, approved, clearlydefined
-maven/mavencentral/org.bouncycastle/bcutil-jdk15on/1.69, MIT, approved, clearlydefined
+maven/mavencentral/org.bouncycastle/bcpkix-jdk18on/1.73, MIT, approved, #7892
+maven/mavencentral/org.bouncycastle/bcutil-jdk18on/1.73, MIT, approved, #7894
 maven/mavencentral/org.hibernate.orm/hibernate-core/6.2.6.Final, LGPL-2.1-only AND Apache-2.0 AND MIT AND CC-PDDC AND (EPL-2.0 OR BSD-3-Clause), approved, #9121
 maven/mavencentral/org.hibernate.validator/hibernate-validator/8.0.1.Final, Apache-2.0, approved, clearlydefined
-maven/mavencentral/org.htmlunit/neko-htmlunit/3.1.0, Apache-2.0, approved, clearlydefined
+maven/mavencentral/org.htmlunit/neko-htmlunit/3.6.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.jboss.logging/jboss-logging/3.5.3.Final, Apache-2.0, approved, #9471
 maven/mavencentral/org.liquibase/liquibase-core/4.23.0, Apache-2.0, approved, #9650
 maven/mavencentral/org.mapstruct/mapstruct/1.5.5.Final, Apache-2.0, approved, #6277
 maven/mavencentral/org.openapitools/jackson-databind-nullable/0.2.6, Apache-2.0, approved, #3294
 maven/mavencentral/org.ow2.asm/asm/9.3, BSD-3-Clause, approved, clearlydefined
-maven/mavencentral/org.owasp.antisamy/antisamy/1.7.3, BSD-3-Clause, approved, clearlydefined
+maven/mavencentral/org.owasp.antisamy/antisamy/1.7.4, BSD-3-Clause, approved, clearlydefined
 maven/mavencentral/org.owasp.esapi/esapi/2.5.2.0, BSD-3-Clause AND CC-BY-SA-3.0 AND LicenseRef-Public-Domain, approved, #6274
 maven/mavencentral/org.postgresql/postgresql/42.6.0, BSD-2-Clause AND Apache-2.0, approved, #9159
 maven/mavencentral/org.projectlombok/lombok/1.18.28, MIT AND LicenseRef-Public-Domain, approved, CQ23907
@@ -124,10 +123,10 @@ maven/mavencentral/org.springframework.boot/spring-boot-starter-web/3.1.5, Apach
 maven/mavencentral/org.springframework.boot/spring-boot-starter-webflux/3.1.5, Apache-2.0, approved, #9739
 maven/mavencentral/org.springframework.boot/spring-boot-starter/3.1.5, Apache-2.0, approved, #9349
 maven/mavencentral/org.springframework.boot/spring-boot/3.1.5, Apache-2.0, approved, #9352
-maven/mavencentral/org.springframework.cloud/spring-cloud-commons/4.0.3, Apache-2.0, approved, #7292
-maven/mavencentral/org.springframework.cloud/spring-cloud-context/4.0.3, Apache-2.0, approved, #7306
-maven/mavencentral/org.springframework.cloud/spring-cloud-starter-bootstrap/4.0.3, Apache-2.0, approved, clearlydefined
-maven/mavencentral/org.springframework.cloud/spring-cloud-starter/4.0.3, Apache-2.0, approved, #7299
+maven/mavencentral/org.springframework.cloud/spring-cloud-commons/4.0.4, Apache-2.0, approved, #7292
+maven/mavencentral/org.springframework.cloud/spring-cloud-context/4.0.4, Apache-2.0, approved, #7306
+maven/mavencentral/org.springframework.cloud/spring-cloud-starter-bootstrap/4.0.4, Apache-2.0, approved, clearlydefined
+maven/mavencentral/org.springframework.cloud/spring-cloud-starter/4.0.4, Apache-2.0, approved, #7299
 maven/mavencentral/org.springframework.data/spring-data-commons/3.1.5, Apache-2.0, approved, #8805
 maven/mavencentral/org.springframework.data/spring-data-jpa/3.1.5, Apache-2.0, approved, #9120
 maven/mavencentral/org.springframework.security.oauth/spring-security-oauth2/2.5.2.RELEASE, Apache-2.0, approved, clearlydefined
@@ -138,7 +137,7 @@ maven/mavencentral/org.springframework.security/spring-security-oauth2-client/6.
 maven/mavencentral/org.springframework.security/spring-security-oauth2-core/6.1.5, Apache-2.0, approved, #9741
 maven/mavencentral/org.springframework.security/spring-security-oauth2-jose/6.1.5, Apache-2.0, approved, #9345
 maven/mavencentral/org.springframework.security/spring-security-oauth2-resource-server/6.1.5, Apache-2.0, approved, #8798
-maven/mavencentral/org.springframework.security/spring-security-rsa/1.0.11.RELEASE, Apache-2.0, approved, CQ20647
+maven/mavencentral/org.springframework.security/spring-security-rsa/1.0.12.RELEASE, Apache-2.0, approved, CQ20647
 maven/mavencentral/org.springframework.security/spring-security-web/6.1.1, Apache-2.0, approved, #9800
 maven/mavencentral/org.springframework/spring-aop/6.0.13, Apache-2.0, approved, #5940
 maven/mavencentral/org.springframework/spring-aspects/6.0.13, Apache-2.0, approved, #5930

diff --git a/Dockerfile b/Dockerfile
@@ -27,7 +27,7 @@ RUN mvn clean package -DskipTests
 
 #CMD exec /bin/bash -c "trap : TERM INT; sleep infinity & wait"
 # Copy the jar and build image
-FROM eclipse-temurin:17-jre-alpine AS value-added-service
+FROM eclipse-temurin:21-jre-alpine AS value-added-service
 
 ARG UID=1000
 ARG GID=1000
@@ -40,6 +40,7 @@ WORKDIR /app
 
 COPY --chown=${UID}:${GID} --from=maven target/value-added-service-*.jar app.jar
 
+
 # Adding wget for the health check
 RUN apk --no-cache add wget
 

diff --git a/pom.xml b/pom.xml
@@ -41,7 +41,7 @@
         <spring-boot.version>3.1.5</spring-boot.version>
         <org.zalando.problem-spring-web>0.26.0</org.zalando.problem-spring-web>
         <org.springdoc.springdoc-openapi-ui>2.1.0</org.springdoc.springdoc-openapi-ui>
-        <org.springframework.cloud>4.0.3</org.springframework.cloud>
+        <org.springframework.cloud>4.0.4</org.springframework.cloud>
         <sonar.host.url>https://sonarcloud.io</sonar.host.url>
         <sonar.coverage.jacoco.xmlReportPaths>${project.reporting.outputDirectory}/target/jacoco-report/jacoco.xml
         </sonar.coverage.jacoco.xmlReportPaths>
@@ -71,6 +71,8 @@
         <spring-core-version>6.0.8</spring-core-version>
         <spring-security-core-version>6.1.5</spring-security-core-version>
         <springdoc-openapi-starter-webmvc-ui>2.1.0</springdoc-openapi-starter-webmvc-ui>
+        <org.owasp.antisamy>1.7.4</org.owasp.antisamy>
+        <io.projectreactor.netty>1.1.13</io.projectreactor.netty>
     </properties>
 
     <pluginRepositories>
@@ -120,6 +122,16 @@
                 <artifactId>spring-security-core</artifactId>
                 <version>${spring-security-core-version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.owasp.antisamy</groupId>
+                <artifactId>antisamy</artifactId>
+                <version>${org.owasp.antisamy}</version>
+            </dependency>
+            <dependency>
+                <groupId>io.projectreactor.netty</groupId>
+                <artifactId>reactor-netty-http</artifactId>
+                <version>${io.projectreactor.netty}</version>
+            </dependency>
         </dependencies>
 
     </dependencyManagement>
@@ -220,7 +232,14 @@
             <groupId>org.springframework.cloud</groupId>
             <artifactId>spring-cloud-starter-bootstrap</artifactId>
             <version>${org.springframework.cloud}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.bouncycastle</groupId>
+                    <artifactId>bcprov-jdk18on</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
+
         <dependency>
             <groupId>org.owasp.esapi</groupId>
             <artifactId>esapi</artifactId>