From 6099b24d56414b140386868fddfefc357398e63b Mon Sep 17 00:00:00 2001
From: "fabio.d.mota"
Date: Tue, 14 Nov 2023 23:05:07 +0000
Subject: [PATCH] fix(DockerFile): Fix trivy scan
---
 CHANGELOG.md | 2 ++
 DEPENDENCIES | 31 +++++++++++++++----------------
 DOCKER_NOTICE.md | 2 +-
 Dockerfile | 6 ++----
 README.md | 6 +++---
 pom.xml | 21 ++++++++++++++++++++-
 6 files changed, 43 insertions(+), 25 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ee71939..84e18a3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fix health check for trivy scan on docker image
 - Fix vulnerability find on spring security core 6.1.1
 - Fix vulnerability find on spring web flux 3.1.2
+- Fix vulnerability with exclusion of bouncycastle lib on spring security
+- Fix vulnerability find on owasp antisamy 1.7.3
 ### Added
 - Added docker registry workflow
diff --git a/DEPENDENCIES b/DEPENDENCIES
index 11971ee..612400a 100644
--- a/DEPENDENCIES
+++ b/DEPENDENCIES
@@ -76,26 +76,25 @@ maven/mavencentral/org.apache.logging.log4j/log4j-to-slf4j/2.20.0, Apache-2.0, a
 maven/mavencentral/org.apache.tomcat.embed/tomcat-embed-core/10.1.15, Apache-2.0 AND (EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0) AND (CDDL-1.0 OR GPL-2.0-only WITH Classpath-exception-2.0) AND W3C AND CC0-1.0, approved, #5949
 maven/mavencentral/org.apache.tomcat.embed/tomcat-embed-el/10.1.15, Apache-2.0, approved, #6997
 maven/mavencentral/org.apache.tomcat.embed/tomcat-embed-websocket/10.1.15, Apache-2.0, approved, #7920
-maven/mavencentral/org.apache.xmlgraphics/batik-constants/1.16, Apache-2.0, approved, #4276
-maven/mavencentral/org.apache.xmlgraphics/batik-css/1.16, Apache-2.0, approved, #4289
-maven/mavencentral/org.apache.xmlgraphics/batik-i18n/1.16, Apache-2.0, approved, #4282
-maven/mavencentral/org.apache.xmlgraphics/batik-shared-resources/1.16, Apache-2.0, approved, #4290
-maven/mavencentral/org.apache.xmlgraphics/batik-util/1.16, Apache-2.0, approved, #4279
-maven/mavencentral/org.apache.xmlgraphics/xmlgraphics-commons/2.7, Apache-2.0, approved, #3367
+maven/mavencentral/org.apache.xmlgraphics/batik-constants/1.17, Apache-2.0, approved, #10158
+maven/mavencentral/org.apache.xmlgraphics/batik-css/1.17, Apache-2.0, approved, #10141
+maven/mavencentral/org.apache.xmlgraphics/batik-i18n/1.17, Apache-2.0, approved, #10154
+maven/mavencentral/org.apache.xmlgraphics/batik-shared-resources/1.17, Apache-2.0, approved, #10147
+maven/mavencentral/org.apache.xmlgraphics/batik-util/1.17, Apache-2.0, approved, #10150
+maven/mavencentral/org.apache.xmlgraphics/xmlgraphics-commons/2.9, Apache-2.0, approved, #10159
 maven/mavencentral/org.apiguardian/apiguardian-api/1.1.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.aspectj/aspectjweaver/1.9.20, EPL-1.0, approved, tools.aspectj
-maven/mavencentral/org.bouncycastle/bcpkix-jdk15on/1.69, MIT, approved, clearlydefined
-maven/mavencentral/org.bouncycastle/bcprov-jdk15on/1.69, MIT, approved, clearlydefined
-maven/mavencentral/org.bouncycastle/bcutil-jdk15on/1.69, MIT, approved, clearlydefined
+maven/mavencentral/org.bouncycastle/bcpkix-jdk18on/1.73, MIT, approved, #7892
+maven/mavencentral/org.bouncycastle/bcutil-jdk18on/1.73, MIT, approved, #7894
 maven/mavencentral/org.hibernate.orm/hibernate-core/6.2.6.Final, LGPL-2.1-only AND Apache-2.0 AND MIT AND CC-PDDC AND (EPL-2.0 OR BSD-3-Clause), approved, #9121
 maven/mavencentral/org.hibernate.validator/hibernate-validator/8.0.1.Final, Apache-2.0, approved, clearlydefined
-maven/mavencentral/org.htmlunit/neko-htmlunit/3.1.0, Apache-2.0, approved, clearlydefined
+maven/mavencentral/org.htmlunit/neko-htmlunit/3.6.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.jboss.logging/jboss-logging/3.5.3.Final, Apache-2.0, approved, #9471
 maven/mavencentral/org.liquibase/liquibase-core/4.23.0, Apache-2.0, approved, #9650
 maven/mavencentral/org.mapstruct/mapstruct/1.5.5.Final, Apache-2.0, approved, #6277
 maven/mavencentral/org.openapitools/jackson-databind-nullable/0.2.6, Apache-2.0, approved, #3294
 maven/mavencentral/org.ow2.asm/asm/9.3, BSD-3-Clause, approved, clearlydefined
-maven/mavencentral/org.owasp.antisamy/antisamy/1.7.3, BSD-3-Clause, approved, clearlydefined
+maven/mavencentral/org.owasp.antisamy/antisamy/1.7.4, BSD-3-Clause, approved, clearlydefined
 maven/mavencentral/org.owasp.esapi/esapi/2.5.2.0, BSD-3-Clause AND CC-BY-SA-3.0 AND LicenseRef-Public-Domain, approved, #6274
 maven/mavencentral/org.postgresql/postgresql/42.6.0, BSD-2-Clause AND Apache-2.0, approved, #9159
 maven/mavencentral/org.projectlombok/lombok/1.18.28, MIT AND LicenseRef-Public-Domain, approved, CQ23907
@@ -124,10 +123,10 @@ maven/mavencentral/org.springframework.boot/spring-boot-starter-web/3.1.5, Apach
 maven/mavencentral/org.springframework.boot/spring-boot-starter-webflux/3.1.5, Apache-2.0, approved, #9739
 maven/mavencentral/org.springframework.boot/spring-boot-starter/3.1.5, Apache-2.0, approved, #9349
 maven/mavencentral/org.springframework.boot/spring-boot/3.1.5, Apache-2.0, approved, #9352
-maven/mavencentral/org.springframework.cloud/spring-cloud-commons/4.0.3, Apache-2.0, approved, #7292
-maven/mavencentral/org.springframework.cloud/spring-cloud-context/4.0.3, Apache-2.0, approved, #7306
-maven/mavencentral/org.springframework.cloud/spring-cloud-starter-bootstrap/4.0.3, Apache-2.0, approved, clearlydefined
-maven/mavencentral/org.springframework.cloud/spring-cloud-starter/4.0.3, Apache-2.0, approved, #7299
+maven/mavencentral/org.springframework.cloud/spring-cloud-commons/4.0.4, Apache-2.0, approved, #7292
+maven/mavencentral/org.springframework.cloud/spring-cloud-context/4.0.4, Apache-2.0, approved, #7306
+maven/mavencentral/org.springframework.cloud/spring-cloud-starter-bootstrap/4.0.4, Apache-2.0, approved, clearlydefined
+maven/mavencentral/org.springframework.cloud/spring-cloud-starter/4.0.4, Apache-2.0, approved, #7299
 maven/mavencentral/org.springframework.data/spring-data-commons/3.1.5, Apache-2.0, approved, #8805
 maven/mavencentral/org.springframework.data/spring-data-jpa/3.1.5, Apache-2.0, approved, #9120
 maven/mavencentral/org.springframework.security.oauth/spring-security-oauth2/2.5.2.RELEASE, Apache-2.0, approved, clearlydefined
@@ -138,7 +137,7 @@ maven/mavencentral/org.springframework.security/spring-security-oauth2-client/6.
 maven/mavencentral/org.springframework.security/spring-security-oauth2-core/6.1.5, Apache-2.0, approved, #9741
 maven/mavencentral/org.springframework.security/spring-security-oauth2-jose/6.1.5, Apache-2.0, approved, #9345
 maven/mavencentral/org.springframework.security/spring-security-oauth2-resource-server/6.1.5, Apache-2.0, approved, #8798
-maven/mavencentral/org.springframework.security/spring-security-rsa/1.0.11.RELEASE, Apache-2.0, approved, CQ20647
+maven/mavencentral/org.springframework.security/spring-security-rsa/1.0.12.RELEASE, Apache-2.0, approved, CQ20647
 maven/mavencentral/org.springframework.security/spring-security-web/6.1.1, Apache-2.0, approved, #9800
 maven/mavencentral/org.springframework/spring-aop/6.0.13, Apache-2.0, approved, #5940
 maven/mavencentral/org.springframework/spring-aspects/6.0.13, Apache-2.0, approved, #5930
diff --git a/DOCKER_NOTICE.md b/DOCKER_NOTICE.md
index 0bf2339..5f98e4d 100644
--- a/DOCKER_NOTICE.md
+++ b/DOCKER_NOTICE.md
@@ -13,7 +13,7 @@ Eclipse Tractus-X product(s) installed within the image:
 **Used base image**
-- [eclipse-temurin:17-jre-alpine](https://github.com/adoptium/containers)
+- [eclipse-temurin:21-jre-alpine](https://github.com/adoptium/containers)
 - Official Eclipse Temurin DockerHub page: https://hub.docker.com/_/eclipse-temurin
 - Eclipse Temurin Project: https://projects.eclipse.org/projects/adoptium.temurin
 - Additional information about the Eclipse Temurin images: https://github.com/docker-library/repo-info/tree/master/repos/eclipse-temurin
diff --git a/Dockerfile b/Dockerfile
index 8198b7d..cd40c18 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -27,7 +27,7 @@ RUN mvn clean package -DskipTests
 #CMD exec /bin/bash -c "trap : TERM INT; sleep infinity & wait"
 # Copy the jar and build image
-FROM eclipse-temurin:17-jre-alpine AS value-added-service
+FROM eclipse-temurin:21-jre-alpine AS value-added-service
 ARG UID=1000
 ARG GID=1000
@@ -40,14 +40,12 @@ WORKDIR /app
 COPY --chown=${UID}:${GID} --from=maven target/value-added-service-*.jar app.jar
-# Adding wget for the health check
-RUN apk --no-cache add wget
 USER ${UID}:${GID}
 # Health check instruction
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
- CMD wget --quiet --tries=1 --spider http://localhost:8080/actuator/health || exit 1
+ CMD curl -f http://localhost:8080/actuator/health || exit 1
 # set the startup command to run your binary
 CMD ["java", "-jar", "./app.jar"]
diff --git a/README.md b/README.md
index 49e3e80..c1c9090 100644
--- a/README.md
+++ b/README.md
@@ -24,12 +24,12 @@ You can find the leading repository with all deploy and info on [value added ser
 ## Container images
 This application provides container images for demonstration purposes.
-The base image used, to build this demo application image is `eclipse-temurin:17-jre-alpine`
+The base image used, to build this demo application image is `eclipse-temurin:21-jre-alpine`
 Docker Hub:
 * [eclipse-temurin](https://hub.docker.com/_/eclipse-temurin)
-* [17-jre-alpine](https://hub.docker.com/layers/library/eclipse-temurin/17-jre-alpine/images/sha256-02c04793fa49ad5cd193c961403223755f9209a67894622e05438598b32f210e?context=explore)
+* [21-jre-alpine](https://hub.docker.com/layers/library/eclipse-temurin/21-jre-alpine/images/sha256-02c04793fa49ad5cd193c961403223755f9209a67894622e05438598b32f210e?context=explore)
 Source:
@@ -51,7 +51,7 @@ Source:
 ### Prerequisites
-* JDK 17
+* JDK 21
 * Maven 'Spring Boot is compatible with Apache Maven 3.5 or above'
 ### Profile Configurations
diff --git a/pom.xml b/pom.xml
index 30f1f26..787a9a4 100644
--- a/pom.xml
+++ b/pom.xml
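Review bot: The HEALTHCHECK now depends on `curl`, but the same hunk removes the only `apk add` in the runtime stage and nothing installs curl, so unless eclipse-temurin:21-jre-alpine ships it (I don't believe the Alpine Temurin images do; check with `docker run --rm eclipse-temurin:21-jre-alpine which curl`) every probe exits non-zero and the container is reported unhealthy after three retries. Either install it before the `USER` line with `RUN apk --no-cache add curl`, or rely on the busybox wget that Alpine already provides, `CMD wget -q --spider http://localhost:8080/actuator/health || exit 1`, which avoids adding any package to the final stage (presumably the added wget package is what the trivy scan flagged). While the `FROM` line is being changed, pinning it by digest (`eclipse-temurin:21-jre-alpine@sha256:<digest of the scanned image>`) would make the scan result reproducible. Separately, the README hunk on this line keeps the sha256 digest from the 17-jre-alpine link under the new 21-jre-alpine tag; that digest should be re-resolved for the new tag rather than carried over.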
@@ -41,7 +41,7 @@ 3.1.5 0.26.0 2.1.0 - 4.0.3 + 4.0.4 https://sonarcloud.io ${project.reporting.outputDirectory}/target/jacoco-report/jacoco.xml @@ -71,6 +71,8 @@ 6.0.8 6.1.5 2.1.0 + 1.7.4 + 1.1.13 @@ -120,6 +122,16 @@ spring-security-core ${spring-security-core-version} + + org.owasp.antisamy + antisamy + ${org.owasp.antisamy} + + + io.projectreactor.netty + reactor-netty-http + ${io.projectreactor.netty} + @@ -220,7 +232,14 @@ org.springframework.cloud spring-cloud-starter-bootstrap ${org.springframework.cloud} + + + org.bouncycastle + bcprov-jdk18on + + + org.owasp.esapi esapi
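Review bot: Excluding bcprov-jdk18on from spring-cloud-starter-bootstrap (last hunk) removes the provider jar from the build but not its consumers: the DEPENDENCIES hunk in this commit still lists bcpkix-jdk18on/1.73 and bcutil-jdk18on/1.73, and both need bcprov classes at runtime, so whatever pulls them in (presumably spring-security-rsa, bumped to 1.0.12.RELEASE here, for encrypted-property decryption) will fail with NoClassDefFoundError the first time that path runs instead of being fixed. A scanner finding on a transitive library is better addressed by pinning a patched release in `<dependencyManagement>`, keeping bcprov, bcpkix and bcutil at the same version, and confirming the resolved graph with `mvn dependency:tree`; if the project genuinely never exercises that code, the exclusion should also cover bcpkix/bcutil and carry a comment saying why. The same applies to reactor-netty-http being added as a direct dependency only to override the managed version: a `<dependencyManagement>` entry or overriding Spring Boot's `reactor-bom.version` property keeps every reactor-netty module aligned rather than just one. The XML markup of these hunks is stripped in the rendered page, so the exact placement of the new elements is inferred.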