DTSRD-3619 (#1117)

* - remedy for CVE-2024-22233 - gradle 8.10.2 - spring-boot 3.3.4 - typo * removed unused lib * moved fortify lib into own runtime config
hmcts · Oct 28, 2024 · 840194b · 840194b
1 parent 7117ef6
commit 840194b
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 5 deletions.
diff --git a/build.gradle b/build.gradle
@@ -19,7 +19,7 @@ plugins {
     id "info.solidsoft.pitest" version '1.15.0'
     id 'io.spring.dependency-management' version '1.1.6'
     id 'org.sonarqube' version '5.1.0.4882'
-    id 'org.springframework.boot' version '3.3.2'
+    id 'org.springframework.boot' version '3.3.4'
     id "org.flywaydb.flyway" version "9.22.3"
     id 'au.com.dius.pact' version '4.1.7'// do not change, otherwise serenity report fails
     id 'org.owasp.dependencycheck' version '10.0.3'
@@ -149,6 +149,14 @@ sourceSets {
         }
         resources.srcDir file('src/pactTest/resources')
     }
+    fortifyTest {
+        java {
+            compileClasspath += main.output
+            runtimeClasspath += main.output
+            srcDir file('src/Test/java')
+        }
+        resources.srcDir file('src/test/resources')
+    }
 }
 
 idea {
@@ -172,6 +180,8 @@ configurations {
     contractTestRuntimeOnly.extendsFrom testRuntime
     pactTestImplementation.extendsFrom testCompile
     pactTestRuntime.extendsFrom testRuntime
+    fortifyTestImplementation.extendsFrom testCompile
+    fortifyTestRuntimeOnly.extendsFrom testRuntime
     testCompile.exclude group: 'ch.qos.logback', module: 'logback-classic'
     testCompile.exclude group: 'ch.qos.logback', module: 'logback-core'
     compile.exclude group: 'ch.qos.logback', module: 'logback-classic'
@@ -271,7 +281,7 @@ task runProviderPactVerification(type: Test) {
 
 task fortifyScan(type: JavaExec)  {
   mainClass.set("uk.gov.hmcts.fortifyclient.FortifyClientMainApp")
-  classpath += sourceSets.test.runtimeClasspath
+  classpath += sourceSets.fortifyTest.runtimeClasspath
   jvmArgs = ['--add-opens=java.base/java.lang.reflect=ALL-UNNAMED']
   // This is a temporary fix to prevent the nightly build from failing if the Fortify scan detects issues
   ignoreExitValue = true
@@ -492,7 +502,8 @@ dependencies {
     testImplementation group: 'com.squareup.okhttp3', name: 'okhttp', version: '4.12.0'
 
     testImplementation group: 'com.github.mifmif', name: 'generex', version: '1.0.2'
-    testImplementation 'com.github.hmcts:fortify-client:1.4.3:all'
+
+    fortifyTestRuntimeOnly 'com.github.hmcts:fortify-client:1.4.3:all'
 
     contractTestImplementation group: 'au.com.dius.pact.provider', name: 'junit5', version: versions.pact_version
     contractTestImplementation group: 'au.com.dius.pact.provider', name: 'spring', version: versions.pact_version
@@ -541,6 +552,9 @@ dependencies {
 
     pactTestImplementation sourceSets.main.runtimeClasspath
     pactTestImplementation sourceSets.test.runtimeClasspath
+
+    fortifyTestImplementation sourceSets.main.runtimeClasspath
+    fortifyTestImplementation sourceSets.test.runtimeClasspath
 }
 
 rootProject.tasks.named("processFunctionalTestResources") {
@@ -606,6 +620,14 @@ configurations.all {
             details.useVersion versions.okio
         }
     }
+
+    resolutionStrategy.eachDependency { details ->
+        // Remedy for CVE-2024-22233 - remove once spring-boot transitively uses version >= 6.1.14
+        if (details.requested.group == 'org.springframework'
+                && (details.requested.version == '6.1.12' || details.requested.version == '6.1.13')) {
+            details.useVersion "6.1.14"
+        }
+    }
 }
 
 dependencies {
@@ -622,5 +644,5 @@ dependencies {
 // this is required to force Java running on the Azure Windows Server OS into using
 // UTF-8 as the default character set instead of windows-1252 which causes issues.
 // this setting only applies when running via gradle bootRun -- see web.config for the
-// java flag that configures the deployed appllications
+// java flag that configures the deployed applications
 applicationDefaultJvmArgs = ["-Dfile.encoding=UTF-8"]
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.9-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.10.2-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME