Merge pull request #30670 from gsmet/2.16.1-backports-1

2.16.1 backports 1

CONTRIBUTING.md

@@ -48,6 +48,7 @@ fixes, documentation, examples... But first, read this page (including the small
 * [Extensions](#extensions)
     + [Descriptions](#descriptions)
     + [Update dependencies to extensions](#update-dependencies-to-extensions)
+    + [Check security vulnerabilities](#check-security-vulnerabilities)
 * [The small print](#the-small-print)
 * [Frequently Asked Questions](#frequently-asked-questions)
 
@@ -694,6 +695,12 @@ were changed by the script.
 When removing an extension make sure to also remove all dependencies to it from all `pom.xml`. It's easy to miss this as
 long as the extension artifact is still present in your local Maven repository.
 
+### Check security vulnerabilities
+
+When adding a new extension or updating the dependencies of an existing one,
+it is recommended to run in the extension directory the [OWASP Dependency Check](https://jeremylong.github.io/DependencyCheck) with `mvn -Dowasp-check`
+so that known security vulnerabilities in the extension dependencies can be detected early.
+
 ## The small print
 
 This project is an open source project, please act responsibly, be nice, polite and enjoy!

bom/application/pom.xml

@@ -85,7 +85,7 @@
         <plexus-component-annotations.version>2.1.0</plexus-component-annotations.version>
         <graal-sdk.version>22.3.0</graal-sdk.version>
         <graal-svm.version>${graal-sdk.version}</graal-svm.version>
-        <gizmo.version>1.5.0.Final</gizmo.version>
+        <gizmo.version>1.6.0.Final</gizmo.version>
         <jackson-bom.version>2.14.1</jackson-bom.version>
         <commons-logging-jboss-logging.version>1.0.0.Final</commons-logging-jboss-logging.version>
         <commons-lang3.version>3.12.0</commons-lang3.version>
@@ -124,7 +124,7 @@
         <postgresql-jdbc.version>42.5.1</postgresql-jdbc.version>
         <mariadb-jdbc.version>3.1.1</mariadb-jdbc.version>
         <mysql-jdbc.version>8.0.30</mysql-jdbc.version>
-        <mssql-jdbc.version>11.2.0.jre11</mssql-jdbc.version>
+        <mssql-jdbc.version>11.2.3.jre11</mssql-jdbc.version>
         <adal4j.version>1.6.7</adal4j.version>
         <oracle-jdbc.version>21.5.0.0</oracle-jdbc.version>
         <derby-jdbc.version>10.14.2.0</derby-jdbc.version>
@@ -134,15 +134,15 @@
         <junit.jupiter.version>5.9.1</junit.jupiter.version>
         <junit-pioneer.version>1.5.0</junit-pioneer.version>
         <testng.version>6.14.2</testng.version>
-        <infinispan.version>14.0.5.Final</infinispan.version>
+        <infinispan.version>14.0.6.Final</infinispan.version>
         <infinispan.protostream.version>4.5.1.Final</infinispan.protostream.version>
         <caffeine.version>3.1.1</caffeine.version>
         <netty.version>4.1.86.Final</netty.version>
         <brotli4j.version>1.8.0</brotli4j.version>
         <reactive-streams.version>1.0.3</reactive-streams.version>
         <jboss-logging.version>3.5.0.Final</jboss-logging.version>
         <mutiny.version>1.8.0</mutiny.version>
-        <kafka3.version>3.3.1</kafka3.version>
+        <kafka3.version>3.3.2</kafka3.version>
         <lz4.version>1.8.0</lz4.version> <!-- dependency of the kafka-clients that could be overridden by other imported BOMs in the platform -->
         <snappy.version>1.1.8.4</snappy.version>
         <strimzi-test-container.version>0.100.0</strimzi-test-container.version>
@@ -181,7 +181,7 @@
         <jna.version>5.8.0</jna.version><!-- should satisfy both testcontainers and mongodb -->
         <antlr.version>4.10.1</antlr.version><!-- needs to align with same property in build-parent/pom.xml -->
         <quarkus-security.version>1.1.4.Final</quarkus-security.version>
-        <keycloak.version>20.0.2</keycloak.version>
+        <keycloak.version>20.0.3</keycloak.version>
         <logstash-gelf.version>1.15.0</logstash-gelf.version>
         <checker-qual.version>3.29.0</checker-qual.version>
         <error-prone-annotations.version>2.17.0</error-prone-annotations.version>

build-parent/pom.xml

@@ -101,7 +101,7 @@
 
         <!-- The image to use for tests that run Keycloak -->
         <!-- IMPORTANT: If this is changed you must also update bom/application/pom.xml and KeycloakBuildTimeConfig/DevServicesConfig in quarkus-oidc/deployment to match the version -->
-        <keycloak.version>20.0.2</keycloak.version>
+        <keycloak.version>20.0.3</keycloak.version>
         <keycloak.wildfly.version>19.0.3</keycloak.wildfly.version>
         <keycloak.docker.image>quay.io/keycloak/keycloak:${keycloak.version}</keycloak.docker.image>
         <keycloak.docker.legacy.image>quay.io/keycloak/keycloak:${keycloak.wildfly.version}-legacy</keycloak.docker.legacy.image>
@@ -176,6 +176,7 @@
 
         <!-- google cloud functions invoker-->
         <gcf-invoker.version>1.1.1</gcf-invoker.version>
+        <owasp-dependency-check-plugin.version>7.4.4</owasp-dependency-check-plugin.version>
     </properties>
 
     <dependencyManagement>
@@ -723,6 +724,17 @@
                         </execution>
                     </executions>
                 </plugin>
+                <plugin>
+                    <groupId>org.owasp</groupId>
+                    <artifactId>dependency-check-maven</artifactId>
+                    <version>${owasp-dependency-check-plugin.version}</version>
+                    <configuration>
+                        <!-- Disable Net Analyzer -->
+                        <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
+                        <nugetconfAnalyzerEnabled>false</nugetconfAnalyzerEnabled>
+                        <nuspecAnalyzerEnabled>false</nuspecAnalyzerEnabled>
+                    </configuration>
+                </plugin>
             </plugins>
         </pluginManagement>
     </build>
@@ -1239,7 +1251,17 @@
                 </plugins>
             </build>
         </profile>
-
+        <profile>
+            <id>owasp-check</id>
+            <activation>
+                <property>
+                    <name>owasp-check</name>
+                </property>
+            </activation>
+            <build>
+                <defaultGoal>dependency-check:check</defaultGoal>
+            </build>
+        </profile>
         <profile>
             <id>Windows</id>
             <activation>

core/deployment/src/main/java/io/quarkus/deployment/builditem/SuppressNonRuntimeConfigChangedWarningBuildItem.java

@@ -6,7 +6,7 @@
  * Allows extensions to suppress the runtime warning that Quarkus emits on startup when a non-runtime configuration
  * options is different at runtime than build time.
  * An example usage of this is when a user provides some test value in {@code application.properties}
- * for a build-time only property and only provides the actual value on the command line when building Quarkus.
+ * for a build-time only property and only provides the actual value on the command line when starting Quarkus.
  * In such a case we don't want the value set at build time to be revealed at runtime as it could be sensitive.
  */
 public final class SuppressNonRuntimeConfigChangedWarningBuildItem extends MultiBuildItem {

core/deployment/src/main/java/io/quarkus/deployment/configuration/BuildTimeConfigurationReader.java

@@ -876,33 +876,34 @@ private Converter<?> getConverter(SmallRyeConfig config, Field field, ConverterT
 
         /**
          * We collect all properties from eligible ConfigSources, because Config#getPropertyNames exclude the active
-         * profiled properties, meaning that the property is written in the default config source without the profile
-         * prefix. This may cause issues if we run with a different profile and fallback to defaults.
+         * profiled properties (the property name omits the active profile prefix). If we record properties as is, we
+         * can have an issue when running in a different profile from the one recorded. This list includes all available
+         * properties in all profiles (active or not), so it is safe to fall back to different default on another
+         * profile.
          * <br>
-         * We also filter the properties coming from the System with the registered roots, because we don't want to
+         * We also filter the properties coming from System or Env with the registered roots, because we don't want to
          * record properties set by the compiling JVM (or other properties that are only related to the build).
-         * <br>
-         * Properties coming from the Environment are ignored.
          */
         private Set<String> getAllProperties(final Set<String> registeredRoots) {
             Set<String> properties = new HashSet<>();
+            for (String property : config.getPropertyNames()) {
+                properties.add(property);
+            }
+
             for (ConfigSource configSource : config.getConfigSources()) {
-                // This is a BuildTimeSysPropConfigSource
-                if (configSource instanceof SysPropConfigSource) {
-                    for (String propertyName : configSource.getProperties().keySet()) {
-                        NameIterator ni = new NameIterator(propertyName);
+                if (configSource instanceof SysPropConfigSource || configSource instanceof EnvConfigSource) {
+                    for (String property : configSource.getPropertyNames()) {
+                        NameIterator ni = new NameIterator(property);
                         if (ni.hasNext() && PropertiesUtil.isPropertyInRoot(registeredRoots, ni)) {
-                            properties.add(propertyName);
+                            properties.add(property);
+                        } else {
+                            properties.remove(property);
                         }
                     }
                 } else {
-                    // The BuildTimeEnvConfigSource returns an empty Set
                     properties.addAll(configSource.getPropertyNames());
                 }
             }
-            for (String propertyName : config.getPropertyNames()) {
-                properties.add(propertyName);
-            }
             return properties;
         }
 

core/deployment/src/main/java/io/quarkus/deployment/ide/IdeProcessor.java

@@ -102,10 +102,10 @@ public EffectiveIdeBuildItem effectiveIde(LaunchModeBuildItem launchModeBuildIte
                             }
                         }
                     }
-                    if (matches.size() == 1) {
-                        result = matches.get(0);
-                    } else if (matches.size() == 0 && runningIdes.size() > 0) {
+                    if ((matches.size() == 0 && runningIdes.size() > 0)) {
                         result = runningIdes.iterator().next();
+                    } else if (matches.size() >= 1) {
+                        result = matches.get(0);
                     }
                 }
             }

core/deployment/src/main/java/io/quarkus/deployment/pkg/NativeConfig.java

@@ -213,7 +213,7 @@ public boolean isContainerBuild() {
      * The docker image to use to do the image build. It can be one of `graalvm`, `mandrel`, or the full image path, e.g.
      * {@code quay.io/quarkus/ubi-quarkus-mandrel-builder-image:22.3-java17}.
      */
-    @ConfigItem(defaultValue = "${platform.quarkus.native.builder-image}")
+    @ConfigItem(defaultValue = "${platform.quarkus.native.builder-image}", defaultValueDocumentation = "mandrel")
     public String builderImage;
 
     public String getEffectiveBuilderImage() {
@@ -241,11 +241,20 @@ public String getEffectiveBuilderImage() {
     public Optional<List<String>> containerRuntimeOptions;
 
     /**
-     * If the resulting image should allow VM introspection
+     * If the resulting image should allow VM introspection.
+     *
+     * @deprecated Use {@code quarkus.native.monitoring} instead.
      */
     @ConfigItem
+    @Deprecated
     public boolean enableVmInspection;
 
+    /**
+     * Enable monitoring options that allow the VM to be inspected at run time.
+     */
+    @ConfigItem
+    public Optional<List<MonitoringOption>> monitoring;
+
     /**
      * If full stack traces are enabled in the resulting image
      */
@@ -452,4 +461,11 @@ public static enum BuilderImageProvider {
         GRAALVM,
         MANDREL;
     }
+
+    public enum MonitoringOption {
+        HEAPDUMP,
+        JVMSTAT,
+        JFR,
+        ALL
+    }
 }

core/deployment/src/main/java/io/quarkus/deployment/pkg/steps/NativeImageBuildStep.java

@@ -14,6 +14,7 @@
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Objects;
 import java.util.Optional;
@@ -623,6 +624,7 @@ public Builder setNativeImageName(String nativeImageName) {
                 return this;
             }
 
+            @SuppressWarnings("deprecation")
             public NativeImageInvokerInfo build() {
                 List<String> nativeImageArgs = new ArrayList<>();
                 boolean enableSslNative = false;
@@ -824,6 +826,14 @@ public NativeImageInvokerInfo build() {
                 if (nativeConfig.enableVmInspection) {
                     nativeImageArgs.add("-H:+AllowVMInspection");
                 }
+
+                if (nativeConfig.monitoring.isPresent()) {
+                    List<NativeConfig.MonitoringOption> monitoringOptions = nativeConfig.monitoring.get();
+                    if (!monitoringOptions.isEmpty()) {
+                        nativeImageArgs.add("--enable-monitoring=" + monitoringOptions.stream()
+                                .map(o -> o.name().toLowerCase(Locale.ROOT)).collect(Collectors.joining(",")));
+                    }
+                }
                 if (nativeConfig.autoServiceLoaderRegistration) {
                     nativeImageArgs.add("-H:+UseServiceLoaderFeature");
                     //When enabling, at least print what exactly is being added: