From 1bb0f4dcb55d0620b0a7ad48db6a894047653239 Mon Sep 17 00:00:00 2001 From: "Rodriguez,Hector (IT EDP)" Date: Tue, 4 Feb 2025 14:08:47 +0100 Subject: [PATCH 01/14] Updated Spring version --- build.gradle | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index a1548945..96f91514 100644 --- a/build.gradle +++ b/build.gradle @@ -99,7 +99,10 @@ dependencies { implementation('org.springframework.security:spring-security-oauth2-core') implementation('org.springframework.security:spring-security-oauth2-client') implementation('org.springframework.security:spring-security-oauth2-jose') - implementation('org.springframework.security.oauth:spring-security-oauth2:2.5.0.RELEASE') + implementation('org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE') { + exclude(group: 'org.springframework', module: 'spring-beans') + } + implementation('org.springframework:spring-beans:5.3.18.RELEASE') implementation('io.fabric8:openshift-client:5.12.1') { exclude(group: 'org.slf4j', module: 'slf4j-api') From d2c5537428aa53bcaf4405f9407a35361a8d5233 Mon Sep 17 00:00:00 2001 From: "Rodriguez,Hector (IT EDP)" Date: Tue, 4 Feb 2025 14:14:15 +0100 Subject: [PATCH 02/14] Updated Spring version --- build.gradle | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/build.gradle b/build.gradle index 96f91514..988d8445 100644 --- a/build.gradle +++ b/build.gradle @@ -83,7 +83,7 @@ dependencies { implementation('org.springframework.boot:spring-boot-starter-mail') implementation('org.springframework.boot:spring-boot-starter-security') //security framework - implementation('org.springframework.boot:spring-boot-starter-thymeleaf') + implementation('org.springframework.boot:spring-boot-stgit pusharter-thymeleaf') //templating for frontend implementation('org.springframework.boot:spring-boot-starter-web') runtimeOnly('org.springframework.boot:spring-boot-devtools') 
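Review bot: Overriding only `spring-beans` to 5.3.18 while the Boot 2.4.1 BOM still manages spring-core, spring-context and spring-web at its own version leaves the application on a mixed Spring Framework set that the project does not test together; the CVE-2022-22965 fix belongs to the whole 5.3.18 train, so it should be raised through the Boot plugin or `ext['spring-framework.version'] = '5.3.18'` rather than by excluding and re-adding one artifact. `5.3.18.RELEASE` is also not a published coordinate — Spring Framework dropped the `.RELEASE` suffix with 5.3.0 — which is why the dependency resolution has to be corrected again in patch 02. The `dependencies {` block this hunk sits in starts and ends outside the hunk.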
@@ -102,9 +102,9 @@ dependencies { implementation('org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE') { exclude(group: 'org.springframework', module: 'spring-beans') } - implementation('org.springframework:spring-beans:5.3.18.RELEASE') + implementation('org.springframework:spring-beans:5.3.18') - implementation('io.fabric8:openshift-client:5.12.1') { + implementation('io.fabric8:openshift-client:5.12.1') {git exclude(group: 'org.slf4j', module: 'slf4j-api') exclude(group: 'org.slf4j', module: 'slf4j-log4j12') } From 1e1ff8cba6b9a51c19d8d79438b9225ab96b68af Mon Sep 17 00:00:00 2001 From: "Rodriguez,Hector (IT EDP)" Date: Tue, 4 Feb 2025 14:18:22 +0100 Subject: [PATCH 03/14] Fix file --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 988d8445..c6df0358 100644 --- a/build.gradle +++ b/build.gradle @@ -104,7 +104,7 @@ dependencies { } implementation('org.springframework:spring-beans:5.3.18') - implementation('io.fabric8:openshift-client:5.12.1') {git + implementation('io.fabric8:openshift-client:5.12.1') { exclude(group: 'org.slf4j', module: 'slf4j-api') exclude(group: 'org.slf4j', module: 'slf4j-log4j12') } From b6cdd6e40f2fe3ebd6e9b24e103f7af87e42dbd1 Mon Sep 17 00:00:00 2001 From: "Rodriguez,Hector (IT EDP)" Date: Tue, 4 Feb 2025 14:19:32 +0100 Subject: [PATCH 04/14] Fix file --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index c6df0358..c2171730 100644 --- a/build.gradle +++ b/build.gradle 
@@ -83,7 +83,7 @@ dependencies { implementation('org.springframework.boot:spring-boot-starter-mail') implementation('org.springframework.boot:spring-boot-starter-security') //security framework - implementation('org.springframework.boot:spring-boot-stgit pusharter-thymeleaf') + implementation('org.springframework.boot:spring-boot-starter-thymeleaf') //templating for frontend implementation('org.springframework.boot:spring-boot-starter-web') runtimeOnly('org.springframework.boot:spring-boot-devtools') From 8a1a669c38e147460263ecf42d926527799ad2da Mon Sep 17 00:00:00 2001 From: "Rodriguez,Hector (IT EDP)" Date: Tue, 4 Feb 2025 18:05:47 +0100 Subject: [PATCH 05/14] Updated versions --- build.gradle | 7 ++----- gradle/wrapper/gradle-wrapper.properties | 2 +- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/build.gradle b/build.gradle index c2171730..f984119f 100644 --- a/build.gradle +++ b/build.gradle @@ -19,7 +19,7 @@ buildscript { } plugins { - id 'org.springframework.boot' version '2.4.1' + id 'org.springframework.boot' version '2.5.12' id 'io.spring.dependency-management' version '1.0.10.RELEASE' id 'java' id 'maven-publish' @@ -99,10 +99,7 @@ dependencies { implementation('org.springframework.security:spring-security-oauth2-core') implementation('org.springframework.security:spring-security-oauth2-client') implementation('org.springframework.security:spring-security-oauth2-jose') - implementation('org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE') { - exclude(group: 'org.springframework', module: 'spring-beans') - } - implementation('org.springframework:spring-beans:5.3.18') + implementation('org.springframework.security.oauth:spring-security-oauth2:2.5.0.RELEASE') implementation('io.fabric8:openshift-client:5.12.1') { exclude(group: 'org.slf4j', module: 'slf4j-api') diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties index 4d9ca164..28ff446a 100644 
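Review bot: The replacement line `implementation('org.springframework.security.oauth:spring-security-oauth2:2.5.0.RELEASE')` steps back from the 2.5.2.RELEASE that patch 01 of this series chose, so the final tree ends on an older release of the legacy Spring Security OAuth library even though the commit's purpose is a CVE fix. As far as I recall 2.5.2 was that project's last release before end of life and closed CVE-2022-22969; keeping `2.5.2.RELEASE` costs nothing now that the `spring-beans` exclusion is gone and Boot 2.5.12 manages Spring Framework 5.3.18 itself. It is also worth recording in the PR that 2.5.12 is the first Boot 2.5.x with the CVE-2022-22965 fix but not the last 2.5.x release, and that the 2.5 line is out of OSS support, so this is a stopgap rather than a current baseline. The `dependencies {` block starts and ends outside the hunk.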
--- a/gradle/wrapper/gradle-wrapper.properties +++ b/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,5 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-6.7.1-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-6.8.1-bin.zip zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists From 1c3009035136a190f7636a3666fc32c1e43ef620 Mon Sep 17 00:00:00 2001 From: "Vazquez,Brais (IT EDP)" Date: Wed, 5 Feb 2025 09:08:35 +0100 Subject: [PATCH 06/14] Update Github actions version and add dependabot for updating them wekly --- .github/dependabot.yml | 13 +++++++++++++ .github/workflows/changelog-enforcer.yml | 4 ++-- .github/workflows/codeql-analysis.yml | 8 ++++---- .github/workflows/gradle.yml | 8 ++++---- 4 files changed, 23 insertions(+), 10 deletions(-) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..9c253b31 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,13 @@ +# Set update schedule for GitHub Actions + +version: 2 +updates: + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + # Check for updates to GitHub Actions every week + interval: "weekly" + labels: + - "dependencies" + - "skip changelog" \ No newline at end of file diff --git a/.github/workflows/changelog-enforcer.yml b/.github/workflows/changelog-enforcer.yml index 4ce32064..b701b2b4 100644 --- a/.github/workflows/changelog-enforcer.yml +++ b/.github/workflows/changelog-enforcer.yml @@ -8,8 +8,8 @@ jobs: changelog: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - uses: dangoslen/changelog-enforcer@v2 + - uses: actions/checkout@v4 + - uses: dangoslen/changelog-enforcer@v3 with: changeLogPath: 'CHANGELOG.md' skipLabels: 'skip changelog' diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index e72b952d..9d977073 100644 
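Review bot: The new `distributionUrl` still points at a zip that the wrapper downloads and runs without verifying it, because `gradle-wrapper.properties` carries no `distributionSha256Sum`; a tampered download anywhere between services.gradle.org and the CI runner would be accepted silently. Add `distributionSha256Sum=<sha256 of gradle-6.8.1-bin.zip>` beside the URL, taking the value from the `.sha256` file Gradle publishes next to the distribution rather than from a third-party source, so the fetch fails closed on a mismatch. Gradle 6.8.1 is also a 2021 release that is no longer maintained; whether the plugins in `build.gradle` tolerate a supported 7.x/8.x line is not visible from this diff.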
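Review bot: The new `.github/dependabot.yml` registers only the `github-actions` ecosystem, so the Gradle dependencies this same series had to hand-patch for CVE-2022-22965 — and the npm client that `gradle.yml` builds — get no automated update PRs. Adding `gradle` and `npm` entries means the next Spring or Node advisory arrives as a PR instead of another manual bump; the `/client` directory below is inferred from `cd client && npm run build:prod` in the workflow and should be checked. Dependabot also keeps commit-SHA pins current, which makes moving the workflows from floating major tags (`@v4`) to `uses: owner/action@<full-sha> # vX.Y.Z` practical.
```yaml
updates:
  # … unchanged: github-actions entry …
  - package-ecosystem: "gradle"
    directory: "/"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
  - package-ecosystem: "npm"
    directory: "/client"
    schedule:
      interval: "weekly"
    labels:
      - "dependencies"
```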
--- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -13,7 +13,7 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v4 with: # We must fetch at least the immediate parents so that if this is # a pull request then we can checkout the head. @@ -26,11 +26,11 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v1 + uses: github/codeql-action/init@v2 # Build - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: distribution: 'adopt' # See 'Supported distributions' for available options java-version: '11' @@ -39,4 +39,4 @@ jobs: NO_NEXUS: true - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@v2 diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml index f53a2244..fdd1a242 100644 --- a/.github/workflows/gradle.yml +++ b/.github/workflows/gradle.yml @@ -8,8 +8,8 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v1 - - uses: actions/setup-node@v1 + - uses: actions/checkout@v4 + - uses: actions/setup-node@v3 with: node-version: '12.x' - name: Install NPM @@ -17,7 +17,7 @@ jobs: - name: Build provisioning-app FE run: cd client && npm run build:prod - name: Set up JDK 11 - uses: actions/setup-java@v2 + uses: actions/setup-java@v3 with: distribution: 'adopt' # See 'Supported distributions' for available options java-version: '11' @@ -25,7 +25,7 @@ jobs: run: ./gradlew clean spotlessCheck build env: NO_NEXUS: true - - uses: actions/cache@v1 + - uses: actions/cache@v3 with: path: ~/.gradle/caches key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }} From 756299e486a603b1e0c7029cac4df6dca9cf881e Mon Sep 17 00:00:00 2001 
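Review bot: `github/codeql-action/init@v2` and `github/codeql-action/analyze@v2` are bumped to a major that GitHub has already deprecated in favour of v3 (v2 runs on Node 16 and, as far as I know, stopped receiving updates in early 2025), so this will need another bump almost immediately; `uses: github/codeql-action/init@v3` and `uses: github/codeql-action/analyze@v3` are drop-in replacements here. The `setup-java@v3` step keeps `distribution: 'adopt'`, which setup-java lists as deprecated since AdoptOpenJDK became Eclipse Temurin; `distribution: 'temurin'` is the supported equivalent. None of the bumped actions are pinned to a commit SHA, so every tag resolution is a trust decision on the action publisher — with Dependabot now watching actions, SHA pins with a version comment are cheap to maintain. The top of the workflow is outside the hunk; if it lacks a `permissions:` block, `contents: read` plus `security-events: write` is the least-privilege set CodeQL needs.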
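Review bot: The `actions/cache@v3` step is still placed after `./gradlew clean spotlessCheck build`, so the cache is restored only once Gradle has already downloaded everything and is saved in the post step; the build it is meant to speed up never benefits from it. Move the cache step ahead of the build (or use `gradle/actions/setup-gradle`, which handles restore and save itself) — a reorder, not new code. `setup-node@v3` with `node-version: '12.x'` keeps the front-end build on a Node line unsupported since 2022, which matters because it feeds the `npm` install and production bundle; presumably upgrading needs client-side changes, so at least track it. If the workflow has no top-level `permissions:` (not visible here), `permissions: contents: read` appears to be all this job needs.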
From: "Vazquez,Brais (IT EDP)" Date: Wed, 5 Feb 2025 09:49:44 +0100 Subject: [PATCH 07/14] added snapshot tag generation --- .github/workflows/push-image.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/push-image.sh b/.github/workflows/push-image.sh index 7ba19d6e..3e85e6f8 100755 --- a/.github/workflows/push-image.sh +++ b/.github/workflows/push-image.sh @@ -29,6 +29,8 @@ case $GIT_REF in DOCKERTAG="${GIT_REF/refs\/heads\//}" ;; refs/tags/v?(+([0-9]).)+([0-9]).*([0-9]) ) DOCKERTAG="${GIT_REF/refs\/tags\/v/}" ;; + refs/tags/v?(+([0-9]).)+([0-9]).*([0-9])-snapshot ) + DOCKERTAG='snapshot' ;; * ) DOCKERTAG='none' ;; esac From 143ffb7e638d784136384a5861fdf8fe6bcbba4d Mon Sep 17 00:00:00 2001 From: "Vazquez,Brais (IT EDP)" Date: Wed, 5 Feb 2025 09:51:06 +0100 Subject: [PATCH 08/14] changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 21d8ec50..2a51da7d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,8 @@ ## Unreleased +- Fix CVE 2022 22965 ([#754](https://github.com/opendevstack/ods-provisioning-app/pull/754)) + ### Changed ## [4.2.0] - 2023-11-02 From 1748a3413377030feaa9b4d2c8424d8303465e4d Mon Sep 17 00:00:00 2001 From: "Vazquez,Brais (IT EDP)" Date: Wed, 5 Feb 2025 13:38:28 +0100 Subject: [PATCH 09/14] updated base image to use redhat ubi and update OS package on build --- docker/Dockerfile | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 585d6743..d6052470 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,4 +1,11 @@ -FROM adoptopenjdk/openjdk11:ubi-jre +FROM registry.access.redhat.com/ubi9/openjdk-11 + +USER root + +RUN microdnf upgrade -y && \ + microdnf clean all + +USER 1001 COPY files/entrypoint.sh /usr/local/bin/ COPY app.jar app.jar From 9f25a13b8cb2b8947528c1bff599f1e0267010be Mon Sep 17 00:00:00 2001 
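Review bot: The new `refs/tags/v…-snapshot` case maps every pre-release tag to the same mutable `snapshot` image tag, so each push silently replaces the previous snapshot and nothing in the registry records which source tag produced it. Consider keeping the versioned form for this case too — `DOCKERTAG="${GIT_REF/refs\/tags\/v/}"` as in the release branch, with `snapshot` pushed as an additional tag — so consumers can pin by version or digest instead of trusting a moving tag. The pattern relies on extglob (`?(…)`, `+(…)`, `*(…)`), which must be enabled with `shopt -s extglob` before the `case` is parsed; that line and the rest of the `case` statement are outside the hunk, so I am assuming the existing release pattern already works the same way.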
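Review bot: `FROM registry.access.redhat.com/ubi9/openjdk-11` carries no tag or digest, so the build floats on whatever the registry's default tag resolves to, and the following `microdnf upgrade -y` then pulls in whatever package set exists at build time; together they make the image non-reproducible and leave no record of which base was scanned versus shipped. Pin the base by digest (`FROM registry.access.redhat.com/ubi9/openjdk-11:<tag>@sha256:…`) and bump that digest to pick up OS fixes, or if the blanket upgrade is kept, keep the digest pin so the package set is the only variable. `USER 1001` after the root section is the right shape; if I remember right Red Hat's openjdk images default to UID 185 and a different home directory, so anything in `entrypoint.sh` that assumed the old image's user or paths is worth re-checking. Note this change is reverted again in patch 12 of the series.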
From: "Vazquez,Brais (IT EDP)" Date: Wed, 5 Feb 2025 15:43:41 +0100 Subject: [PATCH 10/14] fix folder permision --- docker/Dockerfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index d6052470..163c1993 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -5,6 +5,9 @@ USER root RUN microdnf upgrade -y && \ microdnf clean all +RUN chown -c 1001:0 $JAVA_HOME/lib/security/cacerts \ + && chmod -c g+w $JAVA_HOME/lib/security/cacerts + USER 1001 COPY files/entrypoint.sh /usr/local/bin/ @@ -14,8 +17,6 @@ EXPOSE 8080 ENV CA_CERT none -RUN chmod g+w /opt/java/openjdk/lib/security/cacerts - VOLUME /opt/provision/history VOLUME /config VOLUME /opt/provision/ca_cert From 140b6c4dc9167066e2c68076b6670c969fe99144 Mon Sep 17 00:00:00 2001 From: "Vazquez,Brais (IT EDP)" Date: Wed, 5 Feb 2025 16:05:52 +0100 Subject: [PATCH 11/14] changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2a51da7d..d85929b1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ ## Unreleased -- Fix CVE 2022 22965 ([#754](https://github.com/opendevstack/ods-provisioning-app/pull/754)) +- Fix CVE 2022 22965, switch base image to UBI 9 ([#754](https://github.com/opendevstack/ods-provisioning-app/pull/754)) ### Changed From 1677e75511e4b6bf9a5129c98755a328baf487c5 Mon Sep 17 00:00:00 2001 From: "Vazquez,Brais (IT EDP)" Date: Thu, 6 Feb 2025 15:05:16 +0100 Subject: [PATCH 12/14] restore dockerfile --- docker/Dockerfile | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 163c1993..585d6743 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
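Review bot: `RUN chown -c 1001:0 $JAVA_HOME/lib/security/cacerts && chmod -c g+w $JAVA_HOME/lib/security/cacerts` makes the JVM's default trust store writable by the whole root group, and OpenShift arbitrary-UID pods run with GID 0, so any code executing in the container — a compromised dependency included — can add a trust anchor and make later TLS connections accept an attacker's certificate. Presumably this exists so `entrypoint.sh` can import the `CA_CERT` volume at startup; a safer shape is to import into a copy under a writable path (for example `/tmp/cacerts`) and start the JVM with `-Djavax.net.ssl.trustStore=/tmp/cacerts`, leaving the image's `cacerts` read-only. I cannot see `entrypoint.sh`, so the exact mechanism is inferred. The second hunk's removal of the old `chmod` on the `/opt/java/openjdk` path is consistent with the new base, and both hunks are reverted in patch 12 anyway.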
@@ -1,14 +1,4 @@ -FROM registry.access.redhat.com/ubi9/openjdk-11 - -USER root - -RUN microdnf upgrade -y && \ - microdnf clean all - -RUN chown -c 1001:0 $JAVA_HOME/lib/security/cacerts \ - && chmod -c g+w $JAVA_HOME/lib/security/cacerts - -USER 1001 +FROM adoptopenjdk/openjdk11:ubi-jre COPY files/entrypoint.sh /usr/local/bin/ COPY app.jar app.jar @@ -17,6 +7,8 @@ EXPOSE 8080 ENV CA_CERT none +RUN chmod g+w /opt/java/openjdk/lib/security/cacerts + VOLUME /opt/provision/history VOLUME /config VOLUME /opt/provision/ca_cert From 5d8afc8b9e0f80b69cc1e8cac2204895169f74e8 Mon Sep 17 00:00:00 2001 From: "Vazquez,Brais (IT EDP)" Date: Thu, 6 Feb 2025 15:09:07 +0100 Subject: [PATCH 13/14] changelog --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d85929b1..2a51da7d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ ## Unreleased -- Fix CVE 2022 22965, switch base image to UBI 9 ([#754](https://github.com/opendevstack/ods-provisioning-app/pull/754)) +- Fix CVE 2022 22965 ([#754](https://github.com/opendevstack/ods-provisioning-app/pull/754)) ### Changed From 16c7b4115af22494ac54c8073c5deb6689dba96f Mon Sep 17 00:00:00 2001 From: brais <26645694+BraisVQ@users.noreply.github.com> Date: Tue, 25 Mar 2025 09:11:25 +0100 Subject: [PATCH 14/14] Update CHANGELOG for release 4.3.0 --- CHANGELOG.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2a51da7d..25acd664 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,9 +2,12 @@ ## Unreleased -- Fix CVE 2022 22965 ([#754](https://github.com/opendevstack/ods-provisioning-app/pull/754)) -### Changed +## [4.3.0] - 2025-03-25 + +### Fixed + +- Fix CVE 2022 22965 ([#754](https://github.com/opendevstack/ods-provisioning-app/pull/754)) ## [4.2.0] - 2023-11-02
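Review bot: Restoring `FROM adoptopenjdk/openjdk11:ubi-jre` puts the release back on a Docker Hub image line that AdoptOpenJDK stopped publishing after the move to Eclipse Temurin in 2021, so neither the JRE nor the UBI layer under it receives security updates, and the tag is neither version- nor digest-pinned; the CHANGELOG entry "Fix CVE 2022 22965" therefore covers the Spring dependency only, not the runtime it ships in. `eclipse-temurin` publishes maintained Java 11 JRE images on UBI, and pinning whichever base is chosen with `@sha256:…` keeps the scanned image identical to the shipped one. The reinstated `RUN chmod g+w /opt/java/openjdk/lib/security/cacerts` also carries forward a trust store that any GID-0 process in the container can extend; if switching base images is off the table for this release, both points deserve a line in the changelog so 4.3.0 is not read as a complete remediation.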