diff --git a/CHANGELOG.md b/CHANGELOG.md
index af46883f..90391172 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,8 @@
 ## Unreleased
 ### Fixed
+- Fix Vuls (CVE-2023-44487 & CVE-2025-31650), update springboot and tomcat ([#763](https://github.com/opendevstack/ods-provisioning-app/pull/763))
+
 ## [4.4.0] - 2026-02-25
 ### Fixed
diff --git a/build.gradle b/build.gradle
index eb7674e3..4a2908a0 100644
--- a/build.gradle
+++ b/build.gradle
@@ -19,8 +19,8 @@ buildscript {
 }
 plugins {
- id 'org.springframework.boot' version '2.5.12'
- id 'io.spring.dependency-management' version '1.0.10.RELEASE'
+ id 'org.springframework.boot' version '2.7.18'
+ id 'io.spring.dependency-management' version '1.1.4'
 id 'java'
 id 'maven-publish'
 id 'jacoco'
@@ -33,6 +33,10 @@ group = 'prov'
 version = '0.0.1-SNAPSHOT'
 sourceCompatibility = 1.11
+// Override managed Tomcat version to address CVE-2025-31650 (fixed in 9.0.104)
+// Spring Boot 2.7.x uses Tomcat 9.x; 10.x/11.x require Spring Boot 3.x
+ext['tomcat.version'] = '9.0.104'
+
 repositories {
 if (!no_nexus) {
 println("INFO: using nexus repositories, because property no_nexus=$no_nexus and nexus_url=${nexus_url}")
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index 7f89c584..38d5c807 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -10,6 +10,10 @@ logging.level.org.opendevstack=DEBUG
 # NOTE: this path is for local environemrnt. Do not forget to set in production to a different path
 logging.file.path=./build/logs
+# Spring Boot 2.6+ disallows circular bean references by default.
+# Required for WebSecurityConfigurerAdapter-based security configuration.
+spring.main.allow-circular-references=true
+
 #server port
 server.port=8080
 server.error.include-stacktrace=never
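Review bot: The `ext['tomcat.version'] = '9.0.104'` override in the second build.gradle hunk pins Tomcat independently of the Spring Boot BOM, so a later Boot bump will keep resolving 9.0.104 unless someone remembers to revisit the line; the comment should say so. Spring Boot 2.7.18 is the last release of the 2.7 line, which has left OSS support, so every further Tomcat fix on this branch will need the same manual pin until the 3.x migration the comment mentions happens. Suggest extending the comment with `// NOTE: this pin bypasses the Boot BOM -- re-check it on every Spring Boot upgrade and drop it once the managed Tomcat is >= 9.0.104`. It is also worth confirming with `gradle dependencies --configuration runtimeClasspath` that tomcat-embed-core and tomcat-embed-websocket actually resolve to the pinned version, since the override only takes effect through the dependency-management plugin.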
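Review bot: `spring.main.allow-circular-references=true` re-enables circular references for the entire application context, not only for the security configuration the comment names, so a new bean cycle introduced anywhere later will no longer fail fast at startup. The comment should record that this is a stop-gap and which beans form the cycle (the security config is not visible in this diff), for example `# TEMPORARY: re-enables circular references globally; remove once the cycle in the security configuration is broken (e.g. @Lazy injection)`. Since `WebSecurityConfigurerAdapter` is deprecated in the Spring Security version bundled with Boot 2.7, that cycle will have to be resolved anyway before any move to Boot 3.x, so the flag is best treated as short-lived.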
diff --git a/src/test/java/org/opendevstack/provision/controller/ProjectApiControllerTest.java b/src/test/java/org/opendevstack/provision/controller/ProjectApiControllerTest.java
index 47183c30..2c7ac2f8 100644
--- a/src/test/java/org/opendevstack/provision/controller/ProjectApiControllerTest.java
+++ b/src/test/java/org/opendevstack/provision/controller/ProjectApiControllerTest.java
@@ -530,7 +530,7 @@ public void addProjectInLegacyFormatErrorsOut() throws Exception {
 @Test
 public void validateProjectWithProjectExists() throws Exception {
- when(jiraAdapter.projectKeyExists(isNotNull(String.class))).thenReturn(true);
+ when(jiraAdapter.projectKeyExists(isNotNull())).thenReturn(true);
 mockMvc
 .perform(
@@ -543,7 +543,7 @@ public void validateProjectWithProjectExists() throws Exception {
 @Test
 public void validateProjectWithProjectNotExists() throws Exception {
- when(jiraAdapter.projectKeyExists(isNotNull(String.class))).thenReturn(false);
+ when(jiraAdapter.projectKeyExists(isNotNull())).thenReturn(false);
 mockMvc
 .perform(
@@ -556,7 +556,7 @@ public void validateProjectWithProjectNotExists() throws Exception {
 @Test
 public void validateKeyWithKeyExists() throws Exception {
- when(jiraAdapter.projectKeyExists(isNotNull(String.class))).thenReturn(true);
+ when(jiraAdapter.projectKeyExists(isNotNull())).thenReturn(true);
 mockMvc
 .perform(
 get("/api/v2/project/key/validate")
@@ -568,7 +568,7 @@ public void validateKeyWithKeyExists() throws Exception {
 @Test
 public void validateKeyWithKeyNotExists() throws Exception {
- when(jiraAdapter.projectKeyExists(isNotNull(String.class))).thenReturn(false);
+ when(jiraAdapter.projectKeyExists(isNotNull())).thenReturn(false);
 mockMvc
 .perform(
@@ -581,7 +581,7 @@ public void validateKeyWithKeyNotExists() throws Exception {
 @Test
 public void generateKey() throws Exception {
- when(jiraAdapter.buildProjectKey(isNotNull(String.class))).thenReturn("PROJ");
+ when(jiraAdapter.buildProjectKey(isNotNull())).thenReturn("PROJ");
 mockMvc
 .perform(