Security rem 3.0 kwa 1579

Author: iankrintz

.circleci/config.yml

@@ -15,7 +15,7 @@ defaultsWithElasticsearch: &defaultsWithElasticsearch
     - GRADLE_USER_HOME: /home/circleci/repo/.gradle_home
   docker:
     - image: circleci/openjdk:11-jdk # primary container to issue gradle commands from
-    - image: docker.elastic.co/elasticsearch/elasticsearch:7.17.5
+    - image: docker.elastic.co/elasticsearch/elasticsearch:7.17.9
       environment:
         - cluster.name: elasticsearch-test
         - xpack.security.enabled: false

build.gradle.kts

@@ -52,7 +52,7 @@ plugins {
     // https://docs.spring.io/spring-boot/docs/current/gradle-plugin/reference/html/
     // - A Gradle plugin that allows you to package executable jar or war archives,
     //   run Spring Boot applications, and use the dependency management provided by spring-boot-dependencies
-    id("org.springframework.boot").version("2.7.0").apply(false)
+    id("org.springframework.boot").version("2.7.9").apply(false)
 
     // Gogradle plugin
     // https://github.com/gogradle/gogradle
@@ -301,6 +301,20 @@ subprojects {
                     }
                 }
 
+                if (requested.group == "org.yaml" && requested.name == "snakeyaml") {
+                    if(requested.version!! < "1.33") {
+                        useVersion(Versions.SNAKE_YAML)
+                        because("multiple CVEs for versions < 1.33")
+                    }
+                }
+
+                if (requested.group == "org.apache.httpcomponents" && requested.name == "httpclient") {
+                    if(requested.version!! < "4.5.14") {
+                        useVersion("4.5.14")
+                        because("multiple CVEs for versions < 4.5.13")
+                    }
+                }
+
                 if (requested.group == "org.apache.avro" && requested.name == "avro") {
                     if(requested.version!! < "2.0") {
                         useVersion(Versions.AVRO)

buildSrc/src/main/kotlin/utils.kt

@@ -21,15 +21,15 @@ object Versions {
     const val NODE: String = "14.17.0"
     const val NPM: String = "8.4.1"
 
-    const val ELASTIC: String = "7.17.5"
-    const val CONFLUENT: String = "7.1.5"
+    const val ELASTIC: String = "7.17.9"
+    const val CONFLUENT: String = "7.3.2"
     const val KAFKA: String = "${CONFLUENT}-ccs"
     const val SPRING_KAFKA: String = "3.1.2.RELEASE"
     const val AVRO: String = "1.11.1"
 
     const val GROOVY: String = "3.0.9"
     const val SPOCK: String = "2.2-M1-groovy-3.0"
-    const val ELASTIC_SERVER: String = "7.17.5" // When changed update references to ElasticsearchVersion and ./circleci/config.yml. This used by TestContainers.
+    const val ELASTIC_SERVER: String = "7.17.9" // When changed update references to ElasticsearchVersion and ./circleci/config.yml. This used by TestContainers.
     const val TEST_CONTAINERS: String = "1.16.3"
     const val OPEN_SAML = "3.4.3"
     const val LOGBACK = "1.4.4"
@@ -38,10 +38,10 @@ object Versions {
     const val JUNIT = "4.12"
     const val AUTH0_JAVA_JWT = "3.4.1"
     const val PAC4J = "4.5.5"
-    const val SNAKE_YAML = "1.30"
+    const val SNAKE_YAML = "1.33"
     const val REACTOR_BOM = "Dysprosium-SR7"
     const val JSONP = "2.0.0-RC2"
-    const val JACKSON_CORE = "2.13.3" // A lot of other dependencies bring this in though.
+    const val JACKSON_CORE = "2.14.2" // A lot of other dependencies bring this in though.
 
     const val ONESTOP_SCHEMAS: String = "0.7.6"
 }

kafka-common/build.gradle

@@ -20,7 +20,7 @@ dependencies {
 
   // reactor release train BOM governs reactor dependency versions
   implementation(platform("io.projectreactor:reactor-bom:${Versions.REACTOR_BOM}"))
-  implementation("io.projectreactor.netty:reactor-netty:1.0.16")
+  implementation("io.projectreactor.netty:reactor-netty:1.0.28")
 
   testImplementation("org.codehaus.groovy:groovy:${Versions.GROOVY}")
   testImplementation("org.spockframework:spock-core:${Versions.SPOCK}")

registry/build.gradle

@@ -46,7 +46,6 @@ dependencies {
   testImplementation("org.spockframework:spock-spring:${Versions.SPOCK}")
   testImplementation("org.spockframework:spock-core:${Versions.SPOCK}")
   testImplementation("org.codehaus.groovy.modules.http-builder:http-builder:0.7.1")
-  testImplementation("org.springframework.boot:spring-boot-starter-test")
   testImplementation("org.springframework.kafka:spring-kafka-test:2.9.5")
   testImplementation("org.apache.kafka:kafka-streams-test-utils:${Versions.KAFKA}")
   testImplementation("org.apache.kafka:kafka-clients:${Versions.KAFKA}:test")

registry/src/test/groovy/org/cedar/onestop/registry/service/KafkaBeanConfigSpec.groovy

@@ -7,6 +7,7 @@ import spock.lang.Specification
 import spock.lang.Unroll
 
 import java.util.concurrent.CompletableFuture
+import java.util.concurrent.TimeUnit
 
 import static org.apache.kafka.streams.KafkaStreams.State.*
 
@@ -37,6 +38,8 @@ class KafkaBeanConfigSpec extends Specification {
 
     then:
     noExceptionThrown()
+    // the test future sometimes hasn't completed by the time we check that it is done, so take a short nap
+    sleep(1000)
     testFuture.isDone()
   }