All upgrades. Tests still need to be fixed.

Author: JPelletierNOAA

build.gradle.kts

@@ -302,15 +302,15 @@ subprojects {
                 }
 
                 if (requested.group == "org.apache.avro" && requested.name == "avro") {
-                    if(requested.version!! < Versions.AVRO) {
+                    if(requested.version!! < "2.0") {
                         useVersion(Versions.AVRO)
                         because("latest avro does not depend on vulnerable jackson-mapper-asl which has not been updated since 2013")
                     }
                 }
 
                 if (requested.group == "org.apache.logging.log4j" && requested.name == "log4j-api") {
-                    if (requested.version!! < "2.11.2") {
-                        useVersion("2.13.3")
+                    if (requested.version!! < "2.13") {
+                        useVersion("2.17.2")
                         because("fixes vulnerability in 2.11.1 and before")
                     }
                 }
@@ -343,6 +343,13 @@ subprojects {
                     }
                 }
 
+                if (requested.group == "org.apache.commons" && requested.name == "commons-compress") {
+                    if (requested.version!! < "2.0") {
+                        useVersion("1.21")
+                        because("fixes CVE-2021-36090, CVE-2021-35516, CVE-2021-35515, CVE-2021-35517: Crafty ZIPs")
+                    }
+                }
+
                 if (requested.group == "org.jasig.cas.client" && requested.name == "cas-client-core") {
                     if (requested.version!! <= "3.5.0") {
                         useVersion("3.6.0")
@@ -381,8 +388,18 @@ subprojects {
                             " for this commit to take effect: " +
                             "https://github.com/reactor/reactor-netty/commit/857277287671d5b40708064b3afef1a7ae7b7a47")
                 }
+                if (requested.group.startsWith("junit") &&
+                        requested.name == "junit" &&
+                        requested.version!! < "4.2") {
+                    useVersion("4.13.2")
+                    because("Fixes CVE-2020-15250: Local information for the test rule TemporaryFolder.")
+                }
             }
         }
 
     }
 }
+
+subprojects {
+    tasks.register<DependencyReportTask>("allDeps") {}
+}

buildSrc/src/main/kotlin/utils.kt

@@ -25,7 +25,7 @@ object Versions {
     const val CONFLUENT: String = "7.1.3"
     const val KAFKA: String = "3.1.2"
     const val SPRING_KAFKA: String = "3.1.2.RELEASE"
-    const val AVRO: String = "1.11.0"
+    const val AVRO: String = "1.11.1"
 
     const val GROOVY: String = "3.0.9"
     const val SPOCK: String = "2.2-M1-groovy-3.0"

elastic-common/build.gradle

@@ -17,7 +17,7 @@ dependencies {
     // implementation 'com.mapbox.mapboxsdk:mapbox-sdk-geojson:5.3.0' // TODO use this with EsMapping.kt and schemas for geojson object?
 
     testImplementation("org.codehaus.groovy:groovy:${Versions.GROOVY}")
-    testImplementation("junit:junit:4.12")
+    testImplementation("junit:junit:4.13.2")
     testImplementation("org.springframework.boot:spring-boot-starter-test")
     testImplementation("org.testcontainers:testcontainers:${Versions.TEST_CONTAINERS}")
     testImplementation("org.testcontainers:elasticsearch:${Versions.TEST_CONTAINERS}")

owasp-suppressions.xml

@@ -1,6 +1,14 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
 
+  <suppress>
+     <notes><![CDATA[
+     file name: tomcat-embed-core:9.0.63
+     Vunerability is specific to an example in the original project, which is not included in the distribution.
+     ]]></notes>
+     <cve>CVE-2022-34305</cve>
+  </suppress>
+
   <suppress>
      <notes><![CDATA[
      file name: lodash:4.17.15

parsalyzer/src/test/groovy/org/cedar/onestop/parsalyzer/stream/StreamParsalyzerSpec.groovy

@@ -48,7 +48,6 @@ class StreamParsalyzerSpec extends Specification {
     TestOutputTopic outputTopic = driver.createOutputTopic(Topics.parsedTopic(testType), STRING_DESERIALIZER, AVRO_DESERIALIZER)
 
     when:
-    throw new Exception("${input.getClass()}")
     inputTopic.pipeInput(key, input)
     // driver.pipeInput(inputFactory.create(testChangelog, key, input))
 

registry/build.gradle

@@ -9,7 +9,7 @@ configurations {
   integrationTestImplementation.extendsFrom testImplementation
   integrationTestRuntime.extendsFrom testRuntime
   integrationTestRuntimeOnly.extendsFrom testRuntimeOnly
-  
+
   schemaDefinitions
 }
 
@@ -33,10 +33,10 @@ dependencies {
   implementation("org.hibernate.validator:hibernate-validator:6.0.2.Final")
 
   // -- CAS Authentication --
-  implementation "org.pac4j:spring-webmvc-pac4j:3.2.0"
-  implementation "org.pac4j:pac4j-cas:3.8.3"
+  implementation "org.pac4j:spring-webmvc-pac4j:4.0.1"
+  implementation "org.pac4j:pac4j-cas:${Versions.PAC4J}"
 
-  //used to copy schema definitions to generate openAPI 
+  //used to copy schema definitions to generate openAPI
   schemaDefinitions ("com.github.cedardevs.schemas:schemas-core:${Versions.ONESTOP_SCHEMAS}")
 
   compileOnly("org.springframework.boot:spring-boot-starter-tomcat")
@@ -172,4 +172,4 @@ repositories {
     url 'https://repo.maven.apache.org/maven2'
     name 'Maven Central'
   }
-}
+}