From 91f5f502c553ae05c6d0287bffae1afb6153e05c Mon Sep 17 00:00:00 2001
From: Sergio del Amo
Date: Wed, 15 Jan 2025 17:23:33 +0100
Subject: [PATCH] Sonatype Scan Gradle Plugin (#77)
---
 buildSrc/build.gradle | 1 +
 ...naut.build.internal.langchain4j-module.gradle | 16 +++++++++++++++-
 gradle/libs.versions.toml | 11 ++++++++++-
 .../build.gradle.kts | 7 +------
 .../build.gradle.kts | 10 ++--------
 .../build.gradle.kts | 1 +
 .../build.gradle.kts | 1 +
 .../build.gradle.kts | 1 +
 micronaut-langchain4j-vertexai/build.gradle.kts | 1 +
 settings.gradle.kts | 1 +
 10 files changed, 34 insertions(+), 16 deletions(-)
diff --git a/buildSrc/build.gradle b/buildSrc/build.gradle
index 21e3c45..2fdd54a 100644
--- a/buildSrc/build.gradle
+++ b/buildSrc/build.gradle
@@ -9,4 +9,5 @@ repositories {
 dependencies {
     implementation libs.gradle.micronaut
+    implementation(libs.sonatype.scan)
 }
diff --git a/buildSrc/src/main/groovy/io.micronaut.build.internal.langchain4j-module.gradle b/buildSrc/src/main/groovy/io.micronaut.build.internal.langchain4j-module.gradle
index d13aae0..d5962f9 100644
--- a/buildSrc/src/main/groovy/io.micronaut.build.internal.langchain4j-module.gradle
+++ b/buildSrc/src/main/groovy/io.micronaut.build.internal.langchain4j-module.gradle
@@ -1,9 +1,23 @@
 plugins {
     id 'io.micronaut.build.internal.langchain4j-base'
     id "io.micronaut.build.internal.module"
+    id("org.sonatype.gradle.plugins.scan")
+}
+String ossIndexUsername = System.getenv("OSS_INDEX_USERNAME") ?: project.properties["ossIndexUsername"]
+String ossIndexPassword = System.getenv("OSS_INDEX_PASSWORD") ?: project.properties["ossIndexPassword"]
+boolean sonatypePluginConfigured = ossIndexUsername != null && ossIndexPassword != null
+if (sonatypePluginConfigured) {
+    ossIndexAudit {
+        username = ossIndexUsername
+        password = ossIndexPassword
+        excludeCoordinates = [
+            "org.threeten:threetenbp:1.6.9", // no version patched https://ossindex.sonatype.org/component/pkg:maven/org.threeten/threetenbp
+        ]
+    }
 }
-dependencies {}
+dependencies {
+}
 micronautBuild {
     binaryCompatibility {
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 2713b64..90da56d 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -17,7 +17,7 @@ [versions]
 micronaut = "4.7.11"
-micronaut-platform = "4.6.3"
+micronaut-platform = "4.7.4"
 micronaut-docs = "2.0.0"
 micronaut-mongodb = "5.4.0"
 micronaut-neo4j = "6.8.0"
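Review bot: The `excludeCoordinates` waiver for `org.threeten:threetenbp:1.6.9` lives inside the `if (sonatypePluginConfigured)` branch, so an `ossIndexAudit` run where `OSS_INDEX_USERNAME`/`OSS_INDEX_PASSWORD` are absent (a fork build or a developer machine, if the task is ever invoked there) would not honour it and would fail on a finding the project has already reviewed. Keeping only the credentials conditional and configuring the exclusion unconditionally separates "how the audit authenticates" from "what the project has accepted", as sketched below. The waiver comment should also record who accepted it and when, e.g. `// waived <date> by <owner>: no patched release exists, see the OSS Index link`, so it is revisited rather than silently kept; pinning the exact version is good, since a bump makes the exclusion lapse automatically. The file continues past the hunk (`micronautBuild { binaryCompatibility {` is cut off), so whether the audit task is wired to `check` or to CI is not visible here.
```groovy
// … unchanged: plugins block and credential lookup …
ossIndexAudit {
    excludeCoordinates = [
        "org.threeten:threetenbp:1.6.9", // no version patched https://ossindex.sonatype.org/component/pkg:maven/org.threeten/threetenbp
    ]
}
if (sonatypePluginConfigured) {
    ossIndexAudit {
        username = ossIndexUsername
        password = ossIndexPassword
    }
}
```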
@@ -31,16 +31,24 @@ micronaut-test-resources = "2.7.2"
 micronaut-logging = "1.5.1"
 micronaut-gradle-plugin = "4.4.5"
 micronaut-sourcegen = "1.6.1"
+micronaut-grpc = "4.8.0"
 groovy = "4.0.23"
 spock = "2.3-groovy-4.0"
 awaitility = "4.2.2"
+#TODO remove when non vulnerable versions exists
+commons-compress = "1.26.0"
+org-json = "20231013"
 # Managed versions appear in the BOM
 managed-langchain4j = "0.36.2"
+sonatype-scan = "3.0.0"
 [libraries]
+org-json = { module = 'org.json:json', version.ref = 'org-json' }
+commons-compress = { module = 'org.apache.commons:commons-compress', version.ref = 'commons-compress' }
 micronaut-core = { module = 'io.micronaut:micronaut-core-bom', version.ref = 'micronaut' }
 micronaut-redis = { module = 'io.micronaut.redis:micronaut-redis-bom', version.ref = 'micronaut-redis' }
+micronaut-grpc = { module = 'io.micronaut.grpc:micronaut-grpc-bom', version.ref = 'micronaut-grpc' }
 micronaut-mongodb = { module = 'io.micronaut.mongodb:micronaut-mongo-bom', version.ref = 'micronaut-mongodb' }
 micronaut-opensearch = { module = 'io.micronaut.opensearch:micronaut-opensearch-bom', version.ref = 'micronaut-opensearch' }
 micronaut-elasticsearch = { module = 'io.micronaut.elasticsearch:micronaut-elasticsearch-bom', version.ref = 'micronaut-elasticsearch' }
@@ -80,6 +88,7 @@ boms-langchain4j = { module = "dev.langchain4j:langchain4j-bom", version.ref = "
 # Plugins
 gradle-micronaut = { module = "io.micronaut.gradle:micronaut-gradle-plugin", version.ref = "micronaut-gradle-plugin" }
+sonatype-scan = { module = "org.sonatype.gradle.plugins:scan-gradle-plugin", version.ref = "sonatype-scan" }
 [bundles]
diff --git a/micronaut-langchain4j-ollama-testresource/build.gradle.kts b/micronaut-langchain4j-ollama-testresource/build.gradle.kts
index 4de5ddb..773cc7a 100644
--- a/micronaut-langchain4j-ollama-testresource/build.gradle.kts
+++ b/micronaut-langchain4j-ollama-testresource/build.gradle.kts
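Review bot: The `#TODO remove when non vulnerable versions exists` comment above the `commons-compress` and `org-json` pins is ambiguous: the pinned versions are the non-vulnerable ones, and what is awaited is langchain4j (or its transitives) moving past them, so the comment should say that and name the upstream, e.g. `# Overrides for transitive versions with known vulnerabilities; drop once the langchain4j BOM resolves patched versions on its own`. Because these are plain versions rather than strict constraints, they become silently redundant as soon as a transitive brings something newer, which is harmless but worth stating next to them so their presence is not read as proof the override still matters. The new `[libraries]` entries are also inserted ahead of `micronaut-core`, ahead of what looks like a BOM-first grouping; placing them with the other non-BOM libraries would keep the catalog readable.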
@@ -13,11 +13,6 @@ dependencies {
     testImplementation(mnTest.micronaut.test.junit5)
     testRuntimeOnly(mnTestResources.micronaut.test.resources.embedded)
     testRuntimeOnly(mnTest.junit.jupiter.engine)
+    implementation(libs.commons.compress) // declare the apache commons compress directly as the version from langchain4j has a security vulnerability
 }
-micronautBuild {
-    // new module, so disable binary check for now
-    binaryCompatibility {
-        enabled.set(false)
-    }
-}
diff --git a/micronaut-langchain4j-qdrant-testresource/build.gradle.kts b/micronaut-langchain4j-qdrant-testresource/build.gradle.kts
index 3c44712..ef4e695 100644
--- a/micronaut-langchain4j-qdrant-testresource/build.gradle.kts
+++ b/micronaut-langchain4j-qdrant-testresource/build.gradle.kts
@@ -11,14 +11,8 @@ dependencies {
     api(mnTestResources.micronaut.test.resources.testcontainers)
     implementation("org.testcontainers:qdrant")
     implementation(libs.langchain4j.qdrant)
-    testImplementation(mnTest.micronaut.test.junit5)
+    implementation(mnGrpc.protobuf.java) // apply com.google.protobuf:protobuf-java directly because the version brought transitively contains a vulnerable version.
+    implementation(libs.commons.compress) // declare the apache commons compress directly as the version from langchain4j has a security vulnerability
     testRuntimeOnly(mnTestResources.micronaut.test.resources.embedded)
     testRuntimeOnly(mnTest.junit.jupiter.engine)
 }
-
-micronautBuild {
-    // new module, so disable binary check for now
-    binaryCompatibility {
-        enabled.set(false)
-    }
-}
diff --git a/micronaut-langchain4j-store-qdrant/build.gradle.kts b/micronaut-langchain4j-store-qdrant/build.gradle.kts
index 8f31ff6..ef668b5 100644
--- a/micronaut-langchain4j-store-qdrant/build.gradle.kts
+++ b/micronaut-langchain4j-store-qdrant/build.gradle.kts
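Review bot: `implementation(libs.commons.compress)` here (and `implementation(mnGrpc.protobuf.java)` in the qdrant-testresource hunk, plus the same pattern in the store-qdrant, store-redis, vertexai-gemini and vertexai hunks) declares a direct dependency the module's own code does not use, which only wins through Gradle's highest-version conflict resolution and turns the artifact into a first-class runtime dependency of the published module. A dependency constraint expresses the intent directly: it takes effect only when the module is already in the graph, is published as dependency management rather than as a dependency, and carries the reason via `because(...)`, as sketched below for this module. If the floor must hold even against a later downgrade elsewhere in the graph, `version { strictly(...) }` on the constraint does that, whereas a plain `implementation` line does not. The qdrant-testresource hunk also drops `testImplementation(mnTest.micronaut.test.junit5)` while keeping `testRuntimeOnly(mnTest.junit.jupiter.engine)`; if that module has any tests this stops them compiling, so it is worth confirming that was intended.
```kotlin
dependencies {
    // … unchanged: testImplementation / testRuntimeOnly declarations …
    constraints {
        implementation(libs.commons.compress) {
            because("the version langchain4j brings in transitively has a known vulnerability")
        }
    }
}
```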
@@ -4,6 +4,7 @@ plugins {
 dependencies {
     api(libs.langchain4j.qdrant)
+    implementation(mnGrpc.protobuf.java) // apply com.google.protobuf:protobuf-java directly because the version brought transitively contains a vulnerable version.
     testImplementation(mnSerde.micronaut.serde.jackson)
     testImplementation(libs.langchain4j.embeddings.all.minilm.l6.v2)
     testRuntimeOnly(mnTestResources.micronaut.test.resources.embedded)
diff --git a/micronaut-langchain4j-store-redis/build.gradle.kts b/micronaut-langchain4j-store-redis/build.gradle.kts
index 87008e4..7110321 100644
--- a/micronaut-langchain4j-store-redis/build.gradle.kts
+++ b/micronaut-langchain4j-store-redis/build.gradle.kts
@@ -4,4 +4,5 @@ plugins {
 dependencies {
     implementation(libs.langchain4j.redis)
+    implementation(libs.org.json) //force a version without CVE
 }
diff --git a/micronaut-langchain4j-vertexai-gemini/build.gradle.kts b/micronaut-langchain4j-vertexai-gemini/build.gradle.kts
index e04720a..fcd585b 100644
--- a/micronaut-langchain4j-vertexai-gemini/build.gradle.kts
+++ b/micronaut-langchain4j-vertexai-gemini/build.gradle.kts
@@ -4,4 +4,5 @@ plugins {
 dependencies {
     implementation(libs.langchain4j.vertex.ai.gemini)
+    implementation(mnGrpc.protobuf.java) // apply com.google.protobuf:protobuf-java directly because the version brought transitively contains a vulnerable version.
 }
diff --git a/micronaut-langchain4j-vertexai/build.gradle.kts b/micronaut-langchain4j-vertexai/build.gradle.kts
index b5d1700..a0f9bf1 100644
--- a/micronaut-langchain4j-vertexai/build.gradle.kts
+++ b/micronaut-langchain4j-vertexai/build.gradle.kts
@@ -4,4 +4,5 @@ plugins {
 dependencies {
     implementation(libs.langchain4j.vertex.ai)
+    implementation(mnGrpc.protobuf.java) // apply com.google.protobuf:protobuf-java directly because the version brought transitively contains a vulnerable version.
 }
diff --git a/settings.gradle.kts b/settings.gradle.kts
index 01c00df..5ee83ea 100644
--- a/settings.gradle.kts
+++ b/settings.gradle.kts
@@ -63,6 +63,7 @@ configure {
     importMicronautCatalog("micronaut-neo4j")
     importMicronautCatalog("micronaut-opensearch")
     importMicronautCatalog("micronaut-redis")
+    importMicronautCatalog("micronaut-grpc")
     importMicronautCatalog("micronaut-serde")
     importMicronautCatalog("micronaut-sql")
     // importMicronautCatalog("micronaut-validation")