Merge remote-tracking branch 'origin/main' into upgrade-wiremock-3.6.0

# Conflicts:
#	build.gradle

.github/workflows/gradle.yml

@@ -21,12 +21,12 @@ jobs:
       JDK_VERSION:  ${{ matrix.jdk }}
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
 
     - name: Set up JDK
-      uses: actions/setup-java@v2
+      uses: actions/setup-java@v4
       with:
         java-version: ${{ matrix.jdk }}
         distribution: 'temurin'
@@ -43,3 +43,18 @@ jobs:
 
     - name: Test with Gradle
       run: ./gradlew check --stacktrace --no-daemon
+
+  gradle-scan:
+    name: Snyk gradle scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Snyk to check build.gradle for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: test
+          args: --severity-threshold=high --org=f310ee2f-5552-444d-84ee-ec8c44c33adb

.github/workflows/release.yml

@@ -38,3 +38,17 @@ jobs:
           OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
           OSSRH_GPG_SECRET_KEY: ${{ secrets.OSSRH_GPG_SECRET_KEY }}
           OSSRH_GPG_SECRET_KEY_PASSWORD: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
+
+  gradle-monitor:
+    name: Snyk gradle monitor
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Snyk to monitor build.gradle for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: monitor
+          args: --org=f310ee2f-5552-444d-84ee-ec8c44c33adb --project-name=wiremock-jwt-extension --policy-path=.snyk

.sdkmanrc

@@ -0,0 +1,3 @@
+# Enable auto-env through the sdkman_auto_env config
+# Add key=value pairs of SDKs to use below
+java=11.0.18-tem

.snyk

@@ -0,0 +1,15 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744:
+    - '*':
+        reason: No fix available
+        expires: 2025-09-13T11:22:43.997Z
+        created: 2024-09-13T11:22:43.999Z
+  'snyk:lic:maven:junit:junit:EPL-1.0':
+    - '*':
+        reason: Not relevant, we do not repackage junit
+        expires: 2034-09-13T12:29:48.476Z
+        created: 2024-09-13T12:29:48.481Z
+patch: {}

build.gradle

@@ -12,7 +12,7 @@ plugins {
   id 'eclipse'
   id 'project-report'
   id 'com.diffplug.spotless' version '6.21.0'
-  id 'org.wiremock.tools.gradle.wiremock-extension-convention' version '0.2.0'
+  id 'org.wiremock.tools.gradle.wiremock-extension-convention' version '0.3.0'
 }
 
 repositories {
@@ -22,7 +22,7 @@ repositories {
 
 ext {
   versions = [
-      wiremock    : "3.6.0",
+      wiremock    : "3.9.1",
       jwt         : '4.4.0',
       jose4j      : '0.9.6',
   ]
@@ -56,12 +56,21 @@ ext {
 
 dependencies {
   api "org.wiremock:wiremock:$versions.wiremock"
-  implementation "com.auth0:auth0:2.10.0"
+  implementation "com.auth0:auth0:2.12.0"
   implementation "com.auth0:java-jwt:$versions.jwt"
   implementation "com.auth0:jwks-rsa:0.22.1"
   implementation "org.bitbucket.b_c:jose4j:$versions.jose4j"
-  implementation 'org.apache.commons:commons-lang3:3.14.0'
-  implementation 'commons-codec:commons-codec:1.16.0'
+  implementation 'org.apache.commons:commons-lang3:3.17.0'
+  implementation 'commons-codec:commons-codec:1.17.1'
+
+  constraints {
+    implementation('com.fasterxml.jackson.core:jackson-core:2.15.0') {
+      because 'version 2.14.2 brought in transitively by com.auth0:[email protected] has CWE-400'
+    }
+    implementation('org.apache.commons:commons-compress:1.26.0') {
+      because 'version 1.24.0 brought in transitively by org.wiremock:wiremock:3.9.1 has CVE-2024-25710'
+    }
+  }
 }
 
 shadowJar {

src/test/java/org/wiremock/extension/jwt/JwtHelperAcceptanceTest.java

@@ -223,7 +223,7 @@ void returns_JSON_web_key_for_RSA256_public_key() {
 
     JwkRsaKeyProvider keyProvider =
         new JwkRsaKeyProvider(
-            new ApacheBackedHttpClient(HttpClientFactory.createClient()), wm.baseUrl());
+            new ApacheBackedHttpClient(HttpClientFactory.createClient(), false), wm.baseUrl());
 
     String body = getForTemplate("{{{jwt alg='RS256'}}}");
     DecodedJWT jwt = JWT.decode(body);