From 05835644f1c9a1da1bc757a459df2d31d8e9aa93 Mon Sep 17 00:00:00 2001
From: Robert Elliot
Date: Fri, 13 Sep 2024 11:49:11 +0100
Subject: [PATCH 1/9] fix: upgrade wiremock to remove vulnerability

WireMock 3.9.1 updates the transitive dependency on jackson to one without https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538
---
 build.gradle | 2 +-
 .../org/wiremock/extension/jwt/JwtHelperAcceptanceTest.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index 6704bb2..ec17d32 100644
--- a/build.gradle
+++ b/build.gradle
@@ -22,7 +22,7 @@ repositories {
 ext {
   versions = [
-    wiremock : "3.5.2",
+    wiremock : "3.9.1",
     jwt : '4.4.0',
     jose4j : '0.9.6',
   ]
diff --git a/src/test/java/org/wiremock/extension/jwt/JwtHelperAcceptanceTest.java b/src/test/java/org/wiremock/extension/jwt/JwtHelperAcceptanceTest.java
index 69e2fd2..cc3650b 100644
--- a/src/test/java/org/wiremock/extension/jwt/JwtHelperAcceptanceTest.java
+++ b/src/test/java/org/wiremock/extension/jwt/JwtHelperAcceptanceTest.java
@@ -223,7 +223,7 @@ void returns_JSON_web_key_for_RSA256_public_key() {
     JwkRsaKeyProvider keyProvider = new JwkRsaKeyProvider(
-        new ApacheBackedHttpClient(HttpClientFactory.createClient()), wm.baseUrl());
+        new ApacheBackedHttpClient(HttpClientFactory.createClient(), false), wm.baseUrl());
     String body = getForTemplate("{{{jwt alg='RS256'}}}");
     DecodedJWT jwt = JWT.decode(body);

From d5b4601830191dff0201f9d6cee8c6c7fda8661a Mon Sep 17 00:00:00 2001
From: Robert Elliot
Date: Fri, 13 Sep 2024 11:50:14 +0100
Subject: [PATCH 2/9] chore: Upgrade dependencies

com.auth0:auth0 2.10.0 -> 2.12.0
org.apache.commons:commons-lang3 3.14.0 -> 3.17.0
commons-codec:commons-codec 1.16.0 -> 1.17.1
---
 build.gradle | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/build.gradle b/build.gradle
index ec17d32..97adbcf 100644
--- a/build.gradle
+++ b/build.gradle
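Review bot: The `false` added on the `+` line of the JwtHelperAcceptanceTest hunk is a bare boolean whose meaning is invisible at the call site; in WireMock 3.9.x the second constructor parameter of `ApacheBackedHttpClient` appears to control whether a User-Agent/proxy header is preserved, but nothing in this test tells a reader that or why the test wants it off. Name the flag so the intent survives the next upgrade, e.g. `boolean preserveUserAgentProxyHeader = false; // not exercised by this test` followed by `new ApacheBackedHttpClient(HttpClientFactory.createClient(), preserveUserAgentProxyHeader)`, and confirm the parameter's name against the 3.9.1 source since it is inferred here. The enclosing method `returns_JSON_web_key_for_RSA256_public_key` continues outside the hunk.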
@@ -56,12 +56,12 @@ ext {
 
 dependencies {
   api "org.wiremock:wiremock:$versions.wiremock"
-  implementation "com.auth0:auth0:2.10.0"
+  implementation "com.auth0:auth0:2.12.0"
   implementation "com.auth0:java-jwt:$versions.jwt"
   implementation "com.auth0:jwks-rsa:0.22.1"
   implementation "org.bitbucket.b_c:jose4j:$versions.jose4j"
-  implementation 'org.apache.commons:commons-lang3:3.14.0'
-  implementation 'commons-codec:commons-codec:1.16.0'
+  implementation 'org.apache.commons:commons-lang3:3.17.0'
+  implementation 'commons-codec:commons-codec:1.17.1'
 }
 
 shadowJar {

From 3d0a19b2c198e89465871fc826b4efa0f2c061dd Mon Sep 17 00:00:00 2001
From: Robert Elliot
Date: Fri, 13 Sep 2024 11:51:13 +0100
Subject: [PATCH 3/9] chore: Add .sdkmanrc

For those who use SDKMAN! (https://sdkman.io/)
---
 .sdkmanrc | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .sdkmanrc

diff --git a/.sdkmanrc b/.sdkmanrc
new file mode 100644
index 0000000..7112338
--- /dev/null
+++ b/.sdkmanrc
@@ -0,0 +1,3 @@
+# Enable auto-env through the sdkman_auto_env config
+# Add key=value pairs of SDKs to use below
+java=11.0.18-tem

From f3713d1f39d2e92f299f4a2349c368defc99ad05 Mon Sep 17 00:00:00 2001
From: Robert Elliot
Date: Fri, 13 Sep 2024 12:14:31 +0100
Subject: [PATCH 4/9] chore: Fix transitive vulnerability in jackson

Set the minimum version to 2.15.0. Version 2.14.2 brought in transitively by com.auth0:auth0@2.12.0 has CWE-400. A gradle constraint does not fix the version, just sets a minimum version: https://www.linen.dev/s/gradle-community/t/22694678/hi-snyk-has-revealed-that-some-deeply-nested-transitive-depe#e46476e5-70e1-49a7-a72f-fa5453374e42
---
 build.gradle | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/build.gradle b/build.gradle
index 97adbcf..a0000a5 100644
--- a/build.gradle
+++ b/build.gradle
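Review bot: `java=11.0.18-tem` in the new .sdkmanrc pins contributors to a Temurin 11 patch release from early 2023, in a series whose stated purpose is clearing security findings; the 11.0.x line has received several quarterly security updates since, so anyone honouring this file builds and runs the test suite on a JDK that lacks them. Pin the current 11.0.x Temurin release at the time of the commit (`sdk list java` shows the available identifiers) and say in the comment that the entry is meant to track the latest patch of the LTS line, e.g. `# Temurin 11 LTS; bump to the latest 11.0.x patch release when it appears`. A one-line note on how this relates to the CI JDK matrix would also help, since the matrix used in gradle.yml is not visible from this hunk.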
@@ -62,6 +62,12 @@ dependencies {
   implementation "org.bitbucket.b_c:jose4j:$versions.jose4j"
   implementation 'org.apache.commons:commons-lang3:3.17.0'
   implementation 'commons-codec:commons-codec:1.17.1'
+
+  constraints {
+    implementation('com.fasterxml.jackson.core:jackson-core:2.15.0') {
+      because 'version 2.14.2 brought in transitively by com.auth0:auth0@2.12.0 has CWE-400'
+    }
+  }
 }
 
 shadowJar {

From 2f5d882e0c07520d073efbeef8202277b946f240 Mon Sep 17 00:00:00 2001
From: Robert Elliot
Date: Fri, 13 Sep 2024 12:25:09 +0100
Subject: [PATCH 5/9] chore: Ignore unfixable vulnerability

As of kotlin-stdlib version 1.4.21, the vulnerable functions have been marked as deprecated. Due to still being usable, this advisory is kept as "unfixed". But we can't fix it so ignore it for a year.
---
 .snyk | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 .snyk

diff --git a/.snyk b/.snyk
new file mode 100644
index 0000000..9f76929
--- /dev/null
+++ b/.snyk
@@ -0,0 +1,10 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+  SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744:
+    - '*':
+        reason: None Given
+        expires: 2025-09-13T11:22:43.997Z
+        created: 2024-09-13T11:22:43.999Z
+patch: {}

From 1ea817b82eb813d86049b05c951ddcffe7806fd8 Mon Sep 17 00:00:00 2001
From: Robert Elliot
Date: Fri, 13 Sep 2024 13:30:29 +0100
Subject: [PATCH 6/9] chore: Ignore unfixable vulnerability

---
 .snyk | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.snyk b/.snyk
index 9f76929..0f7c1d8 100644
--- a/.snyk
+++ b/.snyk
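Review bot: The new `constraints { implementation('com.fasterxml.jackson.core:jackson-core:2.15.0') ... }` raises the floor of jackson-core alone, while jackson-databind and jackson-annotations arriving through the same transitive paths resolve independently, and Jackson modules are meant to run at matching minor versions — a 2.15 core beside a 2.14 databind is a mismatch Gradle will not flag and that tends to surface only at runtime. Prefer aligning the whole family, `implementation platform('com.fasterxml.jackson:jackson-bom:2.15.0')`, or add matching constraints for databind and annotations, and confirm the resolved set with `./gradlew dependencyInsight --dependency jackson`; whether wiremock 3.9.1 already brings a newer databind that makes this moot cannot be seen from the hunk. The `because` names only the weakness class; the advisory this series is chasing, SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538 from the first commit message, lets a later reader decide whether the constraint can be dropped, e.g. `because 'SNYK-JAVA-COMFASTERXMLJACKSONCORE-7569538 (CWE-400) in jackson-core 2.14.2 via com.auth0:auth0:2.12.0; fixed in 2.15.0'`.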
@@ -4,7 +4,12 @@ version: v1.25.0
 ignore:
   SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744:
     - '*':
-        reason: None Given
+        reason: No fix available
         expires: 2025-09-13T11:22:43.997Z
         created: 2024-09-13T11:22:43.999Z
+  'snyk:lic:maven:junit:junit:EPL-1.0':
+    - '*':
+        reason: Not relevant, we do not repackage junit
+        expires: 2034-09-13T12:29:48.476Z
+        created: 2024-09-13T12:29:48.481Z
 patch: {}

From a2fad10f2f231aadcee9900ffdf3dabeae9ac9be Mon Sep 17 00:00:00 2001
From: Robert Elliot
Date: Fri, 13 Sep 2024 13:31:18 +0100
Subject: [PATCH 7/9] chore: Fix transitive vulnerability in commons-compress

Set the minimum version to 1.26.0. Version 1.24.0 brought in transitively by org.wiremock:wiremock:3.9.1 has CVE-2024-25710. A gradle constraint does not fix the version, just sets a minimum version: https://www.linen.dev/s/gradle-community/t/22694678/hi-snyk-has-revealed-that-some-deeply-nested-transitive-depe#e46476e5-70e1-49a7-a72f-fa5453374e42
---
 build.gradle | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/build.gradle b/build.gradle
index a0000a5..2990637 100644
--- a/build.gradle
+++ b/build.gradle
@@ -67,6 +67,9 @@ dependencies {
     implementation('com.fasterxml.jackson.core:jackson-core:2.15.0') {
       because 'version 2.14.2 brought in transitively by com.auth0:auth0@2.12.0 has CWE-400'
     }
+    implementation('org.apache.commons:commons-compress:1.26.0') {
+      because 'version 1.24.0 brought in transitively by org.wiremock:wiremock:3.9.1 has CVE-2024-25710'
+    }
   }
 }
 

From 9a0ca95a099aeff48fdfc60bfb70ba48b129f138 Mon Sep 17 00:00:00 2001
From: Robert Elliot
Date: Fri, 13 Sep 2024 13:31:48 +0100
Subject: [PATCH 8/9] wiremock-extension-convention plugin 0.2.0 -> 0.3.0

---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 2990637..90074f1 100644
--- a/build.gradle
+++ b/build.gradle
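Review bot: Both ignore rules in the .snyk hunk are keyed on the wildcard path `- '*':`, so SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744 stays suppressed however kotlin-stdlib enters the graph — if a second, unrelated dependency later drags in a vulnerable kotlin-stdlib the same rule silences it with no signal to anyone. Snyk accepts the dependency path as the key instead (`- 'org.wiremock:wiremock@3.9.1 > ... > org.jetbrains.kotlin:kotlin-stdlib@<version>':`), which fails loudly when the path changes; the actual path is not visible here and would come from `snyk test --print-deps`. The junit licence exception `expires: 2034-09-13T12:29:48.476Z` runs ten years, far past the one-year horizon chosen for the kotlin entry; a licence call on a test-scoped dependency is cheap to re-affirm, so a one- or two-year expiry keeps it under review.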
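Review bot: The `because` on the new `implementation('org.apache.commons:commons-compress:1.26.0')` constraint cites CVE-2024-25710 only, but as far as I recall 1.26.0 is also the release that closed the companion CVE-2024-26308 (unbounded allocation in the same Pack200 path), so the recorded reason under-states why 1.26.0 is the floor; `because 'CVE-2024-25710 and CVE-2024-26308 in commons-compress 1.24.0 via org.wiremock:wiremock:3.9.1; fixed in 1.26.0'` captures both — verify against the Commons Compress release notes before committing to it. As the commit message says, a constraint only raises the minimum, so a later wiremock bump will silently lift this and the constraint becomes dead text; a `./gradlew dependencyInsight --dependency commons-compress` run recorded in the PR would show the version actually resolved today rather than relying on the message.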
@@ -12,7 +12,7 @@ plugins {
   id 'eclipse'
   id 'project-report'
   id 'com.diffplug.spotless' version '6.21.0'
-  id 'org.wiremock.tools.gradle.wiremock-extension-convention' version '0.2.0'
+  id 'org.wiremock.tools.gradle.wiremock-extension-convention' version '0.3.0'
 }
 
 repositories {

From 0684bf1f1a9c471dcedb848983141af2815bc078 Mon Sep 17 00:00:00 2001
From: Robert Elliot
Date: Fri, 13 Sep 2024 13:44:56 +0100
Subject: [PATCH 9/9] Add snyk to GHA

---
 .github/workflows/gradle.yml | 19 +++++++++++++++++--
 .github/workflows/release.yml | 14 ++++++++++++++
 2 files changed, 31 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
index 841cdad..64f462d 100644
--- a/.github/workflows/gradle.yml
+++ b/.github/workflows/gradle.yml
@@ -21,12 +21,12 @@ jobs:
       JDK_VERSION: ${{ matrix.jdk }}
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Set up JDK
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@v4
         with:
           java-version: ${{ matrix.jdk }}
           distribution: 'temurin'
@@ -43,3 +43,18 @@ jobs:
 
       - name: Test with Gradle
         run: ./gradlew check --stacktrace --no-daemon
+
+  gradle-scan:
+    name: Snyk gradle scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Snyk to check build.gradle for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: test
+          args: --severity-threshold=high --org=f310ee2f-5552-444d-84ee-ec8c44c33adb
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d7bd2f1..5d12eea 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
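Review bot: `uses: snyk/actions/gradle-jdk17@master` in the new `gradle-scan` job fetches a third-party action from a mutable branch at run time and hands it `SNYK_TOKEN`, so any commit to that branch, or a compromise of the action repository, executes inside this workflow with the token — the opposite of the pinning the same hunk applies to `actions/checkout@v4`. Pin it to a full commit SHA with the tag recorded in a trailing comment, `uses: snyk/actions/gradle-jdk17@<full-commit-sha> # <tag>`, and let Dependabot or Renovate move the pin. `--severity-threshold=high` means medium findings never fail the build, which is a defensible choice but deserves a one-line comment so it is not read as an oversight. If this workflow also runs on pull_request events from forks (the trigger block is outside the hunk), `secrets.SNYK_TOKEN` will be empty there and the job fails for contributors; an `if:` guard on the repository owner avoids that.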
@@ -38,3 +38,17 @@ jobs:
           OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
           OSSRH_GPG_SECRET_KEY: ${{ secrets.OSSRH_GPG_SECRET_KEY }}
           OSSRH_GPG_SECRET_KEY_PASSWORD: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
+
+  gradle-monitor:
+    name: Snyk gradle monitor
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Snyk to monitor build.gradle for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          command: monitor
+          args: --org=f310ee2f-5552-444d-84ee-ec8c44c33adb --project-name=wiremock-jwt-extension --policy-path=.snyk
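Review bot: The new `gradle-monitor` job declares no `permissions:`, so it runs with whatever default `GITHUB_TOKEN` scope the repository grants, although it only needs to read the tree and talk to Snyk; `permissions:` with `contents: read` at job level bounds that, which matters in a release workflow whose sibling job holds the OSSRH and GPG secrets visible just above. Whether the repository already sets a read-only default for the token is not visible from the hunk, so treat this as a check rather than a confirmed gap. The same job pulls `snyk/actions/gradle-jdk17@master` from a mutable branch and gives it `SNYK_TOKEN`; pin it to a full commit SHA with the tag in a comment so the code that receives the token is the code that was reviewed.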