dependency-versions-upgrade and exclusion (#144)

Co-authored-by: Michael Hoennig <michael@hoennig.de>
Reviewed-on: https://dev.hostsharing.net/hostsharing/hs.hsadmin.ng/pulls/144
Reviewed-by: Marc Sandlus <marc.sandlus@hostsharing.net>

README.md

@@ -109,7 +109,7 @@ Also try for example 'admin@xxx.example.com' or 'unknown@example.org'.
 
 If you want a formatted JSON output, you can pipe the result to `jq` or similar.
 
-And to see the full, currently implemented, API, open http://localhost:8080/swagger-ui/index.html.
+And to see the full, currently implemented, API, open http://localhost:8081/actuator/swagger-ui/index.html (uses management-port and thus bypasses authentication).
 
 If you still need to install some of these tools, find some hints in the next chapters. 
 

build.gradle

@@ -1,11 +1,11 @@
 plugins {
     id 'java'
-    id 'org.springframework.boot' version '3.3.4'
+    id 'org.springframework.boot' version '3.3.7'
-    id 'io.spring.dependency-management' version '1.1.6'
+    id 'io.spring.dependency-management' version '1.1.7'
     id 'io.openapiprocessor.openapi-processor' version '2023.2'
     id 'com.github.jk1.dependency-license-report' version '2.9'
-    id "org.owasp.dependencycheck" version "10.0.4"
+    id "org.owasp.dependencycheck" version "11.1.1"
-    id "com.diffplug.spotless" version "6.25.0"
+    id "com.diffplug.spotless" version "7.0.0"
     id 'jacoco'
     id 'info.solidsoft.pitest' version '1.15.0'
     id 'se.patrikerdes.use-latest-versions' version '0.2.18'
@@ -60,25 +60,24 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-validation'
     implementation 'org.springframework.boot:spring-boot-starter-actuator'
     implementation 'org.springframework.boot:spring-boot-starter-security'
-    implementation 'com.github.gavlyukovskiy:datasource-proxy-spring-boot-starter:1.9.2'
+    implementation 'com.github.gavlyukovskiy:datasource-proxy-spring-boot-starter:1.10.0'
     implementation 'org.springdoc:springdoc-openapi:2.6.0'
     implementation 'org.postgresql:postgresql:42.7.4'
-    implementation 'org.liquibase:liquibase-core:4.29.2'
+    implementation 'org.liquibase:liquibase-core:4.30.0'
-    implementation 'io.hypersistence:hypersistence-utils-hibernate-63:3.8.3'
+    implementation 'io.hypersistence:hypersistence-utils-hibernate-63:3.9.0'
-    implementation 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.18.0'
+    implementation 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.18.2'
     implementation 'org.openapitools:jackson-databind-nullable:0.2.6'
-    implementation 'org.apache.commons:commons-text:1.12.0'
+    implementation 'org.apache.commons:commons-text:1.13.0'
-    implementation 'net.java.dev.jna:jna:5.15.0'
+    implementation 'net.java.dev.jna:jna:5.16.0'
-    implementation 'org.modelmapper:modelmapper:3.2.1'
+    implementation 'org.modelmapper:modelmapper:3.2.2'
     implementation 'org.iban4j:iban4j:3.2.10-RELEASE'
     implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.6.0'
-    implementation 'org.webjars:swagger-ui:5.17.14'
     implementation 'org.reflections:reflections:0.10.2'
 
     compileOnly 'org.projectlombok:lombok'
     testCompileOnly 'org.projectlombok:lombok'
 
-    developmentOnly 'org.springframework.boot:spring-boot-devtools'
+    // FIXME: developmentOnly 'org.springframework.boot:spring-boot-devtools'
 
     annotationProcessor 'org.projectlombok:lombok'
     testAnnotationProcessor 'org.projectlombok:lombok'
@@ -205,7 +204,7 @@ openApiGenerate.dependsOn processSpring
 spotless {
     java {
         removeUnusedImports()
-        indentWithSpaces(4)
+        leadingTabsToSpaces(4)
         endWithNewline()
         toggleOffOn()
 

etc/owasp-dependency-check-suppression.xml

@@ -9,8 +9,12 @@
     </suppress>
     <suppress>
         <notes><![CDATA[
-           Malicious HTTP redirect in JAXB on a REST-endpoint is not that dangerous.
+          file name: logback-core-1.5.12.jar
+          A successful attack requires the user to have write access to a configuration file or environment vars.
         ]]></notes>
-        <cve>CVE-2024-9329</cve>
+        <packageUrl regex="true">^pkg:maven/ch\.qos\.logback/logback-core@.*$</packageUrl>
+        <cpe>cpe:/a:qos:logback</cpe>
+        <cve>CVE-2024-12798</cve>
     </suppress>
+
 </suppressions>

src/main/resources/application.yml

@@ -9,7 +9,7 @@ management:
         web:
             exposure:
                 # HOWTO: view _clickable_ Spring Actuator (Micrometer) Metrics endpoints: http://localhost:8081/actuator/metric-links
-                include: info, health, metrics, metric-links
+                include: info, health, metrics, metric-links, mappings, openapi, swaggerui
     observations:
         annotations:
             enabled: true
@@ -30,6 +30,10 @@ spring:
             hibernate:
                 dialect: net.hostsharing.hsadminng.config.PostgresCustomDialect
 
+# keep this in sync with test/.../application.yml
+springdoc:
+    use-management-port: true
+
 liquibase:
     contexts: dev
 

src/test/java/net/hostsharing/hsadminng/config/WebSecurityConfigIntegrationTest.java

@@ -82,14 +82,14 @@ class WebSecurityConfigIntegrationTest {
     @Test
     public void shouldSupportSwaggerUi() {
         final var result = this.restTemplate.getForEntity(
-                "http://localhost:" + this.managementPort + "/swagger-ui/index.html", String.class);
+                "http://localhost:" + this.managementPort + "/actuator/swagger-ui/index.html", String.class);
         assertThat(result.getStatusCode()).isEqualTo(HttpStatus.OK);
     }
 
     @Test
     public void shouldSupportApiDocs() {
         final var result = this.restTemplate.getForEntity(
-                "http://localhost:" + this.managementPort + "/v3/api-docs/swagger-config", String.class);
+                "http://localhost:" + this.managementPort + "/actuator/v3/api-docs/swagger-config", String.class);
         assertThat(result.getStatusCode()).isEqualTo(HttpStatus.NOT_FOUND); // permitted but not configured
     }
 

src/test/java/net/hostsharing/hsadminng/hs/hosting/asset/HsHostingAssetControllerRestTest.java

@@ -20,11 +20,11 @@ import org.junit.runner.RunWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
 import org.springframework.boot.test.context.TestConfiguration;
-import org.springframework.boot.test.mock.mockito.MockBean;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Import;
 import org.springframework.http.MediaType;
 import org.springframework.test.context.ActiveProfiles;
+import org.springframework.boot.test.mock.mockito.MockBean;
 import org.springframework.test.context.junit4.SpringRunner;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.request.MockMvcRequestBuilders;

src/test/resources/application.yml

@@ -39,6 +39,10 @@ spring:
         change-log: classpath:/db/changelog/db.changelog-master.yaml
         contexts: tc,test,dev,pg_stat_statements
 
+# keep this in sync with main/.../application.yml
+springdoc:
+    use-management-port: true
+
 logging:
     level:
         liquibase: WARN