From 4e98b25408305f7c1e907a6acaeea06830bb93ac Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Wed, 6 Mar 2024 14:02:59 +1100 Subject: [PATCH 1/2] Address HIGH vulnerabilities --- .github/workflows/release-docker-image.yaml | 5 +++++ .trivyignore | 6 ++++++ Dockerfile | 2 +- pom.xml | 6 +++--- 4 files changed, 15 insertions(+), 4 deletions(-) create mode 100644 .trivyignore diff --git a/.github/workflows/release-docker-image.yaml b/.github/workflows/release-docker-image.yaml index e8803b7..365311a 100644 --- a/.github/workflows/release-docker-image.yaml +++ b/.github/workflows/release-docker-image.yaml @@ -11,6 +11,10 @@ on: - Minor - Patch - Snapshot + vulnerability_severity: + description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. Must be one of ['CRITICAL', 'CRITICAL,HIGH' or 'CRITICAL,HIGH,MEDIUM'] (without space in between). + type: string + default: 'CRITICAL,HIGH' jobs: Image: @@ -18,4 +22,5 @@ jobs: with: release_type: ${{ inputs.release_type }} cloud_provider: default + vulnerability_severity: ${{ inputs.vulnerability_severity }} secrets: inherit diff --git a/.trivyignore b/.trivyignore new file mode 100644 index 0000000..13023a3 --- /dev/null +++ b/.trivyignore @@ -0,0 +1,6 @@ +# List any vulnerability that are to be accepted +# See https://aquasecurity.github.io/trivy/v0.35/docs/vulnerability/examples/filter/ +# for more details +# e.g. +# CVE-2022-3996 +CVE-2023-52425 diff --git a/Dockerfile b/Dockerfile index 471e6b4..20681e8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM eclipse-temurin@sha256:de8e6219ff5360811a453a9237713679a9d9106ba5150290ef37fb23e246ce7d +FROM eclipse-temurin@sha256:d7a82981336958683f147f17396fe2219cb1072a5853e8a8ef16d07f0535343a WORKDIR /app EXPOSE 8088 diff --git a/pom.xml b/pom.xml index fd7a1ff..298e930 100644 --- a/pom.xml +++ b/pom.xml @@ -13,7 +13,7 @@ UTF-8 - 4.3.8 + 4.5.3 1.1.0 7.1.0-8e67b3a537 
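Review bot: The new `vulnerability_severity` input is declared `type: string`, so nothing enforces the three permitted values the description lists; a typo such as `HIGH,CRITICAL` or an empty string is forwarded unchecked to the reusable workflow in the following hunk, and how that workflow treats an unrecognised severity is not visible here. Because this is a `workflow_dispatch` input (inferred from the `release_type` options above it; the `on:` block starts outside the hunk), `type: choice` with an `options` list lets the UI and the dispatch API accept only the allowed values, which also gives the "DO NOT override it unless a Jira ticket is raised" instruction something to stand on. The description can then drop the hand-maintained list of values.
```yaml
      vulnerability_severity:
        description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised.
        type: choice
        options:
          - CRITICAL
          - CRITICAL,HIGH
          - CRITICAL,HIGH,MEDIUM
        default: CRITICAL,HIGH
```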
@@ -93,12 +93,12 @@ ch.qos.logback logback-core - 1.3.5 + 1.4.12 ch.qos.logback logback-classic - 1.3.5 + 1.4.12 com.github.loki4j From e074d7c3c73784ff4dca0435ada9868b3e28f9da Mon Sep 17 00:00:00 2001 From: Katherine Chen Date: Wed, 6 Mar 2024 15:32:07 +1100 Subject: [PATCH 2/2] Add jira ticket --- .trivyignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.trivyignore b/.trivyignore index 13023a3..3df38b5 100644 --- a/.trivyignore +++ b/.trivyignore @@ -3,4 +3,6 @@ # for more details # e.g. # CVE-2022-3996 + +# https://atlassian.thetradedesk.com/jira/browse/UID2-2927 CVE-2023-52425
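Review bot: The accepted finding `CVE-2023-52425` now carries a ticket reference but no expiry, so the suppression is permanent and nothing will prompt a re-check once a base-image update actually ships the fix. Newer Trivy releases accept an expiry suffix on a `.trivyignore` entry, e.g. `CVE-2023-52425 exp:2024-06-30`, after which the finding fails the scan again; if the Trivy version run by the reusable workflow (not visible here) predates that syntax, a dated `# Re-evaluate by 2024-06-30` comment next to the ticket link is the fallback. The file header also links the v0.35 docs, which is worth pointing at the version actually in use since the ignore-file format has grown since then.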