From 7becf614eea7ed2194c7e25edf1796e3ec8a0c79 Mon Sep 17 00:00:00 2001 From: snyk-bot Date: Sat, 23 Mar 2024 14:09:09 +0000 Subject: [PATCH 1/2] fix: pom.xml to reduce vulnerabilities The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586 - https://snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790 --- pom.xml | 568 ++++++++++++++++++++++++++++---------------------------- 1 file changed, 284 insertions(+), 284 deletions(-) diff --git a/pom.xml b/pom.xml index f959faba..4d3164ec 100644 --- a/pom.xml +++ b/pom.xml 
@@ -1,287 +1,287 @@ - + - 4.0.0 - - com.aidanwhiteley - books - 0.30.4-RELEASE - jar - - Books Microservice - A simple project to remind myself what books Ive read recently! Also a technology sampler using the - latest Spring Boot, oauth based logons, JWTs, stateless in the HTTP layer, Spring Boot admin, Mongo, Docker and docker-compose - - - - Aidan Whiteley - - - https://github.com/aidanwhiteley/books - - https://github.com/aidanwhiteley/books - - - - Apache 2.0 - - - - - org.springframework.boot - spring-boot-starter-parent - 3.1.4 - - - - - UTF-8 - UTF-8 - 21 - 2022.0.4 - - com.aidanwhiteley:books - aidanwhiteley-github - https://sonarcloud.io - ${project.build.directory}/site/jacoco/jacoco.xml - - - - - org.springframework.boot - spring-boot-starter-security - - - org.springframework.boot - spring-boot-starter-webflux - - - org.springframework.security - spring-security-oauth2-client - - - - org.springframework.security - spring-security-oauth2-jose - - - org.springframework.boot - spring-boot-starter-actuator - - - org.springframework.boot - spring-boot-starter-data-mongodb - - - - org.springframework.boot - spring-boot-starter-web - - - org.springframework.boot - spring-boot-starter-json - - - org.springframework.boot - spring-boot-starter-aop - - - org.springframework.boot - spring-boot-starter-mail - - - org.springframework.boot - spring-boot-starter-validation - - - org.projectlombok - lombok - true - - - io.jsonwebtoken - jjwt - 0.12.2 - - - - com.rometools - rome - 2.1.0 - - - - - org.springframework.cloud - spring-cloud-starter-netflix-eureka-client - - - - org.glassfish.jaxb - jaxb-runtime - - - - - de.codecentric - spring-boot-admin-starter-client - 3.1.7 - - - - org.springframework.boot - spring-boot-starter-test - test - - - org.junit.vintage - junit-vintage-engine - - - - - de.bwaldvogel - mongo-java-server - 1.44.0 - - - com.icegreen - greenmail - 2.0.0 - test - - - - org.springframework.cloud - spring-cloud-contract-wiremock - test - - - 
io.gatling.highcharts - gatling-charts-highcharts - 3.9.5 - test - - - com.jayway.jsonpath - json-path - 2.8.0 - test - - - - org.springdoc - springdoc-openapi-starter-webmvc-ui - 2.2.0 - - - - - - - - - org.springframework.cloud - spring-cloud-starter-parent - ${spring-cloud.version} - pom - import - - - - - - - - org.springframework.boot - spring-boot-maven-plugin - - true - - - - - build-info - - - - - - io.github.git-commit-id - git-commit-id-maven-plugin - 6.0.0 - - - org.apache.maven.plugins - maven-compiler-plugin - 3.11.0 - - ${java.version} - - -Xlint:all,-options,-path,-processing - - - - - org.jacoco - jacoco-maven-plugin - 0.8.10 - - - - prepare-agent - - - - report - test - - report - - - - - - /com/aidanwhiteley/books/domain/googlebooks/**/* - - - - - - - io.gatling - gatling-maven-plugin - 4.6.0 - - - - - com.google.cloud.tools - jib-maven-plugin - 3.4.0 - - - openjdk:21-jdk - - - - aidanwhiteley/books-api-java - - ${project.version} - - - - - 8080 - - - - - - - - + xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> + 4.0.0 + + com.aidanwhiteley + books + 0.30.4-RELEASE + jar + + Books Microservice + A simple project to remind myself what books Ive read recently! 
Also a technology sampler using the + latest Spring Boot, oauth based logons, JWTs, stateless in the HTTP layer, Spring Boot admin, Mongo, Docker and docker-compose + + + + Aidan Whiteley + + + https://github.com/aidanwhiteley/books + + https://github.com/aidanwhiteley/books + + + + Apache 2.0 + + + + + org.springframework.boot + spring-boot-starter-parent + 3.1.4 + + + + + UTF-8 + UTF-8 + 21 + 2022.0.4 + + com.aidanwhiteley:books + aidanwhiteley-github + https://sonarcloud.io + ${project.build.directory}/site/jacoco/jacoco.xml + + + + + org.springframework.boot + spring-boot-starter-security + + + org.springframework.boot + spring-boot-starter-webflux + + + org.springframework.security + spring-security-oauth2-client + + + + org.springframework.security + spring-security-oauth2-jose + + + org.springframework.boot + spring-boot-starter-actuator + + + org.springframework.boot + spring-boot-starter-data-mongodb + + + + org.springframework.boot + spring-boot-starter-web + + + org.springframework.boot + spring-boot-starter-json + + + org.springframework.boot + spring-boot-starter-aop + + + org.springframework.boot + spring-boot-starter-mail + + + org.springframework.boot + spring-boot-starter-validation + + + org.projectlombok + lombok + true + + + io.jsonwebtoken + jjwt + 0.12.2 + + + + com.rometools + rome + 2.1.0 + + + + + org.springframework.cloud + spring-cloud-starter-netflix-eureka-client + + + + org.glassfish.jaxb + jaxb-runtime + + + + + de.codecentric + spring-boot-admin-starter-client + 3.2.3 + + + + org.springframework.boot + spring-boot-starter-test + test + + + org.junit.vintage + junit-vintage-engine + + + + + de.bwaldvogel + mongo-java-server + 1.44.0 + + + com.icegreen + greenmail + 2.0.0 + test + + + + org.springframework.cloud + spring-cloud-contract-wiremock + test + + + io.gatling.highcharts + gatling-charts-highcharts + 3.9.5 + test + + + com.jayway.jsonpath + json-path + 2.8.0 + test + + + + org.springdoc + springdoc-openapi-starter-webmvc-ui + 
2.2.0 + + + + + + + + + org.springframework.cloud + spring-cloud-starter-parent + ${spring-cloud.version} + pom + import + + + + + + + + org.springframework.boot + spring-boot-maven-plugin + + true + + + + + build-info + + + + + + io.github.git-commit-id + git-commit-id-maven-plugin + 6.0.0 + + + org.apache.maven.plugins + maven-compiler-plugin + 3.11.0 + + ${java.version} + + -Xlint:all,-options,-path,-processing + + + + + org.jacoco + jacoco-maven-plugin + 0.8.10 + + + + prepare-agent + + + + report + test + + report + + + + + + /com/aidanwhiteley/books/domain/googlebooks/**/* + + + + + + + io.gatling + gatling-maven-plugin + 4.6.0 + + + + + com.google.cloud.tools + jib-maven-plugin + 3.4.0 + + + openjdk:21-jdk + + + + aidanwhiteley/books-api-java + + ${project.version} + + + + + 8080 + + + + + + + + \ No newline at end of file From e4d7dc45860494158707e60cafbdbc1f4f9db105 Mon Sep 17 00:00:00 2001 From: Aidan Whiteley Date: Mon, 15 Apr 2024 12:08:38 +0100 Subject: [PATCH 2/2] Suppress unwanted logging in a test --- ...eOAuth2AuthorizationRequestRepositoryTest.java | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/src/test/java/com/aidanwhiteley/books/controller/config/HttpCookieOAuth2AuthorizationRequestRepositoryTest.java b/src/test/java/com/aidanwhiteley/books/controller/config/HttpCookieOAuth2AuthorizationRequestRepositoryTest.java index c664cc31..da741eef 100644 --- a/src/test/java/com/aidanwhiteley/books/controller/config/HttpCookieOAuth2AuthorizationRequestRepositoryTest.java +++ b/src/test/java/com/aidanwhiteley/books/controller/config/HttpCookieOAuth2AuthorizationRequestRepositoryTest.java 
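Review bot: The only substantive change in this hunk is `spring-boot-admin-starter-client` `3.1.7` → `3.2.3`, while `spring-boot-starter-parent` stays at `3.1.4`; the commit message claims this closes two `org.springframework` advisories, but with a Spring Boot parent the spring-framework versions are normally pinned by the parent's dependencyManagement, so the admin-client bump alone may not change which spring-framework artifacts actually resolve. Verify with `mvn dependency:tree -Dincludes=org.springframework` before treating the advisories as fixed, and if the resolved versions are unchanged, bump the parent to a patched Boot line or add an explicit `<spring-framework.version>` override in `<properties>`. Spring Boot Admin client 3.2.x is presumably built against Boot 3.2, so pairing it with a 3.1.4 parent is a version mismatch worth confirming against the project's own compatibility notes. The remaining 284/284 line churn ending in `\ No newline at end of file` looks like whitespace or line-ending rewriting rather than content, which buries the one-line security change and makes the diff hard to audit — consider committing the formatting change separately.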
@@ -1,12 +1,16 @@ package com.aidanwhiteley.books.controller.config; +import ch.qos.logback.classic.Level; +import ch.qos.logback.classic.LoggerContext; import com.aidanwhiteley.books.controller.exceptions.JwtAuthAuzException; +import com.aidanwhiteley.books.util.JwtAuthenticationUtils; import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.ObjectMapper; import jakarta.servlet.http.Cookie; import org.junit.jupiter.api.Assertions; import org.junit.jupiter.api.Test; import org.mockito.Mockito; +import org.slf4j.LoggerFactory; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest; @@ -76,11 +80,16 @@ void testAuthToJsonProcessingException() throws Exception { authorizationUri(DUMMY_TEXT_NOT_TESTED).build(); ObjectMapper om = mock(ObjectMapper.class); - when(om.writeValueAsString(any())).thenThrow(new JsonProcessingException("Dummy message for write") {}); - when(om.readValue(anyString(), eq(OAuth2AuthorizationRequest.class))).thenThrow(new JsonProcessingException("Dummy message for read") {}); + when(om.writeValueAsString(any())).thenThrow(new JsonProcessingException("This is an expected exception for this test") {}); + when(om.readValue(anyString(), eq(OAuth2AuthorizationRequest.class))). + thenThrow(new JsonProcessingException("This is another expected exception for this test") {}); HttpCookieOAuth2AuthorizationRequestRepository repo = new HttpCookieOAuth2AuthorizationRequestRepository(om); + // We dont want expected exception logs cluttering up test logs + LoggerContext context = (LoggerContext) LoggerFactory.getILoggerFactory(); + context.getLogger(HttpCookieOAuth2AuthorizationRequestRepository.class).setLevel(Level.valueOf("OFF")); + assertThrows(JwtAuthAuzException.class, () -> repo.saveAuthorizationRequest(authorizationRequest, request, response)); 
@@ -89,6 +98,8 @@ void testAuthToJsonProcessingException() throws Exception { assertThrows(JwtAuthAuzException.class, () -> repo.loadAuthorizationRequest(request)); + context.getLogger(HttpCookieOAuth2AuthorizationRequestRepository.class).setLevel(Level.valueOf("WARN")); + verify(om, times(1)).writeValueAsString(authorizationRequest); }
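Review bot: The logger level is set to `OFF` before the first `assertThrows` and only put back after the second, so any assertion failure in between leaves `HttpCookieOAuth2AuthorizationRequestRepository` logging disabled for every later test in the same JVM, and the restore hard-codes `WARN` instead of whatever level was actually in effect. Logback logger levels are global to the `LoggerContext`, so a test that mutates one should capture the previous level and restore it in a `finally` (or `@AfterEach`); `Level.OFF` / `Level.WARN` also read better than `Level.valueOf("OFF")`. The cast to `ch.qos.logback.classic.LoggerContext` presumes logback is the SLF4J binding on the test classpath — likely true with `spring-boot-starter-test`, but it would fail with a `ClassCastException` under any other binding, so a comment stating that assumption would help. The newly imported `JwtAuthenticationUtils` is not used in the visible hunks and looks like leftover; `testAuthToJsonProcessingException` itself starts before the second hunk.

```java
HttpCookieOAuth2AuthorizationRequestRepository repo = new HttpCookieOAuth2AuthorizationRequestRepository(om);

// We dont want expected exception logs cluttering up test logs, but logback levels are
// global to the context, so restore whatever level was in effect even if an assertion fails.
LoggerContext context = (LoggerContext) LoggerFactory.getILoggerFactory();
ch.qos.logback.classic.Logger repoLogger = context.getLogger(HttpCookieOAuth2AuthorizationRequestRepository.class);
Level previousLevel = repoLogger.getLevel();
repoLogger.setLevel(Level.OFF);
try {
    assertThrows(JwtAuthAuzException.class, () -> repo.saveAuthorizationRequest(authorizationRequest, request, response));
    // … unchanged: assertThrows on repo.loadAuthorizationRequest(request) …
} finally {
    repoLogger.setLevel(previousLevel);
}

verify(om, times(1)).writeValueAsString(authorizationRequest);
```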