Merge pull request #139 from DataBiosphere/dependabot/gradle/develop/…
…minor-patch-dependencies-9aab8ab27a

[DCJ-7]: #minor 11 dependency updates
okotsopoulos authored Apr 4, 2024
2 parents 62a5cbd + 12f3e83 commit a871c53
Showing 18 changed files with 175 additions and 150 deletions.
33 changes: 33 additions & 0 deletions DEVELOPMENT.md
Expand Up @@ -35,6 +35,39 @@ match the values in the sql file above:
For folks working on Terra, the Stairway configuration is embedded within the component
configuration, so these steps are included in component developer setup.

## SourceClear

[SourceClear](https://srcclr.github.io) is a static analysis tool that scans a project's Java
dependencies for known vulnerabilities. If you are working on addressing dependency vulnerabilities
in response to a SourceClear finding, you may want to run a scan off of a feature branch and/or local code.

### Github Action

You can trigger Stairway's SCA scan on demand via its
[Github Action](https://github.com/broadinstitute/dsp-appsec-sourceclear-github-actions/actions/workflows/z-manual-stairway.yml),
and optionally specify a Github ref (branch, tag, or SHA) to check out from the repo to scan. By default,
the scan is run off of Stairway's `develop` branch.

High-level results are outputted in the Github Actions run.

### Running Locally

You will need to get the API token from Vault before running the Gradle `srcclr` task.

```sh
export SRCCLR_API_TOKEN=$(vault read -field=api_token secret/secops/ci/srcclr/gradle-agent)
./gradlew srcclr
```

High-level results are outputted to the terminal.

### Veracode

Full results including dependency graphs are uploaded to
[Veracode](https://sca.analysiscenter.veracode.com/workspaces/jppForw/projects/904886/issues)
(if running off of a feature branch, navigate to Project Details > Selected Branch > Change to select your feature branch).
You can request a Veracode account to view full results from #dsp-infosec-champions.

## Deploying to Artifactory

For Broad-Verily development, you can publish the stairway library to Broad's Artifactory instance
1 change: 1 addition & 0 deletions buildSrc/build.gradle
Expand Up @@ -10,4 +10,5 @@ repositories {

dependencies {
implementation group: 'com.diffplug.spotless', name: 'spotless-plugin-gradle', version: '6.25.0'
implementation group: 'com.srcclr.gradle', name: 'com.srcclr.gradle.gradle.plugin', version: '3.1.12'
}
5 changes: 5 additions & 0 deletions buildSrc/src/main/groovy/stairway.library-conventions.gradle
Expand Up @@ -4,6 +4,7 @@ plugins {
id 'maven-publish'
id 'com.jfrog.artifactory'
id 'stairway.java-conventions'
id 'com.srcclr.gradle'
}

java {
Expand All @@ -28,3 +29,7 @@ publishing {
}
}
}

srcclr {
scope = "runtimeClasspath"
}
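Review bot: `scope = "runtimeClasspath"` restricts the SourceClear scan to each library's runtime dependencies, so `compileOnly` and `testImplementation` artifacts (such as the `testImplementation` lines in the stairway and stairway-azure build files) are never scanned; a one-line comment should record that this is deliberate, e.g. `// Scan runtime deps only; test/compileOnly deps are intentionally excluded`. Note also that the plugin is applied only through `stairway.library-conventions`, while `stairctl/build.gradle` applies just `stairway.java-conventions`, so unless that convention also applies it the Spring Boot/Shell application is outside the scan — worth confirming against `stairway.java-conventions.gradle`, which is not in this diff.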
2 changes: 1 addition & 1 deletion gradle/wrapper/gradle-wrapper.properties
@@ -1,5 +1,5 @@
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-7.4.1-all.zip
distributionUrl=https\://services.gradle.org/distributions/gradle-7.6.4-all.zip
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
22 changes: 8 additions & 14 deletions stairctl/build.gradle
Expand Up @@ -2,28 +2,22 @@ plugins {
id 'application'
id 'stairway.java-conventions'

id 'io.spring.dependency-management' version '1.0.13.RELEASE'
id 'org.springframework.boot' version '2.7.3'
id 'io.spring.dependency-management' version '1.1.4'
id 'org.springframework.boot' version '3.2.4'
}

version = gradle.version
mainClassName = 'bio.terra.stairctl.Application'

dependencies {
// Unversioned dependencies may be derived from Spring dependency manager
implementation project(":stairway")

implementation group: 'org.apache.commons', name: 'commons-dbcp2', version: '2.12.0'
implementation group: 'org.apache.commons', name: 'commons-pool2', version: '2.12.0'
implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.14.0'

// JSON processing
ext {
jackson = '2.16.2'
}
implementation group: 'com.fasterxml.jackson.core', name: 'jackson-core', version: "${jackson}"
implementation group: 'com.fasterxml.jackson.datatype', name: 'jackson-datatype-jsr310', version: "${jackson}"
implementation group: 'org.apache.commons', name: 'commons-dbcp2'
implementation group: 'org.apache.commons', name: 'commons-pool2'
implementation group: 'org.apache.commons', name: 'commons-lang3'

// Spring
implementation group: 'org.springframework.boot', name: 'spring-boot-starter' // version from spring-boot-plugin
implementation group: 'org.springframework.shell', name: 'spring-shell-starter', version: '2.1.1'
implementation group: 'org.springframework.boot', name: 'spring-boot-starter'
implementation group: 'org.springframework.shell', name: 'spring-shell-starter', version: '3.2.3'
}
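Review bot: Dropping the explicit versions on `commons-dbcp2`, `commons-pool2` and `commons-lang3` hands their resolution to the Spring Boot 3.2.4 BOM, which may manage older releases than the `3.14.0`/`2.12.0` the sibling modules still pin; confirm with `./gradlew :stairctl:dependencies --configuration runtimeClasspath` and, if they regress, keep the pins (the Boot BOM only supplies defaults, an explicit version still wins). The Boot 3 upgrade also implies Java 17 and the `jakarta` namespace — `Output.java` in this PR now imports `jakarta.annotation.Nullable`, but stairctl does not declare `jakarta.annotation-api` itself and `stairway` declares it only as `implementation`, so it presumably compiles through `spring-boot-starter`'s transitive dependency; declaring it directly (`implementation group: 'jakarta.annotation', name: 'jakarta.annotation-api'`) makes that explicit. Finally, the unchanged `mainClassName = ...` line is the deprecated Gradle property; with the wrapper now on 7.6.4 prefer `application { mainClass = 'bio.terra.stairctl.Application' }`.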
Expand Up @@ -4,6 +4,7 @@
import bio.terra.stairway.Control;
import bio.terra.stairway.Control.FlightMapEntry;
import bio.terra.stairway.Control.LogEntry;
import jakarta.annotation.Nullable;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
Expand All @@ -16,7 +17,6 @@
import org.apache.commons.lang3.tuple.Pair;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.lang.Nullable;

public class Output {
private static final Logger logger = LoggerFactory.getLogger(Output.class);
18 changes: 5 additions & 13 deletions stairway-azure/build.gradle
Expand Up @@ -6,21 +6,13 @@ dependencies {
api project(':stairway')

implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.14.0'
implementation group: 'org.apache.commons', name: 'commons-collections4', version: '4.4'

// JSON processing
ext {
jackson = '2.16.2'
}
implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: "${jackson}"
implementation group: 'com.fasterxml.jackson.datatype', name: 'jackson-datatype-jdk8', version: "${jackson}"
implementation group: 'com.fasterxml.jackson.datatype', name: 'jackson-datatype-jsr310', version: "${jackson}"
implementation group: 'com.fasterxml.jackson.module', name: 'jackson-module-parameter-names', version: "${jackson}"
implementation group: 'org.openapitools', name: 'jackson-databind-nullable', version: '0.2.6'

//Azure service bus dependencies
implementation 'com.azure:azure-messaging-servicebus:7.14.0-beta.1'
implementation 'com.azure:azure-identity:1.10.4'
implementation 'com.azure:azure-messaging-servicebus:7.16.0-beta.1'
implementation 'com.azure:azure-identity:1.11.4'
// Azure dependencies pull in out-of-date, vulnerable io.netty dependencies.
// If they update them in a future release, this may be removed:
implementation platform('io.netty:netty-bom:4.1.108.Final')

testImplementation 'org.mockito:mockito-junit-jupiter:5.11.0'
}
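Review bot: The new `implementation platform('io.netty:netty-bom:4.1.108.Final')` line is a constraint, not a pin: Gradle still selects the highest version in play, so it raises the Azure SDK's older netty to 4.1.108 but is silently superseded by anything newer — the right behaviour for a floor, and the comment above it should say so and record which Azure artifact needs it so the line can be retired, e.g. `// Floor (not pin) for io.netty: <azure-artifact> currently declares older netty releases; drop once it ships a fixed version`. As written, the comment's "may be removed" criterion cannot be checked by the next person who bumps these versions. Separately, this hunk and the `stairway-gcp/build.gradle` one remove the `commons-collections4` and jackson `implementation` lines; since `stairway` declares those only as `implementation` (not `api`), they remain on these modules' compile classpath only through the cloud SDKs' transitives, so a compile of both modules should be confirmed before merge.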
16 changes: 1 addition & 15 deletions stairway-gcp/build.gradle
Expand Up @@ -6,23 +6,9 @@ dependencies {
api project(':stairway')

implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.14.0'
implementation group: 'org.apache.commons', name: 'commons-collections4', version: '4.4'

// JSON processing
ext {
jackson = '2.16.2'
}
implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: "${jackson}"
implementation group: 'com.fasterxml.jackson.datatype', name: 'jackson-datatype-jdk8', version: "${jackson}"
implementation group: 'com.fasterxml.jackson.datatype', name: 'jackson-datatype-jsr310', version: "${jackson}"
implementation group: 'com.fasterxml.jackson.module', name: 'jackson-module-parameter-names', version: "${jackson}"
implementation group: 'org.openapitools', name: 'jackson-databind-nullable', version: '0.2.6'

// Google dependencies
constraints {
implementation group: 'com.google.guava', name: 'guava', version: '33.0.0-jre' // "-jre" for Java 8 or higher
}
implementation platform('com.google.cloud:libraries-bom:26.0.0') // use common bom
implementation platform('com.google.cloud:libraries-bom:26.35.0') // use common bom
implementation group: 'com.google.cloud', name: 'google-cloud-pubsub'
}

29 changes: 13 additions & 16 deletions stairway/build.gradle
Expand Up @@ -9,32 +9,29 @@ dependencies {
implementation group: 'org.apache.commons', name: 'commons-collections4', version: '4.4'

// JSON processing
ext {
jackson = '2.16.2'
}
implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: "${jackson}"
implementation group: 'com.fasterxml.jackson.datatype', name: 'jackson-datatype-guava', version: "${jackson}"
implementation group: 'com.fasterxml.jackson.datatype', name: 'jackson-datatype-jdk8', version: "${jackson}"
implementation group: 'com.fasterxml.jackson.datatype', name: 'jackson-datatype-jsr310', version: "${jackson}"
implementation group: 'com.fasterxml.jackson.module', name: 'jackson-module-parameter-names', version: "${jackson}"
implementation platform('com.fasterxml.jackson:jackson-bom:2.17.0')
implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind'
implementation group: 'com.fasterxml.jackson.datatype', name: 'jackson-datatype-guava'
implementation group: 'com.fasterxml.jackson.datatype', name: 'jackson-datatype-jdk8'
implementation group: 'com.fasterxml.jackson.datatype', name: 'jackson-datatype-jsr310'
implementation group: 'com.fasterxml.jackson.module', name: 'jackson-module-parameter-names'
implementation group: 'org.openapitools', name: 'jackson-databind-nullable', version: '0.2.6'

// Spring
implementation group: 'org.springframework', name: 'spring-web', version: '6.1.4'
implementation group: 'org.springframework', name: 'spring-web', version: '6.1.5'

// Annotations
implementation group: 'jakarta.annotation', name: 'jakarta.annotation-api', version: '2.1.1'

// Database
implementation group: 'org.liquibase', name: 'liquibase-core', version: '4.8.0'
implementation group: 'org.yaml', name: 'snakeyaml', version: '1.27'
implementation group: 'org.liquibase', name: 'liquibase-core', version: '4.27.0'

// Google dependencies
constraints {
implementation group: 'com.google.guava', name: 'guava', version: '33.0.0-jre' // "-jre" for Java 8 or higher
}
implementation platform('com.google.cloud:libraries-bom:26.0.0') // use common bom
implementation platform('com.google.cloud:libraries-bom:26.35.0') // use common bom
implementation group: 'com.google.cloud', name: 'google-cloud-pubsub'

// File handling during testing
testImplementation group: 'commons-io', name: 'commons-io', version: '2.15.1'
testImplementation group: 'commons-io', name: 'commons-io', version: '2.16.0'
}

apply from: "$rootDir/gradle/test.gradle"
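Review bot: Removing the explicit `snakeyaml 1.27` line leaves the YAML parser version entirely to `liquibase-core 4.27.0`'s transitive declaration; that is better than the stale pin, but verify that the resolved artifact is on the SnakeYAML 2.x line (`./gradlew :stairway:dependencies --configuration runtimeClasspath | grep snakeyaml`), since the 1.x line is the one whose default constructor had the unsafe-deserialization history, and consider a `constraints { implementation 'org.yaml:snakeyaml:<min-2.x-version>' }` so a future liquibase change cannot drag it back down. The `jackson-bom:2.17.0` platform here and the Spring Boot 3.2.4 BOM in `stairctl` now both supply Jackson versions; Gradle takes the highest, so the combination resolves, but a short comment on the platform line, e.g. `// Jackson versions come from this BOM; stairctl's Spring Boot BOM may select a different one`, helps the next reader. The retained `guava 33.0.0-jre` constraint overlaps with `libraries-bom 26.35.0`, which also manages guava, so one of the two is redundant — worth a comment on which is meant to be authoritative.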
