From 8140d825de962157356582658c9fbed9c83ff3b9 Mon Sep 17 00:00:00 2001
From: "reportportal.io"
Date: Fri, 1 Mar 2024 14:30:41 +0000
Subject: [PATCH 1/5] [Gradle Release Plugin] - new version commit: '5.11.1'.
---
 gradle.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gradle.properties b/gradle.properties
index 13ad7aca..b95f8c22 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -1,4 +1,4 @@
-version=5.11.0
+version=5.11.1
 description=Unified Authorization Trap for all ReportPortal's Services
 dockerPrepareEnvironment=
 dockerJavaOpts=-Xmx512m -XX:+UseG1GC -XX:InitiatingHeapOccupancyPercent=70 -Djava.security.egd=file:/dev/./urandom
From 4e14cb5c99f4d93540cfe6555c0c8c32c9b2a5c4 Mon Sep 17 00:00:00 2001
From: Ivan Kustau <86599591+IvanKustau@users.noreply.github.com>
Date: Thu, 28 Mar 2024 12:10:18 +0300
Subject: [PATCH 2/5] EPMRPP-89927 || Security vulnerabilities fix (#305)
* EPMRPP-89927 || Fix security vulnerabilities
* EPMRPP-89927 || Update logback core version
* EPMRPP-89927 || Remove comment from build.gradle
* EPMRPP-89927 || Update libs version
---
 build.gradle | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/build.gradle b/build.gradle
index 50f8294b..4e90d804 100644
--- a/build.gradle
+++ b/build.gradle
@@ -33,7 +33,7 @@ ext['log4j2.version'] = '2.21.1'
 dependencyManagement {
 imports {
- mavenBom('com.epam.reportportal:commons-bom:5.11.2')
+ mavenBom(releaseMode ? 'com.epam.reportportal:commons-bom:' + '5.11.2' : 'com.github.reportportal:commons-bom:8603a03b4f')
 }
 }
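Review bot: The release arm of the new ternary builds its coordinate from two adjacent string literals, `'com.epam.reportportal:commons-bom:' + '5.11.2'`, which reads like a leftover from a version variable and says nothing the single literal `'com.epam.reportportal:commons-bom:5.11.2'` would not. The other arm resolves the BOM under `com.github.reportportal` by an abbreviated commit id, so it pins whatever that id builds to rather than a tagged release; a short comment naming the branch or purpose behind that id would help the next reader judge when it can be dropped. `releaseMode` is defined outside the hunk.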
@@ -43,15 +43,15 @@ dependencies {
 implementation 'com.epam.reportportal:commons-rules'
 implementation 'com.epam.reportportal:commons-model'
 } else {
- implementation 'com.epam.reportportal:commons-dao'
+ implementation 'com.github.reportportal:commons-dao:586c730aaf'
 implementation 'com.epam.reportportal:commons-rules'
 implementation 'com.epam.reportportal:commons-model'
 }
- //Fix CVE-2021-41079, CVE-2022-23181, CVE-2021-33037, CVE-2021-30640, CVE-2022-42252
- implementation 'org.apache.tomcat.embed:tomcat-embed-core:9.0.82'
- implementation 'org.apache.tomcat.embed:tomcat-embed-el:9.0.82'
- implementation 'org.apache.tomcat.embed:tomcat-embed-websocket:9.0.82'
+ //Fix CVE-2021-41079, CVE-2022-23181, CVE-2021-33037, CVE-2021-30640, CVE-2022-42252, CVE-2023-46589, CVE-2024-24549
+ implementation 'org.apache.tomcat.embed:tomcat-embed-core:9.0.86'
+ implementation 'org.apache.tomcat.embed:tomcat-embed-el:9.0.86'
+ implementation 'org.apache.tomcat.embed:tomcat-embed-websocket:9.0.86'
 //Fix CVE-2020-15522
 implementation 'org.bouncycastle:bcprov-jdk15on:1.69'
 //Fix CVE-2015-7501, CVE-2015-4852
@@ -67,6 +67,10 @@ dependencies {
 implementation 'org.springframework.boot:spring-boot-starter-actuator'
 implementation 'org.springframework.boot:spring-boot-starter-security'
 implementation 'org.springframework.boot:spring-boot-starter-amqp'
+ //Fix CVE-2023-34050
+ implementation 'org.springframework.amqp:spring-amqp:2.4.17'
+ //Fix CVE CVE-2023-20860
+ implementation 'org.springframework:spring-webmvc:5.3.26'
 ///// Security
 //https://nvd.nist.gov/vuln/detail/CVE-2020-5407 AND https://nvd.nist.gov/vuln/detail/CVE-2020-5408
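Review bot: The three tomcat-embed modules are pinned one by one at 9.0.86, so any other Tomcat artifact the Boot starter pulls in transitively stays at the BOM-managed version and the set can drift apart on the next bump. The file already overrides a managed version through `ext['log4j2.version'] = '2.21.1'` (visible in the hunk header), and the same mechanism, `ext['tomcat.version'] = '9.0.86'`, moves every Tomcat module together; the spring-webmvc pin added in the following hunk (@@ -67) has the same shape and a corresponding `ext['spring-framework.version']` property. The commons-dao line in the else branch now names a `com.github.reportportal` build by abbreviated commit id, presumably the development-branch path; a comment saying so would keep it from being mistaken for a release coordinate.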
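Review bot: The comment on the new spring-webmvc line reads `//Fix CVE CVE-2023-20860`, a doubled prefix that will trip up anyone grepping the file for the identifier; it should be `//Fix CVE-2023-20860`. The neighbouring `//Fix CVE-2023-34050` line shows the format the file otherwise uses.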
@@ -76,6 +80,8 @@ dependencies {
 // implementation 'org.springframework.security:spring-security-oauth2-client'
+ //Fix CVE-2023-1370
+ implementation 'net.minidev:json-smart:2.4.10'
 //Fix CVE-2022-22969
 implementation 'org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE'
 implementation 'org.springframework.security:spring-security-jwt:1.0.11.RELEASE'
@@ -84,12 +90,18 @@ dependencies {
 implementation 'org.springframework.security.extensions:spring-security-saml2-core:2.0.0.M31'
 // Temporary fix of https://nvd.nist.gov/vuln/detail/CVE-2019-12400
 implementation 'org.apache.santuario:xmlsec:3.0.3'
+ //Fix CVE-2015-7501, CVE-2015-4852
+ implementation 'org.apache.commons:commons-collections4:4.4'
+
+ //Fix CVE-2023-6378, CVE-2023-6481, CVE-2023-6378, CVE-2023-6481
+ implementation 'ch.qos.logback:logback-classic:1.2.13'
+ implementation 'ch.qos.logback:logback-core:1.2.13'
 implementation 'org.apache.tika:tika-core'
 implementation 'javax.inject:javax.inject:1'
 implementation 'io.springfox:springfox-swagger2'
- implementation 'org.apache.commons:commons-compress:1.21'
+ implementation 'org.apache.commons:commons-compress:1.26.0'
 implementation 'org.cryptacular:cryptacular:1.1.4'
 // TODO: snakeyaml 2.0 supported by Spring Boot 3 only
 implementation 'org.yaml:snakeyaml:1.33'
From 2e6e1088469bb47a9bbef51594cbe9f157e18c7c Mon Sep 17 00:00:00 2001
From: Ivan_Kustau
Date: Tue, 9 Apr 2024 16:42:31 +0300
Subject: [PATCH 3/5] Update release versions
---
 .github/workflows/release.yml | 2 +-
 build.gradle | 9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1b0523c4..8cfaa291 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,7 +11,7 @@ on:
 env:
 GH_USER_NAME: github.actor
- RELEASE_VERSION: 5.11.0
+ RELEASE_VERSION: 5.11.1
 jobs:
 release:
diff --git a/build.gradle b/build.gradle
index 4e90d804..3a5962e7 100644
--- a/build.gradle
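Review bot: The new `commons-collections4:4.4` line is labelled `//Fix CVE-2015-7501, CVE-2015-4852`, yet that exact comment already sits earlier in the file (it closes the @@ -43 hunk), and `org.apache.commons:commons-collections4` has different coordinates from `commons-collections:commons-collections`, so declaring it does not replace a 3.x artifact that may arrive transitively; Gradle only resolves conflicts between identical group:name pairs. Worth confirming with `gradle dependencyInsight --dependency commons-collections` which artifact is actually on the classpath before relying on this line, and either pointing the comment at the one it really fixes or dropping the duplicate. The logback comment lists each identifier twice; `//Fix CVE-2023-6378, CVE-2023-6481` says the same thing.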
+++ b/build.gradle
@@ -33,7 +33,7 @@ ext['log4j2.version'] = '2.21.1'
 dependencyManagement {
 imports {
- mavenBom(releaseMode ? 'com.epam.reportportal:commons-bom:' + '5.11.2' : 'com.github.reportportal:commons-bom:8603a03b4f')
+ mavenBom(releaseMode ? 'com.epam.reportportal:commons-bom:' + '5.11.7' : 'com.github.reportportal:commons-bom:b929af1e08')
 }
 }
@@ -43,7 +43,7 @@ dependencies {
 implementation 'com.epam.reportportal:commons-rules'
 implementation 'com.epam.reportportal:commons-model'
 } else {
- implementation 'com.github.reportportal:commons-dao:586c730aaf'
+ implementation 'com.github.reportportal:commons-dao:4d7eaa4841'
 implementation 'com.epam.reportportal:commons-rules'
 implementation 'com.epam.reportportal:commons-model'
 }
@@ -69,8 +69,9 @@ dependencies {
 implementation 'org.springframework.boot:spring-boot-starter-amqp'
 //Fix CVE-2023-34050
 implementation 'org.springframework.amqp:spring-amqp:2.4.17'
- //Fix CVE CVE-2023-20860
- implementation 'org.springframework:spring-webmvc:5.3.26'
+ //Fix CVE-2023-40827, CVE-2023-40828, CVE-2023-40826
+ implementation 'org.springframework:spring-webmvc:5.3.33'
+ implementation 'org.springframework:spring-web:5.3.33'
 ///// Security
 //https://nvd.nist.gov/vuln/detail/CVE-2020-5407 AND https://nvd.nist.gov/vuln/detail/CVE-2020-5408
From e570ddbfbc1ff4a1a1852fbc11b3ebd099f94bdf Mon Sep 17 00:00:00 2001
From: Ivan_Kustau
Date: Wed, 10 Apr 2024 13:47:14 +0300
Subject: [PATCH 4/5] Update release versions
---
 build.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/build.gradle b/build.gradle
index 3a5962e7..c7a74394 100644
--- a/build.gradle
+++ b/build.gradle
@@ -33,7 +33,7 @@ ext['log4j2.version'] = '2.21.1'
 dependencyManagement {
 imports {
- mavenBom(releaseMode ? 'com.epam.reportportal:commons-bom:' + '5.11.7' : 'com.github.reportportal:commons-bom:b929af1e08')
+ mavenBom(releaseMode ? 'com.epam.reportportal:commons-bom:' + '5.11.7' : 'com.epam.reportportal:commons-bom:5.11.7')
 }
 }
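Review bot: spring-webmvc and spring-web are now pinned to 5.3.33 while spring-core, spring-beans, spring-context and the rest of the framework they depend on are still whatever the Boot BOM manages, and the dependency-management plugin by default applies managed versions to transitive dependencies as well, so the build can end up with two Spring Framework versions on the classpath. Setting `ext['spring-framework.version'] = '5.3.33'` next to the existing `ext['log4j2.version']` line (hunk header) moves the whole framework together and makes the two explicit lines unnecessary. The rewritten comment also drops CVE-2023-20860, which the earlier 5.3.26 pin was added for and 5.3.33 still covers; keeping it in the list preserves why the pin exists.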
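Review bot: After this change both arms of the ternary resolve the same artifact, `com.epam.reportportal:commons-bom:5.11.7`, so `releaseMode` no longer selects anything here and the expression reduces to `mavenBom('com.epam.reportportal:commons-bom:5.11.7')`. If the intent is to keep a hook for the snapshot path, a comment saying which coordinate to put back would spare the next reader from working out why the branches are identical. `releaseMode` is defined outside the hunk.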
@@ -43,7 +43,7 @@ dependencies {
 implementation 'com.epam.reportportal:commons-rules'
 implementation 'com.epam.reportportal:commons-model'
 } else {
- implementation 'com.github.reportportal:commons-dao:4d7eaa4841'
+ implementation 'com.epam.reportportal:commons-dao'
 implementation 'com.epam.reportportal:commons-rules'
 implementation 'com.epam.reportportal:commons-model'
 }
From 33e440dae345efaa9467eaa66d2e084b20054dfc Mon Sep 17 00:00:00 2001
From: "reportportal.io"
Date: Thu, 18 Apr 2024 12:46:37 +0000
Subject: [PATCH 5/5] [Gradle Release Plugin] - new version commit: '5.11.2'.
---
 gradle.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gradle.properties b/gradle.properties
index b95f8c22..f0f30d46 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -1,4 +1,4 @@
-version=5.11.1
+version=5.11.2
 description=Unified Authorization Trap for all ReportPortal's Services
 dockerPrepareEnvironment=
 dockerJavaOpts=-Xmx512m -XX:+UseG1GC -XX:InitiatingHeapOccupancyPercent=70 -Djava.security.egd=file:/dev/./urandom
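Review bot: With commons-dao now taken from the BOM in the else branch as well, the visible part of that branch (`commons-dao`, `commons-rules`, `commons-model`, all unversioned) matches the tail of the first branch shown as context, so the if/else presumably duplicates one block. If the first branch's commons-dao line, which lies outside the hunk, is also unversioned, the three `implementation` lines can be declared once without the conditional; otherwise a comment on the else branch explaining what still differs would help. The condition itself starts before the hunk.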