From 0471348cffa022cf355ebccd3e04928e058fa495 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Reynard?=
Date: Fri, 27 Mar 2026 17:01:22 +0100
Subject: [PATCH 1/4] Update dependency versions and revise constraints in build.gradle.kts

- Upgraded `org.springframework.boot` to `3.5.5`.
- Updated and added constraints for `undertow-core` and related modules to address CVEs.
- Replaced forced dependencies for `jedis` and `lettucemod`.
- Removed outdated forced dependencies.
- Adjusted exclusions for `spring-data-redis` dependency.
---
 build.gradle.kts | 27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/build.gradle.kts b/build.gradle.kts
index 53844e2cc..238417b23 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -39,7 +39,7 @@ plugins {
 kotlin("plugin.spring") version kotlinVersion apply false
 id("pl.allegro.tech.build.axion-release") version "1.18.18"
 id("com.diffplug.spotless") version "7.0.3"
- id("org.springframework.boot") version "3.4.9" apply false
+ id("org.springframework.boot") version "3.5.5" apply false
 id("project-report")
 id("org.owasp.dependencycheck") version "12.1.0"
 id("com.github.jk1.dependency-license-report") version "2.9"
@@ -126,10 +126,12 @@ allprojects {
 all {
 resolutionStrategy {
 force("com.redis.om:redis-om-spring:0.9.10")
- force("com.google.code.gson:gson:2.13.1")
- force("io.netty:netty-handler:4.2.4.Final")
- force("ch.qos.logback:logback-core:1.5.20")
- force("org.springframework.security:spring-security-core:6.5.5")
+ force("redis.clients:jedis:5.2.0")
+ force("com.redis:lettucemod:4.3.0")
+ // force("com.google.code.gson:gson:2.13.1")
+ // force("io.netty:netty-handler:4.2.4.Final")
+ // force("ch.qos.logback:logback-core:1.5.20")
+ // force("org.springframework.security:spring-security-core:6.5.5")
 }
 }
 }
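Review bot: The four `force(...)` pins on gson, netty-handler, logback-core and spring-security-core are dropped in favour of whatever the Spring Boot 3.5.5 BOM manages, but nothing in the hunk checks that the managed versions are at least the ones being removed; pins like these are usually CVE-driven, and a BOM published before the pin was added can silently downgrade. Run `./gradlew dependencyInsight --dependency logback-core` (and the other three) on this branch, and let the `org.owasp.dependencycheck` task the build already applies confirm nothing reappears. The two new pins carry no reason; a comment such as `// pinned for redis-om-spring compatibility — TODO confirm; revisit on each Boot bump` above `force("redis.clients:jedis:5.2.0")` tells the next upgrader when they can go. Note that `force` also overrides any higher version a transitive dependency or the BOM asks for, so it can hold a library below a fixed release; a `strictly`/`require` constraint under `dependencies { constraints { } }` is the narrower tool. The enclosing `allprojects { configurations { ... } }` block starts before this hunk.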
@@ -280,9 +282,7 @@ subprojects { implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core:$kotlinCoroutinesVersion") implementation( - platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)) { - constraints { implementation("org.springframework:spring-core:6.2.12") } - } + platform(org.springframework.boot.gradle.plugin.SpringBootPlugin.BOM_COORDINATES)) implementation("org.springframework.boot:spring-boot-starter-actuator") implementation("io.micrometer:micrometer-registry-prometheus") @@ -290,7 +290,12 @@ subprojects { exclude(group = "org.springframework.boot", module = "spring-boot-starter-tomcat") } implementation("org.springframework.boot:spring-boot-starter-undertow") { - constraints { implementation("io.undertow:undertow-core:2.3.20.Final") } + // CVE-2025-12543, CVE-2024-3884, CVE-2024-4027 + constraints { + implementation("io.undertow:undertow-core:2.3.24.Final") + implementation("io.undertow:undertow-servlet:2.3.24.Final") + implementation("io.undertow:undertow-websockets-jsr:2.3.24.Final") + } } implementation("com.fasterxml.jackson.module:jackson-module-kotlin:$jacksonModuleKotlinVersion") // https://mvnrepository.com/artifact/jakarta.validation/jakarta.validation-api @@ -308,7 +313,9 @@ subprojects { implementation("org.apache.commons:commons-csv:$commonsCsvVersion") implementation("com.redis.om:redis-om-spring:${redisOmSpringVersion}") - implementation("org.springframework.data:spring-data-redis") + implementation("org.springframework.data:spring-data-redis") { + exclude(group = "redis.clients", module = "jedis") + } implementation("org.springframework:spring-jdbc") implementation("org.postgresql:postgresql") From ba35604a2a477c040c89eecdca7155f9f7a84ffb Mon Sep 17 00:00:00 2001 
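Review bot: Dropping `constraints { implementation("org.springframework:spring-core:6.2.12") }` relies on the Boot 3.5.5 BOM managing Spring Framework at or above 6.2.12, which the hunk does not verify; if that constraint was added for a spring-core advisory and the BOM is behind it, this is a silent downgrade. Check with `./gradlew dependencyInsight --dependency spring-core` before merging, or keep the constraint until the later bump to 3.5.13 is confirmed to cover it. The surrounding `subprojects { dependencies { ... } }` block starts and ends outside the hunk.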
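Review bot: The `constraints { }` block nested inside `implementation("org.springframework.boot:spring-boot-starter-undertow") { }` resolves against the outer `dependencies` handler, so the three undertow constraints apply to the whole `implementation` configuration rather than being scoped to this starter as the nesting suggests; moving them to a top-level `dependencies { constraints { ... } }` block would make that explicit. The comment `// CVE-2025-12543, CVE-2024-3884, CVE-2024-4027` is the only record of why 2.3.24.Final is required; extend it to say when the constraint can go, e.g. `// floor for CVE-2025-12543, CVE-2024-3884, CVE-2024-4027; drop once the Boot BOM manages undertow >= 2.3.24.Final`. Whether those identifiers are the correct undertow advisories cannot be confirmed from this diff and should be checked against the advisory database. The enclosing `dependencies { }` block starts and ends outside the hunk.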
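Review bot: Excluding `redis.clients:jedis` from `spring-data-redis` is probably a no-op, since Spring Data Redis marks its client drivers optional, and the `force("redis.clients:jedis:5.2.0")` added in the same commit shows Jedis is still expected to resolve through some other path (redis-om-spring is the likely one, though that is not visible here). If the goal is a single Redis client, apply the exclusion where Jedis actually enters — `./gradlew dependencyInsight --dependency jedis` shows the path — or drop the exclusion and keep the pin; having both with no comment reads as contradictory. A line such as `// Jedis is supplied and pinned via redis-om-spring; avoid a second copy here — TODO confirm` above the `exclude` would document the intent. The enclosing `dependencies { }` block starts and ends outside the hunk.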
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Reynard?=
Date: Mon, 30 Mar 2026 10:17:10 +0200
Subject: [PATCH 2/4] Update `org.springframework.boot` to 3.5.13 and remove unused dependencies

- Upgraded `org.springframework.boot` plugin to `3.5.13`.
- Removed commented-out forced dependencies and outdated CVE references for cleanup.
---
 build.gradle.kts | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/build.gradle.kts b/build.gradle.kts
index 238417b23..b0260211e 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -39,7 +39,7 @@ plugins {
 kotlin("plugin.spring") version kotlinVersion apply false
 id("pl.allegro.tech.build.axion-release") version "1.18.18"
 id("com.diffplug.spotless") version "7.0.3"
- id("org.springframework.boot") version "3.5.5" apply false
+ id("org.springframework.boot") version "3.5.13" apply false
 id("project-report")
 id("org.owasp.dependencycheck") version "12.1.0"
 id("com.github.jk1.dependency-license-report") version "2.9"
@@ -128,10 +128,6 @@ allprojects {
 force("com.redis.om:redis-om-spring:0.9.10")
 force("redis.clients:jedis:5.2.0")
 force("com.redis:lettucemod:4.3.0")
- // force("com.google.code.gson:gson:2.13.1")
- // force("io.netty:netty-handler:4.2.4.Final")
- // force("ch.qos.logback:logback-core:1.5.20")
- // force("org.springframework.security:spring-security-core:6.5.5")
 }
 }
 }
@@ -290,7 +286,6 @@ subprojects {
 exclude(group = "org.springframework.boot", module = "spring-boot-starter-tomcat")
 }
 implementation("org.springframework.boot:spring-boot-starter-undertow") {
- // CVE-2025-12543, CVE-2024-3884, CVE-2024-4027
 constraints {
 implementation("io.undertow:undertow-core:2.3.24.Final")
 implementation("io.undertow:undertow-servlet:2.3.24.Final")
From 81cd13cbb4a867094150b35a66287e1b0468fab1 Mon Sep 17 00:00:00 2001
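Review bot: Removing `// CVE-2025-12543, CVE-2024-3884, CVE-2024-4027` leaves the `undertow-*:2.3.24.Final` constraints with no stated reason, so the next maintainer cannot tell whether they are a security floor that must stay or a pin the Boot 3.5.13 BOM has made redundant. The commit message calls the references "outdated": if that means the BOM now manages a fixed undertow, the constraints themselves are dead and should be removed with the comment; if it does not, keep the identifiers, e.g. `// floor for CVE-2025-12543, CVE-2024-3884, CVE-2024-4027; drop once the Boot BOM manages undertow >= 2.3.24.Final`. Either way, `./gradlew dependencyInsight --dependency undertow-core` on this commit shows whether the constraint still changes the resolved version. The enclosing `constraints { }` block ends outside the hunk.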
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Reynard?=
Date: Mon, 30 Mar 2026 10:38:00 +0200
Subject: [PATCH 3/4] Update `redis-om-spring` to version 0.9.11

- Updated `redisOmSpringVersion` to `0.9.11` in `build.gradle.kts`.
- Adjusted forced dependency version for `redis-om-spring` to align with the update.
---
 build.gradle.kts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle.kts b/build.gradle.kts
index b0260211e..bcfdc30ca 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -59,7 +59,7 @@ version = scmVersion.version
 // Dependencies version
 val kotlinJvmTarget = 21
 val cosmotechApiCommonVersion = "2.0.4"
-val redisOmSpringVersion = "0.9.10"
+val redisOmSpringVersion = "0.9.11"
 val kotlinCoroutinesVersion = "1.10.2"
 val oktaSpringBootVersion = "3.0.7"
 val springDocVersion = "2.8.12"
@@ -125,7 +125,7 @@ allprojects {
 configurations {
 all {
 resolutionStrategy {
- force("com.redis.om:redis-om-spring:0.9.10")
+ force("com.redis.om:redis-om-spring:0.9.11")
 force("redis.clients:jedis:5.2.0")
 force("com.redis:lettucemod:4.3.0")
 }
From 09bcefb1725913325348d6784c13fd9045667812 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Reynard?=
Date: Mon, 30 Mar 2026 11:20:41 +0200
Subject: [PATCH 4/4] Update GitHub Actions workflow to use latest actions and improve compatibility

- Upgraded `actions/checkout` to `v6`, `actions/setup-java` to `v5`, and `gradle/actions/setup-gradle` to `v5`.
- Updated `aquasecurity/trivy-action` to `v0.35.0` and `github/codeql-action/upload-sarif` to `v4`.
- Enhanced artifact upload process by upgrading `actions/upload-artifact` to `v6`.
- Improved container login support with `docker/login-action` upgraded to `v3.6.0`.
---
 .github/workflows/build_test_package.yml | 26 ++++++++++++------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/build_test_package.yml b/.github/workflows/build_test_package.yml
index ae39dcb19..666c6fc58 100644
--- a/.github/workflows/build_test_package.yml +++ b/.github/workflows/build_test_package.yml @@ -22,18 +22,18 @@ jobs: if: github.event_name != 'pull_request_target' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 - name: Set up JDK - uses: actions/setup-java@v4 + uses: actions/setup-java@v5 with: distribution: 'temurin' java-version: '21' - name: Setup Gradle - uses: gradle/actions/setup-gradle@v4 + uses: gradle/actions/setup-gradle@v5 with: - gradle-version: '8.12' + gradle-version: '8.14' cache-disabled: true - name: Build with Gradle @@ -376,25 +376,25 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v6 with: # Fetch all tags since Gradle project version is built upon SCM fetch-depth: 0 - name: Set up JDK - uses: actions/setup-java@v4 + uses: actions/setup-java@v5 with: distribution: "temurin" java-version: "21" - name: Retrieve branch or tag name id: refvar - run: echo "::set-output name=gitRefName::${GITHUB_REF#refs/*/}" + run: echo "gitRefName=${GITHUB_REF#refs/*/}" >> "${GITHUB_OUTPUT}" - name: Setup Gradle - uses: gradle/actions/setup-gradle@v4 + uses: gradle/actions/setup-gradle@v5 with: - gradle-version: '8.12' + gradle-version: '8.14' cache-disabled: true - name: Build local Container Image for scanning @@ -404,7 +404,7 @@ jobs: -Djib.to.image=com.cosmotech/cosmotech-api:${{ github.sha }} - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.35.0 id: scan # Add TRIVY_DB_REPOSITORY due to ratelimit issue # https://github.com/aquasecurity/trivy-action/issues/389 
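Review bot: Every action in this hunk is referenced by a mutable tag (`actions/checkout@v6`, `actions/setup-java@v5`, `gradle/actions/setup-gradle@v5`, `aquasecurity/trivy-action@0.35.0`) in a job that has `secrets.GITHUB_TOKEN` in its environment and, further down the file, logs in to ghcr.io, so a moved or compromised tag runs with those credentials; pin each action to a full-length commit SHA with the version as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha> # 0.35.0`, and let Dependabot bump the SHA. The `::set-output` to `$GITHUB_OUTPUT` migration is correct, but `${GITHUB_REF#refs/*/}` strips only one path component, so `refs/heads/feature/x` yields `feature/x`; if `gitRefName` later feeds an image tag that value is not a valid Docker tag, which is worth a `tr '/' '-'` or an explicit guard, though the consumer is outside this hunk. The job definition starts before the hunk.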
@@ -423,20 +423,20 @@ jobs: output: "trivy-results.sarif" - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 with: sarif_file: "trivy-results.sarif" - name: Archive container image scan report if: ${{ always() }} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: container-image-scan-report path: "trivy-results.sarif" retention-days: 3 - name: Login to GitHub Container Registry - uses: docker/login-action@v3.3.0 + uses: docker/login-action@v3.6.0 if: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/') }} with: registry: ghcr.io