[DEVEDSB-1797] Patch high vulnerabilities reported by Snyk (#183)

* Upgrade logback to latet version

* Fix CVE-2023-32697 vulnerability for jdbc:sqlite

* Fix error when runnin app

* Fix vulnerabilities: CVE-2023-5072, CVE-2022-45688 and CVSS 7.5 for org:json

* Fix vulnerabilities: CVE-2020-36518 for jackson:databind introducing through twilio

* Apply suggestions from code review

Co-authored-by: Jose Luis Leon <joseluis5000l@gmail.com>

---------

Co-authored-by: Jose Luis Leon <joseluis5000l@gmail.com>

Author: lopenchi

build.gradle

@@ -9,7 +9,6 @@ plugins {
 
 sourceCompatibility = 1.8
 targetCompatibility = 1.8
-ext['logbackVersion'] = '1.1.11'
 ext['springBootVer'] = '2.2.6.RELEASE'
 
 
@@ -31,25 +30,32 @@ configurations {
 dependencies {
     implementation(group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1')
     implementation(group: 'javax.el', name:'javax.el-api', version:'3.0.0')
-    // Groovy
-    implementation(group:'org.codehaus.groovy', name:'groovy-all', version:'3.0.8')
 
     // Spring
     implementation(group:'org.springframework.boot', name:'spring-boot-starter-data-jpa', version:"${springBootVer}")
     implementation(group:'org.springframework.boot', name:'spring-boot-starter-security', version:"${springBootVer}")
-    implementation(group:'net.rakugakibox.spring.boot', name:'logback-access-spring-boot-starter', version:'2.8.0')
+    implementation(group:'net.rakugakibox.spring.boot', name:'logback-access-spring-boot-starter', version:'2.11.0')
 
     implementation(group:'com.authy', name:'authy-java', version:'1.5.1')
-    implementation(group:'com.twilio.sdk', name:'twilio', version:'8.11.0')
-    implementation(group:'org.xerial', name:'sqlite-jdbc', version:'3.34.0')
+    implementation(group:'com.twilio.sdk', name:'twilio', version:'8.31.1')
+    implementation(group:'org.xerial', name:'sqlite-jdbc', version:'3.41.2.2')
 
     testImplementation(group: 'junit', name:'junit', version:'4.13.2')
     testImplementation(group:'org.springframework.boot', name:'spring-boot-starter-test', version:"${springBootVer}")
-    
+    // Groovy
+    testImplementation (group: 'org.apache.groovy', name: 'groovy-all', version: '4.0.15', ext: 'pom')
+
+    // Constraints
+    constraints {
+        implementation('org.json:json:20231013') {
+          because("version defined in authy-java (transitive dependency) has vulnerabilities issues")
+        }
+    }
+
     // Spock
     testImplementation(group:'org.spockframework', name:'spock-core', version:'2.0-M4-groovy-3.0')
     testImplementation(group:'org.spockframework', name:'spock-spring', version:'2.0-M4-groovy-3.0')
-    testRuntime(group:'cglib', name:'cglib-nodep', version:'3.3.0')
+    testRuntimeOnly(group:'cglib', name:'cglib-nodep', version:'3.3.0')
 }
 
 test {

src/test/groovy/com/twilio/accountsecurity/controllers/PhoneVerificationControllerSpec.groovy

@@ -1,10 +1,11 @@
 package com.twilio.accountsecurity.controllers
 
+import com.fasterxml.jackson.core.JsonFactoryBuilder
 import com.twilio.accountsecurity.controllers.requests.PhoneVerificationStartRequest
 import com.twilio.accountsecurity.controllers.requests.PhoneVerificationVerifyRequest
 import com.twilio.accountsecurity.exceptions.PhoneVerificationException
 import com.twilio.accountsecurity.services.PhoneVerificationService
-import groovy.json.JsonBuilder
+import org.json.JSONObject
 import org.springframework.http.MediaType
 import org.springframework.test.web.servlet.MockMvc
 import spock.lang.Specification
@@ -30,7 +31,7 @@ class PhoneVerificationControllerSpec extends Specification {
     def "start - returns 200"() {
         given:
         def request = new PhoneVerificationStartRequest(phone, via)
-        def requestBody = new JsonBuilder(request).toString()
+        def requestBody = new JSONObject(request).toString()
         1 * phoneVerificationService.start(phone, via)
 
         when:
@@ -46,7 +47,7 @@ class PhoneVerificationControllerSpec extends Specification {
     def "start - returns 500 for PhoneVerificationException"() {
         given:
         def request = new PhoneVerificationStartRequest(phone, via)
-        def requestBody = new JsonBuilder(request).toString()
+        def requestBody = new JSONObject(request).toString()
         1 * phoneVerificationService.start(phone, via) >> {
             throw new PhoneVerificationException('message')
         }
@@ -65,7 +66,7 @@ class PhoneVerificationControllerSpec extends Specification {
     def "verify - returns 200"() {
         given:
         def httpRequest = new PhoneVerificationVerifyRequest(phone, token)
-        def requestBody = new JsonBuilder(httpRequest).toString()
+        def requestBody = new JSONObject(httpRequest).toString()
         1 * phoneVerificationService.verify(phone, token)
 
         expect:
@@ -80,7 +81,7 @@ class PhoneVerificationControllerSpec extends Specification {
     def "verify - returns 500 for PhoneVerificationException"() {
         given:
         def httpRequest = new PhoneVerificationVerifyRequest(phone, token)
-        def requestBody = new JsonBuilder(httpRequest).toString()
+        def requestBody = new JSONObject(httpRequest).toString()
         1 * phoneVerificationService.verify(phone, token) >> {
             throw new PhoneVerificationException('message')
         }

src/test/groovy/com/twilio/accountsecurity/controllers/RegisterControllerSpec.groovy

@@ -1,22 +1,15 @@
 package com.twilio.accountsecurity.controllers
 
 import com.twilio.accountsecurity.controllers.requests.UserRegisterRequest
-import com.twilio.accountsecurity.exceptions.TokenVerificationException
 import com.twilio.accountsecurity.exceptions.UserExistsException
 import com.twilio.accountsecurity.services.RegisterService
-import groovy.json.JsonBuilder
-import org.springframework.http.MediaType
-import org.springframework.mock.web.MockHttpServletRequest
 import org.springframework.test.web.servlet.MockMvc
-import org.springframework.test.web.servlet.request.RequestPostProcessor
 import spock.lang.Specification
 import spock.lang.Subject
 
 import javax.servlet.ServletException
 import javax.servlet.http.HttpServletRequest
-import java.security.Principal
 
-import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post
 import static org.springframework.test.web.servlet.setup.MockMvcBuilders.standaloneSetup
 
 class RegisterControllerSpec extends Specification {