patched docker container and resolved issue with maven shade plugin with spring-boot-starter-parent

kenny-ezirim · kenny-ezirim · commit 2b0b72a0fc12 · 2022-11-01T22:23:27.000Z
diff --git a/Dockerfile b/Dockerfile
@@ -18,6 +18,7 @@ RUN apt-get update \
     zlib1g-dev
 
 RUN apt -y update
+ 
 
 ARG OPENSSL_VERSION=1.1.1q
 ARG PYTHON=python3
@@ -69,17 +70,27 @@ RUN find / -depth -name surefire -type d -exec rm -r "{}" \;
 # comment out if need to use maven utilities
 RUN rm /usr/share/java/maven-shared-utils.jar
 
+# remove wagon-http-shaded jar file with vulnerabilities associated with org.jsoup:jsoup
+RUN rm /usr/share/java/wagon-http-shaded-3.3.4.jar
+
 # remove plexus-utils directory because plexus-utils has vulnerabilities
 # comment out if need to use maven utilities
 RUN find / -depth -name plexus-utils -type d -exec rm -r "{}" \;
 
 # remove old version of json-smart with vulnerability
-RUN find / -depth -name json-smart -type d -exec rm -r "{}/2.3" \;
+# RUN find / -depth -name json-smart -type d -exec rm -r "{}/2.3" \;
 
 # remove old version of commons-compress with vulnerability
-RUN find / -depth -name commons-compress -type d -exec rm -r "{}/1.18" \;
+RUN find / -depth -name commons-compress -type d -exec rm -r "{}/1.20" \;
+
+# remove jar files from common-io v2.5 and 2.6 both have vulnerabilities
+RUN find / -name commons-io*2.5.jar -type f -exec rm "{}" \;
+RUN find / -name commons-io*2.6.jar -type f -exec rm "{}" \;
 
 # remove old version of spring-core with vulnerability
-RUN find / -depth -name spring-core -type d -exec rm -r "{}/5.1.19.RELEASE" \;
+# RUN find / -depth -name spring-core -type d -exec rm -r "{}/5.1.19.RELEASE" \;
+
+# remove jackson-databind
+RUN find / -name jackson-databind -type d -exec rm -r "{}/2.13.3" \;
 
 ENTRYPOINT ["/usr/local/bin/serve.sh"]
diff --git a/pom.xml b/pom.xml
@@ -19,7 +19,7 @@
   <parent>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-parent</artifactId>
-    <version>2.1.18.RELEASE</version>
+    <version>2.7.0</version>
   </parent>
   <modelVersion>4.0.0</modelVersion>
   <groupId>org.amazonaws.sagemaker</groupId>
@@ -39,7 +39,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-shade-plugin</artifactId>
-        <version>3.4.0</version>
+        <version>3.4.1</version>
         <executions>
           <execution>
             <phase>package</phase>
@@ -190,6 +190,11 @@
         </exclusion>
       </exclusions>
     </dependency>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter</artifactId>
+      <version>2.7.5</version>
+    </dependency>
     <dependency>
       <groupId>org.powermock</groupId>
       <artifactId>powermock-api-mockito2</artifactId>
@@ -385,6 +390,11 @@
       <artifactId>jsoup</artifactId>
       <version>1.15.3</version>
     </dependency>
+    <dependency>
+      <groupId>ch.qos.logback</groupId>
+      <artifactId>logback-core</artifactId>
+      <version>1.2.11</version>
+    </dependency>
   </dependencies>
   <properties>
     <java.version>1.8</java.version>
