Add an automated vulnerability check (#86)

A3a3e1 · web-flow · commit b6855799a48b · 2022-05-04T20:31:08.000+03:00
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -79,13 +79,15 @@ jobs:
       - checkout
       - restore_cache:
           key: gradle-{{ checksum "build.gradle" }}
-
       - run: ./gradlew downloadDependencies --daemon
       - save_cache:
           key: gradle-{{ checksum "build.gradle" }}
           paths:
             - ~/.gradle/caches
             - ~/.gradle/wrapper
+      - run:
+          name: Audit Dependencies
+          command: ./gradlew dependencyCheckAnalyze
       - run:
           name: Run Unit Tests
           command: ./gradlew test --daemon
@@ -129,4 +131,4 @@ workflows:
             branches:
               ignore: /.*/
             tags:
-              only: /^([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z-]+)?$/
+              only: /^([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z-]+)?$/
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,6 @@
+## 2.5.3 (May 06, 2022)
+* Add an automated vulnerability check
+
 ## 2.5.2 (April 08, 2022)
 * Updated the Sailor version to 3.3.9
 
diff --git a/build.gradle b/build.gradle
@@ -3,6 +3,7 @@ apply plugin: 'java'
 apply plugin: 'idea'
 apply plugin: 'eclipse'
 apply plugin: 'groovy'
+apply plugin: org.owasp.dependencycheck.gradle.DependencyCheckPlugin
 
 sourceSets {
     integrationTest {
@@ -59,18 +60,38 @@ dependencies {
     // The following 3 dependencies are to workaround this: https://github.com/elasticio/sailor-jvm/issues/59
     compile 'com.fasterxml.jackson.core:jackson-core:2.10.1'
     compile 'com.fasterxml.jackson.core:jackson-annotations:2.10.1'
-    compile 'com.fasterxml.jackson.core:jackson-databind:2.10.1'
+    compile 'com.fasterxml.jackson.core:jackson-databind:2.13.2.2'
     compile 'com.google.code.gson:gson:2.8.6'
     compile 'com.microsoft.sqlserver:mssql-jdbc:6.4.0.jre8'
     compile 'io.elastic:sailor-jvm:3.3.9'
-    compile 'mysql:mysql-connector-java:8.0.20'
-    compile 'org.postgresql:postgresql:42.2.18'
+    compile 'mysql:mysql-connector-java:8.0.29'
+    compile 'org.postgresql:postgresql:42.2.25'
 
     testCompile 'io.github.cdimascio:java-dotenv:5.1.0'
     testCompile 'org.hsqldb:hsqldb:2.0.0'
     testCompile 'org.spockframework:spock-core:1.1-groovy-2.4'
 }
 
+check.dependsOn dependencyCheckAnalyze
+
+dependencyCheck {
+    format = 'ALL'
+    // Dependency Check script will fail in case there are critical (9.0-10.0) vulnerabilities.
+    // It should be configured to 7 (high and critical), but so far is not possible as 'axis' library
+    // and log4j issues which does not have any updates that solve the problem
+    failBuildOnCVSS = 7
+    suppressionFile='./dependencyCheck-suppression.xml'
+}
+
+buildscript {
+    repositories {
+        mavenCentral()
+    }
+    dependencies {
+        classpath 'org.owasp:dependency-check-gradle:6.0.3'
+    }
+}
+
 wrapper {
     gradleVersion = '5.4.1'
 }
diff --git a/component.json b/component.json
@@ -1,8 +1,7 @@
 {
   "title": "Database",
   "description": "Database JDBC connector",
-  "version": "2.5.2",
-  "buildType": "docker",
+  "version": "2.5.3",
   "credentials": {
     "verifier": "io.elastic.jdbc.JdbcCredentialsVerifier",
     "fields": {
diff --git a/dependencyCheck-suppression.xml b/dependencyCheck-suppression.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <suppress>
+    <notes><![CDATA[
+      file name: logback-jackson-0.1.5.jar
+      ]]>
+    </notes>
+    <packageUrl regex="true">^pkg:maven/ch\.qos\.logback\.contrib/logback\-jackson@.*$</packageUrl>
+    <cve>CVE-2017-5929</cve>
+    <cve>CVE-2021-42550</cve>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+      file name: logback-json-classic-0.1.5.jar
+      ]]>
+    </notes>
+    <packageUrl regex="true">^pkg:maven/ch\.qos\.logback\.contrib/logback\-json\-classic@.*$</packageUrl>
+    <cpe>cpe:/a:qos:logback</cpe>
+  </suppress>
+  <suppress>
+    <notes><![CDATA[
+      file name: logback-json-core-0.1.5.jar
+      ]]>
+    </notes>
+    <packageUrl regex="true">^pkg:maven/ch\.qos\.logback\.contrib/logback\-json\-core@.*$</packageUrl>
+    <cpe>cpe:/a:qos:logback</cpe>
+  </suppress>
+</suppressions>
diff --git a/src/test/groovy/io/elastic/jdbc/integration/actions/insert_action/InsertActionMySQLSpec.groovy b/src/test/groovy/io/elastic/jdbc/integration/actions/insert_action/InsertActionMySQLSpec.groovy
@@ -68,6 +68,6 @@ class InsertActionMySQLSpec extends Specification {
 
     expect:
     records.size() == 1
-    records.get(0) == '{id=1, name=Taurus, radius=12, destination=null, visible=true, createdat=2015-02-19 10:10:10.0, diameter=24}'
+    records.get(0) == '{id=1, name=Taurus, radius=12, destination=null, visible=true, createdat=2015-02-19T10:10:10, diameter=24}'
   }
 }
diff --git a/src/test/groovy/io/elastic/jdbc/integration/actions/upsert_row_by_primary_key/UpsertRowByPrimaryKeyMySQLSpec.groovy b/src/test/groovy/io/elastic/jdbc/integration/actions/upsert_row_by_primary_key/UpsertRowByPrimaryKeyMySQLSpec.groovy
@@ -116,7 +116,7 @@ class UpsertRowByPrimaryKeyMySQLSpec extends Specification {
 
     expect:
     records.size() == 1
-    records.get(0) == '{id=1, name=Taurus, date=2015-02-19 10:10:10.0, radius=123, destination=null, visible=true, ' +
+    records.get(0) == '{id=1, name=Taurus, date=2015-02-19T10:10:10, radius=123, destination=null, visible=true, ' +
             'visibledate=null}'
   }
 

Original file line number	Diff line number	Diff line change
`@@ -68,6 +68,6 @@ class InsertActionMySQLSpec extends Specification {`
`68`	`68`
`69`	`69`	`expect:`
`70`	`70`	`records.size() == 1`
`71`		`- records.get(0) == '{id=1, name=Taurus, radius=12, destination=null, visible=true, createdat=2015-02-19 10:10:10.0, diameter=24}'`
	`71`	`+ records.get(0) == '{id=1, name=Taurus, radius=12, destination=null, visible=true, createdat=2015-02-19T10:10:10, diameter=24}'`
`72`	`72`	`}`
`73`	`73`	`}`
Original file line number	Diff line number	Diff line change
`@@ -116,7 +116,7 @@ class UpsertRowByPrimaryKeyMySQLSpec extends Specification {`
`116`	`116`
`117`	`117`	`expect:`
`118`	`118`	`records.size() == 1`
`119`		`- records.get(0) == '{id=1, name=Taurus, date=2015-02-19 10:10:10.0, radius=123, destination=null, visible=true, ' +`
	`119`	`+ records.get(0) == '{id=1, name=Taurus, date=2015-02-19T10:10:10, radius=123, destination=null, visible=true, ' +`
`120`	`120`	`'visibledate=null}'`
`121`	`121`	`}`
`122`	`122`