Merge pull request #967 from RADAR-base/security/update

[Security] Vulnerability fixes and prepare for v2.1.5 release

build.gradle

@@ -34,7 +34,7 @@ apply plugin: 'io.spring.dependency-management'
 
 allprojects {
     group 'org.radarbase'
-    version '2.1.4' // project version
+    version '2.1.5' // project version
 
     // The comment on the previous line is only there to identify the project version line easily
     // with a sed command, to auto-update the version number with the prepare-release-branch.sh
@@ -145,8 +145,12 @@ if (project.hasProperty('prod')) {
     apply from: 'gradle/profile_dev.gradle'
 }
 
-//ext.moduleDescription = 'Management Portal application'
 ext.findbugAnnotationVersion = '3.0.2'
+// Versions passed to Spring Boot dependency plugin
+ext['jackson.version'] = "${jackson_version}"
+ext['undertow.version'] = "${undertow_version}"
+ext['spring-security.version'] = "${spring_security_version}"
+ext['logback.version'] = "1.2.13" // Cannot upgrade this to 1.3.x or 1.4.x; causes Scala error.
 
 dependencies {
     implementation("org.jetbrains.kotlin:kotlin-reflect:${kotlin_version}")
@@ -188,9 +192,9 @@ dependencies {
     runtimeOnly "org.hsqldb:hsqldb:${hsqldb_version}"
 
     // Fix vulnerabilities
-    runtimeOnly("io.undertow:undertow-websockets-jsr:2.2.25.Final")
-    runtimeOnly("io.undertow:undertow-servlet:2.2.25.Final")
-    runtimeOnly("io.undertow:undertow-core:2.2.25.Final")
+    runtimeOnly("io.undertow:undertow-websockets-jsr")
+    runtimeOnly("io.undertow:undertow-servlet")
+    runtimeOnly("io.undertow:undertow-core")
 
     implementation "org.springframework.boot:spring-boot-starter-thymeleaf"
     runtimeOnly("org.thymeleaf:thymeleaf:${thymeleaf_version}")
@@ -257,7 +261,7 @@ tasks.register('cleanResources', Delete) {
 }
 
 wrapper {
-    gradleVersion '8.3'
+    gradleVersion '8.8'
 }
 
 tasks.register('stage') {

gradle.properties

@@ -12,6 +12,7 @@ springdoc_version=1.6.15
 spring_boot_version=2.7.15
 spring_framework_version=5.3.27
 spring_data_version=2021.2.5
+spring_security_version=5.7.12
 thymeleaf_version=3.1.2.RELEASE
 spring_session_version=2021.2.0
 gatling_version=3.8.4
@@ -24,7 +25,7 @@ javax_activation=1.1.1
 mockito_version=4.8.1
 mockito_kotlin_version=5.1.0
 slf4j_version=2.0.7
-logback_version=1.4.11
+logback_version=1.4.14
 oauth_jwt_version=4.4.0
 junit_version=5.10.0
 okhttp_version=4.10.0
@@ -38,6 +39,7 @@ kotlin_version=1.9.10
 micrometer_version=1.12.3
 hibernate_orm_version=6.4.4.Final
 hibernate_validator_version=8.0.0.Final
+undertow_version=2.2.34.Final
 
 kotlin.code.style=official
 org.gradle.vfs.watch=true

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.3-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.8-bin.zip
 networkTimeout=10000
 validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME

package.json

@@ -1,6 +1,6 @@
 {
   "name": "management-portal",
-  "version": "2.1.4",
+  "version": "2.1.5",
   "description": "Description for ManagementPortal",
   "private": true,
   "cacheDirectories": [

radar-auth/build.gradle

@@ -15,7 +15,13 @@ targetCompatibility = JavaVersion.VERSION_11
 description = 'Library for authentication and authorization of JWT tokens issued by the RADAR platform'
 
 dependencies {
-    api group: 'com.auth0', name: 'java-jwt', version: oauth_jwt_version
+    api("com.auth0:java-jwt:${oauth_jwt_version}") {
+        constraints {
+            implementation("com.fasterxml.jackson.core:jackson-databind:${jackson_version}") {
+                because("Software vulnerability exists in lower versions")
+            }
+        }
+    }
     api(platform("org.jetbrains.kotlinx:kotlinx-coroutines-bom:$coroutines_version"))
     api("org.jetbrains.kotlinx:kotlinx-coroutines-core:$coroutines_version")