build.gradle

plugins {
    id 'io.spring.dependency-management' version '1.1.4'
    id 'org.springframework.boot' version '2.5.15'
    id 'java'
    id 'java-library'
    id "org.owasp.dependencycheck" version "9.0.9"
}

apply from: 'project-properties.gradle'
//apply from: "$scriptsUrl/build-docker.gradle"
apply from: "$scriptsUrl/build-info.gradle"
apply from: "$scriptsUrl/build-commons.gradle"
//apply from: "$scriptsUrl/build-quality.gradle"
apply from: "$scriptsUrl/release-service.gradle"
apply from: "$scriptsUrl/signing.gradle"

repositories {
    mavenCentral { url "https://repo1.maven.org/maven2" }
    if (!releaseMode) {
        maven { url 'https://jitpack.io' }
    }
}

ext['spring-boot.version'] = '2.5.15'
//https://nvd.nist.gov/vuln/detail/CVE-2020-10683 (dom4j 2.1.3 version dependency) AND https://nvd.nist.gov/vuln/detail/CVE-2019-14900
ext['hibernate.version'] = '5.4.18.Final'
//https://nvd.nist.gov/vuln/detail/CVE-2020-10693
ext['hibernate-validator.version'] = '6.1.5.Final'
//https://nvd.nist.gov/vuln/detail/CVE-2020-13692
//ext['postgresql.version'] = '42.2.13'
//https://nvd.nist.gov/vuln/detail/CVE-2020-9488
ext['log4j2.version'] = '2.21.1'


dependencies {
    //Fix CVE-2021-41079, CVE-2022-23181, CVE-2021-33037, CVE-2021-30640, CVE-2022-42252, CVE-2023-46589, CVE-2024-24549
    implementation 'org.apache.tomcat.embed:tomcat-embed-core:9.0.86'
    implementation 'org.apache.tomcat.embed:tomcat-embed-el:9.0.86'
    implementation 'org.apache.tomcat.embed:tomcat-embed-websocket:9.0.86'
    //Fix CVE-2015-7501, CVE-2015-4852
    implementation 'org.apache.commons:commons-collections4:4.4'
    //Fix CVE-2018-10237
    implementation 'com.google.guava:guava:33.3.0-jre'
    //Fix CVE-2020-13956
    api 'org.apache.httpcomponents:httpclient:4.5.14'
    //Fix CVE-2022-40152
    api 'com.fasterxml.woodstox:woodstox-core:6.5.1'
    implementation('org.springframework.boot:spring-boot-starter-data-jpa') {
        exclude group: 'org.hibernate', module: 'hibernate-core'
    }
    implementation 'org.postgresql:postgresql:42.7.3'
    api 'org.jasypt:jasypt:1.9.3'
    api 'org.springframework.boot:spring-boot-starter-web'
    implementation 'org.springframework.boot:spring-boot-starter-actuator'
    api 'org.springframework.boot:spring-boot-starter-security'
    implementation 'org.springframework.boot:spring-boot-starter-amqp'
    //Fix CVE-2023-34050
    implementation 'org.springframework.amqp:spring-amqp:2.4.17'
    //Fix CVE-2023-40827, CVE-2023-40828, CVE-2023-40826
    implementation 'org.springframework:spring-webmvc:5.3.39'
    implementation 'org.springframework:spring-web:5.3.39'
    implementation "org.apache.commons:commons-lang3:${commonsLangVersion}"
    implementation 'net.coobird:thumbnailator:0.4.20'
    implementation("org.apache.tika:tika-core:3.0.0")

    implementation "software.amazon.awssdk:aws-core:${aws}"
    implementation "software.amazon.awssdk:sts:${aws}"
    api "org.apache.jclouds.api:s3:${jclouds}" // 2.6.0 switched to jakarta annotations!
    implementation "org.apache.jclouds.provider:aws-s3:${jclouds}"
    implementation "org.apache.jclouds.api:filesystem:${jclouds}"
    api('commons-validator:commons-validator:1.6') {
        exclude group: 'commons-beanutils', module: 'commons-beanutils'
    }

    ///// Security
    //https://nvd.nist.gov/vuln/detail/CVE-2020-5407 AND https://nvd.nist.gov/vuln/detail/CVE-2020-5408
    implementation 'org.springframework.security:spring-security-core:5.8.16'
    implementation 'org.springframework.security:spring-security-config:5.8.16'
    implementation 'org.springframework.security:spring-security-web:5.8.16'
    implementation 'org.springframework:spring-jdbc:5.3.33'
    //

    api 'org.springframework.security:spring-security-oauth2-client'
    //Fix CVE-2023-1370
    implementation 'net.minidev:json-smart:2.4.10'
    //Fix CVE-2022-22969
    api 'org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE'
    implementation 'org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE'
    implementation 'org.springframework.security:spring-security-jwt:1.1.1.RELEASE'
    //Fix CVE-2020-15522 in org.springframework.security:spring-security-jwt:1.1.1.RELEASE
    implementation 'org.bouncycastle:bcprov-jdk15on:1.70'
    implementation 'org.springframework.security:spring-security-ldap'
    // TODO: consider migration to spring-security-saml2-service-provider
    implementation 'org.springframework.security.extensions:spring-security-saml2-core:2.0.0.M31'
    implementation 'commons-collections:commons-collections:3.2.2'
    //Temporary fix of https://nvd.nist.gov/vuln/detail/CVE-2019-12400
    implementation 'org.apache.santuario:xmlsec:3.0.3'
    //Fix CVE-2015-7501, CVE-2015-4852
    implementation 'org.apache.commons:commons-collections4:4.4'

    //Fix CVE-2023-6378, CVE-2023-6481, CVE-2023-6378, CVE-2023-6481
    implementation 'ch.qos.logback:logback-classic:1.2.13'
    implementation 'ch.qos.logback:logback-core:1.2.13'


    api 'javax.inject:javax.inject:1'
    implementation 'org.springdoc:springdoc-openapi-ui:1.7.0'
    api 'org.apache.commons:commons-compress:1.26.0'
    implementation 'org.cryptacular:cryptacular:1.1.4'
    // TODO: snakeyaml 2.0 supported by Spring Boot 2.7 and 3.X only
    // We don't user application.yml, so it's safe to use 2.2
    implementation 'org.yaml:snakeyaml:2.2'
    implementation 'org.hibernate:hibernate-core:5.6.15.Final'
    implementation 'org.springframework:spring-core:5.3.39'
    implementation "com.rabbitmq:http-client:5.2.0"

    // add lombok support
    compileOnly "org.projectlombok:lombok:${lombokVersion}"
    annotationProcessor "org.projectlombok:lombok:${lombokVersion}"
    testCompileOnly "org.projectlombok:lombok:${lombokVersion}"
    testAnnotationProcessor "org.projectlombok:lombok:${lombokVersion}"

    testImplementation 'org.springframework.boot:spring-boot-starter-test'
    testImplementation 'org.flywaydb.flyway-test-extensions:flyway-spring-test:6.1.0'

    // testImplementation 'org.springframework.boot:spring-boot-testcontainers:' // spring boot 3.1+
    // compileOnly("org.springframework.boot:spring-boot-devtools")
    implementation platform("org.testcontainers:testcontainers-bom:${testContainers}")
    testImplementation "org.testcontainers:junit-jupiter:${testContainers}"
    testImplementation "org.testcontainers:postgresql:${testContainers}"
    testImplementation("org.testcontainers:minio:${testContainers}")

}

tasks.register('updateSubmodule', Exec) {
    commandLine 'git', 'submodule', 'update', '--init'
}

processResources {
    dependsOn(gitInfo)
    filesMatching('application.properties') {
        expand(project.properties)
    }
}

tasks.withType(JavaCompile).configureEach {
    sourceCompatibility = JavaVersion.VERSION_21
    targetCompatibility = JavaVersion.VERSION_21
    options.encoding = "UTF-8"
    options.compilerArgs << "-parameters"
    options.debug = true
    options.debugOptions.debugLevel = "source,lines,vars"
}

bootJar {
    System.getenv().containsKey("K8S") ? getArchiveFileName().set('app.jar') : archiveClassifier.set('exec')
}
jar.enabled(true)
jar.archiveClassifier.set('')

test {
    jvmArgs '--add-opens=java.base/java.lang=ALL-UNNAMED' // TODO: remove in Spring Boot 3
    useJUnitPlatform()
    testLogging {
        events = ["failed"]
        exceptionFormat = "short"
    }
}

publish.dependsOn build
publish.mustRunAfter build

tasks.preTagCommit.enabled = false
tasks.updateVersion.enabled = false
tasks.commitNewVersion.enabled = false