Merge pull request #15 from Onlineberatung/develop

merge
virtualidentityag · Oct 27, 2022 · f84fb14 · f84fb14
2 parents c0273c8 + 3987750
commit f84fb14
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 58 deletions.
diff --git a/.github/workflows/securityScan.yml b/.github/workflows/securityScan.yml
@@ -0,0 +1,23 @@
+name: Run trivy security scan
+on:
+  push:
+    branches:
+      - '*'
+      - '*'
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in fs mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'table'
+          exit-code: 1
+          severity: CRITICAL
diff --git a/pom.xml b/pom.xml
@@ -14,7 +14,7 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.3.7.RELEASE</version>
+		<version>2.5.12</version>
 		<relativePath/>
 	</parent>
 
@@ -24,7 +24,17 @@
 		<java.version>11</java.version>
 		<keycloak.version>17.0.0</keycloak.version>
 		<!-- force at least version 2.16 due to https://logging.apache.org/log4j/2.x/security.html -->
-		<log4j.version>2.16.0</log4j.version>
+		<log4j.version>2.19.0</log4j.version>
+		<openapi-generator-maven-plugin.version>6.2.0</openapi-generator-maven-plugin.version>
+		<springfox-boot-starter.version>3.0.0</springfox-boot-starter.version>
+		<jackson-databind-nullable.version>0.2.3</jackson-databind-nullable.version>
+		<spring-swagger-ui.version>2.10.0</spring-swagger-ui.version>
+		<spring-security-core.version>5.7.3</spring-security-core.version>
+		<ehcache.version>2.10.6</ehcache.version>
+		<javax.ws.rs-api.version>2.1.1</javax.ws.rs-api.version>
+		<java-jwt.version>3.12.1</java-jwt.version>
+		<commons-lang3.version>3.11</commons-lang3.version>
+		<commons-collections4.version>4.4</commons-collections4.version>
 	</properties>
 
 	<dependencies>
@@ -45,41 +55,43 @@
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-cache</artifactId>
 		</dependency>
+		<!-- Spring dependencies -->
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-core</artifactId>
+			<version>${spring-security-core.version}</version>
+		</dependency>
+
+		<!-- caching dependencies -->
 		<dependency>
 			<groupId>net.sf.ehcache</groupId>
 			<artifactId>ehcache</artifactId>
-			<version>2.10.6</version>
+			<version>${ehcache.version}</version>
 		</dependency>
 
 		<!-- OpenApi/Swagger dependencies -->
 		<dependency>
 			<groupId>org.openapitools</groupId>
 			<artifactId>openapi-generator-maven-plugin</artifactId>
-			<version>5.1.1</version>
+			<version>${openapi-generator-maven-plugin.version}</version>
 			<scope>provided</scope>
 		</dependency>
 		<dependency>
 			<groupId>org.openapitools</groupId>
 			<artifactId>jackson-databind-nullable</artifactId>
-			<version>0.2.1</version>
+			<version>${jackson-databind-nullable.version}</version>
 		</dependency>
 		<!-- SpringFox: generate YAML file from POJOs and generate documentation -->
 		<dependency>
 			<groupId>io.springfox</groupId>
-			<artifactId>springfox-swagger2</artifactId>
-			<version>2.9.2</version>
-		</dependency>
-		<dependency>
-			<groupId>io.springfox</groupId>
-			<artifactId>springfox-bean-validators</artifactId>
-			<version>2.9.2</version>
+			<artifactId>springfox-boot-starter</artifactId>
+			<version>${springfox-boot-starter.version}</version>
 		</dependency>
 		<dependency>
 			<groupId>io.springfox</groupId>
 			<artifactId>springfox-swagger-ui</artifactId>
-			<version>2.9.2</version>
+			<version>${spring-swagger-ui.version}</version>
 		</dependency>
-
 		<!-- Keycloak dependencies -->
 		<dependency>
 			<groupId>org.keycloak</groupId>
@@ -94,14 +106,14 @@
 		<dependency>
 			<groupId>javax.ws.rs</groupId>
 			<artifactId>javax.ws.rs-api</artifactId>
-			<version>2.1.1</version>
+			<version>${javax.ws.rs-api.version}</version>
 		</dependency>
 
 		<!-- JWT builder dependency -->
 		<dependency>
 			<groupId>com.auth0</groupId>
 			<artifactId>java-jwt</artifactId>
-			<version>3.12.1</version>
+			<version>${java-jwt.version}</version>
 		</dependency>
 
 		<!-- Lombok dependencies -->
@@ -115,12 +127,12 @@
 		<dependency>
 			<groupId>org.apache.commons</groupId>
 			<artifactId>commons-lang3</artifactId>
-			<version>3.11</version>
+			<version>${commons-lang3.version}</version>
 		</dependency>
 		<dependency>
 			<groupId>org.apache.commons</groupId>
 			<artifactId>commons-collections4</artifactId>
-			<version>4.4</version>
+			<version>${commons-collections4.version}</version>
 		</dependency>
 
 		<!-- Test dependencies -->

diff --git a/...n/java/de/caritas/cob/videoservice/api/controller/CustomSwaggerApiResourceController.java b/...n/java/de/caritas/cob/videoservice/api/controller/CustomSwaggerApiResourceController.java
diff --git a/src/main/java/de/caritas/cob/videoservice/api/controller/CustomSwaggerPathController.java b/src/main/java/de/caritas/cob/videoservice/api/controller/CustomSwaggerPathController.java