Merge pull request #108 from chanakadkb/fix-cves-and-dependency-issues

Fix vulnerability issues by upgrading/replacing some dependencies and upgrading java version to 21

Author: Jan-M

.github/workflows/codeql-analysis.yml

@@ -39,11 +39,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v3
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -54,7 +54,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -68,4 +68,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v3

.github/workflows/workflow.yml

@@ -15,7 +15,7 @@ jobs:
 
     services:
       postgres:
-        image: postgres:13
+        image: postgres:17
         env:
           POSTGRES_PASSWORD: postgres
         # Set health checks to wait until postgres has started
@@ -28,13 +28,14 @@ jobs:
           - 5432:5432
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - name: Set up JDK
-      uses: actions/setup-java@v1
+      uses: actions/setup-java@v4
       with:
-        java-version: 8
+        distribution: 'temurin'
+        java-version: '17'
     - name: Cache local Maven repository
-      uses: actions/cache@v2
+      uses: actions/cache@v4
       with:
         path: ~/.m2/repository
         key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}

.zappr.yaml

@@ -1,8 +1,12 @@
 approvals:
-  pattern: "^(:\\+1:|👍|\\+1|:thumbsup:|[Ll][Gg][Tt][Mm])$"
-  minimum: 1
-  from:
-    orgs:
-      - zalando
-      - zalando-stups
-    collaborators: true
+  groups:
+    zalando:
+      minimum: 1
+      from:
+        orgs:
+          - "zalando"
+          - "zalando-stups"
+X-Zalando-Type: code
+X-Zalando-Team: acid
+
+

README.md

@@ -145,7 +145,7 @@ EXPORT global.value.transformer.search.namespace="my.package;another.package;thi
 Prerequisites
 -------------
 
-* Java 11
+* Java 17
 * To compile, one should use [Maven](http://maven.apache.org/) 3.0.0 or above
 
 Dependencies

cve-suppressions.xml

@@ -1,7 +1,7 @@
 version: '3'
 services:
   db:
-    image: 'postgres:13'
+    image: 'postgres:17'
     environment:
       POSTGRES_PASSWORD: 'postgres'
     ports:

docker-compose.yml

@@ -6,7 +6,7 @@
 
     <groupId>org.zalando</groupId>
     <artifactId>zalando-sprocwrapper</artifactId>
-    <version>3.2.2-SNAPSHOT</version>
+    <version>4.0.0-SNAPSHOT</version>
 
     <name>Stored Procedure Wrapper</name>
     <description>Library to make PostgreSQL stored procedures available through simple Java "*SProcService" interfaces
@@ -59,11 +59,10 @@
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <maven.compiler.source>8</maven.compiler.source>
-        <maven.compiler.target>8</maven.compiler.target>
-        <spring.version>5.3.23</spring.version>
-        <postgresql.version>42.5.1</postgresql.version>
-        <dependency-check-maven.version>7.2.1</dependency-check-maven.version>
+        <maven.compiler.source>17</maven.compiler.source>
+        <maven.compiler.target>17</maven.compiler.target>
+        <spring.version>6.2.0</spring.version>
+        <postgresql.version>42.7.4</postgresql.version>
     </properties>
 
     <dependencies>
@@ -83,31 +82,21 @@
             <version>${postgresql.version}</version>
         </dependency>
         <dependency>
-            <groupId>commons-lang</groupId>
-            <artifactId>commons-lang</artifactId>
-            <version>2.6</version>
-        </dependency>
-        <dependency>
-            <groupId>commons-beanutils</groupId>
-            <artifactId>commons-beanutils</artifactId>
-            <version>1.9.4</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>commons-logging</groupId>
-                    <artifactId>commons-logging</artifactId>
-                </exclusion>
-            </exclusions>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.17.0</version>
         </dependency>
         <dependency>
             <groupId>org.hibernate.validator</groupId>
             <artifactId>hibernate-validator</artifactId>
-            <version>6.1.5.Final</version>
+            <version>9.0.0.Beta3</version>
         </dependency>
         <dependency>
             <groupId>org.glassfish</groupId>
-            <artifactId>javax.el</artifactId>
-            <version>3.0.1-b08</version>
+            <artifactId>jakarta.el</artifactId>
+            <version>5.0.0-M1</version>
         </dependency>
+
         <dependency>
             <groupId>org.reflections</groupId>
             <artifactId>reflections</artifactId>
@@ -117,7 +106,7 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>30.1-jre</version>
+            <version>33.3.1-jre</version>
         </dependency>
         <dependency>
             <groupId>javax.persistence</groupId>
@@ -143,6 +132,11 @@
             <version>${spring.version}</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+                <artifactId>spring-beans</artifactId>
+            <version>${spring.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-test</artifactId>
@@ -197,24 +191,6 @@
                     </execution>
                 </executions>
             </plugin>
-            <plugin>
-                <groupId>org.owasp</groupId>
-                <artifactId>dependency-check-maven</artifactId>
-                <version>${dependency-check-maven.version}</version>
-                <executions>
-                    <execution>
-                        <goals>
-                            <goal>check</goal>
-                        </goals>
-                    </execution>
-                </executions>
-                <configuration>
-                    <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
-                    <suppressionFiles>
-                        <suppressionFile>cve-suppressions.xml</suppressionFile>
-                    </suppressionFiles>
-                </configuration>
-            </plugin>
             <plugin>
                 <groupId>org.basepom.maven</groupId>
                 <artifactId>duplicate-finder-maven-plugin</artifactId>
@@ -272,7 +248,7 @@
             <plugin>
                 <groupId>org.jacoco</groupId>
                 <artifactId>jacoco-maven-plugin</artifactId>
-                <version>0.8.4</version>
+                <version>0.8.12</version>
                 <executions>
                     <execution>
                         <id>prepare-agent</id>

pom.xml

@@ -3,7 +3,7 @@
 import com.google.common.base.Strings;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
-import org.apache.commons.beanutils.BeanUtils;
+import org.springframework.beans.BeanWrapperImpl;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -89,18 +89,19 @@ public BitmapShardDataSourceProvider(final Class<? extends DataSource> dataSourc
 
         for (final Entry<String, String> entry : connectionUrls.entrySet()) {
             final DataSource ds = dataSourceClass.getDeclaredConstructor().newInstance();
+            var dsBeanWrapper = new BeanWrapperImpl(ds);
             for (final Entry<String, String> prop : commonDataSourceProperties.entrySet()) {
-                BeanUtils.setProperty(ds, prop.getKey(), prop.getValue());
+                dsBeanWrapper.setPropertyValue(prop.getKey(), prop.getValue());
             }
 
             final String[] parts = entry.getValue().split("\\|");
 
-            BeanUtils.setProperty(ds, "jdbcUrl", parts[0]);
+            dsBeanWrapper.setPropertyValue("jdbcUrl", parts[0]);
 
             if (parts.length > 1) {
 
                 // a little bit hacky, because "initSQL" is boneCP-specific
-                BeanUtils.setProperty(ds, "initSQL", parts[1]);
+                dsBeanWrapper.setPropertyValue("initSQL", parts[1]);
             }
 
             for (int i = 0; i < dataSources.length; i++) {

src/main/java/org/zalando/sprocwrapper/dsprovider/BitmapShardDataSourceProvider.java

@@ -6,11 +6,11 @@
 import org.slf4j.LoggerFactory;
 
 import javax.sql.DataSource;
-import javax.validation.ConstraintViolation;
-import javax.validation.ConstraintViolationException;
-import javax.validation.Validation;
-import javax.validation.Validator;
-import javax.validation.ValidatorFactory;
+import jakarta.validation.ConstraintViolation;
+import jakarta.validation.ConstraintViolationException;
+import jakarta.validation.Validation;
+import jakarta.validation.Validator;
+import jakarta.validation.ValidatorFactory;
 import java.util.Set;
 
 /**

src/main/java/org/zalando/sprocwrapper/proxy/executors/ValidationExecutorWrapper.java

@@ -4,7 +4,7 @@
 
 import java.util.Locale;
 
-import static org.apache.commons.lang.StringUtils.splitByCharacterTypeCamelCase;
+import static org.apache.commons.lang3.StringUtils.splitByCharacterTypeCamelCase;
 
 /**
  * Static utility methods for naming conventions.