Merge pull request #243 from DovOps/dk-refactor/migrate-to-spring-boo…

…t-3-3 refactor: CVE Remediations
finos · Dec 31, 2024 · 242dd8a · 242dd8a
2 parents 380114d + 29befd8
commit 242dd8a
Show file tree

Hide file tree

Showing 16 changed files with 99 additions and 66 deletions.
diff --git a/.github/node-cve-ignore-list.xml b/.github/node-cve-ignore-list.xml
@@ -7,6 +7,8 @@
         <cpe>cpe:/a:bootstrap:bootstrap:5.3.3</cpe>
         <cve>CVE-2024-6484</cve>
         <cve>CVE-2024-6531</cve>
+        <!-- this is slightly more than 5.0 affecting latest ver of express 5.0.1 -->
+        <cve>CVE-2024-10491</cve>
     </suppress>
 
 </suppressions>
diff --git a/account-service/build.gradle b/account-service/build.gradle
@@ -7,8 +7,8 @@
 
 plugins {
   id 'java'
-  id 'org.springframework.boot' version '3.3.3'
-  id 'io.spring.dependency-management' version '1.1.6'
+  id 'org.springframework.boot' version '3.3.7'
+  id 'io.spring.dependency-management' version '1.1.7'
 }
 
 group = 'finos.traderx.account-service'
@@ -25,9 +25,13 @@ dependencies {
 	implementation 'com.h2database:h2:2.2.224'
 	implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.6.0'
 
+    implementation ('ch.qos.logback:logback-core:1.5.13'){
+		because 'version brought in by spring boot 3.3.7 affected by CVE-2024-12798'
+	}
+
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
 }
 
-tasks.named('test') {
-  useJUnitPlatform()
-}
+tasks.withType(Test).configureEach {
+    useJUnitPlatform()
+}
diff --git a/account-service/settings.gradle b/account-service/settings.gradle
@@ -14,3 +14,4 @@ dependencyResolutionManagement {
     }
 }
 rootProject.name = 'account-service'
+
diff --git a/account-service/src/main/java/finos/traderx/accountservice/model/Account.java b/account-service/src/main/java/finos/traderx/accountservice/model/Account.java
@@ -1,5 +1,6 @@
 package finos.traderx.accountservice.model;
 
+import java.io.Serial;
 import java.io.Serializable;
 
 import jakarta.persistence.Column;
@@ -8,13 +9,14 @@
 import jakarta.persistence.SequenceGenerator;
 import jakarta.persistence.GenerationType;
 import jakarta.persistence.Id;
-import jakarta.persistence.Table;
-
+import jakarta.persistence.Table;
+
 @Entity
 @Table(name = "ACCOUNTS")
-public class Account implements Serializable {
-
-		private static final long serialVersionUID = 1L;
+public class Account implements Serializable {
+
+    @Serial
+    private static final long serialVersionUID = 1L;
 
 		@Id
 		@Column(name = "ID")

diff --git a/database/build.gradle b/database/build.gradle
@@ -29,6 +29,7 @@ jar {
         configurations.runtimeClasspath.collect { it.isDirectory() ? it : zipTree(it) }
     }
 }
+
 tasks.withType(Test).configureEach {
     useJUnitPlatform()
 }
diff --git a/database/settings.gradle b/database/settings.gradle
@@ -16,3 +16,4 @@ dependencyResolutionManagement {
 
 rootProject.name = 'database'
 
+
diff --git a/people-service/PeopleService.Core/PeopleService.Core.csproj b/people-service/PeopleService.Core/PeopleService.Core.csproj
@@ -9,10 +9,10 @@
   <ItemGroup>
     <PackageReference Include="CacheManager.Core" Version="1.2.0" />
     <PackageReference Include="CacheManager.Microsoft.Extensions.Configuration" Version="1.2.0" />
-    <PackageReference Include="FluentValidation.AspNetCore" Version="11.3.0" />
+    <PackageReference Include="FluentValidation.AspNetCore" Version="11.3.0" /> <!-- Updated version -->
     <PackageReference Include="JetBrains.Annotations" Version="2023.3.0" />
     <PackageReference Include="MediatR" Version="12.2.0" />
-    <PackageReference Include="System.Text.Json" Version="8.0.4" />
+    <PackageReference Include="System.Text.Json" Version="8.0.5" />
   </ItemGroup>
 
 </Project>
diff --git a/position-service/build.gradle b/position-service/build.gradle
@@ -7,8 +7,8 @@
 
 plugins {
   id 'java'
-  id 'org.springframework.boot' version '3.3.3'
-  id 'io.spring.dependency-management' version '1.1.6'
+  id 'org.springframework.boot' version '3.3.7'
+  id 'io.spring.dependency-management' version '1.1.7'
 }
 
 group = 'finos.traderx.position-service'
@@ -25,9 +25,13 @@ dependencies {
 	implementation 'com.h2database:h2:2.2.224'
 	implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.6.0'
 
+	implementation ('ch.qos.logback:logback-core:1.5.13'){
+		because 'version brought in by spring boot 3.3.7 affected by CVE-2024-12798'
+	}
+
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
 }
 
-tasks.named('test') {
-  useJUnitPlatform()
-}
+tasks.withType(Test).configureEach {
+    useJUnitPlatform()
+}
diff --git a/position-service/src/main/java/finos/traderx/positionservice/model/Position.java b/position-service/src/main/java/finos/traderx/positionservice/model/Position.java
@@ -1,21 +1,23 @@
 package finos.traderx.positionservice.model;
 
+import java.io.Serial;
 import java.io.Serializable;
 import java.util.Date;
 
 import jakarta.persistence.Column;
 import jakarta.persistence.Entity;
 import jakarta.persistence.Id;
 import jakarta.persistence.IdClass;
-import jakarta.persistence.Table;
-
+import jakarta.persistence.Table;
+
 @Entity
 @IdClass(PositionID.class)
 @Table(name = "POSITIONS")
-public class Position implements Serializable {
-
-
-	private static final long serialVersionUID = 1L;
+public class Position implements Serializable {
+
+
+    @Serial
+    private static final long serialVersionUID = 1L;
 
 	@Id
 	@Column(name = "ACCOUNTID")

diff --git a/position-service/src/main/java/finos/traderx/positionservice/model/Trade.java b/position-service/src/main/java/finos/traderx/positionservice/model/Trade.java
@@ -1,5 +1,6 @@
 package finos.traderx.positionservice.model;
 
+import java.io.Serial;
 import java.io.Serializable;
 import java.util.Date;
 
@@ -12,7 +13,8 @@
 @Table(name = "TRADES")
 public class Trade implements Serializable {
 
-	private static final long serialVersionUID = 1L;
+    @Serial
+    private static final long serialVersionUID = 1L;
 
     @Column(length = 100, name = "ID")
     @Id

diff --git a/reference-data/package.json b/reference-data/package.json
@@ -20,38 +20,39 @@
     "test:e2e": "jest --config ./test/jest-e2e.json"
   },
   "dependencies": {
-    "@nestjs/common": "^10.3.8",
-    "@nestjs/core": "^10.3.8",
-    "@nestjs/platform-express": "^10.3.8",
-    "@nestjs/swagger": "^7.3.1",
+    "@nestjs/common": "^10.4.15",
+    "@nestjs/core": "^10.4.15",
+    "@nestjs/platform-express": "^10.4.15",
+    "@nestjs/swagger": "^8.1.0",
     "@nestjs/terminus": "^10.2.3",
     "csv-reader": "^1.0.12",
-    "reflect-metadata": "^0.2.0",
+    "npm-check-updates": "^17.1.13",
+    "reflect-metadata": "^0.2.2",
     "rxjs": "^7.8.1"
   },
   "devDependencies": {
-    "@nestjs/cli": "^10.3.2",
-    "@nestjs/schematics": "^10.1.1",
-    "@nestjs/testing": "^10.3.8",
-    "@types/express": "^4.17.21",
-    "@types/jest": "29.5.12",
-    "@types/node": "20.12.13",
-    "@types/supertest": "^2.0.16",
-    "@typescript-eslint/eslint-plugin": "^6.14.0",
-    "@typescript-eslint/parser": "^6.14.0",
-    "eslint": "^8.0.1",
-    "eslint-config-prettier": "^8.3.0",
-    "eslint-plugin-prettier": "^4.0.0",
+    "@nestjs/cli": "^10.4.9",
+    "@nestjs/schematics": "^10.2.3",
+    "@nestjs/testing": "^10.4.15",
+    "@tsconfig/node20": "20.1.4",
+    "@types/express": "^5.0.0",
+    "@types/jest": "29.5.14",
+    "@types/node": "22.10.2",
+    "@types/supertest": "^6.0.2",
+    "@typescript-eslint/eslint-plugin": "^8.19.0",
+    "@typescript-eslint/parser": "^8.19.0",
+    "eslint": "^9.17.0",
+    "eslint-config-prettier": "^9.1.0",
+    "eslint-plugin-prettier": "^5.2.1",
     "jest": "29.7.0",
-    "prettier": "^2.3.2",
-    "source-map-support": "^0.5.20",
-    "supertest": "^6.1.3",
-    "ts-jest": "29.1.4",
+    "prettier": "^3.4.2",
+    "source-map-support": "^0.5.21",
+    "supertest": "^7.0.0",
+    "ts-jest": "29.2.5",
     "ts-loader": "^9.5.1",
     "ts-node": "^10.9.2",
     "tsconfig-paths": "4.2.0",
-    "typescript": "^5.4.5",
-    "@tsconfig/node20": "20.1.4"
+    "typescript": "^5.7.2"
   },
   "jest": {
     "moduleFileExtensions": [

diff --git a/trade-feed/package.json b/trade-feed/package.json
@@ -11,8 +11,9 @@
   "license": "ISC",
   "dependencies": {
     "cors": "^2.8.5",
-    "express": "^4.19.2",
-    "socket.io": "^4.7.5",
-    "winston": "^3.13.0"
+    "express": "^5.0.1",
+    "npm-check-updates": "^17.1.13",
+    "socket.io": "^4.8.1",
+    "winston": "^3.17.0"
   }
 }
diff --git a/trade-processor/build.gradle b/trade-processor/build.gradle
@@ -7,8 +7,8 @@
 
 plugins {
   id 'java'
-  id 'org.springframework.boot' version '3.3.3'
-  id 'io.spring.dependency-management' version '1.1.6'
+  id 'org.springframework.boot' version '3.3.7'
+  id 'io.spring.dependency-management' version '1.1.7'
 }
 
 group = 'finos.traderx.trade-processor'
@@ -32,9 +32,13 @@ dependencies {
 		exclude group: 'org.json', module: 'json'
 	}
 
+    implementation ('ch.qos.logback:logback-core:1.5.13'){
+		because 'version brought in by spring boot 3.3.7 affected by CVE-2024-12798'
+	}
+
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
 }
 
-tasks.named('test') {
-  useJUnitPlatform()
-}
+tasks.withType(Test).configureEach {
+    useJUnitPlatform()
+}
diff --git a/trade-processor/src/main/java/finos/traderx/tradeprocessor/model/Position.java b/trade-processor/src/main/java/finos/traderx/tradeprocessor/model/Position.java
@@ -1,21 +1,23 @@
 package finos.traderx.tradeprocessor.model;
 
+import java.io.Serial;
 import java.io.Serializable;
 import java.util.Date;
 
 import jakarta.persistence.Column;
 import jakarta.persistence.Entity;
 import jakarta.persistence.Id;
 import jakarta.persistence.IdClass;
-import jakarta.persistence.Table;
-
+import jakarta.persistence.Table;
+
 @Entity
 @IdClass(PositionID.class)
 @Table(name = "POSITIONS")
-public class Position implements Serializable {
-
-
-	private static final long serialVersionUID = 1L;
+public class Position implements Serializable {
+
+
+    @Serial
+    private static final long serialVersionUID = 1L;
 
 	@Id
 	@Column(name = "ACCOUNTID")

diff --git a/trade-processor/src/main/java/finos/traderx/tradeprocessor/model/Trade.java b/trade-processor/src/main/java/finos/traderx/tradeprocessor/model/Trade.java
@@ -1,5 +1,6 @@
 package finos.traderx.tradeprocessor.model;
 
+import java.io.Serial;
 import java.io.Serializable;
 import java.util.Date;
 
@@ -16,7 +17,8 @@
 @Table(name = "TRADES")
 public class Trade implements Serializable {
 
-	private static final long serialVersionUID = 1L;
+    @Serial
+    private static final long serialVersionUID = 1L;
 
     @Column(length = 100, name = "ID")
     @Id

diff --git a/trade-service/build.gradle b/trade-service/build.gradle
@@ -7,8 +7,8 @@
 
 plugins {
   id 'java'
-  id 'org.springframework.boot' version '3.3.3'
-  id 'io.spring.dependency-management' version '1.1.6'
+  id 'org.springframework.boot' version '3.3.7'
+  id 'io.spring.dependency-management' version '1.1.7'
 }
 
 group = 'finos.traderx.trade-service'
@@ -36,9 +36,13 @@ dependencies {
 		exclude group: 'org.json', module: 'json'
 	}
 
+    implementation ('ch.qos.logback:logback-core:1.5.13'){
+		because 'version brought in by spring boot 3.3.7 affected by CVE-2024-12798'
+	}
+
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
 }
 
-tasks.named('test') {
-  useJUnitPlatform()
+tasks.withType(Test).configureEach {
+    useJUnitPlatform()
 }
Original file line number	Diff line number	Diff line change
Expand Up		@@ -14,3 +14,4 @@ dependencyResolutionManagement {
		}
		}
		rootProject.name = 'account-service'
Original file line number	Diff line number	Diff line change
Expand Up		@@ -16,3 +16,4 @@ dependencyResolutionManagement {

		rootProject.name = 'database'