From 9f2105a736a8780435b51fb22bba1bc8d3769ff7 Mon Sep 17 00:00:00 2001
From: Andrea Pinto
Date: Thu, 23 Jan 2025 09:58:23 +0100
Subject: [PATCH 1/6] resolve some vulnerabilities
---
 .github/workflows/scala-release.yaml | 2 +-
 .github/workflows/scala-style.yaml | 2 +-
 .github/workflows/scala-unit-tests.yaml | 2 +-
 project/plugins.sbt | 1 +
 .../gis/domain/loader/OSMAdministrativeBoundariesLoader.scala | 2 +-
 .../it/agilelab/gis/domain/loader/OSMPostalCodeLoader.scala | 2 +-
 .../scala/it/agilelab/gis/domain/loader/ShapeFileReader.scala | 2 +-
 7 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/scala-release.yaml b/.github/workflows/scala-release.yaml
index 7622d62f..42161bc6 100644
--- a/.github/workflows/scala-release.yaml
+++ b/.github/workflows/scala-release.yaml
@@ -11,7 +11,7 @@ jobs:
 - uses: actions/setup-java@v3
 with:
 distribution: temurin
- java-version: 8
+ java-version: 17
 cache: sbt
 - name: release
diff --git a/.github/workflows/scala-style.yaml b/.github/workflows/scala-style.yaml
index 52aebce1..a1211982 100644
--- a/.github/workflows/scala-style.yaml
+++ b/.github/workflows/scala-style.yaml
@@ -14,7 +14,7 @@ jobs:
 - uses: actions/setup-java@v3
 with:
 distribution: temurin
- java-version: 8
+ java-version: 17
 cache: sbt
 - name: Verify
diff --git a/.github/workflows/scala-unit-tests.yaml b/.github/workflows/scala-unit-tests.yaml
index b787457c..11f78096 100644
--- a/.github/workflows/scala-unit-tests.yaml
+++ b/.github/workflows/scala-unit-tests.yaml
@@ -17,7 +17,7 @@ jobs:
 - uses: actions/setup-java@v3
 with:
 distribution: temurin
- java-version: 8
+ java-version: 17
 cache: sbt
 - name: Build and Test
diff --git a/project/plugins.sbt b/project/plugins.sbt
index be424458..2b831570 100644
--- a/project/plugins.sbt
+++ b/project/plugins.sbt
@@ -2,3 +2,4 @@ addSbtPlugin("org.scoverage" % "sbt-scoverage" % "2.0.0")
 addSbtPlugin("com.sksamuel.scapegoat" % "sbt-scapegoat" % "1.1.1")
 addSbtPlugin("org.scalameta" % "sbt-scalafmt" % "2.4.6")
 addSbtPlugin("com.github.sbt" % "sbt-ci-release" % "1.5.10")
+addSbtPlugin("net.vonbuchholtz" % "sbt-dependency-check" % "5.1.0")
diff --git a/src/main/scala/it/agilelab/gis/domain/loader/OSMAdministrativeBoundariesLoader.scala b/src/main/scala/it/agilelab/gis/domain/loader/OSMAdministrativeBoundariesLoader.scala
index af721cb9..79e9283e 100644
--- a/src/main/scala/it/agilelab/gis/domain/loader/OSMAdministrativeBoundariesLoader.scala
+++ b/src/main/scala/it/agilelab/gis/domain/loader/OSMAdministrativeBoundariesLoader.scala
@@ -5,7 +5,7 @@ import it.agilelab.gis.core.loader.Loader
 import it.agilelab.gis.domain.managers.{ CountrySettings, GeocodePathManager }
 import it.agilelab.gis.domain.models.OSMBoundary
 import org.locationtech.jts.geom.Geometry
-import org.opengis.feature.simple.SimpleFeature
+import org.geotools.api.feature.simple.SimpleFeature
 import java.io.File
 import scala.util.Try
diff --git a/src/main/scala/it/agilelab/gis/domain/loader/OSMPostalCodeLoader.scala b/src/main/scala/it/agilelab/gis/domain/loader/OSMPostalCodeLoader.scala
index 56d08bbb..e917a8f5 100644
--- a/src/main/scala/it/agilelab/gis/domain/loader/OSMPostalCodeLoader.scala
+++ b/src/main/scala/it/agilelab/gis/domain/loader/OSMPostalCodeLoader.scala
@@ -3,7 +3,7 @@ package it.agilelab.gis.domain.loader
 import it.agilelab.gis.core.loader.Loader
 import it.agilelab.gis.domain.models.OSMBoundary
 import org.locationtech.jts.geom.Geometry
-import org.opengis.feature.simple.SimpleFeature
+import org.geotools.api.feature.simple.SimpleFeature
 case class OSMPostalCodeLoader() extends Loader[OSMBoundary] {
diff --git a/src/main/scala/it/agilelab/gis/domain/loader/ShapeFileReader.scala b/src/main/scala/it/agilelab/gis/domain/loader/ShapeFileReader.scala
index 9023bb1b..17fc1bf4 100644
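Review bot: Adding `sbt-dependency-check` only makes the `dependencyCheck` task available; nothing in this patch runs it, and the three workflow files touched in the same patch gain no such step, so the scan stays a manual, local action unless it is wired in somewhere this series does not show. A CI step running `sbt dependencyCheck` together with a failure threshold such as `dependencyCheckFailBuildOnCVSS := 7` in build.sbt would make the class of findings this series is titled after regress visibly instead of silently. Without that, the plugin line documents an intention rather than a control.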
--- a/src/main/scala/it/agilelab/gis/domain/loader/ShapeFileReader.scala
+++ b/src/main/scala/it/agilelab/gis/domain/loader/ShapeFileReader.scala
@@ -13,7 +13,7 @@ import org.locationtech.jts.geom.{
 Point,
 Polygon
 }
-import org.opengis.feature.simple._
+import org.geotools.api.feature.simple._
 import java.io.File
 import java.net.URL
From e628865f5559d0d2616a65cdffdad951ca0e3bc5 Mon Sep 17 00:00:00 2001
From: Andrea Pinto
Date: Thu, 23 Jan 2025 09:58:43 +0100
Subject: [PATCH 2/6] resolve some vulnerabilities
---
 build.sbt | 5 ++---
 project/Dependencies.scala | 9 +++++----
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/build.sbt b/build.sbt
index 9572eb88..9e513871 100644
--- a/build.sbt
+++ b/build.sbt
@@ -2,7 +2,7 @@ import com.sksamuel.scapegoat.sbt.ScapegoatSbtPlugin.autoImport._
 inThisBuild(
 Seq(
- scalaVersion := scala211,
+ scalaVersion := scala212,
 organization := "it.agilelab",
 version := "1.8.0-SNAPSHOT",
 scapegoatVersion := "1.4.15",
@@ -43,5 +43,4 @@ lazy val root = (project in file("."))
 )
 lazy val scala212 = "2.12.16"
-lazy val scala211 = "2.11.12"
-lazy val supportedScalaVersions = List(scala212, scala211)
+lazy val supportedScalaVersions = List(scala212)
diff --git a/project/Dependencies.scala b/project/Dependencies.scala
index 5ec36b63..e2a16e25 100644
--- a/project/Dependencies.scala
+++ b/project/Dependencies.scala
@@ -4,16 +4,17 @@ import sbt._
 trait Dependencies {
 lazy val coreDependencies: Seq[ModuleID] = Seq(
+ "com.google.protobuf" % "protobuf-java" % "4.29.3",
 "org.slf4j" % "slf4j-api" % "1.7.26",
 "org.slf4j" % "slf4j-simple" % "1.7.26",
 "org.rogach" %% "scallop" % "3.5.1",
 "com.typesafe" % "config" % "1.2.1",
- "org.scalaz" %% "scalaz-core" % "7.3.2",
- "com.github.pureconfig" %% "pureconfig" % "0.12.1",
+ "org.scalaz" %% "scalaz-core" % "7.3.8",
+ "com.github.pureconfig" %% "pureconfig" % "0.14.0",
 "org.locationtech.jts" % "jts-core" % "1.19.0",
 "org.locationtech.jts.io" % "jts-io-common" % "1.19.0",
- "org.geotools" % "gt-shapefile" % "27.0" exclude ("com.vividsolutions", "jts"),
- "org.geotools" % "gt-metadata" % "27.0" exclude ("com.vividsolutions", "jts"),
+ "org.geotools" % "gt-shapefile" % "31.5" exclude ("com.vividsolutions", "jts"),
+ "org.geotools" % "gt-metadata" % "31.5" exclude ("com.vividsolutions", "jts"),
 "com.graphhopper" % "graphhopper-core" % "0.11.0" exclude ("com.vividsolutions", "jts-core"),
 "com.graphhopper" % "graphhopper-reader-osm" % "0.11.0" exclude ("com.vividsolutions", "jts-core"),
 "com.graphhopper" % "graphhopper-map-matching-core" % "0.11.0-4" exclude ("com.vividsolutions", "jts-core"),
From 8348b3d3465a6d83dca23320513d68183d27ccbd Mon Sep 17 00:00:00 2001
From: Andrea Pinto
Date: Thu, 23 Jan 2025 17:56:44 +0100
Subject: [PATCH 3/6] WIP
---
 project/Dependencies.scala | 5 ++---
 .../it/agilelab/gis/core/GraphHopperSpec.scala | 17 +++++++++--------
 .../gis/domain/loader/GeocodeManagerSpec.scala | 2 +-
 3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/project/Dependencies.scala b/project/Dependencies.scala
index e2a16e25..80e7d51f 100644
--- a/project/Dependencies.scala
+++ b/project/Dependencies.scala
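Review bot: The new `"com.google.protobuf" % "protobuf-java" % "4.29.3"` entry in `coreDependencies` is a transitive-version override written as a direct dependency: nothing in this series shows project code using protobuf, so the line exists only to evict whatever 3.x version a transitive dependency (presumably one of the graphhopper 0.11.0 artifacts, not verifiable here) pulls in, and a jump across a major version is a binary-compatibility risk for that consumer. sbt's `dependencyOverrides += "com.google.protobuf" % "protobuf-java" % "3.25.5"` pins the transitive version without publishing protobuf as part of this library's own dependency set and makes the intent visible to the next reader. The same line is removed again in patch 3, re-added as 3.25.5 in patch 4 and removed once more in patch 5, so the series ends with no pin at all; if the vulnerable transitive disappeared with the geotools 31.5 bump, a comment next to the geotools lines or the message of patch 5 should say so, otherwise the fix the series is named after is simply lost.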
@@ -4,7 +4,6 @@ import sbt._
 trait Dependencies {
 lazy val coreDependencies: Seq[ModuleID] = Seq(
- "com.google.protobuf" % "protobuf-java" % "4.29.3",
 "org.slf4j" % "slf4j-api" % "1.7.26",
 "org.slf4j" % "slf4j-simple" % "1.7.26",
 "org.rogach" %% "scallop" % "3.5.1",
@@ -13,8 +12,8 @@ trait Dependencies {
 "com.github.pureconfig" %% "pureconfig" % "0.14.0",
 "org.locationtech.jts" % "jts-core" % "1.19.0",
 "org.locationtech.jts.io" % "jts-io-common" % "1.19.0",
- "org.geotools" % "gt-shapefile" % "31.5" exclude ("com.vividsolutions", "jts"),
- "org.geotools" % "gt-metadata" % "31.5" exclude ("com.vividsolutions", "jts"),
+ "org.geotools" % "gt-shapefile" % "31.5" exclude ("com.vividsolutions", "jts-core"),
+ "org.geotools" % "gt-metadata" % "31.5" exclude ("com.vividsolutions", "jt-cores"),
 "com.graphhopper" % "graphhopper-core" % "0.11.0" exclude ("com.vividsolutions", "jts-core"),
 "com.graphhopper" % "graphhopper-reader-osm" % "0.11.0" exclude ("com.vividsolutions", "jts-core"),
 "com.graphhopper" % "graphhopper-map-matching-core" % "0.11.0-4" exclude ("com.vividsolutions", "jts-core"),
diff --git a/src/test/scala/it/agilelab/gis/core/GraphHopperSpec.scala b/src/test/scala/it/agilelab/gis/core/GraphHopperSpec.scala
index 7e3d6237..bd50c125 100644
--- a/src/test/scala/it/agilelab/gis/core/GraphHopperSpec.scala
+++ b/src/test/scala/it/agilelab/gis/core/GraphHopperSpec.scala
@@ -7,6 +7,7 @@ import it.agilelab.gis.domain.exceptions.RecoverableBrokenSequenceRouteError
 import it.agilelab.gis.domain.graphhopper._
 import org.scalatest._
 import org.scalatest.tagobjects.Slow
+import scala.jdk.CollectionConverters._
 import java.io.File
 import java.nio.file.{ Files, Paths }
@@ -77,7 +78,7 @@ class GraphHopperSpec
 roadType = Some("residential"),
 roadName = Some("Via Bassano Porrone"),
 speedLimit = Some(30),
- linearDistance = Some(0.5240652051613223)
+ linearDistance = Some(0.5240652051613224)
 )),
 length = Some(0.0),
 time = Some(0),
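Review bot: The `gt-metadata` line on the new side of the second hunk excludes `("com.vividsolutions", "jt-cores")`, which is a typo for `jts-core`; sbt matches exclusions by exact organization and name, so this exclusion is a silent no-op and `gt-metadata` keeps whatever it pulls transitively. It should read `"org.geotools" % "gt-metadata" % "31.5" exclude ("com.vividsolutions", "jts-core"),` so that it matches the `gt-shapefile` line directly above it and the graphhopper lines below. Whether geotools 31.5 still depends on any `com.vividsolutions` artifact at all is not visible here; if it does not, both geotools excludes are dead and a comment saying why they are kept (or their removal) would stop the next reader from guessing.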
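Review bot: `scala.jdk.CollectionConverters` is a Scala 2.13 package; with `scalaVersion := scala212` (2.12.16, set in patch 2) the added import resolves only if `scala-collection-compat` is on the test classpath, which nothing in this series shows, so the spec is at risk of not compiling on the declared Scala version. The seven `x.lines.iterator().asScala` call sites this import serves (the hunks at -246, -729, -748, -771, -819, -1052 and -2222 in this patch) only exist because on JDK 11+ `String.lines()` shadows Scala's `StringLike.lines`; `x.linesIterator` yields the same `Iterator[String]` on every JDK without any converter, e.g. `val points: Seq[GPSPoint] = trip.linesIterator` and `points.stripMargin.linesIterator` in `csvToPoints`. That drops the import and the JDK-version coupling of the test sources in one change; confirm `linesIterator` is not reported as deprecated on 2.12.16, since build.sbt enables `WarningAsErrorsSupport.enableWarningAsErrors`.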
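Review bot: The expected `linearDistance` changes only in its last significant digit (`...223` to `...224`), which is floating-point drift from the library or JDK bump rather than a behavioural change, and pinning the new exact double will break again on the next upgrade. Comparing the field with a tolerance, e.g. `actualLinearDistance shouldBe 0.5240652051613223 +- 1e-9` with ScalaTest's `+-` matcher, makes the assertion robust to this class of change; the same applies to `distance` in the GeocodeManagerSpec hunk at -150 of this patch. Where the comparison is done with `should be` on the whole expected case class (as GeocodeManagerSpec does), the tolerant check has to be pulled out onto the numeric field, which is outside this hunk.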
@@ -246,7 +247,7 @@ class GraphHopperSpec
 |45.17262,9.04016,1619089411000
 |""".stripMargin
- val points: Seq[GPSPoint] = trip.lines
+ val points: Seq[GPSPoint] = trip.lines.iterator().asScala
 .filter(_.nonEmpty)
 .map(_.split(","))
 .map(r => GPSPoint(r.head.toDouble, r(1).toDouble, None, r(2).toLong))
@@ -729,7 +730,7 @@ class GraphHopperSpec
 |40.74456 14.47613
 |""".stripMargin
- val gpsPoints = points.lines
+ val gpsPoints = points.lines.iterator().asScala
 .filter(_.nonEmpty)
 .map(p => p.split(" "))
 .zipWithIndex
@@ -748,7 +749,7 @@ class GraphHopperSpec
 |40.7445 14.47465
 |""".stripMargin
- val gpsPoints = points.lines
+ val gpsPoints = points.lines.iterator().asScala
 .filter(_.nonEmpty)
 .map(p => p.split(" "))
 .zipWithIndex
@@ -771,7 +772,7 @@ class GraphHopperSpec
 |43.67554 12.39515
 |""".stripMargin
- val gpsPoints = points.lines
+ val gpsPoints = points.lines.iterator().asScala
 .filter(_.nonEmpty)
 .map(p => p.split(" "))
 .zipWithIndex
@@ -819,7 +820,7 @@ class GraphHopperSpec
 val points = """
 |45.75124, 45.7513, 45.75139, 45.75133, 45.75101, 45.75068, 45.75014, 45.74992, 45.75026, 45.75116, 45.7523, 45.75354, 45.75482, 45.75606, 45.75635, 45.75644, 45.75654, 45.75663, 45.75772, 45.75865, 45.75876, 45.7588, 45.75886, 45.75892, 45.75897, 45.75936, 45.76017, 45.7611, 45.76208, 45.763, 45.76391, 45.76518, 45.76633, 45.76753, 45.76785, 45.76797, 45.76908, 45.76927, 45.7692, 45.7692, 45.7692, 45.7692, 45.76919, 45.76918, 45.76918, 45.76918, 45.76916, 45.76916, 45.76916, 45.76917, 45.76918
 |9.05274, 9.05281, 9.05241, 9.05231, 9.05236, 9.05189, 9.05106, 9.05045, 9.05038, 9.05043, 9.05048, 9.05055, 9.05066, 9.05119, 9.05154, 9.0516, 9.05161, 9.05159, 9.05149, 9.05191, 9.05215, 9.05221, 9.05224, 9.05223, 9.0522, 9.05194, 9.05212, 9.05317, 9.05438, 9.05551, 9.05662, 9.05756, 9.05836, 9.05942, 9.05971, 9.05977, 9.06032, 9.06098, 9.06106, 9.06106, 9.06106, 9.06106, 9.06107, 9.06107, 9.06107, 9.06107, 9.06106, 9.06106, 9.06106, 9.06106, 9.06106
- |""".stripMargin.lines
+ |""".stripMargin.lines.iterator().asScala
 .filter(_.nonEmpty)
 .map(l => l.split(","))
 .map(l => l.filter(_.nonEmpty).map(_.trim.toDouble))
@@ -1052,7 +1053,7 @@ class GraphHopperSpec
 |
 |""".stripMargin
- val gpsPoints = points.lines
+ val gpsPoints = points.lines.iterator().asScala
 .filter(_.nonEmpty)
 .map(p => p.trim.split(" ").filter(_.trim.nonEmpty))
 .zipWithIndex
@@ -2222,7 +2223,7 @@ class GraphHopperSpec
 }
 private def csvToPoints(points: String): Seq[GPSPoint] =
- points.stripMargin.lines
+ points.stripMargin.lines.iterator().asScala
 .map(_.trim)
 .filter(_.nonEmpty)
 .filterNot(_.startsWith("#")) // Commenting system for coordinates
diff --git a/src/test/scala/it/agilelab/gis/domain/loader/GeocodeManagerSpec.scala b/src/test/scala/it/agilelab/gis/domain/loader/GeocodeManagerSpec.scala
index e6edb121..1f4adf6d 100644
--- a/src/test/scala/it/agilelab/gis/domain/loader/GeocodeManagerSpec.scala
+++ b/src/test/scala/it/agilelab/gis/domain/loader/GeocodeManagerSpec.scala
@@ -150,7 +150,7 @@ class GeocodeManagerSpec extends FlatSpec with Matchers with EitherValues with B
 speedLimit = None,
 speedCategory = None,
 roadType = Some("residential"),
- distance = Some(1.4465500367107154)
+ distance = Some(1.4465500367107156)
 )
 corsoSaccoEVanzettiActual should be(corsoSaccoEVanzettiExpected)
From b2221429c00bb60a309cac3bfb15e59fbc0b6029 Mon Sep 17 00:00:00 2001
From: Andrea Pinto
Date: Thu, 23 Jan 2025 20:59:59 +0100
Subject: [PATCH 4/6] resolve vulnerability for protobuf
---
 project/Dependencies.scala | 1 +
 1 file changed, 1 insertion(+)
diff --git a/project/Dependencies.scala b/project/Dependencies.scala
index 80e7d51f..1f22bba6 100644
--- a/project/Dependencies.scala
+++ b/project/Dependencies.scala
@@ -4,6 +4,7 @@ import sbt._
 trait Dependencies {
 lazy val coreDependencies: Seq[ModuleID] = Seq(
+ "com.google.protobuf" % "protobuf-java" % "3.25.5",
 "org.slf4j" % "slf4j-api" % "1.7.26",
 "org.slf4j" % "slf4j-simple" % "1.7.26",
 "org.rogach" %% "scallop" % "3.5.1",
From 909109dbd24ea08196b6988279bf261d54bf0964 Mon Sep 17 00:00:00 2001
From: Andrea Pinto
Date: Fri, 24 Jan 2025 12:35:35 +0100
Subject: [PATCH 5/6] remove protobuf library
---
 project/Dependencies.scala | 1 -
 1 file changed, 1 deletion(-)
diff --git a/project/Dependencies.scala b/project/Dependencies.scala
index 1f22bba6..80e7d51f 100644
--- a/project/Dependencies.scala
+++ b/project/Dependencies.scala
@@ -4,7 +4,6 @@ import sbt._
 trait Dependencies {
 lazy val coreDependencies: Seq[ModuleID] = Seq(
- "com.google.protobuf" % "protobuf-java" % "3.25.5",
 "org.slf4j" % "slf4j-api" % "1.7.26",
 "org.slf4j" % "slf4j-simple" % "1.7.26",
 "org.rogach" %% "scallop" % "3.5.1",
From 8d2e33466a24eddde6ab60bd2b6aa55a0b1e756e Mon Sep 17 00:00:00 2001
From: Andrea Pinto
Date: Fri, 24 Jan 2025 12:43:03 +0100
Subject: [PATCH 6/6] bump version
---
 build.sbt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build.sbt b/build.sbt
index 9e513871..fe00ec6d 100644
--- a/build.sbt
+++ b/build.sbt
@@ -4,7 +4,7 @@ inThisBuild(
 Seq(
 scalaVersion := scala212,
 organization := "it.agilelab",
- version := "1.8.0-SNAPSHOT",
+ version := "1.9.0-SNAPSHOT",
 scapegoatVersion := "1.4.15",
 RepositoriesSupport.allResolvers,
 WarningAsErrorsSupport.enableWarningAsErrors,