Release v5.0.0 alpha.2 (#286)

Update dependencies

CHANGELOG.md

@@ -4,15 +4,22 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 
+## [5.0.0-alpha.2] - 2024-04-30
+
+### Fixed
+- Increased timeout in MockBrockerClientIT to avoid occasional test failures ([#276](https://github.com/medizininformatik-initiative/feasibility-backend/issues/276))
+### Security
+- Updated spring boot to 3.2.5 ([#282](https://github.com/medizininformatik-initiative/feasibility-backend/issues/282))
+- Updated netty-codec-http to 4.1.108.Final to fix [CVE-2024-29025](https://avd.aquasec.com/nvd/cve-2024-29025) ([#279](https://github.com/medizininformatik-initiative/feasibility-backend/issues/279)
+- Updated nimbus-jose-jwt to 9.37.3 to fix [CVE-2023-52428](https://avd.aquasec.com/nvd/cve-2023-52428) ([#275](https://github.com/medizininformatik-initiative/feasibility-backend/issues/275))
+- Updated xnio to 3.8.14.Final to fix [CVE-2023-5685](https://avd.aquasec.com/nvd/cve-2023-5685) ([#274](https://github.com/medizininformatik-initiative/feasibility-backend/issues/274))
+
 ## [5.0.0-alpha.1] - 2024-04-03
 
 ### Added
 - Added an endpoint to validate uploaded structured queries. ([#258](https://github.com/medizininformatik-initiative/feasibility-backend/issues/258))
 ### Changed
 - Validation for structured queries has been reworked. ([#260](https://github.com/medizininformatik-initiative/feasibility-backend/issues/260)), ([#266](https://github.com/medizininformatik-initiative/feasibility-backend/issues/266))
-### Deprecated
-### Removed
-### Fixed
 ### Security
 - Updated spring boot to 3.2.4 ([#262](https://github.com/medizininformatik-initiative/feasibility-backend/issues/262))
 

pom.xml

@@ -5,13 +5,13 @@
   <parent>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-parent</artifactId>
-    <version>3.2.4</version>
+    <version>3.2.5</version>
     <relativePath /> <!-- lookup parent from repository -->
   </parent>
 
   <groupId>de.medizininformatik-initiative</groupId>
   <artifactId>FeasibilityGuiBackend</artifactId>
-  <version>5.0.0-alpha.1</version>
+  <version>5.0.0-alpha.2</version>
 
   <name>FeasibilityGuiBackend</name>
   <description>Backend of the Feasibility GUI</description>
@@ -46,6 +46,20 @@
       <artifactId>spring-boot-starter-undertow</artifactId>
     </dependency>
 
+<!--    Remove those when they are updated in the undertow dependency-->
+    <dependency>
+      <groupId>org.jboss.xnio</groupId>
+      <artifactId>xnio-api</artifactId>
+      <version>3.8.14.Final</version>
+    </dependency>
+
+    <dependency>
+      <groupId>org.jboss.xnio</groupId>
+      <artifactId>xnio-nio</artifactId>
+      <version>3.8.14.Final</version>
+      <scope>runtime</scope>
+    </dependency>
+
     <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-actuator</artifactId>
@@ -71,10 +85,22 @@
       <artifactId>spring-boot-starter-validation</artifactId>
     </dependency>
 
+    <!-- Fix CVE-2023-52428. Remove exclusion and manual inclusion when update is included in spring-boot-starter-oauth2-resource-server -->
     <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
-      <version>3.0.2</version>
+      <exclusions>
+        <exclusion>
+          <groupId>com.nimbusds</groupId>
+          <artifactId>nimbus-jose-jwt</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+
+    <dependency>
+      <groupId>com.nimbusds</groupId>
+      <artifactId>nimbus-jose-jwt</artifactId>
+      <version>9.37.3</version>
     </dependency>
 
     <dependency>
@@ -198,13 +224,13 @@
     <dependency>
       <groupId>de.medizininformatik-initiative</groupId>
       <artifactId>sq2cql</artifactId>
-      <version>0.2.14</version>
+      <version>0.2.16</version>
     </dependency>
 
     <dependency>
       <groupId>com.github.ben-manes.caffeine</groupId>
       <artifactId>caffeine</artifactId>
-      <version>3.1.4</version>
+      <version>3.1.8</version>
     </dependency>
 
     <dependency>
@@ -268,14 +294,6 @@
       <scope>test</scope>
     </dependency>
 
-    <!-- This dependency is only added to address a vulnerability in  org.springframework.boot-->
-    <!-- Remove this once the vulnerability is adressed in the next version -->
-    <dependency>
-      <groupId>org.yaml</groupId>
-      <artifactId>snakeyaml</artifactId>
-      <version>2.0</version>
-    </dependency>
-
     <dependency>
       <groupId>io.projectreactor</groupId>
       <artifactId>reactor-test</artifactId>

src/test/java/de/numcodex/feasibility_gui_backend/query/broker/mock/MockBrokerClientIT.java

@@ -15,7 +15,7 @@
 @SuppressWarnings("NewClassNamingConvention")
 public class MockBrokerClientIT {
 
-    private static final int ASYNC_TIMEOUT_WAIT_MS = 9000;
+    private static final int ASYNC_TIMEOUT_WAIT_MS = 15000;
     private static final Long TEST_BACKEND_QUERY_ID = 1L;
 
     MockBrokerClient client;