From 2f5d882e0c07520d073efbeef8202277b946f240 Mon Sep 17 00:00:00 2001
From: Robert Elliot
Date: Fri, 13 Sep 2024 12:25:09 +0100
Subject: [PATCH 1/5] chore: Ignore unfixable vulnerability

As of kotlin-stdlib version 1.4.21, the vulnerable functions have been marked as deprecated. Due to still being usable, this advisory is kept as "unfixed". But we can't fix it so ignore it for a year.
---
 .snyk | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 .snyk

diff --git a/.snyk b/.snyk
new file mode 100644
index 0000000..9f76929
--- /dev/null
+++ b/.snyk
@@ -0,0 +1,10 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+ SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744:
+ - '*':
+ reason: None Given
+ expires: 2025-09-13T11:22:43.997Z
+ created: 2024-09-13T11:22:43.999Z
+patch: {}

From 1ea817b82eb813d86049b05c951ddcffe7806fd8 Mon Sep 17 00:00:00 2001
From: Robert Elliot
Date: Fri, 13 Sep 2024 13:30:29 +0100
Subject: [PATCH 2/5] chore: Ignore unfixable vulnerability

---
 .snyk | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.snyk b/.snyk
index 9f76929..0f7c1d8 100644
--- a/.snyk
+++ b/.snyk
@@ -4,7 +4,12 @@ version: v1.25.0
 ignore:
 SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744:
 - '*':
- reason: None Given
+ reason: No fix available
 expires: 2025-09-13T11:22:43.997Z
 created: 2024-09-13T11:22:43.999Z
+ 'snyk:lic:maven:junit:junit:EPL-1.0':
+ - '*':
+ reason: Not relevant, we do not repackage junit
+ expires: 2034-09-13T12:29:48.476Z
+ created: 2024-09-13T12:29:48.481Z
 patch: {}

From a2fad10f2f231aadcee9900ffdf3dabeae9ac9be Mon Sep 17 00:00:00 2001
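Review bot: The new `'snyk:lic:maven:junit:junit:EPL-1.0'` entry expires in 2034, which turns a policy the file's own comment describes as time-boxed into a permanent suppression, and its `'*'` selector appears to apply on every dependency path rather than only the test scope the reason alludes to. If junit ever moved into a scope that ships with the artifact, the license finding would stay hidden. Consider an expiry closer to the one-year horizon used for the Kotlin advisory above, and make the scope assumption explicit, e.g. `reason: Not relevant, junit is a test-only dependency and we do not repackage it`, so a later reviewer can see when the justification stops holding.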
From: Robert Elliot
Date: Fri, 13 Sep 2024 13:31:18 +0100
Subject: [PATCH 3/5] chore: Fix transitive vulnerability in commons-compress

Set the minimum version to 1.26.0. Version 1.24.0 brought in transitively by org.wiremock:wiremock:3.9.1 has CVE-2024-25710. A gradle constraint does not fix the version, just sets a minimum version: https://www.linen.dev/s/gradle-community/t/22694678/hi-snyk-has-revealed-that-some-deeply-nested-transitive-depe#e46476e5-70e1-49a7-a72f-fa5453374e42
---
 build.gradle | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/build.gradle b/build.gradle
index a0000a5..2990637 100644
--- a/build.gradle
+++ b/build.gradle
@@ -67,6 +67,9 @@ dependencies { implementation('com.fasterxml.jackson.core:jackson-core:2.15.0') { because 'version 2.14.2 brought in transitively by com.auth0:auth0@2.12.0 has CWE-400' } + implementation('org.apache.commons:commons-compress:1.26.0') { + because 'version 1.24.0 brought in transitively by org.wiremock:wiremock:3.9.1 has CVE-2024-25710' + } } }

From 9a0ca95a099aeff48fdfc60bfb70ba48b129f138 Mon Sep 17 00:00:00 2001
From: Robert Elliot
Date: Fri, 13 Sep 2024 13:31:48 +0100
Subject: [PATCH 4/5] wiremock-extension-convention plugin 0.2.0 -> 0.3.0

---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 2990637..90074f1 100644
--- a/build.gradle
+++ b/build.gradle
@@ -12,7 +12,7 @@ plugins { id 'eclipse' id 'project-report' id 'com.diffplug.spotless' version '6.21.0' - id 'org.wiremock.tools.gradle.wiremock-extension-convention' version '0.2.0' + id 'org.wiremock.tools.gradle.wiremock-extension-convention' version '0.3.0' } repositories {

From 0684bf1f1a9c471dcedb848983141af2815bc078 Mon Sep 17 00:00:00 2001
From: Robert Elliot
Date: Fri, 13 Sep 2024 13:44:56 +0100
Subject: [PATCH 5/5] Add snyk to GHA

---
 .github/workflows/gradle.yml | 19 +++++++++++++++++--
 .github/workflows/release.yml | 14 ++++++++++++++
 2 files changed, 31 insertions(+), 2 deletions(-)
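Review bot: The enclosing block begins outside the hunk, so it is not visible whether the new `implementation('org.apache.commons:commons-compress:1.26.0') { ... }` sits inside `constraints { }` as the commit message implies; as a plain `implementation` it would declare commons-compress as a direct dependency of the extension rather than only raise the floor for the transitive one, so that nesting is worth confirming. The `because` text follows the jackson-core entry above, which is the right convention for this file. It would also help to record the retirement condition alongside the CVE, e.g. `because 'version 1.24.0 brought in transitively by org.wiremock:wiremock:3.9.1 has CVE-2024-25710; drop once wiremock pulls in >= 1.26.0'`, so the constraint does not outlive the problem it fixes.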
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
index 841cdad..64f462d 100644
--- a/.github/workflows/gradle.yml
+++ b/.github/workflows/gradle.yml
@@ -21,12 +21,12 @@ jobs: JDK_VERSION: ${{ matrix.jdk }} steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up JDK - uses: actions/setup-java@v2 + uses: actions/setup-java@v4 with: java-version: ${{ matrix.jdk }} distribution: 'temurin'
@@ -43,3 +43,18 @@ jobs: - name: Test with Gradle run: ./gradlew check --stacktrace --no-daemon + + gradle-scan: + name: Snyk gradle scan + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + + - name: Run Snyk to check build.gradle for vulnerabilities + uses: snyk/actions/gradle-jdk17@master + env: + SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} + with: + command: test + args: --severity-threshold=high --org=f310ee2f-5552-444d-84ee-ec8c44c33adb
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d7bd2f1..5d12eea 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -38,3 +38,17 @@ jobs:
 OSSRH_TOKEN: ${{ secrets.OSSRH_TOKEN }}
 OSSRH_GPG_SECRET_KEY: ${{ secrets.OSSRH_GPG_SECRET_KEY }}
 OSSRH_GPG_SECRET_KEY_PASSWORD: ${{ secrets.OSSRH_GPG_SECRET_KEY_PASSWORD }}
+
+ gradle-monitor:
+ name: Snyk gradle monitor
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Run Snyk to monitor build.gradle for vulnerabilities
+ uses: snyk/actions/gradle-jdk17@master
+ env:
+ SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+ with:
+ command: monitor
+ args: --org=f310ee2f-5552-444d-84ee-ec8c44c33adb --project-name=wiremock-jwt-extension --policy-path=.snyk
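Review bot: `uses: snyk/actions/gradle-jdk17@master` in the new `gradle-scan` job resolves a third-party action from a moving branch while passing it `SNYK_TOKEN`, so whatever lands on that branch next runs in this workflow with the secret; pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: snyk/actions/gradle-jdk17@<commit-sha> # <release tag>`, and let dependency-update tooling bump it. The same unpinned reference appears in the `gradle-monitor` job in release.yml. The workflow's `on:` triggers are outside the hunk; if it runs for pull requests from forks, `secrets.SNYK_TOKEN` is empty there and the step will fail, so the job may need an `if:` condition on the event or repository. The `--org` value is an identifier rather than a secret, but a repository variable would avoid repeating it in both workflows.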
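Review bot: The `gradle-monitor` job has no `needs:` or `if:` tying it to the publishing job above, so it reports the dependency tree to Snyk even when the release fails; if the intent is to monitor only what was actually released, add `needs: <release job id>` (the job id is outside the hunk). `--policy-path=.snyk` is passed to `monitor` here but not to `test` in gradle.yml; if the CLI does not pick up the root `.snyk` on its own, the test job would fail on exactly the advisories the policy ignores, so pass the flag in both places or in neither. The hard-coded `--project-name=wiremock-jwt-extension` is fine but is a second place to update on a rename, alongside the `--org` value also used in gradle.yml.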