Merge pull request #208 from RADAR-base/security/upgrade

[Security] Fix vulnerabilities incl. migration to radar-jersey 0.11.1

.github/workflows/scheduled-snyk.yaml

@@ -0,0 +1,30 @@
+name: Snyk scheduled test
+on:
+  schedule:
+    - cron: '0 2 * * 1'
+  push:
+    branches:
+      - master
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    env:
+      REPORT_FILE: test.json
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --all-projects --configuration-matching='^runtimeClasspath$' --json-file-output=${{ env.REPORT_FILE }} --severity-threshold=high --policy-path=$PWD/.snyk
+
+      - name: Report new vulnerabilities
+        uses: thehyve/report-vulnerability@master
+        if: success() || failure()
+        with:
+          report-file: ${{ env.REPORT_FILE }}
+        env:
+          TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/snyk.yaml

@@ -0,0 +1,16 @@
+name: Snyk test
+on:
+  pull_request:
+    branches: [ master, dev ]
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/gradle-jdk17@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --all-projects --configuration-matching='^runtimeClasspath$' --severity-threshold=high --policy-path=$PWD/.snyk

.snyk

@@ -0,0 +1,5 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+patch: {}

build.gradle.kts

@@ -37,6 +37,6 @@ subprojects {
 
 project(":kafka-connect-upload-source") {
     radarKotlin {
-        javaVersion.set(11)
+        javaVersion.set(17)
     }
 }

buildSrc/src/main/kotlin/Versions.kt

@@ -20,20 +20,20 @@ object Versions {
 
     const val okhttp = "4.12.0"
 
-    const val radarSchemas = "0.8.5"
+    const val radarSchemas = "0.8.11"
 
     const val junit = "5.10.0"
     const val mockito = "5.3.1"
 
     const val openCsv = "5.8"
-    const val minio = "8.5.6"
+    const val minio = "8.5.10"
     const val jsch = "0.1.55"
-    const val radarJersey = "0.11.0"
+    const val radarJersey = "0.11.1"
     const val jersey = "3.1.3"
     const val hsqldb = "2.7.2"
     const val mockitoKotlin = "5.1.0"
     const val hamcrest = "2.2"
-    const val commonsCompress = "1.24.0"
+    const val commonsCompress = "1.26.0"
     const val xz = "1.9"
     const val managementPortal = "2.1.0"
 }

kafka-connect-upload-source/Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM gradle:8.4-jdk11 as builder
+FROM --platform=$BUILDPLATFORM gradle:8.4-jdk17 as builder
 
 RUN mkdir /code
 WORKDIR /code
@@ -15,7 +15,7 @@ COPY ./kafka-connect-upload-source/src/main/java /code/kafka-connect-upload-sour
 
 RUN gradle jar
 
-FROM confluentinc/cp-kafka-connect-base:7.5.1
+FROM confluentinc/cp-kafka-connect-base:7.7.1
 
 MAINTAINER @nivemaham @blootsvoets
 

kafka-connect-upload-source/src/main/java/org/radarbase/connect/upload/converter/archive/SevenZipInputStreamIterator.kt

@@ -7,6 +7,7 @@ import org.radarbase.connect.upload.io.TempFile
 import org.radarbase.connect.upload.io.TempFile.Companion.copyToTempFile
 import java.io.IOException
 import java.io.InputStream
+import java.nio.file.Files
 import java.nio.file.Path
 
 class SevenZipInputStreamIterator(
@@ -20,7 +21,7 @@ class SevenZipInputStreamIterator(
         file = input.copyToTempFile(tempDir, "7zip")
         input.close()
         sevenZFile = try {
-            SevenZFile(file.tempFile.toFile())
+            SevenZFile.builder().setSeekableByteChannel(Files.newByteChannel(file.tempFile)).get()
         } catch (ex: IOException) {
             throw ConversionFailedException("Cannot open 7zip file", ex)
         }

radar-upload-backend/src/main/java/org/radarbase/upload/lifecycle/RecordStateLifecycleManager.kt

@@ -9,6 +9,7 @@ import kotlinx.coroutines.launch
 import kotlinx.coroutines.sync.Mutex
 import kotlinx.coroutines.sync.withLock
 import kotlinx.coroutines.withContext
+import org.glassfish.jersey.process.internal.RequestContext
 import org.glassfish.jersey.process.internal.RequestScope
 import org.glassfish.jersey.server.BackgroundScheduler
 import org.glassfish.jersey.server.monitoring.ApplicationEvent
@@ -36,6 +37,7 @@ class RecordStateLifecycleManager(
     @Context private val asyncCoroutineService: AsyncCoroutineService,
     @Context private val config: Config,
     @Context private val requestScope: jakarta.inject.Provider<RequestScope>,
+    @Context private val requestContext: jakarta.inject.Provider<RequestContext>,
     @Context private val sourceTypeMapper: SourceTypeMapper,
 ) : ApplicationEventListener {
     private val staleProcessingAge: Map<String, Pair<Duration, Mutex>>
@@ -64,7 +66,9 @@ class RecordStateLifecycleManager(
 
     private fun addSourceTypes() {
         CoroutineScope(executor.asCoroutineDispatcher()).launch {
-            val wrapper = CoroutineRequestWrapper(null, requestScope.get(), "addSourceTypes")
+            val wrapper = CoroutineRequestWrapper(requestScope.get()) {
+                this.location = "addSourceTypes"
+            }
             try {
                 withContext(wrapper.coroutineContext) {
                     entityManagerFactory.createEntityManager().use { entityManager ->

radar-upload-backend/src/test/java/org/radarbase/upload/doa/RecordRepositoryImplTest.kt

@@ -92,7 +92,7 @@ internal class RecordRepositoryImplTest {
         val eventStart = mock<ApplicationEvent> {
             on(ApplicationEvent::getType) doReturn ApplicationEvent.Type.INITIALIZATION_APP_FINISHED
         }
-        DatabaseInitialization({ doaEMF }, dbConfig).onEvent(eventStart)
+        DatabaseInitialization({ doaEMF }, dbConfig, MockAsyncCoroutineService()).onEvent(eventStart)
         entityManager = doaEMF.createEntityManager()
         repository = RecordRepositoryImpl(this.mockEntityManagerProvider, asyncService = MockAsyncCoroutineService())
         Mockito.`when`(mockEntityManagerProvider.get()).thenReturn(entityManager)

radar-upload-backend/src/test/java/org/radarbase/upload/doa/SourceTypeRepositoryImplTest.kt

@@ -83,7 +83,7 @@ internal class SourceTypeRepositoryImplTest {
         val eventStart = mock<ApplicationEvent> {
             on(ApplicationEvent::getType) doReturn ApplicationEvent.Type.INITIALIZATION_APP_FINISHED
         }
-        DatabaseInitialization({ doaEMF }, config).onEvent(eventStart)
+        DatabaseInitialization({ doaEMF }, config, MockAsyncCoroutineService()).onEvent(eventStart)
         entityManager = doaEMF.createEntityManager()
         sourceTypeMapper = SourceTypeMapperImpl()
         repository = SourceTypeRepositoryImpl(mockEntityManagerProvider, MockAsyncCoroutineService(), sourceTypeMapper)

radar-upload-backend/src/test/java/org/radarbase/upload/mock/MockAsyncCoroutineService.kt

@@ -23,4 +23,7 @@ class MockAsyncCoroutineService : AsyncCoroutineService {
     override suspend fun <T> runInRequestScope(block: () -> T): T = block()
 
     override suspend fun <T> suspendInRequestScope(block: (CancellableContinuation<T>) -> Unit): T = suspendCancellableCoroutine(block)
+    override suspend fun <T> withContext(name: String, block: suspend () -> T): T {
+        TODO("Not yet implemented")
+    }
 }