From 600ba09796a5e24fc82188b2823e1a286de97886 Mon Sep 17 00:00:00 2001 From: Viren Baraiya Date: Fri, 5 Jul 2024 21:50:50 -0700 Subject: [PATCH] vulnerability fixes --- build.gradle | 37 +++++++++++++++---- dependencies.gradle | 6 +-- docker/server/Dockerfile | 2 +- .../ApplicationExceptionMapper.java | 2 - 4 files changed, 34 insertions(+), 13 deletions(-)
diff --git a/build.gradle b/build.gradle
index 8a134574c..a531fbae1 100644
--- a/build.gradle
+++ b/build.gradle
@@ -8,7 +8,7 @@ buildscript {
 }
 }
 dependencies {
- classpath 'org.springframework.boot:spring-boot-gradle-plugin:3.2.1'
+ classpath 'org.springframework.boot:spring-boot-gradle-plugin:3.1.4'
 classpath 'com.diffplug.spotless:spotless-plugin-gradle:6.+'
 }
 }
@@ -21,6 +21,7 @@ plugins {
 id 'signing'
 id 'java-library'
 id "com.diffplug.spotless" version "6.25.0"
+ id 'org.springframework.boot' version '3.3.0'
 }
 // Establish version and status
@@ -50,11 +51,19 @@ allprojects {
 group = 'org.conductoross'
- configurations.all {
- exclude group: 'ch.qos.logback', module: 'logback-classic'
- exclude group: 'ch.qos.logback', module: 'logback-core'
- exclude group: 'org.apache.logging.log4j', module: 'log4j-to-slf4j'
- exclude group: 'org.slf4j', module: 'slf4j-log4j12'
+ configurations {
+ all {
+ exclude group: 'ch.qos.logback', module: 'logback-classic'
+ exclude group: 'ch.qos.logback', module: 'logback-core'
+ exclude group: 'org.apache.logging.log4j', module: 'log4j-to-slf4j'
+ exclude group: 'org.slf4j', module: 'slf4j-log4j12'
+
+ resolutionStrategy.eachDependency { details ->
+ if (details.requested.group.startsWith('com.fasterxml.jackson.') ) {
+ details.useVersion "2.15.2"
+ }
+ }
+ }
 }
 repositories {
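Review bot: The buildscript `classpath` line now pins `spring-boot-gradle-plugin` to 3.1.4, a step down from 3.2.1, while the plugins hunk below adds `id 'org.springframework.boot' version '3.3.0'`, so two different versions of the same plugin are declared in one build script and it is not clear from the diff which one governs dependency management. A downgrade in a commit titled "vulnerability fixes" needs a stated reason, since whatever the 3.2 line fixed is given up, and Gradle may refuse a versioned `plugins {}` request for a plugin that is already on the buildscript classpath. Keep one mechanism only — drop the `classpath` line and keep the `plugins {}` entry, or the reverse — and record the choice next to it, e.g. `// Spring Boot version is declared once, in plugins {}; keep the server module in step`.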
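Review bot: `details.useVersion "2.15.2"` forces every `com.fasterxml.jackson.*` artifact to one fixed version in all configurations, which silently overrides any newer Jackson version a Spring Boot BOM or a transitive dependency would otherwise select, so this rule will hold the build back as soon as a later fix release exists. For a security-driven floor a dependency constraint with `version { require '2.15.2' }` (or `strictly` with a documented reason) is easier to spot and to lift than an `eachDependency` override, and the reason for the chosen version should be written down where it is set: `// Jackson held at 2.15.2: <REASON — fill in before merge>`. The same `all { ... }` block now also carries the logback/log4j excludes, so a reader will expect a comment explaining why both live there.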
@@ -84,8 +93,19 @@ allprojects {
 testImplementation 'junit:junit'
 testImplementation "org.junit.vintage:junit-vintage-engine"
 testAnnotationProcessor 'org.projectlombok:lombok:1.18.34'
- }
+ //Locks for the dependecies
+ implementation('org.codehaus.jettison:jettison') {
+ version {
+ strictly '1.5.4'
+ }
+ }
+ implementation('org.apache.tomcat.embed:tomcat-embed-core') {
+ version {
+ strictly '10.1.25'
+ }
+ }
+ }
 // processes additional configuration metadata json file as described here
 // https://docs.spring.io/spring-boot/docs/2.3.1.RELEASE/reference/html/appendix-configuration-metadata.html#configuration-metadata-additional-metadata
 compileJava.inputs.files(processResources)
@@ -99,6 +119,9 @@ allprojects {
 showStandardStreams = false
 }
 }
+ bootJar {
+ enabled = false
+ }
 }
 // all client and their related modules are published with Java 17 compatibility
diff --git a/dependencies.gradle b/dependencies.gradle
index 3e6850a81..b768c98d3 100644
--- a/dependencies.gradle
+++ b/dependencies.gradle
@@ -18,7 +18,7 @@ ext {
 revActivation = '2.0.1'
 revApacheHttpComponentsClient5 = '5.2.1'
 revAwaitility = '3.1.6'
- revAwsSdk = '1.12.635'
+ revAwsSdk = '1.12.756'
 revBval = '2.0.5'
 revCassandra = '3.10.2'
 revCassandraUnit = '3.11.2.0'
@@ -62,9 +62,9 @@ ext {
 revKafka = '2.6.0'
 revMicrometer = '1.8.12'
 revPrometheus = '0.9.0'
- revElasticSearch7 = '7.17.16'
+ revElasticSearch7 = '7.17.19'
 revCodec = '1.15'
- revAzureStorageBlobSdk = '12.7.0'
+ revAzureStorageBlobSdk = '12.18.0'
 revNatsStreaming = '2.6.5'
 revNats = '2.16.14'
 revStan = '2.2.3'
diff --git a/docker/server/Dockerfile b/docker/server/Dockerfile
index abf09aa8d..4dd41bad1 100644
--- a/docker/server/Dockerfile
+++ b/docker/server/Dockerfile
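Review bot: The two `strictly` locks are declared as `implementation(...)` dependencies inside `allprojects`, which adds `jettison` and `tomcat-embed-core` to the compile and runtime classpath — and to the published POM — of every module, client libraries included, rather than only constraining the version where those artifacts are already pulled in transitively. Wrapping both entries in `constraints { ... }` inside the same `dependencies` block keeps the version floor without introducing a direct dependency on an embedded servlet container in modules that never serve HTTP. The comment `//Locks for the dependecies` would be more useful as `// Version floors for transitive dependencies with known advisories; revisit when the BOM catches up`. The `dependencies` block this extends starts outside the hunk.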
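Review bot: `bootJar { enabled = false }` in `allprojects` switches off the executable jar for every module the newly applied Boot plugin reaches, including whichever module the Docker build expects to produce one; unless that module re-enables the task in its own build file, which this diff does not show, the server image would have no jar to copy. A one-line comment stating the intent would prevent the next reader from reverting it: `// Boot plugin applied project-wide for dependency management only; the server module re-enables bootJar itself`.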
@@ -24,7 +24,7 @@ RUN ls -ltr
 # ===========================================================================================================
 # 1. Builder stage 2
 # ===========================================================================================================
-FROM alpine:3.19 AS ui-builder
+FROM alpine:3.20 AS ui-builder
 LABEL maintainer="Orkes OSS "
diff --git a/rest/src/main/java/com/netflix/conductor/rest/controllers/ApplicationExceptionMapper.java b/rest/src/main/java/com/netflix/conductor/rest/controllers/ApplicationExceptionMapper.java
index 486853b9f..6aa1aa904 100644
--- a/rest/src/main/java/com/netflix/conductor/rest/controllers/ApplicationExceptionMapper.java
+++ b/rest/src/main/java/com/netflix/conductor/rest/controllers/ApplicationExceptionMapper.java
@@ -22,7 +22,6 @@ import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.RestControllerAdvice;
-import org.springframework.web.servlet.resource.NoResourceFoundException;
 import com.netflix.conductor.common.validation.ErrorResponse;
 import com.netflix.conductor.core.exception.ConflictException;
@@ -50,7 +49,6 @@ public class ApplicationExceptionMapper {
 EXCEPTION_STATUS_MAP.put(ConflictException.class, HttpStatus.CONFLICT);
 EXCEPTION_STATUS_MAP.put(IllegalArgumentException.class, HttpStatus.BAD_REQUEST);
 EXCEPTION_STATUS_MAP.put(InvalidFormatException.class, HttpStatus.INTERNAL_SERVER_ERROR);
- EXCEPTION_STATUS_MAP.put(NoResourceFoundException.class, HttpStatus.NOT_FOUND);
 }
 @ExceptionHandler(Throwable.class)
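Review bot: With the `NoResourceFoundException` entry removed from `EXCEPTION_STATUS_MAP`, any such exception the runtime Spring version still raises for an unknown path falls through to the `@ExceptionHandler(Throwable.class)` method that follows, whose body is outside the hunk, so requests for missing resources are presumably no longer reported as 404. `NoResourceFoundException` exists from Spring Framework 6.1 (the line Boot 3.2 brought in), so the removal is consistent with the plugin downgrade in build.gradle, but that same build script also declares Boot 3.3.0, and which version wins is not visible here. State the reason where the mapping used to be, e.g. `// NoResourceFoundException mapping removed: class not present in the Spring Framework version this build targets`, so the entry is restored if the Spring version moves back up. The static initializer this hunk edits starts outside the hunk.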