Merge pull request #200 from conductor-oss/cvefixes

Vulnerability fixes

build.gradle

@@ -8,7 +8,7 @@ buildscript {
         }
     }
     dependencies {
-        classpath 'org.springframework.boot:spring-boot-gradle-plugin:3.2.1'
+        classpath 'org.springframework.boot:spring-boot-gradle-plugin:3.1.4'
         classpath 'com.diffplug.spotless:spotless-plugin-gradle:6.+'
     }
 }
@@ -21,6 +21,7 @@ plugins {
     id 'signing'
     id 'java-library'
     id "com.diffplug.spotless" version "6.25.0"
+    id 'org.springframework.boot' version '3.3.0'
 }
 
 // Establish version and status
@@ -50,11 +51,19 @@ allprojects {
 
     group = 'org.conductoross'
 
-    configurations.all {
-        exclude group: 'ch.qos.logback', module: 'logback-classic'
-        exclude group: 'ch.qos.logback', module: 'logback-core'
-        exclude group: 'org.apache.logging.log4j', module: 'log4j-to-slf4j'
-        exclude group: 'org.slf4j', module: 'slf4j-log4j12'
+    configurations {
+        all {
+            exclude group: 'ch.qos.logback', module: 'logback-classic'
+            exclude group: 'ch.qos.logback', module: 'logback-core'
+            exclude group: 'org.apache.logging.log4j', module: 'log4j-to-slf4j'
+            exclude group: 'org.slf4j', module: 'slf4j-log4j12'
+
+            resolutionStrategy.eachDependency { details ->
+                if (details.requested.group.startsWith('com.fasterxml.jackson.') ) {
+                    details.useVersion "2.15.2"
+                }
+            }
+        }
     }
 
     repositories {
@@ -74,6 +83,7 @@ allprojects {
         implementation('org.apache.logging.log4j:log4j-slf4j-impl')
         implementation('org.apache.logging.log4j:log4j-jul')
         implementation('org.apache.logging.log4j:log4j-web')
+
         compileOnly 'org.projectlombok:lombok:1.18.34'
 
         annotationProcessor 'org.projectlombok:lombok:1.18.34'
@@ -84,8 +94,19 @@ allprojects {
         testImplementation 'junit:junit'
         testImplementation "org.junit.vintage:junit-vintage-engine"
         testAnnotationProcessor 'org.projectlombok:lombok:1.18.34'
-    }
 
+        //Locks for the dependecies
+        implementation('org.codehaus.jettison:jettison') {
+            version {
+                strictly '1.5.4'
+            }
+        }
+        implementation('org.apache.tomcat.embed:tomcat-embed-core') {
+            version {
+                strictly '10.1.25'
+            }
+        }
+    }
     // processes additional configuration metadata json file as described here
     // https://docs.spring.io/spring-boot/docs/2.3.1.RELEASE/reference/html/appendix-configuration-metadata.html#configuration-metadata-additional-metadata
     compileJava.inputs.files(processResources)
@@ -99,6 +120,9 @@ allprojects {
             showStandardStreams = false
         }
     }
+    bootJar {
+        enabled = false
+    }
 }
 
 // all client and their related modules are published with Java 17 compatibility

dependencies.gradle

@@ -18,7 +18,7 @@ ext {
     revActivation = '2.0.1'
     revApacheHttpComponentsClient5 = '5.2.1'
     revAwaitility = '3.1.6'
-    revAwsSdk = '1.12.635'
+    revAwsSdk = '1.12.756'
     revBval = '2.0.5'
     revCassandra = '3.10.2'
     revCassandraUnit = '3.11.2.0'
@@ -60,13 +60,14 @@ ext {
     revFasterXml = '2.15.3'
     revAmqpClient = '5.13.0'
     revKafka = '2.6.0'
-    revMicrometer = '1.8.12'
+    revMicrometer = '1.13.1'
     revPrometheus = '0.9.0'
-    revElasticSearch7 = '7.17.16'
+    revElasticSearch7 = '7.17.19'
     revCodec = '1.15'
-    revAzureStorageBlobSdk = '12.7.0'
+    revAzureStorageBlobSdk = '12.18.0'
     revNatsStreaming = '2.6.5'
     revNats = '2.16.14'
     revStan = '2.2.3'
+    revFlyway = '9.0.4'
 
 }

docker/server/Dockerfile

@@ -24,7 +24,7 @@ RUN ls -ltr
 # ===========================================================================================================
 # 1. Builder stage 2
 # ===========================================================================================================
-FROM alpine:3.19 AS ui-builder
+FROM alpine:3.20 AS ui-builder
 
 LABEL maintainer="Orkes OSS <[email protected]>"
 

metrics/src/main/java/com/netflix/conductor/contribs/metrics/PrometheusMetricsConfiguration.java

@@ -21,7 +21,6 @@
 import com.netflix.spectator.micrometer.MicrometerRegistry;
 
 import io.micrometer.core.instrument.MeterRegistry;
-import io.micrometer.prometheus.PrometheusRenameFilter;
 
 /**
  * Metrics prometheus module, sending all metrics to a Prometheus server.
@@ -40,7 +39,6 @@ public class PrometheusMetricsConfiguration {
     public PrometheusMetricsConfiguration(MeterRegistry meterRegistry) {
         LOGGER.info("Prometheus metrics module initialized");
         final MicrometerRegistry metricsRegistry = new MicrometerRegistry(meterRegistry);
-        meterRegistry.config().meterFilter(new PrometheusRenameFilter());
         Spectator.globalRegistry().add(metricsRegistry);
     }
 }

metrics/src/test/java/com/netflix/conductor/contribs/metrics/PrometheusMetricsConfigurationTest.java

@@ -31,8 +31,7 @@
 import com.netflix.spectator.micrometer.MicrometerRegistry;
 
 import io.micrometer.core.instrument.MeterRegistry;
-import io.micrometer.prometheus.PrometheusConfig;
-import io.micrometer.prometheus.PrometheusMeterRegistry;
+import io.micrometer.core.instrument.simple.SimpleMeterRegistry;
 
 import static org.junit.Assert.assertTrue;
 
@@ -72,7 +71,7 @@ public static class TestConfig {
         @Bean
         @Primary
         public MeterRegistry meterRegistry() {
-            return new PrometheusMeterRegistry(PrometheusConfig.DEFAULT);
+            return new SimpleMeterRegistry();
         }
     }
 }

postgres-external-storage/build.gradle

@@ -7,7 +7,7 @@ dependencies {
 
     implementation "org.postgresql:postgresql:${revPostgres}"
     implementation 'org.springframework.boot:spring-boot-starter-jdbc'
-    implementation 'org.flywaydb:flyway-core'
+    implementation "org.flywaydb:flyway-core:${revFlyway}"
     implementation "org.springdoc:springdoc-openapi-starter-webmvc-ui:${revSpringDoc}"
     implementation "commons-codec:commons-codec:${revCodec}"
 

postgres-persistence/build.gradle

@@ -15,10 +15,9 @@ dependencies {
     implementation "org.apache.commons:commons-lang3"
     implementation "org.postgresql:postgresql:${revPostgres}"
     implementation "org.springframework.boot:spring-boot-starter-jdbc"
-    implementation "org.flywaydb:flyway-core"
+    implementation "org.flywaydb:flyway-core:${revFlyway}"
 
     testImplementation "org.apache.groovy:groovy-all:${revGroovy}"
-
     testImplementation project(':conductor-server')
     testImplementation project(':conductor-client')
     testImplementation project(':conductor-grpc-client')

postgres-persistence/src/main/java/com/netflix/conductor/postgres/config/PostgresConfiguration.java

@@ -65,7 +65,7 @@ public Flyway flywayForPrimaryDb() {
             config.locations("classpath:db/migration_postgres");
         }
 
-        return config.configuration(Map.of("flyway.postgresql.transactional.lock", "false"))
+        return config.configuration(Map.of())
                 .schemas(properties.getSchema())
                 .dataSource(dataSource)
                 .outOfOrder(true)

test-harness/src/test/groovy/com/netflix/conductor/test/integration/HierarchicalForkJoinSubworkflowRerunSpec.groovy

@@ -237,6 +237,7 @@ class HierarchicalForkJoinSubworkflowRerunSpec extends AbstractSpecification {
 
         then: "verify that a new mid level workflow is created and is in RUNNING state"
         newMidLevelWorkflowId != midLevelWorkflowId
+        workflowExecutor.decide(newMidLevelWorkflowId)
         with(workflowExecutionService.getExecutionStatus(newMidLevelWorkflowId, true)) {
             status == Workflow.WorkflowStatus.RUNNING
             tasks.size() == 4