Fix security vulnerabilities (#1)

* fix: OS vulnerabilities and use uni-resolver 0.8.0 * chore: use eclipse-temurin image for build image * chore: update parent to 0.15.0 * chore: add maven ci profile with maven-enforcer-plugin * fix: remove install goal to fix issue with multiple maven-source-plugin invocations
danubetech · Oct 31, 2023 · e07efa3 · e07efa3
1 parent a82d44f
commit e07efa3
Show file tree

Hide file tree

Showing 4 changed files with 42 additions and 14 deletions.
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -1,14 +1,14 @@
 # Dockerfile for universalresolver/driver-did-dns
 
-FROM maven:3-jdk-11 AS build
+FROM maven:3-eclipse-temurin-17-focal AS build
 MAINTAINER Markus Sabadello <markus@danubetech.com>
 
 # build driver-did-dns
 
 ADD . /opt/driver-did-dns
-RUN cd /opt/driver-did-dns && mvn clean install package -P war -N -DskipTests
+RUN cd /opt/driver-did-dns && mvn clean package -P war -N -DskipTests
 
-FROM jetty:9.4-jre11
+FROM jetty:9.4.53-jre17-alpine-eclipse-temurin
 MAINTAINER Markus Sabadello <markus@danubetech.com>
 
 USER jetty

diff --git a/pom.xml b/pom.xml
@@ -10,7 +10,7 @@
 	<parent>
 		<groupId>decentralized-identity</groupId>
 		<artifactId>uni-resolver</artifactId>
-		<version>0.5.0</version>
+		<version>0.15.0</version>
 	</parent>
 
 	<scm>
@@ -29,21 +29,48 @@
 
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-		<java.version>11</java.version>
+		<java.version>17</java.version>
+
+		<jcl-over-slf4j.version>2.0.9</jcl-over-slf4j.version>
+		<log4j-slf4j2-impl.version>2.21.0</log4j-slf4j2-impl.version>
 	</properties>
 
 	<profiles>
-
 		<profile>
-
+			<id>ci</id>
+			<properties><packaging.type>jar</packaging.type></properties>
+			<build>
+				<plugins>
+					<plugin>
+						<groupId>org.apache.maven.plugins</groupId>
+						<artifactId>maven-enforcer-plugin</artifactId>
+						<version>3.0.0</version>
+						<executions>
+							<execution>
+								<id>enforce-no-snapshots</id>
+								<goals>
+									<goal>enforce</goal>
+								</goals>
+								<configuration>
+									<rules>
+										<requireReleaseDeps>
+											<message>No Snapshots Allowed!</message>
+										</requireReleaseDeps>
+									</rules>
+									<fail>true</fail>
+								</configuration>
+							</execution>
+						</executions>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+		<profile>
 			<id>default</id>
 			<activation><activeByDefault>true</activeByDefault></activation>
 			<properties><packaging.type>jar</packaging.type></properties>
-
 		</profile>
-
 		<profile>
-
 			<id>war</id>
 			<properties><packaging.type>war</packaging.type></properties>
 			<build>
@@ -90,19 +117,19 @@
 					</plugin>
 				</plugins>
 			</build>
-
 		</profile>
-
 	</profiles>
 
 	<dependencies>
 		<dependency>
 			<groupId>org.slf4j</groupId>
 			<artifactId>jcl-over-slf4j</artifactId>
+			<version>${jcl-over-slf4j.version}</version>
 		</dependency>
 		<dependency>
 			<groupId>org.apache.logging.log4j</groupId>
-			<artifactId>log4j-slf4j-impl</artifactId>
+			<artifactId>log4j-slf4j2-impl</artifactId>
+			<version>${log4j-slf4j2-impl.version}</version>
 		</dependency>
 		<dependency>
 			<groupId>decentralized-identity</groupId>

diff --git a/src/main/java/uniresolver/driver/did/dns/DidDnsDriver.java b/src/main/java/uniresolver/driver/did/dns/DidDnsDriver.java
@@ -235,7 +235,7 @@ private List<Object> rewriteIdAndController(List<Object> verificationMethods, St
 				JsonLDUtils.jsonLdRemove(verificationMethodJsonLd, JsonLDKeywords.JSONLD_TERM_ID);
 				JsonLDUtils.jsonLdAdd(verificationMethodJsonLd, JsonLDKeywords.JSONLD_TERM_ID, rewrittenVerificationMethodId);
 
-				String verificationMethodController = verificationMethodJsonLd.getController();
+				String verificationMethodController = String.valueOf(verificationMethodJsonLd.getController());
 				if (! verificationMethodController.equals(didKeyDid)) {
 					log.warn("Skipping unexpected verification method controller, since it is not \"" + didKeyDid + "\": " + verificationMethodController);
 					continue;

diff --git a/src/main/java/uniresolver/driver/did/dns/DnsResolver.java b/src/main/java/uniresolver/driver/did/dns/DnsResolver.java
@@ -3,6 +3,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xbill.DNS.*;
+import org.xbill.DNS.Record;
 import uniresolver.ResolutionException;
 
 import java.net.InetSocketAddress;