
[#863] Placed Dependencies and Dependency Versions In TOML file #885


ThatSilentCoder
Collaborator

@ThatSilentCoder ThatSilentCoder commented Nov 22, 2024

Description

I've observed that many dependencies in our build.gradle and settings.gradle files have hard-coded version numbers. To streamline the process of managing these versions, this PR consolidates all the dependencies in one easy-to-access file.

Test Instructions using the Gradle build command:

  1. Run the ./gradlew clean --refresh-dependencies build command and verify that not only does this command pull all of the new dependencies but it also builds the entire application without any issues.

Test Instructions using the RPM/Debian file:

  1. Another way to confirm that these changes are good is by building an RPM, installing it and then running the HIRS-ACA service (building the RPM requires building and assembling all the artifacts and running the ACA service locally).

  2. Stop the current HIRS-ACA running on your device (assuming you already have one running):

sudo systemctl stop hirs-aca

  3. Get rid of the old HIRS-ACA service:

On RHEL-based Linux distributions:

sudo dnf remove HIRS_AttestationCA.x86_64

or on a Debian-based Linux distribution:

sudo apt remove HIRS_AttestationCA.x86_64

  4. Go to your HIRS repo and check out this branch (https://github.com/nsacyber/HIRS/tree/v3_issue_863-write-dependencies-version-numbers-in-gradleproperties-file):

cd HIRS/

git pull

git checkout v3_issue_863-write-dependencies-version-numbers-in-gradleproperties-file

  5. Create an RPM/Debian file:

On RHEL-based distros:

./gradlew clean buildRPM

On Debian-based distros:

./gradlew clean buildDeb

  6. Install the service:

On RHEL-based distros:

sudo dnf install HIRS*rpm

On Debian-based distros (apt needs the ./ prefix to treat the argument as a local package file):

sudo apt install ./HIRS*deb

  7. Go to the HIRS website and verify that it all works fine:
https://localhost:8443/

Summary Of Updates:

  • Upgraded Gradle from version 8.3 to version 8.11.1.
  • Moved repetitive tasks to the root build.gradle file.
  • Upgraded spring-framework-boot plugin from version 3.0.6 to version 3.0.13.
  • Upgraded spring-dependency-management plugin from version 1.1.0 to version 1.1.7.
  • Upgraded ospackage plugin from version 11.4.0 to version 11.10.0.
  • Upgraded spotbugs plugin from version 6.0.4 to version 6.0.13.
  • Upgraded gradle-jaxb plugin from version 5.1.0 to version 7.0.1.
  • Deleted unused dependencies and/or replaced dependencies that were already included in a bigger dependency (this was to ensure that we do not have any dependency mismatches).
  • Placed all dependencies and dependency versions in a TOML file. See the linked Medium article on Version Catalogs for more details on version cataloguing, and the table below for all the changes:

Dependencies Changes:

(Certain dependencies have been omitted if they have been replaced by one of the below dependencies or if their versions haven't changed)

| Name | Old Version | New Version | Notes |
|---|---|---|---|
| org.apache.httpcomponents:httpclient | N/A | 4.5.14 | Replaced vulnerable Apache transitive dependency in com.github.marandus:pci-ids. |
| org.bouncycastle:bcmail-jdk18on | 1.77 | 1.79 | |
| commons-codec:commons-codec | 1.15 | 1.17.1 | |
| commons-io:commons-io | 2.11.0 | 2.18.0 | |
| org.apache.commons:commons-lang3 | 3.13.0 | 3.17.0 | |
| com.google.code.gson:gson | 2.10.1 | 2.11.0 | |
| org.glassfish:jakarta.json | N/A | 2.0.1 | Replaced the older org.glassfish:javax.json dependency with this one. |
| org.glassfish.jaxb:jaxb-runtime | 2.3.1 | 4.0.5 | |
| com.google.guava:guava | 31.1-jre | 33.3.1-jre | |
| com.fasterxml.jackson.core:jackson-core | 2.14.2 | 2.18.2 | |
| com.fasterxml.jackson.core:jackson-databind | 2.14.2 | 2.18.2 | |
| jakarta.persistence:jakarta.persistence-api | 3.1.0 | 3.2.0 | |
| jakarta.xml.bind:jakarta.xml.bind-api | 4.0.0 | 4.0.2 | |
| org.jcommander:jcommander | 1.83 | 2.0 | |
| org.projectlombok:lombok | 1.18.26 | 1.18.36 | |
| org.mariadb.jdbc:mariadb-java-client | 3.1.4 | 3.5.1 | |
| com.google.protobuf:protobuf-java | 3.24.1 | 4.28.3 | |
| org.slf4j:slf4j-simple | 1.7.30 | 2.0.16 | |
| org.springframework.boot:spring-boot-starter-data-jpa | 3.0.1 | 3.4.0 | |
| org.springframework.boot:spring-boot-starter-log4j2 | 3.0.1 | 3.4.0 | |
| org.springframework.boot:spring-boot-starter-tomcat | 3.0.1 | 3.4.0 | |
| org.springframework.boot:spring-boot-starter-validation | 3.0.1 | 3.4.0 | |
| org.springframework.retry:spring-retry | 2.0.0 | 2.0.10 | |
| org.springframework.boot:spring-boot-starter-web | 3.0.1 | 3.4.0 | |
| org.springframework:spring-webmvc | N/A | 6.2.1 | Replaced vulnerable webmvc dependency in org.springframework.boot:spring-boot-starter-web. |
| org.apache.tomcat.embed:tomcat-embed-jasper | 10.1.5 | 10.1.33 | |
| org.springframework.boot:spring-boot-starter-test | 3.0.1 | 3.4.0 | JUnit, Mockito, Hamcrest and TestNG have all been removed since these testing dependencies are packaged with the spring-boot-starter-test dependency. |

Issues this PR addresses:

Closes #863
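The version catalog this PR introduces, shown here as an added illustration rather than the catalog file from the HIRS repository: the module coordinates and versions are the New Version column of the table above and the file path is Gradle's default, while the alias names, the two bundles and the two plugin ids (io.spring.dependency-management and com.github.spotbugs) are assumptions.

```toml
# gradle/libs.versions.toml  (illustrative catalog, not the file from the PR)
# Gradle reads this path by default and exposes it to every sub-project as `libs`,
# so a security bump is a one-line change that cannot drift between sub-projects.
# Alias names and plugin ids are assumptions; coordinates and versions come from the PR table.

[versions]
bouncycastle = "1.79"
commons-codec = "1.17.1"
commons-io = "2.18.0"
commons-lang3 = "3.17.0"
gson = "2.11.0"
guava = "33.3.1-jre"
httpclient = "4.5.14"
jackson = "2.18.2"        # one ref for core + databind keeps the pair in lockstep
jakarta-json = "2.0.1"
jakarta-persistence = "3.2.0"
jakarta-xml-bind = "4.0.2"
jaxb-runtime = "4.0.5"
jcommander = "2.0"
lombok = "1.18.36"
mariadb = "3.5.1"
protobuf = "4.28.3"
slf4j = "2.0.16"
spring-boot = "3.4.0"     # one ref for every starter
spring-retry = "2.0.10"
spring-webmvc = "6.2.1"
tomcat-jasper = "10.1.33"
spring-dependency-management = "1.1.7"   # plugin
spotbugs = "6.0.13"                      # plugin

[libraries]
bcmail = { module = "org.bouncycastle:bcmail-jdk18on", version.ref = "bouncycastle" }
commons-codec = { module = "commons-codec:commons-codec", version.ref = "commons-codec" }
commons-io = { module = "commons-io:commons-io", version.ref = "commons-io" }
commons-lang3 = { module = "org.apache.commons:commons-lang3", version.ref = "commons-lang3" }
gson = { module = "com.google.code.gson:gson", version.ref = "gson" }
guava = { module = "com.google.guava:guava", version.ref = "guava" }
# declared directly so Gradle's conflict resolution picks this version over the
# older one that com.github.marandus:pci-ids pulls in transitively
httpclient = { module = "org.apache.httpcomponents:httpclient", version.ref = "httpclient" }
jackson-core = { module = "com.fasterxml.jackson.core:jackson-core", version.ref = "jackson" }
jackson-databind = { module = "com.fasterxml.jackson.core:jackson-databind", version.ref = "jackson" }
jakarta-json = { module = "org.glassfish:jakarta.json", version.ref = "jakarta-json" }
jakarta-persistence-api = { module = "jakarta.persistence:jakarta.persistence-api", version.ref = "jakarta-persistence" }
jakarta-xml-bind-api = { module = "jakarta.xml.bind:jakarta.xml.bind-api", version.ref = "jakarta-xml-bind" }
jaxb-runtime = { module = "org.glassfish.jaxb:jaxb-runtime", version.ref = "jaxb-runtime" }
jcommander = { module = "org.jcommander:jcommander", version.ref = "jcommander" }
lombok = { module = "org.projectlombok:lombok", version.ref = "lombok" }
mariadb-java-client = { module = "org.mariadb.jdbc:mariadb-java-client", version.ref = "mariadb" }
protobuf-java = { module = "com.google.protobuf:protobuf-java", version.ref = "protobuf" }
slf4j-simple = { module = "org.slf4j:slf4j-simple", version.ref = "slf4j" }
spring-boot-starter-data-jpa = { module = "org.springframework.boot:spring-boot-starter-data-jpa", version.ref = "spring-boot" }
spring-boot-starter-log4j2 = { module = "org.springframework.boot:spring-boot-starter-log4j2", version.ref = "spring-boot" }
spring-boot-starter-tomcat = { module = "org.springframework.boot:spring-boot-starter-tomcat", version.ref = "spring-boot" }
spring-boot-starter-validation = { module = "org.springframework.boot:spring-boot-starter-validation", version.ref = "spring-boot" }
spring-boot-starter-web = { module = "org.springframework.boot:spring-boot-starter-web", version.ref = "spring-boot" }
spring-boot-starter-test = { module = "org.springframework.boot:spring-boot-starter-test", version.ref = "spring-boot" }
spring-retry = { module = "org.springframework.retry:spring-retry", version.ref = "spring-retry" }
# explicit newer webmvc overrides the version the starter would bring in transitively
spring-webmvc = { module = "org.springframework:spring-webmvc", version.ref = "spring-webmvc" }
tomcat-embed-jasper = { module = "org.apache.tomcat.embed:tomcat-embed-jasper", version.ref = "tomcat-jasper" }

[bundles]
# a bundle is one alias for a group of artifacts that must be upgraded together
jackson = ["jackson-core", "jackson-databind"]
spring-web = ["spring-boot-starter-web", "spring-webmvc", "spring-boot-starter-tomcat", "tomcat-embed-jasper"]

[plugins]
spring-dependency-management = { id = "io.spring.dependency-management", version.ref = "spring-dependency-management" }
spotbugs = { id = "com.github.spotbugs", version.ref = "spotbugs" }
```

In a sub-project's build.gradle the entries become typed accessors: `implementation libs.bcmail`, `implementation libs.bundles.jackson`, `annotationProcessor libs.lombok`, and `alias(libs.plugins.spotbugs)` in the plugins block. One check worth running after any bump: the catalog pins only what is declared directly, so confirm with `./gradlew dependencies --configuration runtimeClasspath` that the resolved graph really shows httpclient 4.5.14 and spring-webmvc 6.2.1 rather than the older transitive versions from pci-ids and the web starter.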

…urrently replacing dependencies listed in the build.gradle file with the ones referenced in the toml file
@ThatSilentCoder ThatSilentCoder linked an issue Nov 22, 2024 that may be closed by this pull request
…ndencies versions and the ci/cd pipeline in git. will update each dependency slowly to ensure that upgrades are done correctly.
…github's ci/cd is happy still with this set of changes.
…github's ci/cd is happy still with this set of changes (again)
…github's ci/cd is happy still with this set of changes (again) partIII
…is happy still with this set of changes (again)
…s happy still with this set of changes (again)
…guring what to do with the remaining vulnerabilities.
…, now figuring what to do with the remaining vulnerabilities.
@ThatSilentCoder ThatSilentCoder marked this pull request as ready for review December 19, 2024 13:34
…ability issues will be addressed in another PR. I've cut down vulnerabilities by quite a lot and I want to test the new OWASP plugin against the remaining vulnerabilities.
@chubtub chubtub self-requested a review December 20, 2024 19:49
Contributor

@chubtub chubtub left a comment


Changes look good

Collaborator

@iadgovuser29 iadgovuser29 left a comment


Tested provisioning and ACA behavior in real settings and everything appears to work as expected.

@iadgovuser29 iadgovuser29 merged commit 11691e5 into main Jan 13, 2025
12 checks passed
Successfully merging this pull request may close these issues:

Place Dependencies in a Version Catalog file