Update versions and apply Sonatype scan Plugin (#1254)

* logging 1.5.1 * use jetty verison defined in servlet * apply sonatype scan gradle plugin * force version of logback classic from micronaut logging logback.json.classic still has a dependency to a vulnerable dependency * add exclude coordinates * sonatype scan * add env variables
micronaut-projects · Jan 7, 2025 · 4aaaa31 · 4aaaa31
1 parent 408c2b2
commit 4aaaa31
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 4 deletions.
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
@@ -30,6 +30,8 @@ jobs:
       PREDICTIVE_TEST_SELECTION: "${{ github.event_name == 'pull_request' && 'true' || 'false' }}"
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }}
+      OSS_INDEX_PASSWORD: ${{ secrets.OSS_INDEX_PASSWORD }}
     steps:
        # https://github.com/actions/virtual-environments/issues/709
       - name: "🗑 Free disk space"
@@ -58,6 +60,11 @@ jobs:
         run: |
           [ -f ./setup.sh ] && ./setup.sh || [ ! -f ./setup.sh ]
 
+      - name: "🚔 Sonatype Scan"
+        id: sonatypescan
+        run: |
+          ./gradlew ossIndexAudit --no-parallel
+
       - name: "🛠 Build with Gradle"
         id: gradle
         run: |

diff --git a/buildSrc/build.gradle.kts b/buildSrc/build.gradle.kts
@@ -11,4 +11,5 @@ dependencies {
     implementation(libs.gradle.micronaut)
     implementation(libs.kotlin.gradle.plugin)
     implementation(libs.kotlin.gradle.allopen)
+    implementation(libs.sonatype.scan)
 }
diff --git a/buildSrc/src/main/groovy/io.micronaut.build.internal.gcp-module.gradle b/buildSrc/src/main/groovy/io.micronaut.build.internal.gcp-module.gradle
@@ -1,4 +1,18 @@
 plugins {
     id("io.micronaut.build.internal.gcp-base")
     id("io.micronaut.build.internal.module")
+    id("org.sonatype.gradle.plugins.scan")
+}
+String ossIndexUsername = System.getenv("OSS_INDEX_USERNAME") ?: project.properties["ossIndexUsername"]
+String ossIndexPassword = System.getenv("OSS_INDEX_PASSWORD") ?: project.properties["ossIndexPassword"]
+boolean sonatypePluginConfigured = ossIndexUsername != null && ossIndexPassword != null
+if (sonatypePluginConfigured) {
+ossIndexAudit {
+    username = ossIndexUsername
+    password = ossIndexPassword
+    excludeCoordinates = [
+            "org.eclipse.jetty:jetty-http:11.0.24", // no version of Jetty 11 patched https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty/jetty-http
+            "org.threeten:threetenbp:1.7.0", // no version patched https://ossindex.sonatype.org/component/pkg:maven/org.threeten/threetenbp
+    ]
+}
 }
diff --git a/gcp-function-http-test/build.gradle b/gcp-function-http-test/build.gradle
@@ -8,6 +8,7 @@ dependencies {
     api(projects.micronautGcpFunctionHttp)
 
     implementation(mnServlet.micronaut.servlet.core)
+    implementation(platform(mnServlet.boms.jetty))
     implementation(libs.jetty.servlet)
 
     testAnnotationProcessor(mn.micronaut.inject.java)

diff --git a/gcp-logging/build.gradle.kts b/gcp-logging/build.gradle.kts
@@ -5,7 +5,10 @@ plugins {
 dependencies {
     compileOnly(projects.micronautGcpTracing)
     api(projects.micronautGcpCommon)
-    implementation(libs.logback.json.classic)
+    implementation(libs.logback.json.classic) {
+        exclude(group = "ch.qos.logback", module = "logback-classic")
+    }
+    implementation(mnLogging.logback.classic)
     implementation(mn.micronaut.json.core)
     testAnnotationProcessor(mn.micronaut.inject.java)
     testImplementation(mnTestResources.testcontainers.core)

diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -19,7 +19,6 @@ brave-propagation-stackdriver = "2.2.6"
 kotlin = '1.9.25'
 cloudevents-api = "2.5.0"
 
-jetty-servlet = "11.0.24"
 logback-json-classic = "0.1.5"
 zipkin-sender-stackdriver = "1.1.1"
 system-stubs-core = "2.1.7"
@@ -28,7 +27,7 @@ awaitility = '4.2.2'
 
 micronaut-grpc = "4.8.0"
 micronaut-jackson-xml = "4.5.0"
-micronaut-logging = "1.4.0"
+micronaut-logging = "1.5.1"
 micronaut-reactor = "3.6.0"
 micronaut-rxjava3 = "3.6.0"
 micronaut-serde = "2.13.0"
@@ -38,6 +37,7 @@ micronaut-test = "4.5.0"
 micronaut-discovery = "4.5.0"
 micronaut-test-resources="2.7.0"
 micronaut-validation = "4.8.0"
+sonatype-scan = "2.8.3"
 
 # Micronaut
 micronaut-gradle-plugin = "4.4.4"
@@ -79,13 +79,14 @@ google-auth-library-credentials = { module = "com.google.auth:google-auth-librar
 
 grpc-auth = { module = "io.grpc:grpc-auth" }
 grpc-netty-shaded = { module = "io.grpc:grpc-netty-shaded" }
-jetty-servlet = { module = "org.eclipse.jetty:jetty-servlet", version.ref = "jetty-servlet" }
+jetty-servlet = { module = "org.eclipse.jetty:jetty-servlet" }
 kotlin-stdlib-jdk8 = { module = "org.jetbrains.kotlin:kotlin-stdlib-jdk8", version.ref = "kotlin" }
 kotlin-reflect = { module = "org.jetbrains.kotlin:kotlin-reflect", version.ref = "kotlin" }
 logback-json-classic = { module = "ch.qos.logback.contrib:logback-json-classic", version.ref = "logback-json-classic" }
 zipkin-sender-stackdriver = { module = "io.zipkin.gcp:zipkin-sender-stackdriver", version.ref = "zipkin-sender-stackdriver" }
 awaitility = { module = 'org.awaitility:awaitility', version.ref = 'awaitility' }
 system-stubs-core = { module = "uk.org.webcompere:system-stubs-core", version.ref = "system-stubs-core" }
+sonatype-scan = { module = "org.sonatype.gradle.plugins:scan-gradle-plugin", version.ref = "sonatype-scan" }
 
 # Plugins
 gradle-micronaut = { module = "io.micronaut.gradle:micronaut-gradle-plugin", version.ref = "micronaut-gradle-plugin" }