Security (#17)

- Adds Lift configuration
- Improves OSS Index Audit configuration
- Updates some dependencies with potential vulnerabilities

{patch}

.github/workflows/codeql-analysis.yml

@@ -60,8 +60,8 @@ jobs:
           # Prefix the list here with "+" to use these queries and those in the config file.
           # queries: ./path/to/local/query, your-org/your-repo/queries@main
       - name: Build with Gradle
-        run: ./gradlew build -x test
+        run: ./gradlew build -x test -x dockerClean -x dockerPrepare -x dockerRun -x dockerRunStatus -x dockerStop
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@46110c361b7e9ea1b6f9c6ba2cc941fa7a106cca
       - name: Check dependencies with Gradle
-        run: ./gradlew ossIndexAudit --info
+        run: ./gradlew ossIndexAudit -PossIndexUsername=${{ secrets.OSS_INDEX_USER }} -PossIndexPassword=${{ secrets.OSS_INDEX_PASSWORD }}

.github/workflows/gradle-ci.yml

@@ -9,6 +9,8 @@ on:
     paths-ignore:
       - 'README.md'
       - '**/README.md'
+      - '.lift/.toml'
+      - '**/.lift/.toml'
       - 'SECURITY.md'
       - 'LICENSE'
       - '.github/ISSUE_TEMPLATE/**'
@@ -46,4 +48,3 @@ jobs:
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           file: ./lowkey-vault-app/build/reports/jacoco/report.xml
-          fail_ci_if_error: false

.github/workflows/gradle-oss-index-scan.yml

@@ -21,4 +21,4 @@ jobs:
         with:
           java-version: 11
       - name: Check dependencies with Gradle
-        run: ./gradlew ossIndexAudit --info
+        run: ./gradlew ossIndexAudit -PossIndexUsername=${{ secrets.OSS_INDEX_USER }} -PossIndexPassword=${{ secrets.OSS_INDEX_PASSWORD }}

.github/workflows/gradle.yml

@@ -9,6 +9,8 @@ on:
     paths-ignore:
       - 'README.md'
       - '**/README.md'
+      - '.lift/.toml'
+      - '**/.lift/.toml'
       - 'SECURITY.md'
       - 'LICENSE'
       - '.github/ISSUE_TEMPLATE/**'
@@ -63,4 +65,3 @@ jobs:
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           file: ./lowkey-vault-app/build/reports/jacoco/report.xml
-          fail_ci_if_error: false

.lift.toml

@@ -0,0 +1,24 @@
+# Lift configuration
+# Reference https://help.sonatype.com/lift/configuration-reference
+
+# setup = <path to setup script>
+# build = ENV= <env> <build option> [target]
+build = "./gradlew build -x test -x dockerClean -x dockerPrepare -x dockerRun -x dockerRunStatus -x dockerStop"
+
+# importantRules = <exclusive list of issues to report back to user>
+# ignoreRules = <list of issues never to report to the user>
+# ignoreFiles = <gitignore format string of files to ignore>
+
+## tools = <infer | errorprone | eslint | hlint | findsecbugs >
+tools = ["infer", "findsecbugs", "open source vulnerabilities", "bill of materials"]
+
+# disableTools = <list of tools to not run on the project>
+disableTools = ["errorprone"]
+
+# customTools = <list of user-provided tools conforming to a tool API>
+# allow = <list of users whose pull requests can trigger analysis>
+# jdkVersion = <jdk version>
+jdkVersion = "11"
+
+# summaryComments = <true or false (defaults to false)
+summaryComments = false

build.gradle

@@ -1,5 +1,7 @@
 plugins {
     id 'io.toolebox.git-versioner' version '1.6.5'
+    id 'org.sonatype.gradle.plugins.scan' version '2.2.2' apply false
+    id 'org.owasp.dependencycheck' version '6.5.2' apply false
 }
 
 group = 'com.github.nagyesta.lowkey-vault'
@@ -9,6 +11,8 @@ project.ext {
     gitUser = project.hasProperty('githubUser') ? (project.property('githubUser') as String) : ''
     ossrhUser = project.hasProperty('ossrhUsername') ? (project.property('ossrhUsername') as String) : ''
     ossrhPass = project.hasProperty('ossrhPassword') ? (project.property('ossrhPassword') as String) : ''
+    ossIndexUser = project.hasProperty('ossIndexUsername') ? (project.property('ossIndexUsername') as String) : ''
+    ossIndexPass = project.hasProperty('ossIndexPassword') ? (project.property('ossIndexPassword') as String) : ''
     keyToolDir = project.hasProperty('keyToolDir') ? (project.property('keyToolDir') as String) : ''
     repoUrl = 'https://github.com/nagyesta/lowkey-vault'
     licenseName = 'MIT License'
@@ -24,17 +28,17 @@ project.ext {
     // internal build versions
     httpClientVersion = '4.5.13'
     azureKeyVaultClientVersion = '4.3.4'
-    abortMissionVersion = '2.8.1'
+    abortMissionVersion = '2.8.4'
     cucumberVersion = '7.1.0'
     jupiterVersion = '5.8.2'
     mockitoCoreVersion = '3.9.0'
-    springBootVersion = '2.6.1'
+    springBootVersion = '2.6.2'
     bouncyCastleVersion = '1.69'
     hibernateVersion = '6.2.0.Final'
-    springVersion = '5.3.13'
+    springVersion = '5.3.14'
     lombokVersion = '1.18.20'
     findBugsVersion = '3.0.2'
-    logbackVersion = '1.2.6'
+    logbackVersion = '1.2.10'
     testcontainersVersion = '1.16.2'
 }
 
@@ -73,6 +77,8 @@ configure(subprojects.findAll({
     apply plugin: 'jacoco'
     apply plugin: 'maven-publish'
     apply plugin: 'signing'
+    apply plugin: 'org.sonatype.gradle.plugins.scan'
+    apply plugin: 'org.owasp.dependencycheck'
 
     versioner.apply()
 
@@ -161,6 +167,7 @@ configure(subprojects.findAll({
                     .fromFile(rootProject.file('config/checkstyle/checkstyle-stylesheet.xsl') as String)
         }
     }
+    checkstyle.toolVersion = '9.2.1'
 
     publishing {
         repositories {
@@ -187,6 +194,15 @@ configure(subprojects.findAll({
     tasks.withType(GenerateModuleMetadata) {
         enabled = false
     }
+
+    ossIndexAudit {
+        username = rootProject.ext.ossIndexUser
+        password = rootProject.ext.ossIndexPass
+        printBanner = false
+        colorEnabled = true
+        showAll = false
+        dependencyGraph = true
+    }
 }
 
 repositories {

lowkey-vault-app/build.gradle

@@ -3,7 +3,6 @@ plugins {
     id 'java'
     //noinspection SpellCheckingInspection
     id "io.freefair.lombok" version '6.2.0'
-    id 'org.sonatype.gradle.plugins.scan' version '2.2.0'
     id 'com.github.nagyesta.abort-mission-gradle-plugin' version '2.1.0'
 }
 
@@ -20,6 +19,8 @@ dependencies {
     implementation "org.springframework.boot:spring-boot-starter-web:${rootProject.ext.springBootVersion}"
     implementation "org.springframework.boot:spring-boot-starter-tomcat:${rootProject.ext.springBootVersion}"
     implementation "org.springframework.boot:spring-boot-starter-validation:${rootProject.ext.springBootVersion}"
+    implementation "ch.qos.logback:logback-classic:${rootProject.ext.logbackVersion}"
+    implementation "ch.qos.logback:logback-core:${rootProject.ext.logbackVersion}"
     implementation "org.bouncycastle:bcpkix-jdk15on:${rootProject.ext.bouncyCastleVersion}"
     implementation "org.hibernate:hibernate-validator:${rootProject.ext.hibernateVersion}"
     implementation "com.google.code.findbugs:jsr305:${rootProject.ext.findBugsVersion}"

lowkey-vault-client/build.gradle

@@ -1,7 +1,5 @@
 plugins {
     id 'java'
-    //noinspection SpellCheckingInspection
-    id 'org.sonatype.gradle.plugins.scan' version '2.2.0'
 }
 
 group = "${rootProject.group}"
@@ -12,8 +10,12 @@ project.ext {
 }
 
 dependencies {
-    implementation "com.azure:azure-security-keyvault-keys:${rootProject.ext.azureKeyVaultClientVersion}"
-    implementation "com.azure:azure-security-keyvault-secrets:${rootProject.ext.azureKeyVaultClientVersion}"
+    implementation("com.azure:azure-security-keyvault-keys:${rootProject.ext.azureKeyVaultClientVersion}") {
+        exclude(group: "io.netty")
+    }
+    implementation("com.azure:azure-security-keyvault-secrets:${rootProject.ext.azureKeyVaultClientVersion}") {
+        exclude(group: "io.netty")
+    }
     implementation "org.apache.httpcomponents:httpclient:${rootProject.ext.httpClientVersion}"
     testImplementation "org.mockito:mockito-core:${rootProject.ext.mockitoCoreVersion}"
     testImplementation "org.junit.jupiter:junit-jupiter:${rootProject.ext.jupiterVersion}"

lowkey-vault-testcontainers/build.gradle

@@ -1,7 +1,5 @@
 plugins {
     id 'java'
-    //noinspection SpellCheckingInspection
-    id 'org.sonatype.gradle.plugins.scan' version '2.2.0'
 }
 
 group = "${rootProject.group}"