Fix CVE-2020-9488 vulnerability. (#367)

* Fix  CVE-2020-9488 vulnerability.

* - upgrade Gradle to 6.3
- fix deprecated Gradle elements
- upgrade Spring Boot to 2.2.6.RELEASE
- upgrade idamBob to 2.0.1

* update to chart-java 2.18.0

* Switch to idam BOM 2.1.0 to fix CVE-2020-9488 vulnerability

.gitignore

@@ -39,4 +39,7 @@ bin
 
 ### Helm ###
 **/charts/*.tgz
-charts/*/requirements.lock
+charts/*/requirements.lock
+
+### Jenkins Additions ###
+init.gradle

build.gradle

@@ -6,7 +6,7 @@ plugins {
   id 'io.spring.dependency-management' version '1.0.9.RELEASE' apply false
   id 'org.owasp.dependencycheck' version '5.1.1'
   id 'org.sonarqube' version '2.6.2'
-  id 'org.springframework.boot' version '2.2.4.RELEASE' apply false
+  id 'org.springframework.boot' version '2.2.6.RELEASE' apply false
   id 'com.gorylenko.gradle-git-properties' version '1.4.21'
   id "info.solidsoft.pitest" version "1.3.0"
   id 'pmd'
@@ -17,7 +17,7 @@ gitProperties {
   dateFormat = "yyyy-MM-dd HH:mm:ssZ"
 }
 
-allprojects  {
+allprojects {
   apply plugin: 'java'
   apply plugin: 'io.spring.dependency-management'
   apply plugin: 'org.owasp.dependencycheck'
@@ -31,8 +31,7 @@ allprojects  {
   sourceCompatibility = 1.8
   targetCompatibility = 1.8
 
-  def idamBomVersion = '1.9.7'
-  ext['tomcat.version'] = '9.0.31'
+  def idamBomVersion = '2.1.0'
 
   dependencyManagement {
     imports {
@@ -43,7 +42,7 @@ allprojects  {
   repositories {
     mavenCentral()
     maven {
-       url "https://dl.bintray.com/hmcts/hmcts-maven"
+      url "https://dl.bintray.com/hmcts/hmcts-maven"
     }
     jcenter()
   }
@@ -66,18 +65,18 @@ allprojects  {
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-web'
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-security'
     // TODO: remove version once 2.2.2.RELEASE is out
-    implementation (group: 'org.springframework.cloud', name: 'spring-cloud-starter-netflix-zuul', version: '2.2.1.RELEASE') {
+    implementation(group: 'org.springframework.cloud', name: 'spring-cloud-starter-netflix-zuul', version: '2.2.1.RELEASE') {
       exclude(module: 'rxnetty-contexts')
       exclude(module: 'rxnetty-servo')
       exclude(module: 'rxnetty')
     }
     implementation group: 'org.springframework.security', name: 'spring-security-taglibs'
-    
+
     compileOnly("org.projectlombok:lombok")
-    
+
     annotationProcessor("org.projectlombok:lombok")
     annotationProcessor "org.springframework.boot:spring-boot-configuration-processor"
-    
+
     implementation group: 'javax.servlet', name: 'jstl'
     implementation group: 'javax.json', name: 'javax.json-api'
     implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind'
@@ -92,22 +91,21 @@ allprojects  {
     implementation group: 'org.pitest', name: 'pitest', version: '1.3.2'
     implementation group: 'org.owasp.encoder', name: 'encoder-jsp', version: '1.2.2'
     implementation group: 'info.solidsoft.gradle.pitest', name: 'gradle-pitest-plugin', version: '1.3.0'
-    implementation group: 'org.codehaus.sonar-plugins', name:'sonar-pitest-plugin', version: '0.5'
+    implementation group: 'org.codehaus.sonar-plugins', name: 'sonar-pitest-plugin', version: '0.5'
+    implementation group: 'uk.gov.hmcts.reform', name: 'properties-volume-spring-boot-starter', version: '0.0.4'
+    implementation group: 'uk.gov.hmcts.reform', name: 'health-spring-boot-starter', version: '0.0.4'
 
     // TODO mockito version is not correctly resolved from IdAM BOM. Remove version when this is fixed
     testCompileOnly("org.projectlombok:lombok")
-    
+
     testAnnotationProcessor("org.projectlombok:lombok")
-    
+
     testImplementation group: 'org.mockito', name: 'mockito-core'
     testImplementation group: 'org.springframework.boot', name: 'spring-boot-devtools'
-    testCompile(group: 'org.springframework.boot', name: 'spring-boot-starter-test') {
-        exclude(module: 'commons-logging')
+    testImplementation(group: 'org.springframework.boot', name: 'spring-boot-starter-test') {
+      exclude(module: 'commons-logging')
     }
     testImplementation group: 'org.springframework.security', name: 'spring-security-test'
-
-    compile group: 'uk.gov.hmcts.reform', name: 'properties-volume-spring-boot-starter', version: '0.0.4'
-    compile group: 'uk.gov.hmcts.reform', name: 'health-spring-boot-starter', version: '0.0.4'
   }
 
   tasks.withType(JavaCompile) {
@@ -160,7 +158,7 @@ allprojects  {
 
   task codeceptSmokeSauce(type: Exec, dependsOn: ':yarnInstall') {
     workingDir '.'
-    commandLine 'node_modules/codeceptjs/bin/codecept.js', 'run', '--config', 'saucelabs.conf.js','--steps', '--grep', '@smoke', '--verbose', '--debug', '--reporter', 'mochawesome'
+    commandLine 'node_modules/codeceptjs/bin/codecept.js', 'run', '--config', 'saucelabs.conf.js', '--steps', '--grep', '@smoke', '--verbose', '--debug', '--reporter', 'mochawesome'
   }
 
   task functionalSauce(dependsOn: ':codeceptFunctionalSauce') {
@@ -182,20 +180,20 @@ allprojects  {
 project.tasks['sonarqube'].dependsOn test
 
 def listFiles(String pattern) {
-    return new FileNameFinder()
-        .getFileNames("${project.rootDir}", pattern)
-        .stream()
-        .collect(Collectors.joining(","))
+  return new FileNameFinder()
+    .getFileNames("${project.rootDir}", pattern)
+    .stream()
+    .collect(Collectors.joining(","))
 }
 
 sonarqube {
   properties {
     property "sonar.projectName", "SIDAM-WEB-PUBLIC"
     property "sonar.exclusions", "**/uk/gov/hmcts/reform/idam/web/config/properties/*.java," +
-            "**/uk/gov/hmcts/reform/idam/web/model/*.java," +
-            "**/uk/gov/hmcts/reform/idam/web/helper/MvcKeys.java," +
-            "**/uk/gov/hmcts/reform/idam/web/Application.java," +
-            "**/*Exception.java"
+      "**/uk/gov/hmcts/reform/idam/web/model/*.java," +
+      "**/uk/gov/hmcts/reform/idam/web/helper/MvcKeys.java," +
+      "**/uk/gov/hmcts/reform/idam/web/Application.java," +
+      "**/*Exception.java"
     property "sonar.host.url", "https://sonar.reform.hmcts.net/"
     property "sonar.pitest.mode", "reuseReport"
     property "sonar.pitest.reportsDirectory", "build/reports/pitest"

charts/idam-web-public/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 appVersion: "1.0"
 description: A Helm chart for HMCTS Reform IDAM Web Public
 name: idam-web-public
-version: 0.2.3
+version: 0.2.4
 maintainers:
   - name: Amido Reform SIDAM Team
     email: reform.idam@HMCTS.NET

charts/idam-web-public/requirements.yaml

@@ -1,4 +1,4 @@
 dependencies:
   - name: java
-    version: ~2.16.0
+    version: ~2.18.0
     repository: '@hmctspublic'

charts/idam-web-public/values.aat.template.yaml

@@ -5,6 +5,5 @@ java:
   ingressIP: ${INGRESS_IP}
   consulIP: ${CONSUL_LB_IP}
   replicas: 1
-  aadIdentityName: idam
   environment:
     STRATEGIC_SERVICE_URL: http://idam-api-staging.service.core-compute-aat.internal

charts/idam-web-public/values.yaml

@@ -6,6 +6,7 @@ java:
   ingressHost: "idam-web-public.service.core-compute-{{ .Values.global.environment }}.internal"
   replicas: 3
   applicationPort: 8080
+  aadIdentityName: idam
   keyVaults:
     "idam-idam":
       resourceGroup: idam-idam

gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,6 @@
-#Thu Nov 07 15:26:14 GMT 2019
+#Fri May 01 15:54:14 BST 2020
+distributionUrl=https\://services.gradle.org/distributions/gradle-6.3-all.zip
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-5.5-all.zip
+zipStoreBase=GRADLE_USER_HOME

gradlew

@@ -125,8 +125,8 @@ if $darwin; then
     GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\""
 fi
 
-# For Cygwin, switch paths to Windows format before running java
-if $cygwin ; then
+# For Cygwin or MSYS, switch paths to Windows format before running java
+if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then
     APP_HOME=`cygpath --path --mixed "$APP_HOME"`
     CLASSPATH=`cygpath --path --mixed "$CLASSPATH"`
     JAVACMD=`cygpath --unix "$JAVACMD"`
@@ -154,19 +154,19 @@ if $cygwin ; then
         else
             eval `echo args$i`="\"$arg\""
         fi
-        i=$((i+1))
+        i=`expr $i + 1`
     done
     case $i in
-        (0) set -- ;;
-        (1) set -- "$args0" ;;
-        (2) set -- "$args0" "$args1" ;;
-        (3) set -- "$args0" "$args1" "$args2" ;;
-        (4) set -- "$args0" "$args1" "$args2" "$args3" ;;
-        (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
-        (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
-        (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
-        (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
-        (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
+        0) set -- ;;
+        1) set -- "$args0" ;;
+        2) set -- "$args0" "$args1" ;;
+        3) set -- "$args0" "$args1" "$args2" ;;
+        4) set -- "$args0" "$args1" "$args2" "$args3" ;;
+        5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;;
+        6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;;
+        7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;;
+        8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;;
+        9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;;
     esac
 fi
 
@@ -175,14 +175,9 @@ save () {
     for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done
     echo " "
 }
-APP_ARGS=$(save "$@")
+APP_ARGS=`save "$@"`
 
 # Collect all arguments for the java command, following the shell quoting and substitution rules
 eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS"
 
-# by default we should be in the correct project dir, but when run from Finder on Mac, the cwd is wrong
-if [ "$(uname)" = "Darwin" ] && [ "$HOME" = "$PWD" ]; then
-  cd "$(dirname "$0")"
-fi
-
 exec "$JAVACMD" "$@"

gradlew.bat

@@ -29,6 +29,9 @@ if "%DIRNAME%" == "" set DIRNAME=.
 set APP_BASE_NAME=%~n0
 set APP_HOME=%DIRNAME%
 
+@rem Resolve any "." and ".." in APP_HOME to make it shorter.
+for %%i in ("%APP_HOME%") do set APP_HOME=%%~fi
+
 @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
 set DEFAULT_JVM_OPTS="-Xmx64m" "-Xms64m"