Merge pull request #183 from companieshouse/feature/JU-529-technical-debt

addressing java migration technical debt

Author: foman-ch

Makefile

@@ -1,6 +1,20 @@
 artifact_name       := orders.api.ch.gov.uk
 version             := "unversioned"
 
+dependency_check_base_suppressions:=common_suppressions_spring_6.xml
+
+# dependency_check_suppressions_repo_branch
+# The branch of the dependency-check-suppressions repository to use
+# as the source of the suppressions file.
+# This should point to "main" branch when being used for release,
+# but can point to a different branch for experimentation/development.
+dependency_check_suppressions_repo_branch:=feature/suppressions-for-company-accounts-api
+
+dependency_check_minimum_cvss := 4
+dependency_check_assembly_analyzer_enabled := false
+dependency_check_suppressions_repo_url:[email protected]:companieshouse/dependency-check-suppressions.git
+suppressions_file := target/suppressions.xml
+
 .PHONY: all
 all: build
 
@@ -67,7 +81,35 @@ sonar:
 sonar-pr-analysis:
 	mvn sonar:sonar	-P sonar-pr-analysis
 
+
+.PHONY: dependency-check
+dependency-check:
+	@ if [ -d "$(DEPENDENCY_CHECK_SUPPRESSIONS_HOME)" ]; then \
+		suppressions_home="$${DEPENDENCY_CHECK_SUPPRESSIONS_HOME}"; \
+	fi; \
+	if [ ! -d "$${suppressions_home}" ]; then \
+	    suppressions_home_target_dir="./target/dependency-check-suppressions"; \
+		if [ -d "$${suppressions_home_target_dir}" ]; then \
+			suppressions_home="$${suppressions_home_target_dir}"; \
+		else \
+			mkdir -p "./target"; \
+			git clone $(dependency_check_suppressions_repo_url) "$${suppressions_home_target_dir}" && \
+				suppressions_home="$${suppressions_home_target_dir}"; \
+			if [ -d "$${suppressions_home_target_dir}" ] && [ -n "$(dependency_check_suppressions_repo_branch)" ]; then \
+				cd "$${suppressions_home}"; \
+				git checkout $(dependency_check_suppressions_repo_branch); \
+				cd -; \
+			fi; \
+		fi; \
+	fi; \
+	suppressions_path="$${suppressions_home}/suppressions/$(dependency_check_base_suppressions)"; \
+	if [  -f "$${suppressions_path}" ]; then \
+		cp -av "$${suppressions_path}" $(suppressions_file); \
+		mvn org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=$(dependency_check_minimum_cvss) -DassemblyAnalyzerEnabled=$(dependency_check_assembly_analyzer_enabled) -DsuppressionFiles=$(suppressions_file); \
+	else \
+		printf -- "\n ERROR Cannot find suppressions file at '%s'\n" "$${suppressions_path}" >&2; \
+		exit 1; \
+	fi
+
 .PHONY: security-check
-security-check:
-	mvn org.owasp:dependency-check-maven:update-only
-	mvn org.owasp:dependency-check-maven:check -DfailBuildOnCVSS=4 -DassemblyAnalyzerEnabled=false
+security-check: dependency-check

README.md

@@ -3,7 +3,7 @@
 API handling CRUD operations on CH Ordering Service
 
 ### Requirements
-* [Java 8][1]
+* [Java 21][1]
 * [Maven][2]
 * [Git][3]
 
@@ -28,6 +28,6 @@ API handling CRUD operations on CH Ordering Service
 | *`/orders/{orderId}/reprocess`*            | POST   | Triggers the re-processing of the order.                            |
 | *`/healthcheck`*                           | GET    | Returns HTTP OK (`200`) to indicate a healthy application instance. |
 
-[1]: http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
+[1]: https://www.oracle.com/java/technologies/downloads/#java21
 [2]: https://maven.apache.org/download.cgi
 [3]: https://git-scm.com/downloads

pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>uk.gov.companieshouse</groupId>
         <artifactId>companies-house-parent</artifactId>
-        <version>2.1.5</version>
+        <version>2.1.6</version>
     </parent>
     <artifactId>orders.api.ch.gov.uk</artifactId>
     <version>unversioned</version>
@@ -15,34 +15,34 @@
 
     <properties>
         <maven.compiler.release>21</maven.compiler.release>
-        <ch-kafka.version>3.0.1</ch-kafka.version>
-        <kafka-models.version>3.0.7</kafka-models.version>
+        <ch-kafka.version>3.0.3</ch-kafka.version>
+        <kafka-models.version>3.0.8</kafka-models.version>
         <java.version>21</java.version>
-        <structured-logging.version>3.0.3</structured-logging.version>
-        <commons.lang.version>3.14.0</commons.lang.version>
+        <structured-logging.version>3.0.9</structured-logging.version>
+        <commons.lang.version>3.16.0</commons.lang.version>
         <commons.beanutils.version>1.9.4</commons.beanutils.version>
-        <org.mapstruct.version>1.5.5.FINAL</org.mapstruct.version>
-        <gson.version>2.10.1</gson.version>
-        <hamcrest.version>2.2</hamcrest.version>
+        <org.mapstruct.version>1.6.0</org.mapstruct.version>
+        <gson.version>2.11.0</gson.version>
+        <hamcrest.version>3.0</hamcrest.version>
         <!-- system-rules: 1.17.2 is the latest version that works with JUnit 5.
              See https://github.com/stefanbirkner/system-rules/issues/70 -->
         <system-rules-version>1.17.2</system-rules-version>
-        <spring-cloud-contract-wiremock-version>4.1.1</spring-cloud-contract-wiremock-version>
+        <spring-cloud-contract-wiremock-version>4.1.4</spring-cloud-contract-wiremock-version>
         <start-class>uk.gov.companieshouse.orders.api.OrdersApiApplication</start-class>
-        <private-api-sdk-java.version>4.0.76</private-api-sdk-java.version>
+        <private-api-sdk-java.version>4.0.99</private-api-sdk-java.version>
         <api-sdk-manager-java-library.version>3.0.5</api-sdk-manager-java-library.version>
         <api-sdk-java.version>6.0.9</api-sdk-java.version>
         <api-helper-java.version>3.0.1</api-helper-java.version>
-        <api-security-java.version>2.0.0</api-security-java.version>
-        <de-flapdoodle-embed-mongo.version>4.9.3</de-flapdoodle-embed-mongo.version>
-        <wiremock-standalone.version>3.4.2</wiremock-standalone.version>
-        <spring-boot-dependencies.version>3.2.4</spring-boot-dependencies.version>
-        <spring-boot-maven-plugin.version>3.2.0</spring-boot-maven-plugin.version>
-        <commons-compress.version>1.26.1</commons-compress.version>
-        <maven-compiler-plugin.version>3.12.1</maven-compiler-plugin.version>
-        <maven-surefire-plugin.version>3.2.5</maven-surefire-plugin.version>
-        <http2-common.version>11.0.20</http2-common.version>
-        <test-containers.version>1.19.7</test-containers.version>
+        <api-security-java.version>2.0.6</api-security-java.version>
+        <spring-boot-dependencies.version>3.3.2</spring-boot-dependencies.version>
+        <spring-boot-maven-plugin.version>3.3.2</spring-boot-maven-plugin.version>
+        <commons-compress.version>1.27.0</commons-compress.version>
+        <maven-compiler-plugin.version>3.13.0</maven-compiler-plugin.version>
+        <maven-surefire-plugin.version>3.3.1</maven-surefire-plugin.version>
+        <http3-common.version>11.0.22</http3-common.version>
+        <test-containers.version>1.20.1</test-containers.version>
+        <jakarta.servlet-api.version>6.0.0</jakarta.servlet-api.version>
+        <spring-kafka-test.version>3.2.2</spring-kafka-test.version>
         <!-- Docker -->
         <jib-maven-plugin.version>3.4.1</jib-maven-plugin.version>
 
@@ -74,28 +74,27 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-actuator</artifactId>
-            <version>3.2.4</version>
-        </dependency>
-        <dependency>
-            <!--Overriding spring-web version to remove vulnerability-->
-            <groupId>org.springframework</groupId>
-            <artifactId>spring-web</artifactId>
-            <version>6.1.6</version>
         </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-compress</artifactId>
             <version>${commons-compress.version}</version>
         </dependency>
         <dependency>
-            <groupId>org.eclipse.jetty.http2</groupId>
-            <artifactId>http2-common</artifactId>
-            <version>${http2-common.version}</version>
+            <groupId>org.eclipse.jetty.http3</groupId>
+            <artifactId>http3-common</artifactId>
+            <version>${http3-common.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.mortbay.jetty.quiche</groupId>
+                    <artifactId>jetty-quiche-native</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>jakarta.servlet</groupId>
             <artifactId>jakarta.servlet-api</artifactId>
-            <version>6.0.0</version>
+            <version>${jakarta.servlet-api.version}</version>
             <scope>provided</scope>
         </dependency>
         <dependency>
@@ -197,7 +196,7 @@
             <groupId>org.springframework.kafka</groupId>
             <artifactId>spring-kafka-test</artifactId>
             <scope>test</scope>
-            <version>3.0.13</version>
+            <version>${spring-kafka-test.version}</version>
             <exclusions>
                 <exclusion>
                     <groupId>org.pcollections</groupId>