Update CWA-Parent to Spring Boot 3 and JDK 17 (#13)

f11h · web-flow · commit 0507b37d8478 · 2023-02-14T09:31:44.000+01:00
* Update to Spring Boot 3

* Update to Spring Boot 3

* Update Dependencies

* Update CI Jobs to Java 17

* Update Readme

* Update OWASP Exclusions

* Update OWASP Exclusions
diff --git a/.github/workflows/ci-main.yml b/.github/workflows/ci-main.yml
@@ -20,7 +20,7 @@ jobs:
           restore-keys: ${{ env.cache-name }}-
       - uses: actions/setup-java@v1
         with:
-          java-version: 11
+          java-version: 17
       - name: environment
         run: |
           sudo apt-get install --yes --no-install-recommends libxml-xpath-perl
diff --git a/.github/workflows/ci-pull-request.yml b/.github/workflows/ci-pull-request.yml
@@ -7,11 +7,11 @@ on:
       - reopened
 jobs:
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/setup-java@v2
         with:
-          java-version: 11
+          java-version: 17
           distribution: adopt
       - uses: actions/checkout@v2
         with:
@@ -31,7 +31,7 @@ jobs:
     steps:
       - uses: actions/setup-java@v2
         with:
-          java-version: 11
+          java-version: 17
           distribution: adopt
       - uses: actions/checkout@v2
         with:
diff --git a/.github/workflows/ci-release.yml b/.github/workflows/ci-release.yml
@@ -30,7 +30,7 @@ jobs:
           restore-keys: ${{ env.cache-name }}-
       - uses: actions/setup-java@v1
         with:
-          java-version: 11
+          java-version: 17
       - name: version
         run: >-
           APP_SHA=$(git rev-parse --short ${GITHUB_SHA});
diff --git a/README.md b/README.md
@@ -60,7 +60,7 @@ In either case open a terminal pointing to the directory you put the sources in.
 #### Maven based build
 This is the recommended way for taking part in the development.  
 Please check, whether following prerequisites are installed on your machine:
-- [Open JDK 11](https://openjdk.java.net) or a similar JDK 11 compatible VM  
+- [Open JDK 17](https://adoptium.net) or a similar JDK 17 compatible VM  
 - [Maven](https://maven.apache.org)
 
 ## Documentation  
diff --git a/keycloak/pom.xml b/keycloak/pom.xml
@@ -23,18 +23,21 @@
             <version>${project.parent.version}</version>
             <type>pom</type>
         </dependency>
-
         <dependency>
-            <groupId>org.keycloak</groupId>
-            <artifactId>keycloak-spring-boot-starter</artifactId>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
         </dependency>
         <dependency>
             <groupId>com.c4-soft.springaddons</groupId>
-            <artifactId>spring-security-oauth2-test-addons</artifactId>
+            <artifactId>spring-addons-oauth2-test</artifactId>
         </dependency>
         <dependency>
             <groupId>com.c4-soft.springaddons</groupId>
-            <artifactId>spring-security-oauth2-test-webmvc-addons</artifactId>
+            <artifactId>spring-addons-webmvc-test</artifactId>
         </dependency>
     </dependencies>
 </project>
diff --git a/mysql-persistence/pom.xml b/mysql-persistence/pom.xml
@@ -32,8 +32,8 @@
             <artifactId>h2</artifactId>
         </dependency>
         <dependency>
-            <groupId>mysql</groupId>
-            <artifactId>mysql-connector-java</artifactId>
+            <groupId>com.mysql</groupId>
+            <artifactId>mysql-connector-j</artifactId>
             <scope>runtime</scope>
         </dependency>
         <dependency>
diff --git a/owasp/suppressions.xml b/owasp/suppressions.xml
@@ -1,36 +1,24 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-
-    <suppress>
-        <notes>CVE is matching for Spring Security 5.3.x, but we have 5.7.x</notes>
-        <cve>CVE-2020-5408</cve>
-    </suppress>
-
-    <suppress>
-        <notes>CVE is matching for Spring Framework up to 5.3.20, but we have 5.3.21</notes>
-        <cve>CVE-2016-1000027</cve>
-    </suppress>
-    
     <suppress>
-        <notes>False Positive matches</notes>
-        <cve>CVE-2022-31514</cve>
-        <cve>CVE-2022-2393</cve>
+        <notes>Both CVE are matching for eclipse ide</notes>
+        <cve>CVE-2008-7271</cve>
+        <cve>CVE-2010-4647</cve>
     </suppress>
 
     <suppress>
-        <notes>SnakeYML False Positive Matcher (CVE is up to 1.32, but also matches for 1.33)</notes>
-        <cve>CVE-2022-38752</cve>
+        <notes>no YAML content from users is parsed within this service</notes>
+        <cve>CVE-2022-1471</cve>
     </suppress>
 
     <suppress>
-        <notes>This CVE is only affecting Keycloak Server not the Lib. (https://bugzilla.redhat.com/show_bug.cgi?id=2141404)</notes>
-        <cve>CVE-2022-3916</cve>
+        <notes>H2 is only used for testing, not production</notes>
+        <cve>CVE-2022-45868</cve>
     </suppress>
 
     <suppress>
-        <notes>The affected libs are just used for unit-testing.</notes>
-        <cve>CVE-2022-31690</cve>
-        <cve>CVE-2022-31692</cve>
+        <notes>False positive. CVE is matching for hutools. OWASP Check matches for json-lib</notes>
+        <cve>CVE-2022-45688</cve>
     </suppress>
 
 </suppressions>
diff --git a/pom.xml b/pom.xml
