From 635985bfd1cab27cc21710815fa237e04954dea2 Mon Sep 17 00:00:00 2001
From: Jakub Lidke
Date: Mon, 28 Aug 2023 14:27:28 +0200
Subject: [PATCH] chore: remove previous build via Dockerfile. Fix security issue: CVE-2023-34453, CVE-2023-34454, CVE-2023-34455, CVE-2022-1471
---
Dockerfile | 37 -------------------------------------
build.gradle.kts | 21 ++++++++++++++-------
2 files changed, 14 insertions(+), 44 deletions(-)
delete mode 100644 Dockerfile
diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index f5f6029..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1,37 +0,0 @@
-FROM gradle:8.1-jdk17 AS build
-WORKDIR /home/gradle/src
-ENV GRADLE_USER_HOME /gradle
-
-COPY build.gradle.kts settings.gradle.kts ./
-
-COPY --chown=gradle:gradle . .
-RUN gradle build --info && \
- java -Djarmode=layertools -jar build/libs/*.jar extract
-
-FROM gcr.io/distroless/java17:nonroot
-WORKDIR /opt/kafka-streams-template
-COPY --from=build /home/gradle/src/dependencies/ ./
-COPY --from=build /home/gradle/src/spring-boot-loader/ ./
-COPY --from=build /home/gradle/src/application/ ./
-COPY HealthCheck.java .
-
-USER nonroot
-ARG GIT_REF=""
-ARG GIT_URL=""
-ARG BUILD_TIME=""
-ARG VERSION=0.0.0
-ENV APP_VERSION=${VERSION} \
- SPRING_PROFILES_ACTIVE="prod"
-ENTRYPOINT ["java", "-XX:MaxRAMPercentage=90", "org.springframework.boot.loader.JarLauncher"]
-
-HEALTHCHECK --interval=25s --timeout=3s --retries=2 CMD ["java", "HealthCheck.java", "||", "exit", "1"]
-
-LABEL org.opencontainers.image.created=${BUILD_TIME} \
- org.opencontainers.image.authors="Paul-Chrisitan Volkmer, Jakub Lidke" \
- org.opencontainers.image.source=${GIT_URL} \
- org.opencontainers.image.version=${VERSION} \
- org.opencontainers.image.revision=${GIT_REF} \
- org.opencontainers.image.vendor="" \
- org.opencontainers.image.license="AGPLv3" \
- org.opencontainers.image.title="etl-processor" \
- org.opencontainers.image.description="Relay application between Onkostar and bwHc for pseudonymization or anonymization of patient data and profide additional monitoring of processed data."
diff --git a/build.gradle.kts b/build.gradle.kts
index d8389e6..61ca3ed 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -3,8 +3,9 @@ import org.jetbrains.kotlin.gradle.tasks.KotlinCompile
 import org.springframework.boot.gradle.tasks.bundling.BootBuildImage
 plugins {
- id("org.springframework.boot") version "3.1.1"
- id("io.spring.dependency-management") version "1.1.0"
+ war
+ id("org.springframework.boot") version "3.1.2"
+ id("io.spring.dependency-management") version "1.1.3"
 kotlin("jvm") version "1.9.0"
 kotlin("plugin.spring") version "1.9.0"
 }
@@ -48,17 +49,22 @@ repositories {
 mavenCentral()
 }
-tasks.getByName("jar") {
- enabled = false
-}
-
 dependencies {
 implementation("org.jetbrains.kotlin:kotlin-reflect")
 implementation("org.springframework.boot:spring-boot-starter-thymeleaf")
 implementation("org.springframework.boot:spring-boot-starter-web")
 implementation("org.springframework.boot:spring-boot-starter-data-jdbc")
 implementation("com.fasterxml.jackson.module:jackson-module-kotlin")
- implementation("org.springframework.kafka:spring-kafka")
+ implementation("org.springframework.kafka:spring-kafka"){
+ // CVE-2023-34453, CVE-2023-34454, CVE-2023-34455
+ exclude( "org.xerial.snappy:snappy-java")
+ // CVE-2022-1471
+ exclude("org.yaml:snakeyaml")
+ }
+ // fixes CVE-2023-34453, CVE-2023-34454, CVE-2023-34455
+ implementation("org.xerial.snappy:snappy-java:1.1.10.3")
+ // fix CVE-2022-1471
+ implementation("org.yaml:snakeyaml:2.1")
 implementation("org.flywaydb:flyway-mysql")
 implementation("commons-codec:commons-codec")
 implementation("io.projectreactor.kotlin:reactor-kotlin-extensions")
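Review bot: The two `exclude(...)` calls in the new spring-kafka block are very likely no-ops: the Gradle Kotlin DSL `exclude` extension takes separate `group` and `module` parameters, so a single positional `"org.xerial.snappy:snappy-java"` is bound to `group` and matches no artifact, and the same applies to `"org.yaml:snakeyaml"`. The patched versions then only win through Gradle's highest-version conflict resolution against the direct `implementation(...)` lines that follow, which is fragile because snakeyaml is a version managed by the Spring Boot BOM and reaches the classpath through more starters than spring-kafka. Write the exclusions as `exclude(group = "org.xerial.snappy", module = "snappy-java")` and `exclude(group = "org.yaml", module = "snakeyaml")`, or drop them and override the BOM property with `extra["snakeyaml.version"] = "2.1"` so every dependency path resolves to the fixed release. Confirm the resolved versions with `gradle dependencyInsight --dependency snakeyaml` (and the same for snappy-java) before treating the listed CVEs as closed, and check that the application's YAML configuration still loads with snakeyaml 2.x, whose API differs from the 1.x line. The `dependencies` block continues past the end of this hunk.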
@@ -71,6 +77,7 @@ dependencies {
 developmentOnly("org.springframework.boot:spring-boot-devtools")
 developmentOnly("org.springframework.boot:spring-boot-docker-compose")
 annotationProcessor("org.springframework.boot:spring-boot-configuration-processor")
+ providedRuntime("org.springframework.boot:spring-boot-starter-tomcat")
 testImplementation("org.springframework.boot:spring-boot-starter-test")
 testImplementation("io.projectreactor:reactor-test")
 testImplementation("org.mockito.kotlin:mockito-kotlin:${versions["mockito-kotlin"]}")
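Review bot: `providedRuntime("org.springframework.boot:spring-boot-starter-tomcat")`, together with the `war` plugin added in the first build.gradle.kts hunk, moves the servlet container out of the built artifact, so the runtime controls the deleted Dockerfile used to pin — the distroless base image, `USER nonroot`, `SPRING_PROFILES_ACTIVE="prod"` and `-XX:MaxRAMPercentage=90` — now depend on whatever container the WAR is deployed into, and nothing in this commit records where that responsibility moved. A one-line comment above the new dependency would keep that visible, e.g. `// WAR packaging: Tomcat, base image, run-as user and JVM flags are owned by the deployment target.` The commit subject only mentions the Dockerfile removal and the CVE pins, so the switch to WAR packaging is worth stating there as well. The `dependencies` block starts and ends outside this hunk.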