Upgrading Spring boot to address CVE and exempt bootstrap from inaccu…

…rate CVE reports
DovOps · Sep 4, 2024 · 740e9a6 · 740e9a6
1 parent 4635519
commit 740e9a6
Show file tree

Hide file tree

Showing 9 changed files with 21 additions and 12 deletions.
diff --git a/.github/node-cve-ignore-list.xml b/.github/node-cve-ignore-list.xml
@@ -1,3 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress>
+        <notes>Erroneously reporting CVE-2024-6484 and CVE-2024-6531</notes>
+        <cpe>bootstrap:bootstrap:5.3.3</cpe>
+    </suppress>
 </suppressions>
diff --git a/account-service/build.gradle b/account-service/build.gradle
@@ -7,8 +7,8 @@
 
 plugins {
   id 'java'
-  id 'org.springframework.boot' version '3.3.1'
-  id 'io.spring.dependency-management' version '1.1.5'
+  id 'org.springframework.boot' version '3.3.3'
+  id 'io.spring.dependency-management' version '1.1.6'
 }
 
 group = 'finos.traderx.account-service'
@@ -23,7 +23,7 @@ dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
 	implementation 'org.springframework.boot:spring-boot-starter-web'
 	implementation 'com.h2database:h2:2.2.224'
-	implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.5.0'
+	implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.6.0'
 
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
 }

diff --git a/account-service/src/main/resources/application.properties b/account-service/src/main/resources/application.properties
@@ -7,6 +7,7 @@ spring.datasource.password=${DATABASE_DBPASS:sa}
 spring.data.jpa.database-platform=org.hibernate.dialect.H2Dialect
 spring.data.jpa.show-sql=true
 spring.jpa.hibernate.naming.physical-strategy=org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl
+spring.threads.virtual.enabled=true
 
 # To avoid "Request header is too large" when application is backed by oidc proxy.
 server.max-http-request-header-size=1000000

diff --git a/position-service/build.gradle b/position-service/build.gradle
@@ -7,8 +7,8 @@
 
 plugins {
   id 'java'
-  id 'org.springframework.boot' version '3.3.1'
-  id 'io.spring.dependency-management' version '1.1.5'
+  id 'org.springframework.boot' version '3.3.3'
+  id 'io.spring.dependency-management' version '1.1.6'
 }
 
 group = 'finos.traderx.position-service'
@@ -23,7 +23,7 @@ dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
 	implementation 'org.springframework.boot:spring-boot-starter-web'
 	implementation 'com.h2database:h2:2.2.224'
-	implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.5.0'
+	implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.6.0'
 
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
 }

diff --git a/position-service/src/main/resources/application.properties b/position-service/src/main/resources/application.properties
@@ -7,6 +7,7 @@ spring.datasource.password=${DATABASE_DBPASS:sa}
 spring.data.jpa.database-platform=org.hibernate.dialect.H2Dialect
 spring.data.jpa.show-sql=true
 spring.jpa.hibernate.naming.physical-strategy=org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl
+spring.threads.virtual.enabled=true
 
 # To avoid "Request header is too large" when application is backed by oidc proxy.
 server.max-http-request-header-size=1000000
diff --git a/trade-processor/build.gradle b/trade-processor/build.gradle
@@ -7,8 +7,8 @@
 
 plugins {
   id 'java'
-  id 'org.springframework.boot' version '3.3.1'
-  id 'io.spring.dependency-management' version '1.1.5'
+  id 'org.springframework.boot' version '3.3.3'
+  id 'io.spring.dependency-management' version '1.1.6'
 }
 
 group = 'finos.traderx.trade-processor'
@@ -23,7 +23,7 @@ dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
 	implementation 'org.springframework.boot:spring-boot-starter-web'
 	implementation 'com.h2database:h2:2.2.224'
-	implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.5.0'
+	implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.6.0'
 
 	implementation('org.json:json:20240303') {
 		because 'previous versions are affected by multiple CVE'

diff --git a/trade-processor/src/main/resources/application.properties b/trade-processor/src/main/resources/application.properties
@@ -9,6 +9,7 @@ spring.data.jpa.show-sql=true
 spring.jpa.hibernate.ddl-auto=update
 
 spring.jpa.hibernate.naming.physical-strategy=org.hibernate.boot.model.naming.PhysicalNamingStrategyStandardImpl
+spring.threads.virtual.enabled=true
 
 trade.feed.address=${TRADE_FEED_ADDRESS:http://${TRADE_FEED_HOST:localhost}:18086}
 

diff --git a/trade-service/build.gradle b/trade-service/build.gradle
@@ -7,8 +7,8 @@
 
 plugins {
   id 'java'
-  id 'org.springframework.boot' version '3.3.1'
-  id 'io.spring.dependency-management' version '1.1.5'
+  id 'org.springframework.boot' version '3.3.3'
+  id 'io.spring.dependency-management' version '1.1.6'
 }
 
 group = 'finos.traderx.trade-service'
@@ -27,7 +27,7 @@ dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
 	implementation 'org.springframework.boot:spring-boot-starter-web'
 	implementation 'com.h2database:h2:2.2.224'
-	implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.5.0'
+	implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.6.0'
 
 	implementation('org.json:json:20240303') {
 		because 'previous versions are affected by multiple CVE'

diff --git a/trade-service/src/main/resources/application.properties b/trade-service/src/main/resources/application.properties
@@ -1,4 +1,6 @@
 server.port=${TRADING_SERVICE_PORT:18092}
+spring.threads.virtual.enabled=true
+
 people.service.url=${PEOPLE_SERVICE_URL:http://${PEOPLE_SERVICE_HOST:localhost}:18089}
 account.service.url=${ACCOUNT_SERVICE_URL:http://${ACCOUNT_SERVICE_HOST:localhost}:18088}
 reference.data.service.url=${REFERENCE_DATA_SERVICE_URL:http://${REFERENCE_DATA_HOST:localhost}:18085}