Gradle upgrade and CVE remediation (#38)

* Fix JSON CVE, remove direct slf4j dep, and upgrade to Gradle 8.4

* Added CVE remediation for JS libs

* Updated npm JS dependencies

* Added overrides for chromedriver and axios

* Updated tomcat embed version to address new CVE

* Update CVE deps

* removed unused dependency

* updated ignore

.github/gradle-cve-ignore-list.xml

@@ -12,7 +12,7 @@
     </suppress>
     <suppress>
         <notes><![CDATA[Ignoring, since we don't unmarshal XML to JSON; see https://github.com/stleary/JSON-java/issues/708]]></notes>
-        <filePath regex="true">.*\bjson-20090211\.jar</filePath>
+        <filePath regex="true">.*\bjson-20231013\.jar</filePath>
         <cve>CVE-2022-45688</cve>
     </suppress>
     <suppress>

account-service/build.gradle

@@ -26,18 +26,17 @@ dependencies {
 		exclude group: 'org.apache.tomcat.embed', module: 'tomcat-embed-websocket'
 		exclude group: 'org.apache.tomcat.embed', module: 'tomcat-embed-el'
 	}
-	implementation('org.apache.tomcat.embed:tomcat-embed-core:10.1.13') {
-		because 'previous versions are affected by CVE-2023-41080'
+	implementation('org.apache.tomcat.embed:tomcat-embed-core:10.1.15') {
+		because 'previous versions are affected by CVE-2023-41080 and others'
 	}
-	implementation('org.apache.tomcat.embed:tomcat-embed-websocket:10.1.13') {
-		because 'previous versions are affected by CVE-2023-41080'
+	implementation('org.apache.tomcat.embed:tomcat-embed-websocket:10.1.15') {
+		because 'previous versions are affected by CVE-2023-41080 and others'
 	}
-	implementation('org.apache.tomcat.embed:tomcat-embed-el:10.1.13') {
-		because 'previous versions are affected by CVE-2023-41080'
+	implementation('org.apache.tomcat.embed:tomcat-embed-el:10.1.15') {
+		because 'previous versions are affected by CVE-2023-41080 and others'
 	}
 	implementation 'com.h2database:h2:2.2.220'
 	implementation 'org.springdoc:springdoc-openapi-ui:1.7.0'
-	implementation group: 'org.slf4j', name: 'slf4j-api', version: '2.0.7'
 
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
 }

account-service/gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.0.2-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.4-bin.zip
 networkTimeout=10000
+validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists

account-service/gradlew

@@ -83,10 +83,8 @@ done
 # This is normally unused
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
-APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
-
-# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
-DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
+# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
+APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
@@ -133,26 +131,29 @@ location of your Java installation."
     fi
 else
     JAVACMD=java
-    which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+    if ! command -v java >/dev/null 2>&1
+    then
+        die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
 
 Please set the JAVA_HOME variable in your environment to match the
 location of your Java installation."
+    fi
 fi
 
 # Increase the maximum file descriptors if we can.
 if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
     case $MAX_FD in #(
       max*)
         # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
-        # shellcheck disable=SC3045
+        # shellcheck disable=SC2039,SC3045
         MAX_FD=$( ulimit -H -n ) ||
             warn "Could not query maximum file descriptor limit"
     esac
     case $MAX_FD in  #(
       '' | soft) :;; #(
       *)
         # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
-        # shellcheck disable=SC3045
+        # shellcheck disable=SC2039,SC3045
         ulimit -n "$MAX_FD" ||
             warn "Could not set maximum file descriptor limit to $MAX_FD"
     esac
@@ -197,11 +198,15 @@ if "$cygwin" || "$msys" ; then
     done
 fi
 
-# Collect all arguments for the java command;
-#   * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of
-#     shell script including quotes and variable substitutions, so put them in
-#     double quotes to make sure that they get re-expanded; and
-#   * put everything else in single quotes, so that it's not re-expanded.
+
+# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
+
+# Collect all arguments for the java command:
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
+#     and any embedded shellness will be escaped.
+#   * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be
+#     treated as '${Hostname}' itself on the command line.
 
 set -- \
         "-Dorg.gradle.appname=$APP_BASE_NAME" \

account-service/settings.gradle

@@ -4,7 +4,7 @@
  * The settings file is used to specify which projects to include in your build.
  *
  * Detailed information about configuring a multi-project build in Gradle can be found
- * in the user manual at https://docs.gradle.org/8.0.2/userguide/multi_project_builds.html
+ * in the user manual at https://docs.gradle.org/8.4/userguide/multi_project_builds.html
  */
 
 dependencyResolutionManagement {

database/gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.0.2-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.4-bin.zip
 networkTimeout=10000
+validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists

database/gradlew

@@ -83,10 +83,8 @@ done
 # This is normally unused
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
-APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
-
-# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
-DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
+# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
+APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
@@ -133,26 +131,29 @@ location of your Java installation."
     fi
 else
     JAVACMD=java
-    which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+    if ! command -v java >/dev/null 2>&1
+    then
+        die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
 
 Please set the JAVA_HOME variable in your environment to match the
 location of your Java installation."
+    fi
 fi
 
 # Increase the maximum file descriptors if we can.
 if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
     case $MAX_FD in #(
       max*)
         # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
-        # shellcheck disable=SC3045
+        # shellcheck disable=SC2039,SC3045
         MAX_FD=$( ulimit -H -n ) ||
             warn "Could not query maximum file descriptor limit"
     esac
     case $MAX_FD in  #(
       '' | soft) :;; #(
       *)
         # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
-        # shellcheck disable=SC3045
+        # shellcheck disable=SC2039,SC3045
         ulimit -n "$MAX_FD" ||
             warn "Could not set maximum file descriptor limit to $MAX_FD"
     esac
@@ -197,11 +198,15 @@ if "$cygwin" || "$msys" ; then
     done
 fi
 
-# Collect all arguments for the java command;
-#   * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of
-#     shell script including quotes and variable substitutions, so put them in
-#     double quotes to make sure that they get re-expanded; and
-#   * put everything else in single quotes, so that it's not re-expanded.
+
+# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
+
+# Collect all arguments for the java command:
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
+#     and any embedded shellness will be escaped.
+#   * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be
+#     treated as '${Hostname}' itself on the command line.
 
 set -- \
         "-Dorg.gradle.appname=$APP_BASE_NAME" \

database/settings.gradle

@@ -4,7 +4,7 @@
  * The settings file is used to specify which projects to include in your build.
  *
  * Detailed information about configuring a multi-project build in Gradle can be found
- * in the user manual at https://docs.gradle.org/8.0.2/userguide/multi_project_builds.html
+ * in the user manual at https://docs.gradle.org/8.4/userguide/multi_project_builds.html
  */
 
 dependencyResolutionManagement {

position-service/build.gradle

@@ -26,19 +26,18 @@ dependencies {
 		exclude group: 'org.apache.tomcat.embed', module: 'tomcat-embed-websocket'
 		exclude group: 'org.apache.tomcat.embed', module: 'tomcat-embed-el'
 	}
-	implementation('org.apache.tomcat.embed:tomcat-embed-core:10.1.13') {
-		because 'previous versions are affected by CVE-2023-41080'
+	implementation('org.apache.tomcat.embed:tomcat-embed-core:10.1.15') {
+		because 'previous versions are affected by CVE-2023-41080 and others'
 	}
-	implementation('org.apache.tomcat.embed:tomcat-embed-websocket:10.1.13') {
-		because 'previous versions are affected by CVE-2023-41080'
+	implementation('org.apache.tomcat.embed:tomcat-embed-websocket:10.1.15') {
+		because 'previous versions are affected by CVE-2023-41080 and others'
 	}
-	implementation('org.apache.tomcat.embed:tomcat-embed-el:10.1.13') {
-		because 'previous versions are affected by CVE-2023-41080'
+	implementation('org.apache.tomcat.embed:tomcat-embed-el:10.1.15') {
+		because 'previous versions are affected by CVE-2023-41080 and others'
 	}
 	implementation 'com.h2database:h2:2.2.220'
 	implementation 'org.springdoc:springdoc-openapi-ui:1.7.0'
-	implementation group: 'org.slf4j', name: 'slf4j-api', version: '1.7.30'
-
+
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
 
 }

position-service/gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.0.2-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.4-bin.zip
 networkTimeout=10000
+validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists

position-service/gradlew

@@ -83,10 +83,8 @@ done
 # This is normally unused
 # shellcheck disable=SC2034
 APP_BASE_NAME=${0##*/}
-APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit
-
-# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
-DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
+# Discard cd standard output in case $CDPATH is set (https://github.com/gradle/gradle/issues/25036)
+APP_HOME=$( cd "${APP_HOME:-./}" > /dev/null && pwd -P ) || exit
 
 # Use the maximum available, or set MAX_FD != -1 to use that value.
 MAX_FD=maximum
@@ -133,26 +131,29 @@ location of your Java installation."
     fi
 else
     JAVACMD=java
-    which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
+    if ! command -v java >/dev/null 2>&1
+    then
+        die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH.
 
 Please set the JAVA_HOME variable in your environment to match the
 location of your Java installation."
+    fi
 fi
 
 # Increase the maximum file descriptors if we can.
 if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then
     case $MAX_FD in #(
       max*)
         # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked.
-        # shellcheck disable=SC3045
+        # shellcheck disable=SC2039,SC3045
         MAX_FD=$( ulimit -H -n ) ||
             warn "Could not query maximum file descriptor limit"
     esac
     case $MAX_FD in  #(
       '' | soft) :;; #(
       *)
         # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked.
-        # shellcheck disable=SC3045
+        # shellcheck disable=SC2039,SC3045
         ulimit -n "$MAX_FD" ||
             warn "Could not set maximum file descriptor limit to $MAX_FD"
     esac
@@ -197,11 +198,15 @@ if "$cygwin" || "$msys" ; then
     done
 fi
 
-# Collect all arguments for the java command;
-#   * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of
-#     shell script including quotes and variable substitutions, so put them in
-#     double quotes to make sure that they get re-expanded; and
-#   * put everything else in single quotes, so that it's not re-expanded.
+
+# Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script.
+DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"'
+
+# Collect all arguments for the java command:
+#   * DEFAULT_JVM_OPTS, JAVA_OPTS, JAVA_OPTS, and optsEnvironmentVar are not allowed to contain shell fragments,
+#     and any embedded shellness will be escaped.
+#   * For example: A user cannot expect ${Hostname} to be expanded, as it is an environment variable and will be
+#     treated as '${Hostname}' itself on the command line.
 
 set -- \
         "-Dorg.gradle.appname=$APP_BASE_NAME" \

position-service/settings.gradle

@@ -4,7 +4,7 @@
  * The settings file is used to specify which projects to include in your build.
  *
  * Detailed information about configuring a multi-project build in Gradle can be found
- * in the user manual at https://docs.gradle.org/8.0.2/userguide/multi_project_builds.html
+ * in the user manual at https://docs.gradle.org/8.4/userguide/multi_project_builds.html
  */
 
 dependencyResolutionManagement {

trade-processor/build.gradle

@@ -26,21 +26,24 @@ dependencies {
 		exclude group: 'org.apache.tomcat.embed', module: 'tomcat-embed-websocket'
 		exclude group: 'org.apache.tomcat.embed', module: 'tomcat-embed-el'
 	}
-	implementation('org.apache.tomcat.embed:tomcat-embed-core:10.1.13') {
-		because 'previous versions are affected by CVE-2023-41080'
+	implementation('org.apache.tomcat.embed:tomcat-embed-core:10.1.15') {
+		because 'previous versions are affected by CVE-2023-41080 and others'
 	}
-	implementation('org.apache.tomcat.embed:tomcat-embed-websocket:10.1.13') {
-		because 'previous versions are affected by CVE-2023-41080'
+	implementation('org.apache.tomcat.embed:tomcat-embed-websocket:10.1.15') {
+		because 'previous versions are affected by CVE-2023-41080 and others'
 	}
-	implementation('org.apache.tomcat.embed:tomcat-embed-el:10.1.13') {
-		because 'previous versions are affected by CVE-2023-41080'
+	implementation('org.apache.tomcat.embed:tomcat-embed-el:10.1.15') {
+		because 'previous versions are affected by CVE-2023-41080 and others'
+	}
+	implementation('org.json:json:20231013') {
+		because 'previous versions are affected by multiple CVE'
 	}
 	implementation 'com.h2database:h2:2.2.220'
 	implementation 'org.springdoc:springdoc-openapi-ui:1.7.0'
-	implementation 'org.json:json'
-	implementation 'io.socket:socket.io-client:2.1.0'
+	implementation ('io.socket:socket.io-client:2.1.0'){
+		exclude group: 'org.json', module: 'json'
+	}
    	implementation 'io.swagger.core.v3:swagger-core:2.2.15'
-	implementation group: 'org.slf4j', name: 'slf4j-api', version: '1.7.30'
 	implementation 'org.yaml:snakeyaml:2.0'
 
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'

trade-processor/gradle/wrapper/gradle-wrapper.properties

@@ -1,6 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.0.2-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.4-bin.zip
 networkTimeout=10000
+validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists