[DC-795] Catalog - High severity security issue - Upgrade logback-core to 1.2.13 Due Jan 3 #173

Merged: 13 commits into main from rj/dc-795-updatelogbackspringboot, Dec 21, 2023

Conversation

@rjohanek (Contributor) commented Dec 18, 2023

Creates new shared plugin for common and service build.gradle files to inherit from
Updates dependency management plugin
Updates gradle plugin

Updates terra-common-lib (transitive dependency logback core)
Updates terra data repo client to jakarta version
Updates springboot
Updates sam client version
Updates swagger codegen and annotations

@okotsopoulos self-requested a review December 18, 2023 19:41

@okotsopoulos left a comment

Would you be able to help me understand the difference / relationship between common/build.gradle and service/build.gradle? Without understanding, it looks like there could be some redundant dependency definitions between the two but I'm not confident in that.

More critically, it doesn't look like your logback versions have been updated to non-vulnerable versions due to your new spring imports. 1.4.11 is still vulnerable, so if using 1.4.x dependencies you'll need to be at version >= 1.4.12 (the latest version is 1.4.14).

(base) okotsopo@wm111-e35 terra-data-catalog % ./gradlew service:dependencyInsight --dependency logback

> Task :service:dependencyInsight
ch.qos.logback:logback-classic:1.4.11 (selected by rule)
  Variant compile:
    | Attribute Name                 | Provided | Requested    |
    |--------------------------------|----------|--------------|
    | org.gradle.status              | release  |              |
    | org.gradle.category            | library  | library      |
    | org.gradle.libraryelements     | jar      | classes      |
    | org.gradle.usage               | java-api | java-api     |
    | org.gradle.dependency.bundling |          | external     |
    | org.gradle.jvm.environment     |          | standard-jvm |
    | org.gradle.jvm.version         |          | 17           |

ch.qos.logback:logback-classic:1.4.11
\--- org.springframework.boot:spring-boot-starter-logging:3.2.0
     \--- org.springframework.boot:spring-boot-starter:3.2.0
          +--- org.springframework.boot:spring-boot-starter-thymeleaf:3.2.0
          |    \--- compileClasspath (requested org.springframework.boot:spring-boot-starter-thymeleaf)
          +--- org.springframework.boot:spring-boot-starter-jdbc:3.2.0
          |    \--- org.springframework.boot:spring-boot-starter-data-jdbc:3.2.0
          |         \--- compileClasspath (requested org.springframework.boot:spring-boot-starter-data-jdbc)
          +--- org.springframework.boot:spring-boot-starter-web:3.2.0
          |    \--- compileClasspath (requested org.springframework.boot:spring-boot-starter-web)
          \--- org.springframework.boot:spring-boot-starter-json:3.2.0
               \--- org.springframework.boot:spring-boot-starter-web:3.2.0 (*)

ch.qos.logback:logback-core:1.4.11 (selected by rule)
  Variant compile:
    | Attribute Name                 | Provided | Requested    |
    |--------------------------------|----------|--------------|
    | org.gradle.status              | release  |              |
    | org.gradle.category            | library  | library      |
    | org.gradle.libraryelements     | jar      | classes      |
    | org.gradle.usage               | java-api | java-api     |
    | org.gradle.dependency.bundling |          | external     |
    | org.gradle.jvm.environment     |          | standard-jvm |
    | org.gradle.jvm.version         |          | 17           |

ch.qos.logback:logback-core:1.4.11
\--- ch.qos.logback:logback-classic:1.4.11
     \--- org.springframework.boot:spring-boot-starter-logging:3.2.0
          \--- org.springframework.boot:spring-boot-starter:3.2.0
               +--- org.springframework.boot:spring-boot-starter-thymeleaf:3.2.0
               |    \--- compileClasspath (requested org.springframework.boot:spring-boot-starter-thymeleaf)
               +--- org.springframework.boot:spring-boot-starter-jdbc:3.2.0
               |    \--- org.springframework.boot:spring-boot-starter-data-jdbc:3.2.0
               |         \--- compileClasspath (requested org.springframework.boot:spring-boot-starter-data-jdbc)
               +--- org.springframework.boot:spring-boot-starter-web:3.2.0
               |    \--- compileClasspath (requested org.springframework.boot:spring-boot-starter-web)
               \--- org.springframework.boot:spring-boot-starter-json:3.2.0
                    \--- org.springframework.boot:spring-boot-starter-web:3.2.0 (*)

(*) - Indicates repeated occurrences of a transitive dependency subtree. Gradle expands transitive dependency subtrees only once per project; repeat occurrences only display the root of the subtree, followed by this annotation.

Good news though! Spring Boot looks to have pulled in logback 1.4.14 in its upcoming release of 3.2.1 slated for 12/21/23: spring-projects/spring-boot#38809

You could pin the versions for now, then come back later to bump Spring Boot from 3.2.0 -> 3.2.1 and clean up the pins. Or you could play chicken with Spring Boot and wait until their new release to skip the middleman :)

I'm personally in favor of the first, given the proximity to our holiday shut-down, due dates for vulnerability remediation, and potential impact of Spring Boot 3 upgrades… I'm planning to circle back to DrsHub and ECM to clean up those pins once Spring Boot 3.2.1 is out myself.
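The check in the comment above is done by reading Gradle's dependencyInsight output by eye. As an added example (not code from this PR or from the terra-data-catalog project), here is a small Python gate that parses that report, applies the fixed-version floors the reviewer cites (>= 1.2.13 on the 1.2.x line, >= 1.4.12 on the 1.4.x line) and exits non-zero while any selected logback-core or logback-classic is still below them. The 1.3.12 floor for the 1.3.x line, the `check_logback.py` filename, and the "(by constraint)" report are my assumptions; the sample reports are constructed from the output quoted above with the tree rows abbreviated.

```python
"""Gate a Gradle `dependencyInsight` report on minimum fixed logback versions.

Usage (assumed filename check_logback.py):
  ./gradlew service:dependencyInsight --dependency logback \
      --configuration runtimeClasspath | python check_logback.py
Exits 1 if any selected logback-core/logback-classic is below the fix floor.
"""
import re
import sys

# Minimum fixed version per logback release line. 1.2.13 and 1.4.12 are the
# floors named in the review comment; 1.3.12 for the 1.3.x line is an
# assumption taken from the logback release notes, not stated on this page.
MIN_FIXED = {
    (1, 2): (1, 2, 13),
    (1, 3): (1, 3, 12),
    (1, 4): (1, 4, 12),
}

# Matches the header line dependencyInsight prints for a resolved artifact,
# e.g. "ch.qos.logback:logback-core:1.4.11 (selected by rule)" or, after a
# pin, "ch.qos.logback:logback-core:1.4.11 -> 1.4.14". Tree rows start with
# "+---" / "\---" and are deliberately not matched.
HEADER_RE = re.compile(
    r"^(ch\.qos\.logback:logback-(?:core|classic)):"
    r"(\S+?)(?:\s+->\s+(\S+))?(?:\s+\(.*\))?$"
)


def parse_version(text):
    """Numeric prefix of a version string as a tuple: '1.4.11' -> (1, 4, 11)."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_vulnerable(version):
    """True if this logback version is below the fixed floor for its release line."""
    v = parse_version(version)
    line = v[:2]
    if line in MIN_FIXED:
        return v < MIN_FIXED[line]
    # 1.5.x and later post-date the fix; anything older than 1.2 never got it.
    return line < (1, 2)


def find_logback_versions(report):
    """Map each logback coordinate in the report to the version Gradle selected."""
    selected = {}
    for raw in report.splitlines():
        m = HEADER_RE.match(raw.strip())
        if m:
            coord, requested, resolved = m.groups()
            selected[coord] = resolved or requested
    return selected


def vulnerable_artifacts(report):
    """Sorted 'group:artifact:version' strings that still need an upgrade."""
    return sorted(
        f"{coord}:{ver}"
        for coord, ver in find_logback_versions(report).items()
        if is_vulnerable(ver)
    )


# Constructed excerpt of the dependencyInsight output quoted in the review
# comment above (variant table and most tree rows dropped).
SAMPLE_REPORT = """\
> Task :service:dependencyInsight
ch.qos.logback:logback-classic:1.4.11 (selected by rule)
  Variant compile:

ch.qos.logback:logback-classic:1.4.11
\\--- org.springframework.boot:spring-boot-starter-logging:3.2.0

ch.qos.logback:logback-core:1.4.11 (selected by rule)

ch.qos.logback:logback-core:1.4.11
\\--- ch.qos.logback:logback-classic:1.4.11
"""

# Constructed report approximating what Gradle prints once both artifacts
# are pinned to 1.4.14 through a dependency constraint (assumed shape).
PINNED_REPORT = """\
ch.qos.logback:logback-classic:1.4.14 (by constraint)
\\--- ch.qos.logback:logback-classic:1.4.11 -> 1.4.14

ch.qos.logback:logback-core:1.4.14 (by constraint)
\\--- ch.qos.logback:logback-core:1.4.11 -> 1.4.14
"""


if __name__ == "__main__":
    # Read the real report from a pipe; fall back to the constructed sample.
    report = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    bad = vulnerable_artifacts(report)
    for artifact in bad:
        print(f"VULNERABLE: {artifact}")
    sys.exit(1 if bad else 0)
```

dependencyInsight defaults to compileClasspath on a Java project (that is why the tree above bottoms out at `compileClasspath (requested ...)`), so run it a second time with `--configuration runtimeClasspath`, which is the classpath the service actually ships with. After pinning, the header line should read `(by constraint)` or similar and the tree rows show the `1.4.11 -> 1.4.14` redirection; once Spring Boot 3.2.1 brings logback 1.4.14 on its own, the pin can be dropped and the same gate confirms nothing regressed.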

@rjohanek (Contributor, Author) commented Dec 19, 2023

> Would you be able to help me understand the difference / relationship between common/build.gradle and service/build.gradle? Without understanding, it looks like there could be some redundant dependency definitions between the two but I'm not confident in that.
>
> More critically, it doesn't look like your logback versions have been updated to non-vulnerable versions due to your new spring imports. 1.4.11 is still vulnerable, so if using 1.4.x dependencies you'll need to be at version >= 1.4.12 (the latest version is 1.4.14).

Thanks for pointing this out, I just pinned the logback version. As for your first question, it's my understanding that both common/build.gradle and service/build.gradle inherit from the common conventions file but do not depend on each other as they are for separate subprojects. I can try to reduce the number of redundant dependencies by creating a shared plugin.

@okotsopoulos left a comment

Nice work!

@pshapiro4broad (Member) left a comment

A few more comments, overall this looks OK and I wouldn't want to hold it up for these changes, since this is due very soon. Maybe we want a more general cleanup ticket to be picked up later on when we don't have any time pressure.


@rjohanek rjohanek merged commit a058822 into main Dec 21, 2023
12 checks passed
@rjohanek rjohanek deleted the rj/dc-795-updatelogbackspringboot branch December 21, 2023 21:19