Kong
diff --git a/‎.github/dependabot.yml‎
Lines changed: 19 additions & 0 deletions b/‎.github/dependabot.yml‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎.github/workflows/kong-image-release.yaml‎
Lines changed: 53 additions & 24 deletions b/‎.github/workflows/kong-image-release.yaml‎
Lines changed: 53 additions & 24 deletions
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎DOCKER_COMPOSE_GUIDE.md‎
Lines changed: 140 additions & 0 deletions b/‎DOCKER_COMPOSE_GUIDE.md‎
Lines changed: 140 additions & 0 deletions
diff --git a/‎SECURITY.md‎
Lines changed: 60 additions & 0 deletions b/‎SECURITY.md‎
Lines changed: 60 additions & 0 deletions
@@ -5,7 +5,26 @@
 
 version: 2
 updates:
+  # Keep GitHub Actions up to date
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "github-actions"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+
+  # Keep Maven dependencies up to date
   - package-ecosystem: "maven" # See documentation for possible values
     directory: "/" # Location of package manifests
     schedule:
       interval: "weekly"
+    labels:
+      - "dependencies"
+      - "maven"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
@@ -9,24 +9,52 @@ env:
   ECR_PROD_ROLE: arn:aws:iam::910202568813:role/ecr-github-kong-julie
 
 jobs:
-  release-details:
-    name: Make Release Date
+  determine-version:
+    name: Determine Next Version
     runs-on: ubuntu-latest
     outputs:
-      release_date: ${{ steps.date.outputs.release_date }}
+      version: ${{ steps.bump.outputs.version }}
     steps:
-      - name: Get current date
-        id: date
-        run: echo "::set-output name=release_date::$(date +'%Y-%m-%d-%H-%M')"
+      - name: Checkout code
+        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1
+        with:
+          fetch-depth: 0  # Fetch all history for tags
+
+      - name: Get latest tag and bump version
+        id: bump
+        run: |
+          # Get the latest tag that matches v*.*.* pattern
+          LATEST_TAG=$(git tag -l "v*.*.*" | sort -V | tail -n 1)
+          
+          if [ -z "$LATEST_TAG" ]; then
+            # No tags found, start with v0.1.0
+            NEW_VERSION="v0.1.0"
+            echo "No existing tags found. Starting with $NEW_VERSION"
+          else
+            echo "Latest tag: $LATEST_TAG"
+            # Remove 'v' prefix and split version
+            VERSION_NO_V="${LATEST_TAG#v}"
+            MAJOR=$(echo $VERSION_NO_V | cut -d. -f1)
+            MINOR=$(echo $VERSION_NO_V | cut -d. -f2)
+            PATCH=$(echo $VERSION_NO_V | cut -d. -f3)
+            
+            # Increment patch version
+            NEW_PATCH=$((PATCH + 1))
+            NEW_VERSION="v${MAJOR}.${MINOR}.${NEW_PATCH}"
+            echo "Bumping from $LATEST_TAG to $NEW_VERSION"
+          fi
+          
+          echo "version=$NEW_VERSION" >> $GITHUB_OUTPUT
+          echo "Next version will be: $NEW_VERSION"
 
   release-image:
     name: Release Image
     runs-on: ubuntu-latest
-    needs: release-details
-    if: ${{needs.release-details.result == 'success'}}
+    needs: determine-version
+    if: ${{needs.determine-version.result == 'success'}}
     environment: prod
     permissions:
-        contents: read
+        contents: write
         id-token: write
     steps:
       - name: Checkout code
@@ -35,22 +63,12 @@ jobs:
       - name: Set up the JDK
         uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 #4.7.1
         with:
-          java-version: 11
+          java-version: 17
           distribution: temurin
           cache: maven
 
       - name: Build with Maven
-        run: mvn -B package --file pom.xml
-
-      - name: copy fat jar
-        run: cp ./target/julie-ops.jar release/docker
-
-      - name: copy runner file
-        run: cp ./src/main/scripts/julie-ops-cli.sh release/docker
-
-      - name: list files (release dir)
-        run: ls -l
-        working-directory: release/docker
+        run: mvn -B package -DskipTests --file pom.xml
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 #v3.10.0
@@ -65,12 +83,23 @@ jobs:
       - name: Login to ECR
         uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 #v2.0.1
         with:
-          registry: ${{ env.ECR_ACCOUNT_ID }}
+          registries: ${{ env.ECR_ACCOUNT_ID }}
 
       - name: Build and push Docker image
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
         with:
-          context: release/docker
+          context: .
           file: release/docker/Dockerfile
           push: true
-          tags: ${{ env.ECR_PROD_REGISTRY }}:${{ needs.release-details.outputs.release_date }}
+          build-args: |
+            BASE_IMAGE_PREFIX=910202568813.dkr.ecr.us-east-2.amazonaws.com/dockerhub/library/
+          tags: |
+            ${{ env.ECR_PROD_REGISTRY }}:${{ needs.determine-version.outputs.version }}
+            ${{ env.ECR_PROD_REGISTRY }}:latest
+
+      - name: Create Git tag
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git tag -a ${{ needs.determine-version.outputs.version }} -m "Release ${{ needs.determine-version.outputs.version }}"
+          git push origin ${{ needs.determine-version.outputs.version }}
@@ -15,3 +15,4 @@ private.key
 rpm-gen-key
 .s3/
 .mvn
+.vscode/settings.json
@@ -0,0 +1,140 @@
+# Docker Compose Test Environment
+
+This docker-compose setup creates a complete testing environment with:
+- **Kafka** (port 9092)
+- **Zookeeper** (port 2181)
+- **Kafbat UI** (port 8080)
+- **Julie-Ops** (Kafka Topology Builder)
+
+## Quick Start
+
+1. **Start all services:**
+   ```bash
+   docker-compose up -d
+   ```
+
+2. **Access Kafbat UI:**
+   Open your browser to http://localhost:8080 to view and manage Kafka topics
+
+3. **Run Julie-Ops commands:**
+   ```bash
+   # Exec into the julie-ops container
+   docker-compose exec julie-ops bash
+   
+   # Example: Run topology builder with the example descriptor
+   julie-ops-cli.sh \
+     --brokers kafka:29092 \
+     --clientConfig /config/topology-builder-docker.properties \
+     --topology /config/descriptor-docker-test.yaml
+   
+   # Or run directly without exec
+   docker-compose exec julie-ops julie-ops-cli.sh \
+     --brokers kafka:29092 \
+     --clientConfig /config/topology-builder-docker.properties \
+     --topology /config/descriptor-docker-test.yaml
+   ```
+
+4. **View logs:**
+   ```bash
+   # All services
+   docker-compose logs -f
+   
+   # Specific service
+   docker-compose logs -f kafka
+   docker-compose logs -f julie-ops
+   ```
+
+5. **Stop all services:**
+   ```bash
+   docker-compose down
+   ```
+
+## Julie-Ops Configuration
+
+The julie-ops container mounts two volumes:
+- `./example` → `/config` (contains properties and descriptor files)
+- `./topologies` → `/topologies` (for custom topology files)
+
+### Example Usage
+
+Create a simple topology descriptor in `example/descriptor-test.yaml`:
+
+```yaml
+---
+context: "test"
+projects:
+  - name: "myProject"
+    topics:
+      - name: "test.topic.a"
+        config:
+          replication.factor: "1"
+          num.partitions: "3"
+      - name: "test.topic.b"
+        config:
+          replication.factor: "1"
+          num.partitions: "1"
+```
+
+Then run:
+```bash
+docker-compose exec julie-ops julie-ops-cli.sh \
+  --brokers kafka:29092 \
+  --clientConfig /config/topology-builder-docker.properties \
+  --topology /config/descriptor-test.yaml
+```
+
+## Useful Commands
+
+### Kafka Producer/Consumer Testing
+```bash
+# Produce messages
+docker-compose exec kafka kafka-console-producer \
+  --bootstrap-server localhost:9092 \
+  --topic test.topic.a
+
+# Consume messages
+docker-compose exec kafka kafka-console-consumer \
+  --bootstrap-server localhost:9092 \
+  --topic test.topic.a \
+  --from-beginning
+```
+
+### List Topics
+```bash
+docker-compose exec kafka kafka-topics \
+  --bootstrap-server localhost:9092 \
+  --list
+```
+
+## Troubleshooting
+
+### Kafka not starting
+- Ensure ports 9092 and 2181 are not already in use
+- Check logs: `docker-compose logs kafka`
+
+### Julie-Ops connection issues
+- Verify Kafka is running: `docker-compose ps`
+- Check bootstrap server in config files points to `kafka:29092` (internal) or `localhost:9092` (from host)
+
+### Clean restart
+```bash
+# Stop and remove all containers and volumes
+docker-compose down -v
+
+# Rebuild and start
+docker-compose up -d
+```
+
+## Ports
+
+- **9092** - Kafka (external access)
+- **29092** - Kafka (internal docker network)
+- **2181** - Zookeeper
+- **8080** - Kafbat UI
+
+## Notes
+
+- This is a **development/testing** setup with minimal configuration
+- No authentication/authorization configured
+- Single Kafka broker with replication factor 1
+- Data is ephemeral (removed with `docker-compose down -v`)
@@ -0,0 +1,60 @@
+# Security Notice
+
+## Fixed CVE Vulnerabilities
+
+### ✅ CVE-2024-47561 - Apache Avro (CRITICAL) - FIXED
+- **Affected Version**: 1.11.3
+- **Fixed Version**: 1.11.4
+- **Issue**: Arbitrary Code Execution when reading Avro Data
+- **Status**: **RESOLVED** - Upgraded to avro 1.11.4
+
+## Known CVE Vulnerabilities
+
+### ⚠️ GHSA-72hv-8253-57qq - Jackson Core (HIGH) - NO FIX AVAILABLE YET
+- **Affected Versions**: All versions including 2.19.0
+- **Issue**: Number Length Constraint Bypass in Async Parser Leads to Potential DoS
+- **Status**: **MONITORING** - Using latest Jackson version (2.19.0), awaiting upstream fix
+
+#### Description
+The non-blocking (async) JSON parser in jackson-core bypasses the maxNumberLength constraint (default: 1000 characters) defined in StreamReadConstraints. This allows an attacker to send JSON with arbitrarily long numbers through the async parser API, leading to excessive memory allocation and potential CPU exhaustion.
+
+#### Impact
+- Memory Exhaustion: Unbounded allocation of memory in the TextBuffer
+- CPU Exhaustion: O(n²) BigInteger parsing operations
+
+#### Mitigation Recommendations
+Until a patch is available:
+
+1. **Configure StreamReadConstraints explicitly**:
+   ```java
+   StreamReadConstraints constraints = StreamReadConstraints.builder()
+       .maxNumberLength(1000)  // Enforce limit explicitly
+       .build();
+   JsonFactory factory = JsonFactory.builder()
+       .streamReadConstraints(constraints)
+       .build();
+   ```
+
+2. **Avoid async parsers** if possible - use synchronous parsers which correctly enforce the constraint
+
+3. **Input validation** - Implement additional validation layers for JSON inputs from untrusted sources
+
+4. **Rate limiting** - Implement rate limiting on endpoints that parse JSON
+
+5. **Monitor** - Watch for updates to Jackson library: https://github.com/FasterXML/jackson-core
+
+## Vulnerability Scanning
+
+This project was scanned for CVEs on March 20, 2026. To re-scan dependencies:
+
+```bash
+# Check for updates to dependencies with known CVEs
+mvn versions:display-dependency-updates
+
+# Force update to latest versions (review carefully)
+mvn versions:use-latest-releases
+```
+
+## Reporting Security Issues
+
+If you discover a security vulnerability in this project, please report it privately by emailing the maintainers.