Merge branch 'main' into NIAD-3393

Author: MartinWheelerMT

.github/workflows/release.yml

@@ -1,16 +1,18 @@
 on:
-  push:
-    tags: "*"
+  release:
+    types: [published]
 
 jobs:
   push_to_dockerhub:
     strategy:
       matrix:
-        image:
-          - {folder: service, dockerhub_name: nia-gp2gp-adaptor}
+        config:
+          - folder: service
+            dockerhub_name: nia-gp2gp-adaptor
+            upload_url: ${{ github.event.release.upload_url }}
     uses: NHSDigital/integration-adaptor-actions/.github/workflows/release-adaptor-container-image.yml@main
     with:
-        dockerhub_name: ${{matrix.image.dockerhub_name}}
-        folder: ${{matrix.image.folder}}
-
+        folder: ${{ matrix.config.folder }}
+        dockerhub_name: ${{ matrix.config.dockerhub_name }}
+        upload_url: ${{ matrix.config.upload_url }}
     secrets: inherit

e2e-tests/build.gradle

@@ -16,17 +16,18 @@ dependencies {
     implementation 'org.apache.qpid:qpid-jms-client:2.7.0'
     implementation "org.apache.geronimo.specs:geronimo-jms_1.1_spec:1.1.1"
     implementation 'org.mongodb:mongo-java-driver:3.12.14'
+    testImplementation(platform('org.junit:junit-bom:5.13.4'))
+    testImplementation 'org.junit.jupiter:junit-jupiter'
     testImplementation 'com.fasterxml.jackson.core:jackson-databind:2.19.2'
     testImplementation 'com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.19.2'
     testImplementation 'commons-io:commons-io:2.20.0'
     testImplementation 'org.awaitility:awaitility:4.3.0'
-    testImplementation 'org.junit.jupiter:junit-jupiter-api:5.11.4'
     testImplementation "org.assertj:assertj-core:3.27.4"
     testImplementation 'ch.qos.logback:logback-classic:1.5.18'
     testImplementation 'org.xmlunit:xmlunit-assertj3:2.10.3'
     testImplementation 'org.apache.httpcomponents.client5:httpclient5:5.5'
 
-    testRuntimeOnly 'org.junit.jupiter:junit-jupiter-engine:5.11.4'
+    testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
 }
 
 tasks.withType(Test) {

scripts/config/.syft.yaml

@@ -0,0 +1,83 @@
+# a list of globs to exclude from scanning. same as --exclude ; for example:
+# exclude:
+#   - "/etc/**"
+#   - "./out/**/*.json"
+exclude:
+  - ./.git/**
+
+# maximum number of workers used to process the list of package catalogers in parallel
+parallelism: 3
+
+# cataloging packages is exposed through the packages and power-user subcommands
+package:
+  # search within archives that do contain a file index to search against (zip)
+  # note: for now this only applies to the java package cataloger
+  # SYFT_PACKAGE_SEARCH_INDEXED_ARCHIVES env var
+  search-indexed-archives: true
+  # search within archives that do not contain a file index to search against (tar, tar.gz, tar.bz2, etc)
+  # note: enabling this may result in a performance impact since all discovered compressed tars will be decompressed
+  # note: for now this only applies to the java package cataloger
+  # SYFT_PACKAGE_SEARCH_UNINDEXED_ARCHIVES env var
+  search-unindexed-archives: true
+  cataloger:
+    # enable/disable cataloging of packages
+    # SYFT_PACKAGE_CATALOGER_ENABLED env var
+    enabled: true
+    # the search space to look for packages (options: all-layers, squashed)
+    # same as -s ; SYFT_PACKAGE_CATALOGER_SCOPE env var
+    scope: "squashed"
+
+# cataloging file contents is exposed through the power-user subcommand
+file-contents:
+  cataloger:
+    # enable/disable cataloging of secrets
+    # SYFT_FILE_CONTENTS_CATALOGER_ENABLED env var
+    enabled: true
+    # the search space to look for secrets (options: all-layers, squashed)
+    # SYFT_FILE_CONTENTS_CATALOGER_SCOPE env var
+    scope: "squashed"
+  # skip searching a file entirely if it is above the given size (default = 1MB; unit = bytes)
+  # SYFT_FILE_CONTENTS_SKIP_FILES_ABOVE_SIZE env var
+  skip-files-above-size: 1048576
+  # file globs for the cataloger to match on
+  # SYFT_FILE_CONTENTS_GLOBS env var
+  globs: []
+
+# cataloging file metadata is exposed through the power-user subcommand
+file-metadata:
+  cataloger:
+    # enable/disable cataloging of file metadata
+    # SYFT_FILE_METADATA_CATALOGER_ENABLED env var
+    enabled: true
+    # the search space to look for file metadata (options: all-layers, squashed)
+    # SYFT_FILE_METADATA_CATALOGER_SCOPE env var
+    scope: "squashed"
+  # the file digest algorithms to use when cataloging files (options: "sha256", "md5", "sha1")
+  # SYFT_FILE_METADATA_DIGESTS env var
+  digests: ["sha256"]
+
+# cataloging secrets is exposed through the power-user subcommand
+secrets:
+  cataloger:
+    # enable/disable cataloging of secrets
+    # SYFT_SECRETS_CATALOGER_ENABLED env var
+    enabled: true
+    # the search space to look for secrets (options: all-layers, squashed)
+    # SYFT_SECRETS_CATALOGER_SCOPE env var
+    scope: "all-layers"
+  # show extracted secret values in the final JSON report
+  # SYFT_SECRETS_REVEAL_VALUES env var
+  reveal-values: false
+  # skip searching a file entirely if it is above the given size (default = 1MB; unit = bytes)
+  # SYFT_SECRETS_SKIP_FILES_ABOVE_SIZE env var
+  skip-files-above-size: 1048576
+  # name-regex pairs to consider when searching files for secrets. Note: the regex must match single line patterns
+  # but may also have OPTIONAL multiline capture groups. Regexes with a named capture group of "value" will
+  # use the entire regex to match, but the secret value will be assumed to be entirely contained within the
+  # "value" named capture group.
+  additional-patterns: {}
+  # names to exclude from the secrets search, valid values are: "aws-access-key", "aws-secret-key", "pem-private-key",
+  # "docker-config-auth", and "generic-api-key". Note: this does not consider any names introduced in the
+  # "secrets.additional-patterns" config option.
+  # SYFT_SECRETS_EXCLUDE_PATTERN_NAMES env var
+  exclude-pattern-names: []

scripts/sbom-generator.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+
+set -e
+
+# Script to generate SBOM (Software Bill of Materials) for the repository
+# content and any artefact created by the CI/CD pipeline.
+#
+# Usage:
+#   $ ./generate-sbom.sh
+#
+# Options:
+#   VERBOSE=true  # Show all the executed commands, default is `false`
+
+# ==============================================================================
+
+# SEE: https://github.com/anchore/syft/pkgs/container/syft, use the `linux/amd64` os/arch
+image_version=v0.84.1@sha256:9a8f80eee3984d4a3f9a86e4d66e739e30dfc34564d76d3574f98798db5d5b35
+
+# ==============================================================================
+
+function main() {
+  echo $BUILD_SOURCESIRECTORY
+  create-sbom
+  enrich-sbom
+}
+
+function create-sbom() {
+
+  docker run --rm --platform linux/amd64 \
+    --volume $PWD:/scan \
+    --workdir /scan \
+    ghcr.io/anchore/syft:$image_version \
+      packages dir:/scan \
+      --config /scan/scripts/config/.syft.yaml \
+      --output spdx-json=/scan/sbom-spdx.tmp.json
+}
+
+function enrich-sbom() {
+
+  git_url=$(git config --get remote.origin.url)
+  git_branch=$(git rev-parse --abbrev-ref HEAD)
+  git_commit_hash=$(git rev-parse HEAD)
+  git_tags=$(echo \"$(git tag | tr '\n' ',' | sed 's/,$//' | sed 's/,/","/g')\" | sed 's/""//g')
+  pipeline_run_id=${BUILD_BUILDID:-0}
+  pipeline_run_number=${BUILD_BUILDNUMBER:-0}
+  pipeline_run_attempt=${GITHUB_RUN_ATTEMPT:-0}
+  echo "pipeline_run_attempt: ${pipeline_run_id}"
+  docker run --rm --platform linux/amd64 \
+    --volume $PWD:/repo \
+    --workdir /repo \
+    ghcr.io/make-ops-tools/jq:latest \
+      '.creationInfo |= . + {"repository":{"url":"'${git_url}'","branch":"'${git_branch}'","tags":['${git_tags}'],"commitHash":"'${git_commit_hash}'"},"pipeline":{"id":'${pipeline_run_id}',"number":'${pipeline_run_number}',"attempt":'${pipeline_run_attempt}'}}' \
+      sbom-spdx.tmp.json \
+        > sbom-spdx.json
+  rm -f sbom-spdx.tmp.json
+}
+
+function is_arg_true() {
+
+  if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+# ==============================================================================
+
+is_arg_true "$VERBOSE" && set -x
+
+main $*
+
+exit 0

service/build.gradle

@@ -71,8 +71,8 @@ dependencies {
 	testImplementation 'org.testcontainers:junit-jupiter:1.21.3'
 	testImplementation 'org.awaitility:awaitility:4.3.0'
 	testImplementation 'org.wiremock:wiremock-standalone:3.13.1'
-	testImplementation 'com.squareup.okhttp3:okhttp:4.12.0'
-	testImplementation 'com.squareup.okhttp3:mockwebserver:4.12.0'
+	testImplementation 'com.squareup.okhttp3:okhttp:5.1.0'
+	testImplementation 'com.squareup.okhttp3:mockwebserver3:5.1.0'
 	testImplementation 'com.adobe.testing:s3mock-testcontainers:4.7.0'
 
    pitest 'com.arcmutate:base:1.3.2'

service/src/intTest/java/uk/nhs/adaptors/gp2gp/gpc/GpcWebClientTest.java

@@ -13,8 +13,12 @@
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Objects;
+import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
 
+import mockwebserver3.MockResponse;
+import mockwebserver3.MockWebServer;
+
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
@@ -27,9 +31,6 @@
 import org.springframework.test.context.bean.override.mockito.MockitoSpyBean;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 
-import okhttp3.mockwebserver.MockResponse;
-import okhttp3.mockwebserver.MockWebServer;
-import okhttp3.mockwebserver.SocketPolicy;
 import uk.nhs.adaptors.gp2gp.common.exception.RetryLimitReachedException;
 import uk.nhs.adaptors.gp2gp.gpc.builder.GpcTokenBuilder;
 import uk.nhs.adaptors.gp2gp.gpc.configuration.GpcConfiguration;
@@ -69,33 +70,30 @@ public class GpcWebClientTest {
     private GpcClient gpcWebClient;
 
     private static MockResponse initialiseOKResponse() {
-        MockResponse response = new MockResponse();
-        response.setResponseCode(OK.value())
-            .setBody(TEST_BODY);
-
-        return response;
+        return new MockResponse.Builder()
+            .code(OK.value())
+            .body(TEST_BODY)
+            .build();
     }
 
     private static MockResponse initialise500Response() {
-        MockResponse response = new MockResponse();
-        response.setResponseCode(INTERNAL_SERVER_ERROR.value());
-        response.setBody(TEST_BODY);
-
-        return response;
+        return new MockResponse.Builder()
+            .code(INTERNAL_SERVER_ERROR.value())
+            .body(TEST_BODY)
+            .build();
     }
 
     private static MockResponse initialise500ResponseNoBody() {
-        MockResponse response = new MockResponse();
-        response.setResponseCode(INTERNAL_SERVER_ERROR.value());
-
-        return response;
+        return new MockResponse.Builder()
+            .code(INTERNAL_SERVER_ERROR.value())
+            .build();
     }
 
     private static MockResponse initialiseNoResponse() {
-        MockResponse response = new MockResponse();
-        response.setSocketPolicy(SocketPolicy.NO_RESPONSE);
-
-        return response;
+        return new MockResponse.Builder()
+            .bodyDelay(1, TimeUnit.HOURS)
+            .headersDelay(1, TimeUnit.HOURS)
+            .build();
     }
 
     @BeforeEach
@@ -107,8 +105,8 @@ public void initialise() throws IOException {
     }
 
     @AfterEach
-    public void tearDown() throws IOException {
-        mockWebServer.shutdown();
+    public void tearDown() {
+        mockWebServer.close();
     }
 
     @Test
@@ -254,7 +252,7 @@ void When_GetStructuredRecord_With_HttpStatus200_Expect_AuthorizationHeaderToBeP
         gpcWebClient.getStructuredRecord(taskDefinition);
         tokens.add(Objects.requireNonNull(mockWebServer
                         .takeRequest()
-                        .getHeader(HttpHeaders.AUTHORIZATION))); // Add token from Authorisation header (WebClient call).
+                        .getHeaders().get(HttpHeaders.AUTHORIZATION))); // Add token from Authorisation header (WebClient call).
 
         // then
         final long distinctTokens = tokens.stream().distinct().count();