Fix build issues and address CVEs (#265)

* Fix .net core build in security job

* Adding dependency bumps to address CVE scan and freshen dependencies

* fixing a docker issue encountered when running security action

* Attempt to find non CVE version of Json

* suppress CVE for json

* More Vuln Fixes

* fixed gradle builds

* update docker build action

* Fixed docker build

* Fixed acct

* Upgraded Spring Boot and Fixed Builds

* More dependency fixes

* Address okhttp vulnerability

* okhttp

Author: DovOps

.github/dotnet-cve-ignore-list.xml

@@ -6,4 +6,10 @@
         <filePath regex="true">.*\bSerilog\.Sinks\.Async\.dll</filePath>
         <cve>CVE-2021-43138</cve>
     </suppress>
+
+    <suppress>
+        <notes><![CDATA[System.Text.Json is used in a safe context - see https://nvd.nist.gov/vuln/detail/CVE-2024-43485]]></notes>
+        <filePath regex="true">.*\bPeopleService\.Core\.csproj</filePath>
+        <cve>CVE-2024-43485</cve>
+    </suppress>
 </suppressions>

.github/workflows/security.yml

@@ -70,6 +70,10 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: 9.0.x
       - name: Build project with dotnet
         run: dotnet build --configuration Release
         working-directory: ${{ matrix.module-folder }}
@@ -157,7 +161,12 @@ jobs:
             'reference-data']
     steps:
       - uses: actions/checkout@v4
-      - uses: docker-practice/actions-setup-docker@master
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Configure Docker Daemon
+        run: |
+          echo '{"experimental": true}' | sudo tee /etc/docker/daemon.json
+          sudo systemctl restart docker
       - name: Build
         run: docker build -f Dockerfile -t user/app:latest .
         working-directory: ${{ matrix.module-folder }}

account-service/build.gradle

@@ -7,29 +7,30 @@
 
 plugins {
   id 'java'
-  id 'org.springframework.boot' version '3.3.7'
+  id 'org.springframework.boot' version '3.4.4'
   id 'io.spring.dependency-management' version '1.1.7'
 }
 
 group = 'finos.traderx.account-service'
 version = '0.0.1-SNAPSHOT'
 
-java{
-	sourceCompatibility = JavaVersion.VERSION_21
+java {
+    sourceCompatibility = JavaVersion.VERSION_21
 }
 
 dependencies {
 
-	implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
-	implementation 'org.springframework.boot:spring-boot-starter-web'
-	implementation 'com.h2database:h2:2.2.224'
-	implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.6.0'
+    implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
+    implementation 'org.springframework.boot:spring-boot-starter-web'
+    implementation 'com.h2database:h2:2.2.224'
 
-    implementation ('ch.qos.logback:logback-core:1.5.15'){
-		because 'version brought in by spring boot 3.3.7 affected by CVE-2024-12798'
-	}
+    implementation ('org.springdoc:springdoc-openapi-starter-webmvc-ui:2.8.6')
+ 
+    // Add compatible logback-classic version
+    implementation 'ch.qos.logback:logback-core:1.5.15'
+    implementation 'ch.qos.logback:logback-classic:1.5.15' // Ensure compatibility
 
-	testImplementation 'org.springframework.boot:spring-boot-starter-test'
+    testImplementation 'org.springframework.boot:spring-boot-starter-test'
 }
 
 tasks.withType(Test).configureEach {

people-service/PeopleService.Core/PeopleService.Core.csproj

@@ -12,7 +12,7 @@
     <PackageReference Include="FluentValidation.AspNetCore" Version="11.3.0" /> <!-- Updated version -->
     <PackageReference Include="JetBrains.Annotations" Version="2024.3.0" />
     <PackageReference Include="MediatR" Version="12.4.1" />
-    <PackageReference Include="System.Text.Json" Version="9.0.2" />
+    <PackageReference Include="System.Text.Json" Version="9.0.3" />
   </ItemGroup>
 
 </Project>

people-service/PeopleService.WebApi/PeopleService.WebApi.csproj

@@ -13,7 +13,7 @@
     <PackageReference Include="MediatR" Version="12.4.1" />
     <PackageReference Include="Serilog.AspNetCore" Version="9.0.0" />
     <PackageReference Include="Serilog.Extensions.Logging.File" Version="3.0.0" />
-    <PackageReference Include="Swashbuckle.AspNetCore" Version="7.3.1" />
+    <PackageReference Include="Swashbuckle.AspNetCore" Version="8.0.0" />
   </ItemGroup>
 
   <ItemGroup>

position-service/build.gradle

@@ -7,29 +7,30 @@
 
 plugins {
   id 'java'
-  id 'org.springframework.boot' version '3.3.7'
+  id 'org.springframework.boot' version '3.4.4'
   id 'io.spring.dependency-management' version '1.1.7'
 }
 
 group = 'finos.traderx.position-service'
 version = '0.0.1-SNAPSHOT'
 
-java{
-	sourceCompatibility = JavaVersion.VERSION_21
+java {
+    sourceCompatibility = JavaVersion.VERSION_21
 }
 
 dependencies {
 
-	implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
-	implementation 'org.springframework.boot:spring-boot-starter-web'
-	implementation 'com.h2database:h2:2.2.224'
-	implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.6.0'
+    implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
+    implementation 'org.springframework.boot:spring-boot-starter-web'
+    implementation 'com.h2database:h2:2.2.224'
+    implementation ('org.springdoc:springdoc-openapi-starter-webmvc-ui:2.8.6') 
 
-	implementation ('ch.qos.logback:logback-core:1.5.15'){
-		because 'version brought in by spring boot 3.3.7 affected by CVE-2024-12798'
-	}
+    implementation ('ch.qos.logback:logback-core:1.5.15') {
+        because 'version brought in by spring boot 3.3.7 affected by CVE-2024-12798'
+    }
+    implementation 'ch.qos.logback:logback-classic:1.5.15' // Ensure compatibility
 
-	testImplementation 'org.springframework.boot:spring-boot-starter-test'
+    testImplementation 'org.springframework.boot:spring-boot-starter-test'
 }
 
 tasks.withType(Test).configureEach {

reference-data/Dockerfile

@@ -2,6 +2,8 @@ FROM --platform=$BUILDPLATFORM node:23 AS builder
 WORKDIR /usr/src/app
 COPY package*.json ./
 RUN npm install --only=production
+RUN npm install @nestjs/cli
+
 COPY . .
 RUN npm run build
 

reference-data/package.json

@@ -20,39 +20,39 @@
     "test:e2e": "jest --config ./test/jest-e2e.json"
   },
   "dependencies": {
-    "@nestjs/common": "^10.4.15",
-    "@nestjs/core": "^10.4.15",
-    "@nestjs/platform-express": "^10.4.15",
-    "@nestjs/swagger": "^8.1.0",
-    "@nestjs/terminus": "^10.2.3",
+    "@nestjs/common": "^11.0.12",
+    "@nestjs/core": "^11.0.12",
+    "@nestjs/platform-express": "^11.0.12",
+    "@nestjs/swagger": "^11.1.0",
+    "@nestjs/terminus": "^11.0.0",
     "csv-reader": "^1.0.12",
-    "npm-check-updates": "^17.1.13",
+    "npm-check-updates": "^17.1.16",
     "reflect-metadata": "^0.2.2",
-    "rxjs": "^7.8.1"
+    "rxjs": "^7.8.2"
   },
   "devDependencies": {
-    "@nestjs/cli": "^10.4.9",
-    "@nestjs/schematics": "^10.2.3",
-    "@nestjs/testing": "^10.4.15",
-    "@tsconfig/node20": "20.1.4",
-    "@types/express": "^5.0.0",
+    "@nestjs/cli": "^11.0.5",
+    "@nestjs/schematics": "^11.0.2",
+    "@nestjs/testing": "^11.0.12",
+    "@tsconfig/node20": "20.1.5",
+    "@types/express": "^5.0.1",
     "@types/jest": "29.5.14",
-    "@types/node": "22.10.2",
-    "@types/supertest": "^6.0.2",
-    "@typescript-eslint/eslint-plugin": "^8.19.0",
-    "@typescript-eslint/parser": "^8.19.0",
-    "eslint": "^9.17.0",
-    "eslint-config-prettier": "^9.1.0",
-    "eslint-plugin-prettier": "^5.2.1",
+    "@types/node": "22.13.14",
+    "@types/supertest": "^6.0.3",
+    "@typescript-eslint/eslint-plugin": "^8.28.0",
+    "@typescript-eslint/parser": "^8.28.0",
+    "eslint": "^9.23.0",
+    "eslint-config-prettier": "^10.1.1",
+    "eslint-plugin-prettier": "^5.2.5",
     "jest": "29.7.0",
-    "prettier": "^3.4.2",
+    "prettier": "^3.5.3",
     "source-map-support": "^0.5.21",
-    "supertest": "^7.0.0",
-    "ts-jest": "29.2.5",
-    "ts-loader": "^9.5.1",
+    "supertest": "^7.1.0",
+    "ts-jest": "29.3.0",
+    "ts-loader": "^9.5.2",
     "ts-node": "^10.9.2",
     "tsconfig-paths": "4.2.0",
-    "typescript": "^5.7.2"
+    "typescript": "^5.8.2"
   },
   "jest": {
     "moduleFileExtensions": [

trade-feed/package.json

@@ -12,7 +12,7 @@
   "dependencies": {
     "cors": "^2.8.5",
     "express": "^5.0.1",
-    "npm-check-updates": "^17.1.13",
+    "npm-check-updates": "^17.1.16",
     "socket.io": "^4.8.1",
     "winston": "^3.17.0"
   }

trade-processor/build.gradle

@@ -7,36 +7,45 @@
 
 plugins {
   id 'java'
-  id 'org.springframework.boot' version '3.3.7'
+  id 'org.springframework.boot' version '3.4.4'
   id 'io.spring.dependency-management' version '1.1.7'
 }
 
 group = 'finos.traderx.trade-processor'
 version = '0.0.1-SNAPSHOT'
 
-java{
-	sourceCompatibility = JavaVersion.VERSION_21
+java {
+    sourceCompatibility = JavaVersion.VERSION_21
 }
 
 dependencies {
-    
-	implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
-	implementation 'org.springframework.boot:spring-boot-starter-web'
-	implementation 'com.h2database:h2:2.2.224'
-	implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.6.0'
-	
-	implementation('org.json:json:20240303') {
-		because 'previous versions are affected by multiple CVE'
-	}
-	implementation ('io.socket:socket.io-client:2.1.1'){
-		exclude group: 'org.json', module: 'json'
-	}
-
-    implementation ('ch.qos.logback:logback-core:1.5.15'){
-		because 'version brought in by spring boot 3.3.7 affected by CVE-2024-12798'
-	}
-
-	testImplementation 'org.springframework.boot:spring-boot-starter-test'
+
+    implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
+    implementation 'org.springframework.boot:spring-boot-starter-web'
+    implementation 'com.h2database:h2:2.2.224'
+    implementation 'org.springdoc:springdoc-openapi-starter-webmvc-ui:2.6.0'
+
+    implementation('org.json:json:20240303') {
+        because 'previous versions are affected by multiple CVE'
+    }
+    implementation ('io.socket:socket.io-client:2.1.2') {
+        exclude group: 'org.json', module: 'json'
+    }
+
+    implementation ('org.springdoc:springdoc-openapi-starter-webmvc-ui:2.8.6') 
+    implementation ('org.springframework.boot:spring-boot-starter-web')
+
+    // Override okhttp and okio versions to address vulnerabilities
+    implementation 'com.squareup.okhttp3:okhttp:4.12.0' // Suggested version
+    // implementation 'com.squareup.okio:okio:1.17.5' // Latest compatible version for okhttp 3.14.9
+
+    // Add compatible logback-classic version
+    implementation ('ch.qos.logback:logback-core:1.5.15') {
+        because 'version brought in by spring boot 3.3.7 affected by CVE-2024-12798'
+    }
+    implementation 'ch.qos.logback:logback-classic:1.5.15' // Ensure compatibility
+
+    testImplementation 'org.springframework.boot:spring-boot-starter-test'
 }
 
 tasks.withType(Test).configureEach {