From d8e5d7c81999113e4259c3c4120e9ae1d35422be Mon Sep 17 00:00:00 2001
From: Patrick Boos
Date: Fri, 27 Dec 2024 11:47:15 +0100
Subject: [PATCH] [CHK-11672][CHK-11673] Force min logback version correctly (security)
---
 build.gradle | 19 +++++++++++++++++++
 .../build.gradle | 11 -----------
 .../build.gradle | 11 -----------
 3 files changed, 19 insertions(+), 22 deletions(-)
diff --git a/build.gradle b/build.gradle
index df590891..4fbff325 100644
--- a/build.gradle
+++ b/build.gradle
@@ -78,4 +78,23 @@ subprojects {
 consoleOutput = true
 ruleSets = ["$rootDir/ruleset.xml"]
 }
+
+ // Needed for security. See:
+ // - https://github.com/getyourguide/openapi-validation-java/security/dependabot/7
+ // - https://github.com/getyourguide/openapi-validation-java/security/dependabot/6
+ // Hopefully with spring-boot 3.4.2+ this won't be needed anymore and can be removed.
+ configurations.configureEach {
+ resolutionStrategy.eachDependency {details ->
+ if (details.requested.group == 'ch.qos.logback'
+ && (details.requested.name == 'logback-core' || details.requested.name == 'logback-classic')
+ ) {
+ def parse = { String v -> v.tokenize('.').collect { it.padLeft(3, '0') }.join() }
+ def current = parse(details.requested.version)
+ def minimum = parse('1.5.15')
+ if (current < minimum) {
+ details.useVersion '1.5.15'
+ }
+ }
+ }
+ }
 }
diff --git a/examples/example-spring-boot-starter-web/build.gradle b/examples/example-spring-boot-starter-web/build.gradle
index 9338fada..ffcca815 100644
--- a/examples/example-spring-boot-starter-web/build.gradle
+++ b/examples/example-spring-boot-starter-web/build.gradle
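Review bot: The version check in the new `resolutionStrategy.eachDependency` block of the root build.gradle (inside `subprojects`, which opens outside the hunk) compares zero-padded strings, so it only orders plain numeric `x.y.z` versions and the security floor can be skipped silently. A requested version with a qualifier (constructed example: `1.5.9-rc1`) produces a segment longer than three characters and sorts above `1.5.15`, leaving a version below the floor in place. `details.requested.version` may also be null when a dependency is declared without a version, in which case `v.tokenize('.')` would throw; whether that happens depends on how versions reach this rule, so it is worth confirming. I would normalise the segments with `def parse = { String v -> (v.tokenize('.-') + ['0', '0', '0']).take(3).collect { (it.isInteger() ? it : '0').padLeft(3, '0') }.join() }` and replace the `current` local with a guarded check, `if (details.requested.version && parse(details.requested.version) < minimum)`. Adding `details.because 'logback security floor, see dependabot alerts 6 and 7'` next to `useVersion` would make the override visible in `dependencyInsight` output.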
@@ -5,17 +5,6 @@ plugins {
 alias(libs.plugins.openapi.generator)
 }
 
-// Needed for security. See:
-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/7
-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/6
-// Hopefully with spring-boot 3.4.2+ this won't be needed anymore and can be removed.
-dependencyManagement {
- dependencies {
- dependency 'ch.qos.logback:logback-core:1.5.15'
- dependency 'ch.qos.logback:logback-classic:1.5.15'
- }
-}
-
 dependencies {
 implementation project(':examples:examples-common')
 implementation project(':spring-boot-starter:spring-boot-starter-web')
diff --git a/examples/example-spring-boot-starter-webflux/build.gradle b/examples/example-spring-boot-starter-webflux/build.gradle
index ab761f7e..59eaef61 100644
--- a/examples/example-spring-boot-starter-webflux/build.gradle
+++ b/examples/example-spring-boot-starter-webflux/build.gradle
@@ -5,17 +5,6 @@ plugins {
 alias(libs.plugins.openapi.generator)
 }
 
-// Needed for security. See:
-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/7
-// - https://github.com/getyourguide/openapi-validation-java/security/dependabot/6
-// Hopefully with spring-boot 3.4.2+ this won't be needed anymore and can be removed.
-dependencyManagement {
- dependencies {
- dependency 'ch.qos.logback:logback-core:1.5.15'
- dependency 'ch.qos.logback:logback-classic:1.5.15'
- }
-}
-
 dependencies {
 implementation project(':examples:examples-common')
 implementation project(':spring-boot-starter:spring-boot-starter-webflux')