Dependency updates and apply Sonatype Scan Gradle Plugin (#2264)

sdelamo · web-flow · commit f6b522b89f53 · 2025-01-08T13:33:26.000+01:00
* core 4.7.9

* aws sdk v2 2.29.39

* use jetty version defined in servlet

jetty

* logging 1.5.1

* protect against NPE in log statement

* add sonatype scan gradle plugin

* define version in libs.versions.toml

* sonatype 2.8.3

* only for java 17

* add env variables
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
@@ -30,6 +30,8 @@ jobs:
       PREDICTIVE_TEST_SELECTION: "${{ github.event_name == 'pull_request' && 'true' || 'false' }}"
       SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      OSS_INDEX_USERNAME: ${{ secrets.OSS_INDEX_USERNAME }}
+      OSS_INDEX_PASSWORD: ${{ secrets.OSS_INDEX_PASSWORD }}
     steps:
        # https://github.com/actions/virtual-environments/issues/709
       - name: "🗑 Free disk space"
@@ -58,6 +60,12 @@ jobs:
         run: |
           [ -f ./setup.sh ] && ./setup.sh || [ ! -f ./setup.sh ]
 
+      - name: "🚔 Sonatype Scan"
+        id: sonatypescan
+        if: matrix.java == '17'
+        run: |
+          ./gradlew ossIndexAudit --no-parallel
+
       - name: "🛠 Build with Gradle"
         id: gradle
         run: |
diff --git a/aws-service-discovery/src/main/java/io/micronaut/discovery/aws/servicediscovery/registration/ServiceRegistrationStatusTask.java b/aws-service-discovery/src/main/java/io/micronaut/discovery/aws/servicediscovery/registration/ServiceRegistrationStatusTask.java
@@ -72,7 +72,7 @@ public void run() {
             GetOperationResponse result = serviceDiscoveryClient.getOperation(
                     GetOperationRequest.builder().operationId(operationId).build()
             );
-            LOG.info("Service registration for operation {} resulted in {}", operationId, result.operation().status());
+            LOG.info("Service registration for operation {} resulted in {}", operationId, result == null || result.operation() == null ? null : result.operation().status());
             if (result.operation().status() == OperationStatus.FAIL || result.operation().status() == OperationStatus.SUCCESS) {
                 registered = true; // either way we are done
                 if (result.operation().status() == OperationStatus.FAIL) {
diff --git a/buildSrc/build.gradle b/buildSrc/build.gradle
@@ -11,4 +11,5 @@ dependencies {
     implementation libs.javapoet
     implementation libs.gradle.micronaut
     implementation libs.gradle.kotlin
-}
+    implementation(libs.sonatype.scan)
+}
diff --git a/buildSrc/src/main/groovy/io.micronaut.build.internal.aws-module.gradle b/buildSrc/src/main/groovy/io.micronaut.build.internal.aws-module.gradle
@@ -1,4 +1,23 @@
 plugins {
     id "io.micronaut.build.internal.aws-base"
     id "io.micronaut.build.internal.module"
+    id("org.sonatype.gradle.plugins.scan")
 }
+String ossIndexUsername = System.getenv("OSS_INDEX_USERNAME") ?: project.properties["ossIndexUsername"]
+String ossIndexPassword = System.getenv("OSS_INDEX_PASSWORD") ?: project.properties["ossIndexPassword"]
+boolean sonatypePluginConfigured = ossIndexUsername != null && ossIndexPassword != null
+if (sonatypePluginConfigured) {
+    ossIndexAudit {
+        username = ossIndexUsername
+        password = ossIndexPassword
+        excludeCompileOnly = true
+        excludeCoordinates = [
+                "org.eclipse.jetty:jetty-http:11.0.24" // no version of Jetty 11 patched https://ossindex.sonatype.org/component/pkg:maven/org.eclipse.jetty/jetty-http
+        ]
+    }
+}
+configurations.all {
+    resolutionStrategy {
+        force("commons-io:commons-io:2.14.0") // first version patched https://ossindex.sonatype.org/component/pkg:maven/commons-io/commons-io
+    }
+}
diff --git a/function-aws-api-proxy-test/build.gradle.kts b/function-aws-api-proxy-test/build.gradle.kts
@@ -5,6 +5,7 @@ plugins {
 dependencies {
     api(mn.micronaut.http.server)
     api(projects.micronautFunctionAwsApiProxy)
+    implementation(platform(mnServlet.boms.jetty))
     implementation(libs.jetty.server)
     testImplementation(mn.micronaut.http.client)
     testImplementation(mn.micronaut.jackson.databind)
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -1,18 +1,17 @@
 [versions]
-micronaut = "4.7.2"
+micronaut = "4.7.9"
 micronaut-docs = "2.0.0"
 micronaut-test = "4.5.0"
 groovy = "4.0.22"
 spock = "2.3-groovy-4.0"
 
 bouncycastle = '1.70'
 fileupload = '0.0.6'
-jetty = '11.0.24'
 logback-json-classic = '0.1.5'
 
 micronaut-discovery = "4.5.0"
 micronaut-groovy = "4.5.0"
-micronaut-logging = "1.4.0"
+micronaut-logging = "1.5.1"
 micronaut-mongodb = "5.5.0"
 micronaut-reactor = "3.6.0"
 micronaut-security = "4.11.2"
@@ -35,6 +34,7 @@ micronaut-starter = "3.9.2"
 slf4j = "2.0.16"
 servlet-api = "2.5"
 javapoet = "1.13.0"
+sonatype-scan = "2.8.3"
 
 # The following version should probably
 # be defined in Micronaut Graal but it's not shipped with a BOM yet
@@ -90,7 +90,7 @@ bouncycastle-provider = { module = 'org.bouncycastle:bcprov-jdk15on', version.re
 fileupload = { module = 'org.javadelight:delight-fileupload', version.ref = 'fileupload' }
 graal-sdk = { module = 'org.graalvm.sdk:graal-sdk', version.ref = 'graal' }
 jackson-afterburner = { module = 'com.fasterxml.jackson.module:jackson-module-afterburner' }
-jetty-server = { module = 'org.eclipse.jetty:jetty-server', version.ref = 'jetty' }
+jetty-server = { module = 'org.eclipse.jetty:jetty-server' }
 jcl-over-slf4j = { module = 'org.slf4j:jcl-over-slf4j', version.ref = 'slf4j' }
 junit-jupiter-engine = { module = 'org.junit.jupiter:junit-jupiter-engine' }
 junit-jupiter-api = { module = 'org.junit.jupiter:junit-jupiter-api' }
@@ -115,6 +115,8 @@ managed-awssdk-secretsmanager = { module = 'software.amazon.awssdk:secretsmanage
 managed-jcl-over-slf4j = { module = 'org.slf4j:jcl-over-slf4j', version.ref = 'slf4j' }
 
 servlet-api = { module = 'javax.servlet:servlet-api', version.ref = 'servlet-api' }
+sonatype-scan = { module = "org.sonatype.gradle.plugins:scan-gradle-plugin", version.ref = "sonatype-scan" }
+
 # Gradle
 
 gradle-micronaut = { module = "io.micronaut.gradle:micronaut-gradle-plugin", version.ref = "micronaut-gradle-plugin" }
