Update github action versions (#288)

- Update github action version - Update gradle plugin versions - Clean up solved vulnerabilities in allow-list - Update BDK to 3.0.0
finos · Feb 14, 2024 · 53df953 · 53df953
1 parent 44e9720
commit 53df953
Show file tree

Hide file tree

Showing 12 changed files with 52 additions and 76 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -4,11 +4,11 @@ jobs:
   gradle:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/setup-java@v3
         with:
           distribution: 'temurin'
           java-version: 17
-      - uses: gradle/gradle-build-action@v2
+      - uses: gradle/gradle-build-action@v2.4.2
         with:
           arguments: check
diff --git a/.github/workflows/cve-scanning-gradle.yml b/.github/workflows/cve-scanning-gradle.yml
@@ -2,7 +2,7 @@ name: CVE Scanning for Gradle
 
 on:
   schedule:
-    - cron: '0 8,18 * * 1-5'
+    - cron: '0 8,17 * * 1-5'
   pull_request:
     branches: [ master ]
     paths:
@@ -14,11 +14,11 @@ jobs:
   scan:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - name: Set up JDK
+      - uses: actions/checkout@v4
+      - name: Set up JDK 17
         uses: actions/setup-java@v3
         with:
-          java-version: 17
+          java-version: '17'
           distribution: 'temurin'
       - name: Build with Gradle
         run: ./gradlew build

diff --git a/.github/workflows/gradle-wrapper-validation.yml b/.github/workflows/gradle-wrapper-validation.yml
@@ -6,5 +6,5 @@ jobs:
     name: "Validation"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: gradle/wrapper-validation-action@v1
+      - uses: actions/checkout@v4
+      - uses: gradle/wrapper-validation-action@56b90f209b02bf6d1deae490e9ef18b21a389cd4
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -7,7 +7,7 @@ jobs:
   gradle:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/setup-java@v3
         with:
           distribution: 'temurin'
@@ -17,6 +17,6 @@ jobs:
           printf "$GPG_KEY_BASE64" | base64 --decode > secring.gpg
         env:
           GPG_KEY_BASE64: ${{ secrets.GPG_KEY_BASE64 }}
-      - uses: gradle/gradle-build-action@v1
+      - uses: gradle/gradle-build-action@v2.4.2
         with:
           arguments: publish -PmavenRepoUsername=${{ secrets.MAVEN_USERNAME }} -PmavenRepoPassword=${{ secrets.MAVEN_PASSWORD }} -Psigning.keyId=${{ secrets.GPG_KEY_ID }} -Psigning.secretKeyRingFile=${{ github.workspace }}/secring.gpg -Psigning.password=${{ secrets.GPG_KEY_PASSPHRASE }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,7 +11,7 @@ jobs:
     name: "Release"
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - uses: actions/setup-java@v3
         with:
@@ -71,12 +71,12 @@ jobs:
     env:
       VERSION: 1.0.5
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           repository: symphonyplatformsolutions/wdk-federation-client
           ref: ${{ env.VERSION }}
 
-      - uses: gradle/gradle-build-action@v2
+      - uses: gradle/gradle-build-action@v2.4.2
         with:
           arguments: build
 
@@ -97,7 +97,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Download artifacts
         uses: actions/download-artifact@v3

diff --git a/allow-list.xml b/allow-list.xml
@@ -1,28 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <suppress>
-        <notes><![CDATA[
-        Dependency coming from spotbug gradle plugin only.
-        ]]></notes>
-        <gav>org.apache.bcel:bcel:6.5.0</gav>
-        <cve>CVE-2022-42920</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        Dependency coming from checkstyle gradle plugin only.
-        ]]></notes>
-        <gav>com.google.guava:guava:31.1-jre</gav>
-        <cve>CVE-2020-8908</cve>
-        <cve>CVE-2023-2976</cve>
-    </suppress>
-    <suppress>
-      <notes><![CDATA[
-          Dependency coming from checkstyle gradle plugin only.
-          ]]></notes>
-      <gav>com.google.guava:guava:29.0-jre</gav>
-      <cve>CVE-2020-8908</cve>
-      <cve>CVE-2023-2976</cve>
-    </suppress>
     <suppress>
         <notes><![CDATA[
         Already latest version, to fix later
@@ -33,47 +10,33 @@
     </suppress>
     <suppress>
         <notes><![CDATA[
-        Already latest version, to fix later
-        ]]></notes>
-        <gav>org.yaml:snakeyaml:1.31</gav>
-        <cve>CVE-2022-1471</cve>
-        <cve>CVE-2022-38751</cve>
-        <cve>CVE-2022-38752</cve>
-        <cve>CVE-2022-41854</cve>
-    </suppress>
-    <suppress>
-      <notes><![CDATA[
-          No fix available
+          From SpringBoot bom dependency
           ]]></notes>
-      <gav>org.yaml:snakeyaml:1.33</gav>
-      <cve>CVE-2022-1471</cve>
+        <gav>com.jayway.jsonpath:json-path:2.8.0</gav>
+        <cve>CVE-2023-51074</cve>
     </suppress>
     <suppress>
         <notes><![CDATA[
-          No fix available
+          From checkstyle plugin dependency
           ]]></notes>
-        <gav>org.springframework:spring-web:5.3.27</gav>
-        <cve>CVE-2016-1000027</cve>
+        <gav>org.codehaus.plexus:plexus-classworlds:2.6.0</gav>
+        <cve>CVE-2022-4244</cve>
+        <cve>CVE-2022-4245</cve>
     </suppress>
     <suppress>
-      <notes><![CDATA[
-          No fix available
+        <notes><![CDATA[
+          From checkstyle plugin dependency
           ]]></notes>
-      <gav>org.springframework:spring-expression:5.3.26</gav>
-      <cve>CVE-2023-20863</cve>
+        <gav>org.codehaus.plexus:plexus-component-annotations:2.1.0</gav>
+        <cve>CVE-2022-4244</cve>
+        <cve>CVE-2022-4245</cve>
     </suppress>
     <suppress>
         <notes><![CDATA[
-        Dependency not found in the dependency analyzer, no idea where it is found
-        ]]></notes>
-        <gav>org.testng:testng:7.5</gav>
-        <cve>CVE-2022-4065</cve>
-    </suppress>
-    <suppress>
-      <notes><![CDATA[
-            No fix available
-            ]]></notes>
-      <gav>net.minidev:json-smart:2.4.8</gav>
-      <cve>CVE-2023-1370</cve>
+          From checkstyle plugin dependency
+          ]]></notes>
+        <gav>org.codehaus.plexus:plexus-container-default:2.1.0</gav>
+        <cve>CVE-2022-4244</cve>
+        <cve>CVE-2022-4245</cve>
     </suppress>
 </suppressions>
diff --git a/build.gradle b/build.gradle
@@ -1,6 +1,6 @@
 plugins {
     id("io.github.gradle-nexus.publish-plugin") version "1.3.0"
-    id "org.owasp.dependencycheck" version "8.2.1"
+    id "org.owasp.dependencycheck" version "9.0.9"
 }
 
 group = 'org.finos.symphony.wdk'

diff --git a/buildSrc/src/main/groovy/workflow-bot.java-conventions.gradle b/buildSrc/src/main/groovy/workflow-bot.java-conventions.gradle
@@ -59,6 +59,17 @@ check.dependsOn javadoc
 
 checkstyle {
     configFile = rootProject.file("checkstyle.xml")
+    toolVersion '10.13.0'
+}
+
+configurations.checkstyle {
+    resolutionStrategy.capabilitiesResolution.withCapability("com.google.collections:google-collections") {
+        select("com.google.guava:guava:0")
+    }
+}
+
+spotbugs {
+    toolVersion = '4.8.3'
 }
 
 // Enable HTML report for spotbugs

diff --git a/studio/build.gradle b/studio/build.gradle
@@ -6,7 +6,7 @@ dependencies {
     compileOnly project(':workflow-language')
     compileOnly project(':workflow-bot-app')
     compileOnly 'org.springframework:spring-tx'
-    implementation platform('org.finos.symphony.bdk:symphony-bdk-bom:3.0.0.RC6')
+    implementation platform('org.finos.symphony.bdk:symphony-bdk-bom:3.0.0')
     implementation 'org.finos.symphony.bdk:symphony-bdk-app-spring-boot-starter'
 }
 

diff --git a/workflow-bot-app/build.gradle b/workflow-bot-app/build.gradle
@@ -2,7 +2,7 @@ import org.apache.tools.ant.filters.ReplaceTokens
 
 plugins {
     id 'workflow-bot.java-conventions'
-    id 'org.springframework.boot' version '3.2.1'
+    id 'org.springframework.boot' version '3.2.2'
 }
 
 javadoc {
@@ -14,7 +14,7 @@ javadoc {
 dependencies {
     implementation project(':workflow-language')
 
-    implementation platform('org.finos.symphony.bdk:symphony-bdk-bom:3.0.0.RC6') {
+    implementation platform('org.finos.symphony.bdk:symphony-bdk-bom:3.0.0') {
         exclude group: 'org.slf4j', module: 'slf4j-api'
     }
 

diff --git a/...app/src/test/java/com/symphony/bdk/workflow/management/WorkflowManagementServiceTest.java b/...app/src/test/java/com/symphony/bdk/workflow/management/WorkflowManagementServiceTest.java
@@ -12,6 +12,7 @@
 import com.symphony.bdk.workflow.swadl.v1.Workflow;
 
 import com.github.fge.jsonschema.core.exceptions.ProcessingException;
+import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.ArgumentCaptor;
@@ -59,10 +60,11 @@ public class WorkflowManagementServiceTest {
       + "          content: msg\n"
       + "      content: content";
 
-  Workflow workflow;
-  SwadlView swadlView;
+  static Workflow workflow;
+  static SwadlView swadlView;
 
-  public WorkflowManagementServiceTest() throws IOException, ProcessingException {
+  @BeforeAll
+  static void setup() throws IOException, ProcessingException {
     workflow = SwadlParser.fromYaml(swadl);
     swadlView = SwadlView.builder().swadl(swadl).description("desc").createdBy(1234L).build();
   }

diff --git a/workflow-language/build.gradle b/workflow-language/build.gradle
@@ -10,7 +10,7 @@ javadoc {
 }
 
 dependencies {
-    api platform('org.finos.symphony.bdk:symphony-bdk-bom:3.0.0.RC6')
+    api platform('org.finos.symphony.bdk:symphony-bdk-bom:3.0.0')
 
     api 'org.finos.symphony.bdk:symphony-bdk-core'
     api 'org.finos.symphony.bdk.ext:symphony-group-extension'