// Single version for the org.apache.kafka:connect-* artifacts declared in the dependencies block
// (bumped from 3.6.0 over CVE-2024-27309 — see the comment there).
val kafkaVersion: String = "3.6.2"
plugins {
    // Kotlin/JVM compilation support (kotlin("jvm") is the org.jetbrains.kotlin.jvm plugin id).
    kotlin("jvm") version "1.6.10"
    // kotlinter: Gradle wrapper around ktlint (lint + format tasks).
    id("org.jmailen.kotlinter") version "3.6.0"
    // OWASP Dependency-Check: fails the build on dependencies with known CVEs;
    // thresholds and NVD access are configured in the dependencyCheck block below.
    id("org.owasp.dependencycheck") version "9.0.8"
    // java-library: separates the api and implementation configurations.
    id("java-library")
}
// Version of this library/package.
project.version = "0.7.9"
// Maven Central is the only repository declared, so every artifact below resolves from it.
repositories.mavenCentral()
dependencies {
    // Align versions of all Kotlin components
    implementation(platform("org.jetbrains.kotlin:kotlin-bom"))
    // Use the Kotlin JDK 8 standard library.
    implementation("org.jetbrains.kotlin:kotlin-stdlib-jdk8")
    // Kafka dependencies
    // Previous 3.6.0 version was flagged as vulnerability:
    // CVE-2024-27309 https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEKAFKA-6600922
    implementation("org.apache.kafka:connect-api:$kafkaVersion")
    implementation("org.apache.kafka:connect-json:$kafkaVersion")
    implementation("org.apache.kafka:connect-transforms:$kafkaVersion")
    implementation("org.apache.avro:avro:1.11.3")
    // Use the Kotlin test library.
    testImplementation("org.jetbrains.kotlin:kotlin-test")
    // Use the Kotlin JUnit integration.
    testImplementation("org.jetbrains.kotlin:kotlin-test-junit")
    // The logback / jackson-databind / snappy-java / commons-compress lines below pin patched
    // releases. NOTE(review): presumably they override older transitive versions pulled in by the
    // connector libraries (Gradle resolves to the highest requested version); a `constraints {}`
    // block would express that intent without adding them as direct compile dependencies — confirm
    // with `./gradlew dependencies` which versions actually resolve.
    // CVE-2023-6378 https://logback.qos.ch/news.html#1.3.12
    implementation("ch.qos.logback:logback-classic:1.4.14")
    implementation("ch.qos.logback:logback-core:1.4.14")
    // Previous 2.15.2 version was flagged as vulnerability:
    // CVE-2023-35116 - developers claim it's a bogus alert https://github.com/FasterXML/jackson-databind/issues/3972
    // but I guess won't hurt to upgrade it + will resolve dependency check failure
    implementation("com.fasterxml.jackson.core:jackson-databind:2.16.0")
    // Upgraded version of Snappy Java to patch:
    // CVE-2023-34454 - https://github.com/advisories/GHSA-fjpj-2g6w-x25r
    // CVE-2023-34453 - https://github.com/advisories/GHSA-pqr6-cmr2-h8hf
    // CVE-2023-34455 - https://github.com/advisories/GHSA-qcwq-55hx-v3vh
    implementation("org.xerial.snappy:snappy-java:1.1.10.5")
    // CVE-2023-42503
    implementation("org.apache.commons:commons-compress:1.26.0")
    // NOTE(review): jackson-module-kotlin is on 2.13.3 while jackson-databind above is 2.16.0;
    // Jackson modules are normally kept on the same release line as databind — verify the
    // resolved pair is compatible, or move the module to the same version as databind.
    implementation("com.fasterxml.jackson.module:jackson-module-kotlin:2.13.3")
    implementation("org.mongodb.kafka:mongo-kafka-connect:1.7.0")
    implementation("org.mongodb:bson:4.5.1")
}
// A full list of config options can be found here:
// https://jeremylong.github.io/DependencyCheck/dependency-check-gradle/configuration.html
dependencyCheck {
    // Any finding scored 5.0 or higher fails the build — anything over a 5.0 is above a 'warning'.
    failBuildOnCVSS = 5.0f
    // This is a JVM-only project, so the .NET assembly analyzer is switched off.
    analyzers.assemblyEnabled = false
    // The NVD API key is read from the environment so it never lands in the repository.
    // An unset variable yields "", which presumably the plugin treats as "no key" (NVD lookups
    // then run unauthenticated and are subject to stricter rate limits).
    nvd.apiKey = System.getenv("NVD_API_KEY").orEmpty()
}