diff --git a/.github/workflows/eumserver_release.yml b/.github/workflows/eumserver_release.yml index a3ae484..8b50c17 100644 --- a/.github/workflows/eumserver_release.yml +++ b/.github/workflows/eumserver_release.yml @@ -19,6 +19,8 @@ jobs: uses: actions/checkout@v3 - name: Grant execute permission for gradlew run: chmod +x gradlew + - name: Scan dependencies + run: ./gradlew dependencyCheckAnalyze - name: Build project run: ./gradlew assemble bootJar -PbuildVersion=${{ github.ref_name }} - name: Create BOM diff --git a/.gitignore b/.gitignore index 0d177b7..2a0ebb3 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ .gradle *build/ +out/ !gradle/wrapper/gradle-wrapper.jar *.log *.zip diff --git a/README.md b/README.md index 2dd96e1..da5ff99 100644 --- a/README.md +++ b/README.md @@ -330,3 +330,6 @@ to ```inspectit-ocelot-eum-server.jar``` and copied to the ./docker directory ##### How to Release To create a new release, you have to create a new git tag and push it on to GitHub. This Tag is the new version number of the release. Afterwards the release build will be automatically triggered. + +Important tasks to check first are `dependencyUpdates` and `dependencyUpdates[Major|Minor]` for newer (patch, minor, major) +versions and `dependencyCheckAnalyze` for security issues in the used dependencies. diff --git a/build.gradle b/build.gradle index 21ce6ca..7f89d58 100644 --- a/build.gradle +++ b/build.gradle @@ -1,9 +1,12 @@ +import com.github.benmanes.gradle.versions.updates.DependencyUpdatesTask + plugins { id "org.springframework.boot" version "${springBootVersion}" id "com.palantir.docker" version "${palantirDockerVersion}" id "org.cyclonedx.bom" version "${cyclonedxBomVersion}" id "io.spring.dependency-management" version "${springDependencyManangementVersion}" id "org.owasp.dependencycheck" version "${owaspDependencyCheckVersion}" + id "com.github.ben-manes.versions" version "${versionsPlugin}" } repositories { 
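Review bot: The new `Scan dependencies` step gates the release on the CVSS threshold configured in build.gradle but discards the evidence when it fails, since nothing in this job uploads the report the plugin writes under `build/reports/`; add an `actions/upload-artifact` step with `if: always()` directly after `run: ./gradlew dependencyCheckAnalyze` so a failed tag build still leaves the finding readable. The step also pulls vulnerability data from scratch on every tag push with no cache and no credentials, so the release can fail or stall for reasons unrelated to the code; consider caching the dependency-check data directory and, if the plugin version in use supports it, passing an API key from a repository secret. Not introduced here but in the same job, `actions/checkout@v3` is pinned by tag rather than commit SHA, and this commit replaces `gradle/wrapper/gradle-wrapper.jar` (binary, further down the diff) without a `gradle/wrapper-validation-action` step before `chmod +x gradlew` that would verify the new jar against Gradle's published checksums.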
@@ -14,8 +17,11 @@ apply plugin: "java" apply plugin: "jacoco" group = "rocks.inspectit.ocelot" -sourceCompatibility = "17" -targetCompatibility = "17" + +java { + sourceCompatibility = "17" + targetCompatibility = "17" +} if (!project.hasProperty("buildVersion") || project.getProperty("buildVersion").empty) { ext.buildVersion = "SNAPSHOT" @@ -71,9 +77,12 @@ bootJar { dependsOn downloadAndExtractBoomerang dependsOn downloadOpenTelemetryPlugin - archivesBaseName = "inspectit-ocelot-eum-server" archiveVersion = "${buildVersion}" + base { + archivesName = "inspectit-ocelot-eum-server" + } + manifest { attributes "Start-Class": "rocks.inspectit.oce.eum.server.EUMServerApplication" } @@ -82,14 +91,14 @@ bootJar { from generateVersionFile.versionFile // include boomerang - from("$buildDir/boomerangjs-${boomerangVersion}/package") { + from(layout.buildDirectory.dir("boomerangjs-${boomerangVersion}/package")) { include "plugins/*.js" include "boomerang.js" into "static/boomerang" } //include boomerang opentelemetry - from("$buildDir") { + from(layout.buildDirectory) { include "boomerang-opentelemetry.js" into "static/boomerang" } @@ -128,6 +137,8 @@ dependencies { "io.opencensus:opencensus-impl:${openCensusVersion}", "io.opencensus:opencensus-exporter-stats-prometheus:${openCensusVersion}", + //"io.grpc:grpc-context:1.58.0", + platform("io.opentelemetry:opentelemetry-bom-alpha:${openTelemetryAlphaVersion}"), "io.opentelemetry:opentelemetry-semconv", platform("io.opentelemetry:opentelemetry-bom:${openTelemetryVersion}"), @@ -187,8 +198,8 @@ dependencies { tasks.register('copyServerJar', Copy) { dependsOn bootJar - from("${buildDir}/libs/inspectit-ocelot-eum-server-${version}.jar") - into("${buildDir}/docker-jar") + from(layout.buildDirectory.file("libs/inspectit-ocelot-eum-server-${version}.jar")) + into(layout.buildDirectory.dir("docker-jar")) rename("inspectit-ocelot-eum-server-${version}\\.jar", "inspectit-ocelot-eum-server.jar") } 
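Review bot: The replacement for `archivesBaseName` puts `base { archivesName = "inspectit-ocelot-eum-server" }` inside the `bootJar { }` block, where it reads as a property of that task; it appears to work only because the closure resolves `base` against the project, and the `base` extension is project-wide. Move the three lines to top level next to `group = "rocks.inspectit.ocelot"`, which is where the next reader will look for the artifact name, and leave only `archiveVersion = "${buildVersion}"` in `bootJar`. The `bootJar` block continues past the end of this hunk.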
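Review bot: The added `//"io.grpc:grpc-context:1.58.0",` in the `dependencies` block is commented-out configuration with no explanation, so nobody can tell whether it is an abandoned experiment or a version override that was needed to clear a scanner finding and was then disabled. Either delete the line or replace it with a comment stating why the override is not applied, e.g. `// grpc-context is pulled in transitively; do not pin it here, see dependencyCheckSuppression.xml`, keeping the actual decision in one place. The `dependencies` block starts and ends outside this hunk.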
@@ -200,3 +211,64 @@ docker { dockerfile file("docker/Dockerfile") files "docker/entrypoint.sh", copyServerJar.outputs } + +dependencyCheck { + failBuildOnCVSS = 6 + suppressionFile = "dependencyCheckSuppression.xml" + analyzers { + assemblyEnabled = false + ossIndex { + enabled = true + } + } +} + +def isNonStable = { String candidate -> + def stableKeyword = ['RELEASE', 'FINAL', 'GA', 'JRE'].any { it -> candidate.toUpperCase().contains(it) } + def versionRegex = /^[0-9,.v-]+(-r)?$/ + return !stableKeyword && !(candidate ==~ versionRegex) +} + +def isNotSameMajorMinor = { String current, String candidate, boolean matchMinor -> + if(current.equals(candidate)) return false + + def firstDot = current.indexOf('.') + def secondDot = current.indexOf('.', firstDot + 1) + def major = current.substring(0, firstDot) + def minor = current.substring(firstDot + 1, secondDot) + def majorRegex = /^$major\..*/ + def minorRegex = /^$major\.${minor}\..*/ + return !((candidate ==~ majorRegex) && (!matchMinor || (candidate ==~ minorRegex))) +} + +tasks.named("dependencyUpdates").configure { + rejectVersionIf { + // only patch updates + isNonStable(it.candidate.version) || isNotSameMajorMinor(it.currentVersion, it.candidate.version, true) + } +} + +tasks.register('dependencyUpdatesMinor', DependencyUpdatesTask) { + rejectVersionIf { + // only minor updates + isNonStable(it.candidate.version) || isNotSameMajorMinor(it.currentVersion, it.candidate.version, false) + } +} + +tasks.register('dependencyUpdatesMajor', DependencyUpdatesTask) { + rejectVersionIf { + // all updates including major updates + isNonStable(it.candidate.version) + } +} + +tasks.withType(DependencyUpdatesTask).configureEach { + // default settings + revision = 'milestone' + gradleReleaseChannel = "current" + checkConstraints = true + checkBuildEnvironmentConstraints = true + outputFormatter = 'json,plain' + outputDir = 'build/reports' + reportfileName = 'dependencyUpdates' +} 
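Review bot: `isNotSameMajorMinor` throws instead of answering when `current` has fewer than two dots: for a version such as `1.2` (gradle.properties in this same commit has `opencensusInfluxdbExporterVersion=1.2` and `snakeYamlVersion=2.0`) `secondDot` is `-1`, so `current.substring(firstDot + 1, secondDot)` raises `StringIndexOutOfBoundsException` and the whole `dependencyUpdates` run aborts rather than reporting. Splitting on `.` and treating a missing minor component as "compare by major only" fixes this, and quoting the components keeps a stray regex metacharacter in a version string from changing the match. I would also note in a comment that `isNonStable` rejects `2.0` as non-stable only by the keyword/regex heuristic, which is the intended behaviour of the upstream example.

```groovy
def isNotSameMajorMinor = { String current, String candidate, boolean matchMinor ->
    if (current.equals(candidate)) return false

    // Versions may have fewer than two components ("2", "1.2"); a missing
    // minor falls back to the major-only comparison instead of throwing.
    def parts = current.tokenize('.')
    if (parts.isEmpty()) return true
    def major = java.util.regex.Pattern.quote(parts[0])
    def majorRegex = /^$major\..*/
    def minorRegex = parts.size() > 1
        ? /^$major\.${java.util.regex.Pattern.quote(parts[1])}\..*/
        : majorRegex
    return !((candidate ==~ majorRegex) && (!matchMinor || (candidate ==~ minorRegex)))
}
// … unchanged: dependencyUpdates task registrations …
```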
diff --git a/dependencyCheckSuppression.xml b/dependencyCheckSuppression.xml new file mode 100644 index 0000000..a0bcfaf --- /dev/null +++ b/dependencyCheckSuppression.xml @@ -0,0 +1,10 @@ + + + + + e5bc2949679b6214e8d9a1e5b707f2b42bb3fa13 + CVE-2019-3826 + + diff --git a/gradle.properties b/gradle.properties index 6443b78..d678f7c 100644 --- a/gradle.properties +++ b/gradle.properties @@ -3,7 +3,7 @@ boomerangVersion=1.737.0 # The open-telemetry-boomerang version to ship with the EUM server boomerangOpenTelemetryPluginVersion=0.25.0-8 # Upgrade to Spring 3.* and Java 17 -springBootVersion=3.1.3 +springBootVersion=3.1.4 # CVE-2022-1471 was resolved with SnakeYAML 2.0 snakeYamlVersion=2.0 # Ensure to adapt the netty version (inspectit-ocelot-core/build.gradle) when changing the OpenCensus version @@ -14,7 +14,7 @@ prometheusClientVersion = 0.6.0 openTelemetryVersion=1.27.0 openTelemetryAlphaVersion=1.27.0-alpha openTelemetryProtoVersion=1.7.1-alpha -protobufVersion=3.22.3 +protobufVersion=3.22.5 guavaVersion=32.1.2-jre geoip2Version=4.0.1 commonsNetVersion=3.9.0 @@ -27,15 +27,16 @@ okioJvmVersion=3.5.0 opencensusInfluxdbExporterVersion=1.2 armeriaVersion=1.23.1 -testContainersVersion=1.18.0 +testContainersVersion=1.18.3 ### gradle plugin versions ### Check for newer version at https://plugins.gradle.org/ # io.spring.dependency-management -springDependencyManangementVersion=1.1.0 +springDependencyManangementVersion=1.1.3 # org.owasp.dependencycheck -owaspDependencyCheckVersion=8.2.1 +owaspDependencyCheckVersion=8.4.0 # org.cyclonedx.bom cyclonedxBomVersion=1.7.4 # com.palantir.docker palantirDockerVersion=0.35.0 +versionsPlugin=0.48.0 diff --git a/gradle/wrapper/gradle-wrapper.jar b/gradle/wrapper/gradle-wrapper.jar index 7454180..943f0cb 100644 Binary files a/gradle/wrapper/gradle-wrapper.jar and b/gradle/wrapper/gradle-wrapper.jar differ diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties index 070cb70..744c64d 100644 
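Review bot: The suppression that pairs sha1 `e5bc2949679b6214e8d9a1e5b707f2b42bb3fa13` with `CVE-2019-3826` records no justification, so a later reader cannot tell whether it was a false positive on an unaffected artifact or an accepted risk, and it never expires. Add a `<notes>` child naming the artifact and why the CVE does not apply, and put `until="YYYY-MM-DD"` on the `<suppress>` element so the entry is re-evaluated on the next release instead of becoming permanent. The XML element markup appears to have been lost in this rendering of the hunk, so I can only comment on the two values that survived.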
--- a/gradle/wrapper/gradle-wrapper.properties +++ b/gradle/wrapper/gradle-wrapper.properties @@ -1,5 +1,6 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-7.6-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-8.4-bin.zip +networkTimeout=10000 zipStoreBase=GRADLE_USER_HOME zipStorePath=wrapper/dists diff --git a/gradlew b/gradlew index 744e882..65dcd68 100755 --- a/gradlew +++ b/gradlew @@ -1,7 +1,7 @@ -#!/usr/bin/env sh +#!/bin/sh # -# Copyright 2015 the original author or authors. +# Copyright © 2015-2021 the original authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. 
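Review bot: `distributionUrl` now points at `gradle-8.4-bin.zip` but the file still carries no `distributionSha256Sum`, so the wrapper executes whatever archive the download returns; add `distributionSha256Sum=<sha256 of gradle-8.4-bin.zip>` using the checksum Gradle publishes next to the distribution, so a substituted or tampered archive fails the build instead of running. The added `networkTimeout=10000` is the wrapper's generated default and is fine as is.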
@@ -17,67 +17,101 @@ # ############################################################################## -## -## Gradle start up script for UN*X -## +# +# Gradle start up script for POSIX generated by Gradle. +# +# Important for running: +# +# (1) You need a POSIX-compliant shell to run this script. If your /bin/sh is +# noncompliant, but you have some other compliant shell such as ksh or +# bash, then to run this script, type that shell name before the whole +# command line, like: +# +# ksh Gradle +# +# Busybox and similar reduced shells will NOT work, because this script +# requires all of these POSIX shell features: +# * functions; +# * expansions «$var», «${var}», «${var:-default}», «${var+SET}», +# «${var#prefix}», «${var%suffix}», and «$( cmd )»; +# * compound commands having a testable exit status, especially «case»; +# * various built-in commands including «command», «set», and «ulimit». +# +# Important for patching: +# +# (2) This script targets any POSIX shell, so it avoids extensions provided +# by Bash, Ksh, etc; in particular arrays are avoided. +# +# The "traditional" practice of packing multiple parameters into a +# space-separated string is a well documented source of bugs and security +# problems, so this is (mostly) avoided, by progressively accumulating +# options in "$@", and eventually passing that to Java. +# +# Where the inherited environment variables (DEFAULT_JVM_OPTS, JAVA_OPTS, +# and GRADLE_OPTS) rely on word-splitting, this is performed explicitly; +# see the in-line comments for details. +# +# There are tweaks for specific operating systems such as AIX, CygWin, +# Darwin, MinGW, and NonStop. +# +# (3) This script is generated from the Groovy template +# https://github.com/gradle/gradle/blob/HEAD/subprojects/plugins/src/main/resources/org/gradle/api/internal/plugins/unixStartScript.txt +# within the Gradle project. +# +# You can find Gradle at https://github.com/gradle/gradle/. 
+# ############################################################################## # Attempt to set APP_HOME + # Resolve links: $0 may be a link -PRG="$0" -# Need this for relative symlinks. -while [ -h "$PRG" ] ; do - ls=`ls -ld "$PRG"` - link=`expr "$ls" : '.*-> \(.*\)$'` - if expr "$link" : '/.*' > /dev/null; then - PRG="$link" - else - PRG=`dirname "$PRG"`"/$link" - fi +app_path=$0 + +# Need this for daisy-chained symlinks. +while + APP_HOME=${app_path%"${app_path##*/}"} # leaves a trailing /; empty if no leading path + [ -h "$app_path" ] +do + ls=$( ls -ld "$app_path" ) + link=${ls#*' -> '} + case $link in #( + /*) app_path=$link ;; #( + *) app_path=$APP_HOME$link ;; + esac done -SAVED="`pwd`" -cd "`dirname \"$PRG\"`/" >/dev/null -APP_HOME="`pwd -P`" -cd "$SAVED" >/dev/null -APP_NAME="Gradle" -APP_BASE_NAME=`basename "$0"` +# This is normally unused +# shellcheck disable=SC2034 +APP_BASE_NAME=${0##*/} +APP_HOME=$( cd "${APP_HOME:-./}" && pwd -P ) || exit # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. DEFAULT_JVM_OPTS='"-Xmx64m" "-Xms64m"' # Use the maximum available, or set MAX_FD != -1 to use that value. -MAX_FD="maximum" +MAX_FD=maximum warn () { echo "$*" -} +} >&2 die () { echo echo "$*" echo exit 1 -} +} >&2 # OS specific support (must be 'true' or 'false'). cygwin=false msys=false darwin=false nonstop=false -case "`uname`" in - CYGWIN* ) - cygwin=true - ;; - Darwin* ) - darwin=true - ;; - MSYS* | MINGW* ) - msys=true - ;; - NONSTOP* ) - nonstop=true - ;; +case "$( uname )" in #( + CYGWIN* ) cygwin=true ;; #( + Darwin* ) darwin=true ;; #( + MSYS* | MINGW* ) msys=true ;; #( + NONSTOP* ) nonstop=true ;; esac CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 
@@ -87,9 +121,9 @@ CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar if [ -n "$JAVA_HOME" ] ; then if [ -x "$JAVA_HOME/jre/sh/java" ] ; then # IBM's JDK on AIX uses strange locations for the executables - JAVACMD="$JAVA_HOME/jre/sh/java" + JAVACMD=$JAVA_HOME/jre/sh/java else - JAVACMD="$JAVA_HOME/bin/java" + JAVACMD=$JAVA_HOME/bin/java fi if [ ! -x "$JAVACMD" ] ; then die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME @@ -98,7 +132,7 @@ Please set the JAVA_HOME variable in your environment to match the location of your Java installation." fi else - JAVACMD="java" + JAVACMD=java which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. Please set the JAVA_HOME variable in your environment to match the 
@@ -106,80 +140,105 @@ location of your Java installation." fi # Increase the maximum file descriptors if we can. -if [ "$cygwin" = "false" -a "$darwin" = "false" -a "$nonstop" = "false" ] ; then - MAX_FD_LIMIT=`ulimit -H -n` - if [ $? -eq 0 ] ; then - if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then - MAX_FD="$MAX_FD_LIMIT" - fi - ulimit -n $MAX_FD - if [ $? -ne 0 ] ; then - warn "Could not set maximum file descriptor limit: $MAX_FD" - fi - else - warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" - fi +if ! "$cygwin" && ! "$darwin" && ! "$nonstop" ; then + case $MAX_FD in #( + max*) + # In POSIX sh, ulimit -H is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC3045 + MAX_FD=$( ulimit -H -n ) || + warn "Could not query maximum file descriptor limit" + esac + case $MAX_FD in #( + '' | soft) :;; #( + *) + # In POSIX sh, ulimit -n is undefined. That's why the result is checked to see if it worked. + # shellcheck disable=SC3045 + ulimit -n "$MAX_FD" || + warn "Could not set maximum file descriptor limit to $MAX_FD" + esac fi -# For Darwin, add options to specify how the application appears in the dock -if $darwin; then - GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" -fi +# Collect all arguments for the java command, stacking in reverse order: +# * args from the command line +# * the main class name +# * -classpath +# * -D...appname settings +# * --module-path (only if needed) +# * DEFAULT_JVM_OPTS, JAVA_OPTS, and GRADLE_OPTS environment variables. 
# For Cygwin or MSYS, switch paths to Windows format before running java -if [ "$cygwin" = "true" -o "$msys" = "true" ] ; then - APP_HOME=`cygpath --path --mixed "$APP_HOME"` - CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` - - JAVACMD=`cygpath --unix "$JAVACMD"` - - # We build the pattern for arguments to be converted via cygpath - ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` - SEP="" - for dir in $ROOTDIRSRAW ; do - ROOTDIRS="$ROOTDIRS$SEP$dir" - SEP="|" - done - OURCYGPATTERN="(^($ROOTDIRS))" - # Add a user-defined pattern to the cygpath arguments - if [ "$GRADLE_CYGPATTERN" != "" ] ; then - OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" - fi +if "$cygwin" || "$msys" ; then + APP_HOME=$( cygpath --path --mixed "$APP_HOME" ) + CLASSPATH=$( cygpath --path --mixed "$CLASSPATH" ) + + JAVACMD=$( cygpath --unix "$JAVACMD" ) + # Now convert the arguments - kludge to limit ourselves to /bin/sh - i=0 - for arg in "$@" ; do - CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` - CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option - - if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition - eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` - else - eval `echo args$i`="\"$arg\"" + for arg do + if + case $arg in #( + -*) false ;; # don't mess with options #( + /?*) t=${arg#/} t=/${t%%/*} # looks like a POSIX filepath + [ -e "$t" ] ;; #( + *) false ;; + esac + then + arg=$( cygpath --path --ignore --mixed "$arg" ) fi - i=`expr $i + 1` + # Roll the args list around exactly as many times as the number of + # args, so each arg winds up back in the position where it started, but + # possibly modified. + # + # NB: a `for` loop captures its iteration list before it begins, so + # changing the positional parameters here affects neither the number of + # iterations, nor the values presented in `arg`. 
+ shift # remove old arg + set -- "$@" "$arg" # push replacement arg done - case $i in - 0) set -- ;; - 1) set -- "$args0" ;; - 2) set -- "$args0" "$args1" ;; - 3) set -- "$args0" "$args1" "$args2" ;; - 4) set -- "$args0" "$args1" "$args2" "$args3" ;; - 5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; - 6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; - 7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; - 8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; - 9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; - esac fi -# Escape application args -save () { - for i do printf %s\\n "$i" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/' \\\\/" ; done - echo " " -} -APP_ARGS=`save "$@"` +# Collect all arguments for the java command; +# * $DEFAULT_JVM_OPTS, $JAVA_OPTS, and $GRADLE_OPTS can contain fragments of +# shell script including quotes and variable substitutions, so put them in +# double quotes to make sure that they get re-expanded; and +# * put everything else in single quotes, so that it's not re-expanded. + +set -- \ + "-Dorg.gradle.appname=$APP_BASE_NAME" \ + -classpath "$CLASSPATH" \ + org.gradle.wrapper.GradleWrapperMain \ + "$@" + +# Stop when "xargs" is not available. +if ! command -v xargs >/dev/null 2>&1 +then + die "xargs is not available" +fi + +# Use "xargs" to parse quoted args. +# +# With -n1 it outputs one arg per line, with the quotes and backslashes removed. +# +# In Bash we could simply go: +# +# readarray ARGS < <( xargs -n1 <<<"$var" ) && +# set -- "${ARGS[@]}" "$@" +# +# but POSIX shell has neither arrays nor command substitution, so instead we +# post-process each arg (as a line of input to sed) to backslash-escape any +# character that might be a shell metacharacter, then use eval to reverse +# that process (while maintaining the separation between arguments), and wrap +# the whole thing up as a single "set" statement. 
+# +# This will of course break if any of these variables contains a newline or +# an unmatched quote. +# -# Collect all arguments for the java command, following the shell quoting and substitution rules -eval set -- $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS "\"-Dorg.gradle.appname=$APP_BASE_NAME\"" -classpath "\"$CLASSPATH\"" org.gradle.wrapper.GradleWrapperMain "$APP_ARGS" +eval "set -- $( + printf '%s\n' "$DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS" | + xargs -n1 | + sed ' s~[^-[:alnum:]+,./:=@_]~\\&~g; ' | + tr '\n' ' ' + )" '"$@"' exec "$JAVACMD" "$@" diff --git a/gradlew.bat b/gradlew.bat index 107acd3..93e3f59 100644 --- a/gradlew.bat +++ b/gradlew.bat @@ -14,7 +14,7 @@ @rem limitations under the License. @rem -@if "%DEBUG%" == "" @echo off +@if "%DEBUG%"=="" @echo off @rem ########################################################################## @rem @rem Gradle startup script for Windows @@ -25,7 +25,8 @@ if "%OS%"=="Windows_NT" setlocal set DIRNAME=%~dp0 -if "%DIRNAME%" == "" set DIRNAME=. +if "%DIRNAME%"=="" set DIRNAME=. +@rem This is normally unused set APP_BASE_NAME=%~n0 set APP_HOME=%DIRNAME% @@ -40,7 +41,7 @@ if defined JAVA_HOME goto findJavaFromJavaHome set JAVA_EXE=java.exe %JAVA_EXE% -version >NUL 2>&1 -if "%ERRORLEVEL%" == "0" goto execute +if %ERRORLEVEL% equ 0 goto execute echo. echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. @@ -75,13 +76,15 @@ set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar :end @rem End local scope for the variables with windows NT shell -if "%ERRORLEVEL%"=="0" goto mainEnd +if %ERRORLEVEL% equ 0 goto mainEnd :fail rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of rem the _cmd.exe /c_ return code! -if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 -exit /b 1 +set EXIT_CODE=%ERRORLEVEL% +if %EXIT_CODE% equ 0 set EXIT_CODE=1 +if not ""=="%GRADLE_EXIT_CONSOLE%" exit %EXIT_CODE% +exit /b %EXIT_CODE% :mainEnd if "%OS%"=="Windows_NT" endlocal