fix: update maven dependencies to latest versions to mitigate vulnera…

.github/workflows/code-climate-coverage.yaml

@@ -60,10 +60,10 @@ jobs:
         if: env.GIT_BRANCH == 'refs/heads/master'
 
       # Setup Java Environment
-      - name: Set up JDK 1.8
-        uses: actions/setup-java@v1
+      - name: Set up JDK 17
+        uses: actions/setup-java@v4
         with:
-          java-version: 1.8
+          java-version: '17'
       - uses: actions/cache@v1
         with:
           path: ~/.m2/repository

.github/workflows/trivy-analysis.yml

@@ -18,10 +18,11 @@ jobs:
         uses: actions/checkout@v2
 
       # Set up JDK build environment
-      - name: Set up JDK 8
-        uses: actions/setup-java@v1
+      - name: Set up JDK 17
+        uses: actions/setup-java@v4
         with:
-          java-version: 8
+          java-version: '17'
+          distribution: 'temurin'
 
       # Runs build steps
       - name: Maven Package
@@ -39,18 +40,20 @@ jobs:
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@master
         with:
-          scan-type: image
-          image-ref: bc-paris-api:${{ github.sha }}
-          format: template
-          template: '@/contrib/sarif.tpl'
-          output: trivy-results.sarif
-          exit-code: 1
+          scan-type: 'image'
+          image-ref: 'bc-paris-api:${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          exit-code: '1'
           ignore-unfixed: true
-          severity: HIGH,CRITICAL
+          severity: 'HIGH,CRITICAL'
+          scan-ref: '.'
+          vuln-type: 'os,library'
+          list-all-pkgs: false
 
       #Upload results to the Github security tab.
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v1
+        uses: github/codeql-action/upload-sarif@v3
         if: always()
         with:
-          sarif_file: trivy-results.sarif
+          sarif_file: 'trivy-results.sarif'

Dockerfile

@@ -1,4 +1,4 @@
-FROM eclipse-temurin:8-jre-jammy
+FROM eclipse-temurin:17-jre-jammy
 
 COPY ./target/bcparis-service-1.3.2.jar bcparis-service-1.3.2.jar
 

openshift/applications/buildConfigs/bc-paris-api-bc.yaml

@@ -64,7 +64,7 @@ objects:
         sourceStrategy:
           from:
             kind: ImageStreamTag
-            name: 'java:8'
+            name: 'java:17'
             namespace: openshift
         type: Source
       successfulBuildsHistoryLimit: 5

pom.xml

@@ -17,7 +17,7 @@
 		</sonar.exclusions>
 
 		<!-- ========== Enforce ========== -->
-		<java.version>1.8</java.version>
+		<java.version>17</java.version>
 		<!-- 3.3.9 is the most recent version supported by Red Hat Jenkins slave
             images. We can't go to 3.5 -->
 		<maven.version>3.8.5</maven.version>
@@ -79,7 +79,7 @@
 			<dependency>
 				<groupId>com.fasterxml.jackson.core</groupId>
 				<artifactId>jackson-databind</artifactId>
-				<version>2.13.4.2</version>
+				<version>2.18.0-rc1</version>
 			</dependency>
 
 			<dependency>
@@ -198,7 +198,7 @@
 			<dependency>
 				<groupId>org.springdoc</groupId>
 				<artifactId>springdoc-openapi-ui</artifactId>
-				<version>1.6.9</version>
+				<version>1.8.0</version>
 			</dependency>
 
 			<dependency>
@@ -210,7 +210,7 @@
 			<dependency>
 				<groupId>javax.xml.bind</groupId>
 				<artifactId>jaxb-api</artifactId>
-				<version>2.3.1</version>
+				<version>2.4.0-b180830.0359</version>
 			</dependency>
 		</dependencies>
 	</dependencyManagement>
@@ -248,12 +248,13 @@
 		<dependency>
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-core</artifactId>
+			<version>${spring-security.version}</version>
 		</dependency>
 
 		<dependency>
 			<groupId>org.apache.cxf</groupId>
 			<artifactId>cxf-core</artifactId>
-			<version>4.0.4</version>
+			<version>4.0.5</version>
 		</dependency>
 
 		<!-- Enabling health checks and metrics -->
@@ -306,6 +307,7 @@
 		<dependency>
 			<groupId>ch.qos.logback</groupId>
 			<artifactId>logback-core</artifactId>
+			<version>1.5.8</version>
 		</dependency>
 
 		<dependency>
@@ -320,7 +322,7 @@
 		<dependency>
 			<groupId>dev.akkinoc.spring.boot</groupId>
 			<artifactId>logback-access-spring-boot-starter</artifactId>
-			<version>4.1.1</version>
+			<version>4.3.0</version>
 		</dependency>
 
 
@@ -337,6 +339,11 @@
 			<artifactId>log4j-api</artifactId>
 			<version>${log4j2.version}</version>
 		</dependency>
+		<dependency>
+			<groupId>javax.servlet</groupId>
+			<artifactId>javax.servlet-api</artifactId>
+			<version>4.0.1</version>
+		</dependency>
 
 		<!-- https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-to-slf4j -->
 		<dependency>
@@ -356,14 +363,14 @@
 		<dependency>
 			<groupId>org.apache.tomcat.embed</groupId>
 			<artifactId>tomcat-embed-core</artifactId>
-			<version>11.0.0-M18</version>
+			<version>11.0.0-M25</version>
 		</dependency>
 
 		<!-- https://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-websocket -->
 		<dependency>
 			<groupId>org.apache.tomcat.embed</groupId>
 			<artifactId>tomcat-embed-websocket</artifactId>
-			<version>11.0.0-M18</version>
+			<version>11.0.0-M25</version>
 		</dependency>
 	</dependencies>
 
@@ -396,8 +403,8 @@
 				<artifactId>maven-compiler-plugin</artifactId>
 				<version>3.10.1</version>
 				<configuration>
-					<source>1.8</source>
-					<target>1.8</target>
+					<source>17</source>
+					<target>17</target>
 				</configuration>
 			</plugin>
 			<plugin>

src/main/java/ca/bc/gov/iamp/bcparis/transformation/MessageTransform.java

@@ -30,7 +30,7 @@ public Layer7Message parse(Layer7Message message) {
 	/**
 	 * Remove the CDATA tags
 	 * 
-	 * @param msgFFmt
+	 * @param message
 	 *            Example: <![CDATA[\rSN:M00001-0001 MT:MUF
 	 *            MSID:BRKR-190703-20:40:43\nFROM:BC41127\nTO:BC41028]]>
 	 * @return Example: SN:M00001-0001 MT:MUF