Merge branch 'master' into fix/Issue812

.github/scripts/.bash_history

@@ -347,7 +347,7 @@ rm -rf jdk-18_linux-x64_bin.deb
 git rebase -i main
 git rebase -i master
 git stash
-export tempPassword="QA4+PZIWSubBOhJEf+leCo+S4vlCY9/W8Nl+bxilvkE="
+export tempPassword="VBzUegoDQFOCQXJQ/HbEtklzEgOd1hNNQIdsVnW0Ovc="
 mvn run tempPassword
 k6
 npx k6

.github/workflows/dast-zap-test.yml

@@ -24,7 +24,7 @@ jobs:
       - name: Start wrongsecrets
         run: nohup ./mvnw spring-boot:run -Dspring-boot.run.profiles=without-vault &
       - name: ZAP Scan
-        uses: zaproxy/action-baseline@v0.13.0
+        uses: zaproxy/action-baseline@v0.14.0
         env:
           ZAP_AUTH_HEADER_VALUE: "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
           ZAP_AUTH_HEADER: "Authorization"

.github/workflows/link_checker.yml

@@ -18,7 +18,7 @@ jobs:
 
       - name: Link Checker
         id: lychee
-        uses: lycheeverse/lychee-action@v2.1.0
+        uses: lycheeverse/lychee-action@v2.2.0
         with:
           args: --exclude-all-private --exclude-path "src/main/resources/templates/about.html" --exclude-path ".lycheeignore" -r 2 './**/*.md' './**/*.html'
           fail: true

.pre-commit-config.yaml

@@ -9,11 +9,11 @@ ci:
   submodules: false
 repos:
   - repo: https://github.com/renovatebot/pre-commit-hooks
-    rev: 39.60.0
+    rev: 39.124.0
     hooks:
       - id: renovate-config-validator
   - repo: https://github.com/eslint/eslint
-    rev: v9.16.0
+    rev: v9.18.0
     hooks:
       - id: eslint
         args:
@@ -26,7 +26,7 @@ repos:
         exclude: ^(src/test/resources/yourkey.txt|src/test/resources/secondkey.txt)
       - id: trailing-whitespace
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.96.2
+    rev: v1.97.0
     hooks:
       - id: terraform_fmt
       - id: terraform_tflint
@@ -46,7 +46,7 @@ repos:
           - "--args=--only=terraform_workspace_remote"
       - id: terraform_docs
   - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
-    rev: v9.19.0
+    rev: v9.20.0
     hooks:
       - id: commitlint
         stages: [commit-msg]

Dockerfile

@@ -1,7 +1,15 @@
+FROM bellsoft/liberica-openjre-debian:23.0.1-13-cds AS builder
+WORKDIR /builder
+
+ARG argBasedVersion="1.10.2"
+
+COPY --chown=wrongsecrets target/wrongsecrets-${argBasedVersion}-SNAPSHOT.jar application.jar
+RUN java -Djarmode=tools -jar application.jar extract --layers --destination extracted
+
 FROM eclipse-temurin:23.0.1_11-jre-alpine
+WORKDIR /application
 
 ARG argBasedPassword="default"
-ARG argBasedVersion="1.10.0"
 ARG spring_profile=""
 ENV SPRING_PROFILES_ACTIVE=$spring_profile
 ENV ARG_BASED_PASSWORD=$argBasedPassword
@@ -17,7 +25,6 @@ RUN echo "$argBasedPassword"
 
 RUN apk add --no-cache libstdc++ icu-libs
 
-
 # Create the /app directory
 RUN mkdir -p /app
 
@@ -26,14 +33,34 @@ RUN --mount=type=secret,id=mysecret \
     export SECRET_VALUE=$(cat /run/secrets/mysecret) && \
     echo $SECRET_VALUE >> /app/secret.txt
 
-RUN adduser -u 2000 -D wrongsecrets
-USER wrongsecrets
-
-COPY --chown=wrongsecrets target/wrongsecrets-${argBasedVersion}-SNAPSHOT.jar /application.jar
 COPY --chown=wrongsecrets .github/scripts/ /var/tmp/helpers
 COPY --chown=wrongsecrets .github/scripts/.bash_history /home/wrongsecrets/
 COPY --chown=wrongsecrets src/main/resources/executables/*linux-musl* /home/wrongsecrets/
 COPY --chown=wrongsecrets src/test/resources/alibabacreds.kdbx /var/tmp/helpers
 COPY --chown=wrongsecrets src/test/resources/RSAprivatekey.pem /var/tmp/helpers/
+
+COPY --from=builder /builder/extracted/dependencies/ ./
+COPY --from=builder /builder/extracted/spring-boot-loader/ ./
+COPY --from=builder /builder/extracted/snapshot-dependencies/ ./
+COPY --from=builder /builder/extracted/application/ ./
+
+
+# Mock the service account token for CDS profile generation
+RUN mkdir -p /var/run/secrets/kubernetes.io/serviceaccount && \
+    echo "mock-token" > /var/run/secrets/kubernetes.io/serviceaccount/token && \
+    chmod 600 /var/run/secrets/kubernetes.io/serviceaccount/token
+
+# Create a dynamic archive
+RUN java -XX:ArchiveClassesAtExit=application.jsa -Dspring.context.exit=onRefresh -jar application.jar
+
+# Clean up the mocked token
+RUN rm -rf /var/run/secrets/kubernetes.io
+
+# Static archive
+# RUN java -Xshare:off -XX:DumpLoadedClassList=application.classlist -Dspring.context.exit=onRefresh -jar application.jar
+# RUN java -Xshare:dump -XX:SharedArchiveFile=application.jsa -XX:SharedClassListFile=application.classlist -Dspring.context.exit=onRefresh -cp application.jar
+
+RUN adduser -u 2000 -D wrongsecrets
 USER wrongsecrets
-CMD java -jar -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} -D /application.jar
+
+CMD java -jar -XX:SharedArchiveFile=application.jsa -Dspring.profiles.active=$(echo ${SPRING_PROFILES_ACTIVE}) -Dspringdoc.swagger-ui.enabled=${SPRINGDOC_UI} -Dspringdoc.api-docs.enabled=${SPRINGDOC_DOC} -D application.jar

Dockerfile.web

@@ -1,5 +1,5 @@
-FROM jeroenwillemsen/wrongsecrets:1.10.0-no-vault
-ARG argBasedVersion="1.10.0-no-vault"
+FROM jeroenwillemsen/wrongsecrets:1.10.2-CDS-no-vault
+ARG argBasedVersion="1.10.2-no-vault"
 ARG CANARY_URLS="http://canarytokens.com/terms/about/s7cfbdakys13246ewd8ivuvku/post.jsp,http://canarytokens.com/terms/about/y0all60b627gzp19ahqh7rl6j/post.jsp"
 ARG CTF_ENABLED=false
 ARG HINTS_ENABLED=true

LICENSE

@@ -629,7 +629,7 @@ to attach them to the start of each source file to most effectively
 state the exclusion of warranty; and each file should have at least
 the "copyright" line and a pointer to where the full notice is found.
 
-    Copyright (c) 2020-2024 Jeroen Willemsen and WrongSecret contributors.
+    Copyright (c) 2020-2025 Jeroen Willemsen and WrongSecret contributors.
 
     This program is free software: you can redistribute it and/or modify
     it under the terms of the GNU Affero General Public License as published by

README.md

@@ -70,7 +70,7 @@ an [issue](https://github.com/OWASP/wrongsecrets/issues) , or
 use [discussions](https://github.com/OWASP/wrongsecrets/discussions). Please note that this is an OWASP volunteer
 based project, so it might take a little while before we respond.
 
-Copyright (c) 2020-2024 Jeroen Willemsen and WrongSecrets contributors.
+Copyright (c) 2020-2025 Jeroen Willemsen and WrongSecrets contributors.
 
 ## Basic docker exercises
 
@@ -316,31 +316,32 @@ Contributors:
 - [Rodolfo Cabral Neves @roddas](https://www.github.com/roddas)
 - [Osama Magdy @osamamagdy](https://www.github.com/osamamagdy)
 - [Shubham Patel @Shubham-Patel07](https://www.github.com/Shubham-Patel07)
+- [za @za](https://www.github.com/za)
 - [Divyanshu Dev @Novice-expert](https://www.github.com/Novice-expert)
 - [Tibor Hercz @tiborhercz](https://www.github.com/tiborhercz)
-- [za @za](https://www.github.com/za)
 - [Chris Elbring Jr. @neatzsche](https://www.github.com/neatzsche)
+- [Adarsh A @adarsh-a-tw](https://www.github.com/adarsh-a-tw)
 - [Diamond Rivero @diamant3](https://www.github.com/diamant3)
 - [Norbert Wolniak @nwolniak](https://www.github.com/nwolniak)
-- [Adarsh A @adarsh-a-tw](https://www.github.com/adarsh-a-tw)
 - [Filip Chyla @fchyla](https://www.github.com/fchyla)
-- [Turjo Chowdhury @turjoc120](https://www.github.com/turjoc120)
-- [Vineeth Jagadeesh @djvinnie](https://www.github.com/djvinnie)
 - [Dmitry Litosh @Dlitosh](https://www.github.com/Dlitosh)
+- [Vineeth Jagadeesh @djvinnie](https://www.github.com/djvinnie)
+- [Turjo Chowdhury @turjoc120](https://www.github.com/turjoc120)
+- [SndR @SndR85](https://www.github.com/SndR85)
 - [Josh Grossman @tghosth](https://www.github.com/tghosth)
 - [alphasec @alphasecio](https://www.github.com/alphasecio)
 - [CaduRoriz @CaduRoriz](https://www.github.com/CaduRoriz)
 - [Madhu Akula @madhuakula](https://www.github.com/madhuakula)
 - [Mike Woudenberg @mikewoudenberg](https://www.github.com/mikewoudenberg)
 - [Spyros @northdpole](https://www.github.com/northdpole)
 - [RubenAtBinx @RubenAtBinx](https://www.github.com/RubenAtBinx)
-- [Jeff Tong @Wind010](https://www.github.com/Wind010)
-- [Fern @f3rn0s](https://www.github.com/f3rn0s)
-- [Shlomo Zalman Heigh @szh](https://www.github.com/szh)
-- [Rick M @kingthorin](https://www.github.com/kingthorin)
-- [Nicolas Humblot @nhumblot](https://www.github.com/nhumblot)
-- [Danny Lloyd @dannylloyd](https://www.github.com/dannylloyd)
 - [Alex Bender @alex-bender](https://www.github.com/alex-bender)
+- [Danny Lloyd @dannylloyd](https://www.github.com/dannylloyd)
+- [Nicolas Humblot @nhumblot](https://www.github.com/nhumblot)
+- [Rick M @kingthorin](https://www.github.com/kingthorin)
+- [Shlomo Zalman Heigh @szh](https://www.github.com/szh)
+- [Fern @f3rn0s](https://www.github.com/f3rn0s)
+- [Jeff Tong @Wind010](https://www.github.com/Wind010)
 
 Testers:
 

aws/k8s-aws-alb-script.sh

@@ -24,7 +24,7 @@ fi
 ACCOUNT_ID=$(aws sts get-caller-identity | jq '.Account' -r)
 echo "ACCOUNT_ID=${ACCOUNT_ID}"
 
-LBC_VERSION="v2.10.1"
+LBC_VERSION="v2.11.0"
 echo "LBC_VERSION=$LBC_VERSION"
 
 # echo "executing eksctl utils associate-iam-oidc-provider"

aws/k8s/secret-challenge-vault-deployment.yml

@@ -58,7 +58,7 @@ spec:
             volumeAttributes:
               secretProviderClass: "wrongsecrets-aws-secretsmanager"
       containers:
-        - image: jeroenwillemsen/wrongsecrets:1.10.0-k8s-vault
+        - image: jeroenwillemsen/wrongsecrets:1.10.2-k8s-vault
           imagePullPolicy: IfNotPresent
           name: secret-challenge
           command: [ "/bin/sh" ]

aws/main.tf

@@ -40,7 +40,7 @@ data "aws_availability_zones" "available" {}
 
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
-  version = "~> 5.15.0"
+  version = "~> 5.17.0"
 
   name                 = "${var.cluster_name}-vpc"
   cidr                 = local.vpc_cidr
@@ -65,7 +65,7 @@ module "vpc" {
 
 module "eks" {
   source  = "terraform-aws-modules/eks/aws"
-  version = "20.29.0"
+  version = "20.33.1"
 
   cluster_name    = var.cluster_name
   cluster_version = var.cluster_version

aws/versions.tf

@@ -4,7 +4,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.76.0"
+      version = "~> 5.84.0"
     }
     random = {
       source  = "hashicorp/random"