-
Notifications
You must be signed in to change notification settings - Fork 68
/
build.gradle
103 lines (92 loc) · 4.32 KB
/
build.gradle
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
import org.cloudfoundry.credhub.gradlebuild.DependenciesGraphPlugin
buildscript {
ext {
apacheCommonsLang3Version = '3.17.0'
apacheCommonsIoVersion = '2.17.0'
apacheHttpClientVersion = '4.5.14'
asciiDoctorConvertPluginVersion = '4.0.3'
bcpkixFipsVersion = '2.0.7'
bcFipsVersion = '2.0.0'
commonsCodecVersion = '1.17.1' // remove this after deleting (now deprecated) spring-security-oauth2
flywayVersion = '7.15.0'
guavaVersion = '33.3.1-jre'
h2Version = '1.4.200'
jsonPathVersion = '2.9.0'
kotlinVersion = '2.0.21'
ktlintVersion = '0.49.1'
passayVersion = '1.6.6'
postgresqlJdbcVersion = '42.7.4'
springRestDocsVersion = '2.0.8.RELEASE'
springBootVersion = '2.7.18'
springSecurityOauth2Version = '2.5.2.RELEASE'
springSecurityOauth2AutoconfigureVersion = '2.6.8'
mariadbJdbcVersion = '2.7.12' // Bumping to v3 breaks some pipeline jobs, so pinning to v2 for now. v2 (current version) is stable and will be supported until about September 2025 (https://mariadb.com/kb/en/about-mariadb-connector-j/).
snakeyamlVersion = '2.3'
grpcVersion = '1.68.1'
// We need to stay with protobuf-java & protoc 3.25.x as the latest
// grpc still depends on protobuf-java & protoc 3.25.x. Once we
// bump grpc to version that depnds on protobuf-java & protoc to 4.x.x,
// it is likely that we are going to get conflicts because we also have
// direct dependency to protobuf 3.25.x. We will need to bump protobuf
// version to 4.x.x then.
protoBufJavaVersion = '3.25.5'
protoCVersion = '3.25.5'
}
repositories {
mavenCentral()
maven { url("https://repo.spring.io/plugins-release") }
maven { url("https://plugins.gradle.org/m2/") }
}
dependencies {
classpath("org.jetbrains.kotlin:kotlin-gradle-plugin:${kotlinVersion}")
classpath("org.jetbrains.kotlin:kotlin-allopen:${kotlinVersion}")
classpath("org.owasp:dependency-check-gradle:11.1.0")
classpath("org.bouncycastle:bc-fips:${bcFipsVersion}")
classpath("org.bouncycastle:bcpkix-fips:${bcpkixFipsVersion}")
}
// Versions we're overriding from the Spring Boot Bom (Dependabot does not issue PRs to bump these versions, so we need to manually bump them)
// spring-boot 2.7.18 has dependency to spring-framework 5.3.31, which has
// CVE-2024-22243. So, override that with spring-framework 5 latest patch
// version. This should be removed once spring-boot version is bumped.
ext["spring-framework.version"] = "5.3.39"
// spring-boot 2.7.18 provides spring-security 5.7.11, which has
// CVE-2024-22257. So, override that with spring-security 5.7 latest patch
// version. This should be removed once spring-boot version is bumped.
ext['spring-security.version'] = '5.8.15'
// spring-boot 2.7.18 has dependency to io.netty 4.1.101, which has
// CVE-2024-29025. So override it with the latest patch.
ext['netty.version'] = '4.1.112.Final'
// spring-boot 2.7.18 has dependency to tomcat-embed-core 9.0.83, which
// has multipe CVEs including CVE-2024-34750. Setting it to 9.0.95
ext["tomcat.version"] = '9.0.95'
}
plugins {
id 'com.github.ben-manes.versions' version '0.51.0'
}
apply plugin: DependenciesGraphPlugin
apply plugin: "org.owasp.dependencycheck"
dependencyUpdates.resolutionStrategy = {
componentSelection { rules ->
rules.all { ComponentSelection selection ->
boolean rejected = ['alpha', 'beta', 'rc', 'cr', 'm'].any { qualifier ->
selection.candidate.version ==~ /(?i).*[.-]${qualifier}[.\d-]*/
}
if (rejected) {
selection.reject('Release candidate')
}
}
}
}
subprojects {
plugins.withType(JavaPlugin) {
dependencies {
implementation("org.yaml:snakeyaml:${snakeyamlVersion}")
implementation("com.h2database:h2:${h2Version}")
implementation("com.google.guava:guava:${guavaVersion}")
testImplementation("org.mockito:mockito-inline")
}
}
}
// Override spring boot's kotllin version dependency
ext['kotlin.version'] = '${kotlinVersion}'
assert JavaVersion.current().isCompatibleWith(JavaVersion.VERSION_17)