Update to Spring Boot 3

.github/workflows/ci-dependency-check.yml

@@ -15,7 +15,7 @@ jobs:
     steps:
       - uses: actions/setup-java@v2
         with:
-          java-version: 11
+          java-version: 17
           distribution: adopt
       - uses: actions/checkout@v2
         with:

.github/workflows/ci-main.yml

@@ -6,11 +6,11 @@ on:
       - main
 jobs:
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/setup-java@v2
         with:
-          java-version: 11
+          java-version: 17
           distribution: adopt
       - uses: actions/checkout@v2
         with:
@@ -61,11 +61,11 @@ jobs:
           name: DGCG001_PRD
           path: target/DGCG001_PRD*
   build-docker:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/setup-java@v2
         with:
-          java-version: 11
+          java-version: 17
           distribution: adopt
       - uses: actions/checkout@v2
         with:
@@ -115,11 +115,11 @@ jobs:
           APP_PACKAGES_USERNAME: ${{ github.actor }}
           APP_PACKAGES_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
   license:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/setup-java@v2
         with:
-          java-version: 11
+          java-version: 17
           distribution: adopt
       - uses: actions/checkout@v2
         with:

.github/workflows/ci-openapi.yml

@@ -6,11 +6,11 @@ on:
       - created
 jobs:
   release:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/setup-java@v2
         with:
-          java-version: 11
+          java-version: 17
           distribution: adopt
       - uses: actions/checkout@v2
         with:

.github/workflows/ci-pull-request.yml

@@ -7,11 +7,11 @@ on:
       - reopened
 jobs:
   build:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/setup-java@v2
         with:
-          java-version: 11
+          java-version: 17
           distribution: adopt
       - uses: actions/checkout@v2
         with:

.github/workflows/ci-release-notes.yml

@@ -5,7 +5,7 @@ on:
       - created
 jobs:
   release-notes:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
         with:

.github/workflows/ci-release.yml

@@ -5,11 +5,11 @@ on:
       - created
 jobs:
   release:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/setup-java@v2
         with:
-          java-version: 11
+          java-version: 17
           distribution: adopt
       - uses: actions/checkout@v2
         with:

.github/workflows/ci-sonar.yml

@@ -10,11 +10,11 @@ on:
       - reopened
 jobs:
   sonar:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/setup-java@v2
         with:
-          java-version: 11
+          java-version: 17
           distribution: adopt
       - uses: actions/checkout@v2
         with:

.github/workflows/codeql.yml

@@ -32,7 +32,7 @@ jobs:
       - name: Setup Java 11
         uses: actions/setup-java@v2
         with:
-          java-version: 11
+          java-version: 17
           distribution: adopt
 
       - name: Build

owasp/suppressions.xml

@@ -1,29 +1,29 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <suppress>
-        <notes>Bug only affects not used features of embedded tomcat.</notes>
-        <cve>CVE-2022-23181</cve>
+        <notes>no YAML content from users is parsed within this service</notes>
+        <cve>CVE-2022-1471</cve>
     </suppress>
     <suppress>
-        <notes>False Positive</notes>
-        <cve>CVE-2016-1000027</cve>
+        <notes>Bitcoin CLI is not used by the JSON LD Lib</notes>
+        <cve>CVE-2021-3401</cve>
+        <cve>CVE-2021-31876</cve>
     </suppress>
     <suppress>
-        <notes>False Positive - Updated to newest version</notes>
-        <cve>CVE-2018-14335</cve>
+        <notes>H2 is only used for testing, not production</notes>
+        <cve>CVE-2022-45868</cve>
     </suppress>
     <suppress>
-        <notes>False Positive</notes>
-        <cve>CVE-2020-5408</cve>
+        <notes>False positive. CVE is matching for hutools. OWASP Check matches for json-lib</notes>
+        <cve>CVE-2022-45688</cve>
     </suppress>
     <suppress>
-        <notes>Only affecting example code shipped with tomcat.</notes>
-        <cve>CVE-2022-34305</cve>
+        <notes>Both CVE are matching for eclipse ide</notes>
+        <cve>CVE-2008-7271</cve>
+        <cve>CVE-2010-4647</cve>
     </suppress>
     <suppress>
-        <notes>DGCG is not using YML User Input, Bug is fixed with SnameYAML 1.32, but CVE Matcher is invalid</notes>
-        <cve>CVE-2022-38751</cve>
-        <cve>CVE-2022-38752</cve>
+        <notes>Still WIP</notes>
+        <cve>CVE-2022-41862</cve>
     </suppress>
-
 </suppressions>

pom.xml

@@ -5,9 +5,9 @@
     <modelVersion>4.0.0</modelVersion>
 
     <parent>
-        <groupId>org.springframework.boot</groupId>
-        <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.7.4</version>
+        <groupId>org.springframework.cloud</groupId>
+        <artifactId>spring-cloud-starter-parent</artifactId>
+        <version>2022.0.1</version>
         <relativePath/>
     </parent>
 
@@ -36,32 +36,27 @@
     <properties>
         <packaging.format>war</packaging.format>
         <!-- java -->
-        <java.version>11</java.version>
-        <maven.compiler.source>11</maven.compiler.source>
-        <maven.compiler.target>11</maven.compiler.target>
+        <java.version>17</java.version>
+        <maven.compiler.source>17</maven.compiler.source>
+        <maven.compiler.target>17</maven.compiler.target>
         <!-- charset -->
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <!-- dependencies -->
-        <owasp.version>7.1.2</owasp.version>
-        <spring.security.version>5.7.3</spring.security.version>
-        <lombok.version>1.18.24</lombok.version>
-        <liquibase.version>4.17.0</liquibase.version>
-        <springdoc.version>1.6.11</springdoc.version>
-        <mapstruct.version>1.5.2.Final</mapstruct.version>
-        <bcpkix.version>1.70</bcpkix.version>
-        <semver4j.version>3.1.0</semver4j.version>
+        <dgclib.version>2.0.0</dgclib.version>
+        <owasp.version>8.0.2</owasp.version>
+        <springdoc.version>1.6.14</springdoc.version>
+        <mapstruct.version>1.5.3.Final</mapstruct.version>
+        <bcpkix.version>1.72</bcpkix.version>
+        <semver4j.version>4.1.1</semver4j.version>
         <json-schema.version>1.14.1</json-schema.version>
-        <shedlock.version>4.42.0</shedlock.version>
-        <spring.cloud.version>2021.0.4</spring.cloud.version>
-        <h2.version>2.1.214</h2.version>
-        <dgc.lib.version>1.3.2</dgc.lib.version>
+        <shedlock.version>5.1.0</shedlock.version>
         <!-- plugins -->
         <plugin.maven-assembly.version>3.4.2</plugin.maven-assembly.version>
-        <plugin.checkstyle.version>3.2.0</plugin.checkstyle.version>
+        <plugin.checkstyle.version>3.2.1</plugin.checkstyle.version>
         <plugin.sonar.version>3.9.1.2184</plugin.sonar.version>
         <plugin.jacoco.version>0.8.8</plugin.jacoco.version>
-        <plugin.os-maven.version>1.7.0</plugin.os-maven.version>
+        <plugin.os-maven.version>1.7.1</plugin.os-maven.version>
         <!-- license -->
         <license.projectName>EU Digital Green Certificate Gateway Service / dgc-gateway</license.projectName>
         <license.inceptionYear>2021</license.inceptionYear>
@@ -132,26 +127,14 @@
         </repository>
     </distributionManagement>
 
-    <dependencyManagement>
-        <dependencies>
-            <dependency>
-                <groupId>org.springframework.cloud</groupId>
-                <artifactId>spring-cloud-dependencies</artifactId>
-                <version>${spring.cloud.version}</version>
-                <type>pom</type>
-                <scope>import</scope>
-            </dependency>
-        </dependencies>
-    </dependencyManagement>
-
     <dependencies>
         <dependency>
             <groupId>eu.europa.ec.dgc</groupId>
             <artifactId>dgc-lib</artifactId>
-            <version>${dgc.lib.version}</version>
+            <version>${dgclib.version}</version>
         </dependency>
         <dependency>
-            <groupId>com.vdurmont</groupId>
+            <groupId>org.semver4j</groupId>
             <artifactId>semver4j</artifactId>
             <version>${semver4j.version}</version>
         </dependency>
@@ -161,28 +144,12 @@
             <version>${json-schema.version}</version>
         </dependency>
         <dependency>
-            <groupId>mysql</groupId>
-            <artifactId>mysql-connector-java</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter</artifactId>
-            <exclusions>
-                <exclusion>
-                    <groupId>org.yaml</groupId>
-                    <artifactId>snakeyaml</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <dependency>
-            <groupId>org.yaml</groupId>
-            <artifactId>snakeyaml</artifactId>
-            <version>[1.33,)</version>
+            <groupId>com.mysql</groupId>
+            <artifactId>mysql-connector-j</artifactId>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>[2.13.4.2,)</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
@@ -226,17 +193,6 @@
         <dependency>
             <groupId>org.liquibase</groupId>
             <artifactId>liquibase-core</artifactId>
-            <exclusions>
-                <exclusion>
-                    <groupId>org.apache.commons</groupId>
-                    <artifactId>commons-text</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-text</artifactId>
-            <version>[1.10.0,)</version>
         </dependency>
         <dependency>
             <groupId>org.projectlombok</groupId>
@@ -251,7 +207,6 @@
         <dependency>
             <groupId>com.h2database</groupId>
             <artifactId>h2</artifactId>
-            <version>${h2.version}</version>
             <scope>runtime</scope>
         </dependency>
         <dependency>
@@ -261,13 +216,12 @@
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
-            <artifactId>bcpkix-jdk15on</artifactId>
+            <artifactId>bcpkix-jdk18on</artifactId>
             <version>${bcpkix.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-web</artifactId>
-            <version>${spring.security.version}</version>
         </dependency>
         <dependency>
             <groupId>net.javacrumbs.shedlock</groupId>
@@ -284,11 +238,6 @@
     <build>
         <pluginManagement>
             <plugins>
-                <plugin>
-                    <groupId>org.apache.maven.plugins</groupId>
-                    <artifactId>maven-checkstyle-plugin</artifactId>
-                    <version>${plugin.checkstyle.version}</version>
-                </plugin>
                 <plugin>
                     <groupId>org.sonarsource.scanner.maven</groupId>
                     <artifactId>sonar-maven-plugin</artifactId>
@@ -334,14 +283,14 @@
                 <configuration>
                     <suppressionFile>./owasp/suppressions.xml</suppressionFile>
                     <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
+                    <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
                 </configuration>
             </plugin>
             <plugin>
                 <groupId>org.springframework.boot</groupId>
                 <artifactId>spring-boot-maven-plugin</artifactId>
-                <version>${project.parent.version}</version>
                 <configuration>
-                    <profiles>dev</profiles>
+                    <profiles>dev,log2console</profiles>
                     <wait>5000</wait>
                     <maxAttempts>30</maxAttempts>
                 </configuration>
@@ -369,10 +318,10 @@
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-checkstyle-plugin</artifactId>
+                <version>${plugin.checkstyle.version}</version>
                 <configuration>
                     <configLocation>codestyle/checkstyle.xml</configLocation>
                     <excludes>target/**/*</excludes>
-                    <encoding>UTF-8</encoding>
                     <consoleOutput>true</consoleOutput>
                     <failsOnError>true</failsOnError>
                     <violationSeverity>warning</violationSeverity>

src/main/java/eu/europa/ec/dgc/gateway/client/JrcClient.java

@@ -21,7 +21,7 @@
 package eu.europa.ec.dgc.gateway.client;
 
 import eu.europa.ec.dgc.gateway.model.JrcRatValuesetResponse;
-import javax.validation.Valid;
+import jakarta.validation.Valid;
 import org.springframework.cloud.openfeign.FeignClient;
 import org.springframework.http.MediaType;
 import org.springframework.validation.annotation.Validated;