Keycloak CVE fix GHSA-f8h5-v2vg-46rr

keycloak.yaml

@@ -32,6 +32,10 @@ pipeline:
       tag: ${{package.version}}
       expected-commit: 27d38787d9eae0854f79a358cda77f834008b71a
 
+  - uses: patch
+    with:
+      patches: GHSA-f8h5-v2vg-46rr.patch
+
   - uses: maven/pombump
 
   - runs: |

keycloak/GHSA-f8h5-v2vg-46rr.patch

@@ -0,0 +1,72 @@
+Remove the deprecated function and add a check in the mapper to avoid flaky builds. Upstream ref: https://github.com/keycloak/keycloak/pull/28055
+
+diff --git a/pom.xml b/pom.xml
+index 911650e887..f2d42206f8 100644
+--- a/pom.xml
++++ b/pom.xml
+@@ -45,8 +45,8 @@
+         <jboss.snapshots.repo.id>jboss-snapshots-repository</jboss.snapshots.repo.id>
+         <jboss.snapshots.repo.url>https://s01.oss.sonatype.org/content/repositories/snapshots/</jboss.snapshots.repo.url>
+
+-        <quarkus.version>3.8.3</quarkus.version>
+-        <quarkus.build.version>3.8.3</quarkus.build.version>
++        <quarkus.version>3.9.2</quarkus.version>
++        <quarkus.build.version>3.9.2</quarkus.build.version>
+
+         <project.build-time>${timestamp}</project.build-time>
+
+diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/PropertyMappingInterceptor.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/PropertyMappingInterceptor.java
+index cc89bcd832..de9f33869a 100644
+--- a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/PropertyMappingInterceptor.java
++++ b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/PropertyMappingInterceptor.java
+@@ -27,7 +27,6 @@ import org.keycloak.quarkus.runtime.configuration.mappers.PropertyMapper;
+ import org.keycloak.quarkus.runtime.configuration.mappers.PropertyMappers;
+
+ import java.util.Iterator;
+-import java.util.function.Function;
+
+ import static org.keycloak.quarkus.runtime.Environment.isRebuild;
+
+@@ -55,12 +54,12 @@ public class PropertyMappingInterceptor implements ConfigSourceInterceptor {
+     public static void enable() {
+         disable.remove();
+     }
+-    
+-    <T> Iterator<T> filterRuntime(Iterator<T> iter, Function<T, String> nameFunc) {
++
++    static Iterator<String> filterRuntime(Iterator<String> iter) {
+         if (!isRebuild() && !Environment.isRebuildCheck()) {
+             return iter;
+         }
+-        return new FilterIterator<>(iter, item -> !isRuntime(nameFunc.apply(item)));
++        return new FilterIterator<>(iter, item -> !isRuntime(item));
+     }
+
+     static boolean isRuntime(String name) {
+@@ -70,12 +69,7 @@ public class PropertyMappingInterceptor implements ConfigSourceInterceptor {
+
+     @Override
+     public Iterator<String> iterateNames(ConfigSourceInterceptorContext context) {
+-        return filterRuntime(context.iterateNames(), Function.identity());
+-    }
+-
+-    @Override
+-    public Iterator<ConfigValue> iterateValues(ConfigSourceInterceptorContext context) {
+-        return filterRuntime(context.iterateValues(), ConfigValue::getName);
++        return filterRuntime(context.iterateNames());
+     }
+
+     @Override
+diff --git a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/PropertyMapper.java b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/PropertyMapper.java
+index cbd7093e37..e084e3f99e 100644
+--- a/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/PropertyMapper.java
++++ b/quarkus/runtime/src/main/java/org/keycloak/quarkus/runtime/configuration/mappers/PropertyMapper.java
+@@ -203,7 +203,7 @@ public class PropertyMapper<T> {
+     }
+
+     private ConfigValue transformValue(String name, Optional<String> value, ConfigSourceInterceptorContext context, String configSourceName) {
+-        if (value == null) {
++        if (value == null || value.isEmpty()) {
+             return null;
+         }
+