[High] fecgov/openFEC:data/flyway/build.gradle - need a fix by Apr. 28, 2019 #3654

Closed
8 tasks done
qqss88 opened this issue Mar 28, 2019 · 3 comments · Fixed by #3676

Comments

@qqss88
Contributor

qqss88 commented Mar 28, 2019

Overview:
org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.

Affected versions of this package are vulnerable to Man-in-the-Middle (MitM). It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver.
Man-in-the-Middle (MitM)
https://app.snyk.io/org/fecgov/project/e6c155e9-f0ac-4a49-98fa-83c24f5b74b3/

Vulnerable module: org.postgresql:postgresql

Introduced through: org.flywaydb:flyway-commandline@5.1.3

Detailed paths:
Introduced through: project@0.0.0 › org.flywaydb:flyway-commandline@5.1.3 › org.postgresql:postgresql@42.2.2.jre6

Remediation: Upgrade org.postgresql:postgresql to version 42.2.5 or higher.

  • Install version 5.2.4 of Flyway
  • Update Flyway version to 5.2.4 here
  • Update Flyway version to 5.2.4 here
  • Update README with new version instructions
  • Update team google doc instructions
  • Test with manual deploy - make sure flyway checks to see if there are any new migrations
  • Test migration with headless app (look for flyway-independent-migration). As a team we decided we could skip this step since we tested it with the last upgrade. We find manual deploy to be sufficient.
  • Give devs instructions on updating local
@JonellaCulmer JonellaCulmer added this to the Sprint 8.5 milestone Mar 28, 2019
@JonellaCulmer JonellaCulmer changed the title [High]fecgov/openFEC:data/flyway/build.gradle - need a fix by 20190428 [High]fecgov/openFEC:data/flyway/build.gradle - need a fix by Apr. 28, 2019 Mar 29, 2019
@lbeaufort
Member

It looks like currently Flyway version 5.1.3 downloads
flyway-5.1.3/drivers/postgresql-42.2.2.jre6.jar

I'm thinking we might need to upgrade Flyway version, but we need to figure out if that will automatically update the postgresql driver.
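A check for the question above (does upgrading Flyway also bring in a fixed driver?), added here as an example and not code from the issue or the openFEC repository: it reads the jar names in a Flyway distribution's drivers/ directory, such as the flyway-5.1.3/drivers/postgresql-42.2.2.jre6.jar path quoted above, and reports whether the bundled pgjdbc version meets the 42.2.5 minimum from the Snyk remediation advice. The default directory name flyway-5.2.4 and the function names are assumptions.

```python
import re
from pathlib import Path
from typing import List, Optional, Tuple

# Minimum fixed driver version named in the Snyk remediation advice.
MIN_FIXED_VERSION = (42, 2, 5)

# Matches e.g. "postgresql-42.2.2.jre6.jar". The optional ".jreN" suffix marks the
# target JRE, not a different fix level, so it is accepted but not compared.
DRIVER_JAR_RE = re.compile(r"^postgresql-(\d+)\.(\d+)\.(\d+)(?:\.jre\d+)?\.jar$")


def parse_driver_version(jar_name: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a pgjdbc jar name, or None if it is not one."""
    m = DRIVER_JAR_RE.match(jar_name)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def check_driver_jars(jar_names: List[str]):
    """Classify the jar names found in a Flyway drivers/ directory.

    Returns (driver_version, is_fixed). driver_version is None when no pgjdbc jar
    is present; is_fixed is True only when exactly one driver is found and it is
    at least 42.2.5. With several copies the classpath order decides which one
    loads, so that case is reported as not verified (lowest version shown).
    """
    versions = [v for v in map(parse_driver_version, jar_names) if v is not None]
    if len(versions) != 1:
        return (min(versions) if versions else None), False
    return versions[0], versions[0] >= MIN_FIXED_VERSION


def check_flyway_install(flyway_dir: str):
    """Inspect <flyway_dir>/drivers on disk, e.g. after unpacking a Flyway release."""
    drivers = Path(flyway_dir) / "drivers"
    names = [p.name for p in drivers.iterdir()] if drivers.is_dir() else []
    return check_driver_jars(names)


if __name__ == "__main__":
    import sys

    # Assumed default directory name; pass the real unpack location as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "flyway-5.2.4"
    version, ok = check_flyway_install(target)
    print(f"{target}: pgjdbc driver {version}, meets 42.2.5 minimum: {ok}")
```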

@pkfec
Contributor

pkfec commented Apr 4, 2019

@lbeaufort I have installed the latest version of flyway 5.2.4 and ran the migrations against my local test db. This latest version of flyway comes with an upgraded postgresql-42.2.5.jre6.jar. Didn't run into any issues on my local. Hope this helps.

[Screenshot attached: Screen Shot 2019-04-04 at 12 01 57 PM]

@lbeaufort
Member

That is great, thank you so much @pkfec!

@lbeaufort lbeaufort changed the title [High]fecgov/openFEC:data/flyway/build.gradle - need a fix by Apr. 28, 2019 [High] fecgov/openFEC:data/flyway/build.gradle - need a fix by Apr. 28, 2019 Apr 8, 2019