diff --git a/build.gradle b/build.gradle
index 6d69f1c5..0a05ec64 100644
--- a/build.gradle
+++ b/build.gradle
@@ -35,6 +35,22 @@ subprojects {
 testRuntimeOnly(libs.junit.platform.launcher)
 testImplementation(libs.mockito.core)
 testImplementation(libs.mockito.junit.jupiter)
+
+ // Security constraints
+ constraints {
+ implementation("ch.qos.logback:logback-core:1.5.15") {
+ because("versions below 1.5.15 have security vulnerabilities - see dependabot #7, #6")
+ }
+ implementation("ch.qos.logback:logback-classic:1.5.15") {
+ because("versions below 1.5.15 have security vulnerabilities - see dependabot #7, #6")
+ }
+ implementation("org.springframework:spring-web:6.2.8") {
+ because("versions below 6.2.8 have security vulnerabilities including CVE-2024-38820 - see dependabot #12")
+ }
+ implementation("org.apache.tomcat.embed:tomcat-embed-core:10.1.42") {
+ because("versions below 10.1.42 have security vulnerabilities including CVE-2024-56337 - see dependabot #13")
+ }
+ }
 }
 
 jacoco {
@@ -80,23 +96,4 @@ subprojects {
 ruleSets = ["$rootDir/ruleset.xml"]
 }
 
- // Needed for security. See:
- // - https://github.com/getyourguide/openapi-validation-java/security/dependabot/7
- // - https://github.com/getyourguide/openapi-validation-java/security/dependabot/6
- // Hopefully with spring-boot 3.4.2+ this won't be needed anymore and can be removed.
- configurations.configureEach {
- resolutionStrategy.eachDependency {details ->
- if (details.requested.group == 'ch.qos.logback'
- && (details.requested.name == 'logback-core' || details.requested.name == 'logback-classic')
- ) {
- def parse = { String v -> v.tokenize('.').collect { it.padLeft(3, '0') }.join() }
- def current = parse(details.requested.version)
- def minimum = parse('1.5.15')
- if (current < minimum) {
- details.useVersion '1.5.15'
- details.because 'Security requirement: forcing logback version'
- }
- }
- }
- }
 }
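Review bot: The new `constraints { implementation(...) }` block in the first hunk only reaches configurations that extend `implementation` (the compile and runtime classpaths and their test variants), whereas the `configurations.configureEach { resolutionStrategy.eachDependency ... }` guard removed in the second hunk covered every configuration of each subproject, so a configuration that does not extend `implementation` (for example `annotationProcessor` or a custom one) silently loses the logback floor. If that narrowing is intended it should be stated next to the block; otherwise the same constraints should be declared for those configurations too, or the `configurations.configureEach` guard kept for them. The `because(...)` strings name the advisories but say nothing about the pin's lifecycle, which the removed "Hopefully with spring-boot 3.4.2+ ..." comment did; a header such as `// Floors, not pins: a plain (non-strict) constraint only raises a transitively requested version, never lowers one. Drop each entry once the Spring Boot BOM manages a version >= it.` would preserve that guidance and make clear why no `strictly` is used. The enclosing `dependencies` block of this hunk starts before the hunk.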