Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add an owasp-check profile #30179

Merged
merged 1 commit into from
Jan 20, 2023
Merged

Add an owasp-check profile #30179

merged 1 commit into from
Jan 20, 2023

Conversation

sberyozkin
Copy link
Member

Make it easier to run OWASP checks on the whole project or individual extensions

@quarkus-bot quarkus-bot bot added area/dependencies Pull requests that update a dependency file area/documentation labels Jan 4, 2023
@quarkus-bot quarkus-bot bot added this to To do in Quarkus Documentation Jan 4, 2023
@quarkus-bot

This comment has been minimized.

Sign in to view
@loicmathieu
Copy link
Contributor

Hi @sberyozkin if I understand it correctly, this add the dependency check plugin in the Quarkus build itself.
Do you plan to create a github scheduled action for ex to check dependency violations each day ?
Maybe the CONTRIBUTING guide should be updated to explain how to check dependency violations when someone add a new dependency ?

@sberyozkin
Copy link
Member Author

Hi @loicmathieu

Do you plan to create a github scheduled action for ex to check dependency violations each day ?

Not yet, the initial motivation was to make it easier for anyone building Quarkus to check, now and then someone reports an OWASP issue so it could be handy to have an option to run a quick test inside a specific extension, without having to go to some demo, update the pom there, etc.

Adding an action can be the next step, I can experiment with setting up the one in my fork.
I should probably though update the dependabot rules to get the version updated regularly.

Maybe the CONTRIBUTING guide should be updated to explain how to check dependency violations when someone add a new dependency

I think it makes sense

@sberyozkin
Copy link
Member Author

Hmm, I can't invoke it as mvn -Pdependency-check dependency-check:check and instead have to call it as mvn -Pdependency-check org.owasp:dependency-check-maven:check, as it looks like pluginGroups can be added in settings.xml only, or can I define it somewhere in pom.xml ?

@loicmathieu
Copy link
Contributor

Plugin management is not easy with maven (I think they plan to improve it in Maven 4), maybe ask one of our Maven expert ;)

Please add a section in the CONTRIBUTING guide on how to launch it then I'll approve the PR.

@sberyozkin
Copy link
Member Author

Hi Loic @loicmathieu Just about to ping Alexey on dev, I wanted to add a shorter line to the contributions doc :-)

@sberyozkin
Copy link
Member Author

@loicmathieu, have a look please, that should look better now with thanks to @aloubyansky.

I'll investigate how to add an action and have a complete report aggregated as well, soon enough after I get from PTO in one week's time

aloubyansky
aloubyansky reviewed Jan 6, 2023
View reviewed changes
Copy link
Member

@aloubyansky aloubyansky left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Having a plugin config in the pluginManagement should already allow mvn dependency-check:check in submodules. The profile could help with the defaultGoal.

build-parent/pom.xml Outdated Show resolved Hide resolved
build-parent/pom.xml Outdated Show resolved Hide resolved
aloubyansky
aloubyansky reviewed Jan 6, 2023
View reviewed changes
build-parent/pom.xml Outdated Show resolved Hide resolved
Quarkus Documentation automation moved this from To do to Reviewer approved Jan 6, 2023
@sberyozkin
Copy link
Member Author

Thanks Alexey and Loic for the ideas how to improve/simplify.

@sberyozkin
Copy link
Member Author

Lets also wait for Guillaume to check it

@sberyozkin sberyozkin changed the title Add a dependency-check profile Add an owasp-check profile Jan 6, 2023
@quarkus-bot

This comment has been minimized.

Sign in to view
loicmathieu
loicmathieu approved these changes Jan 7, 2023
View reviewed changes
Copy link
Contributor

@loicmathieu loicmathieu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lgtm

gsmet
gsmet requested changes Jan 9, 2023
View reviewed changes
Copy link
Member

@gsmet gsmet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I force pushed some formatting and documentation fixes.

But running mvn -Dowasp-check at the root doesn't work (because it's declared in the build-parent). Not sure if you wanted it to work but if so there's more work needed. If not, you should probably precise in the documentation that the command needs to be run in the extension directory.

Quarkus Documentation automation moved this from Reviewer approved to Review pending Jan 9, 2023
@gsmet
Copy link
Member

gsmet commented Jan 9, 2023

Also I tried to run it in extensions/hibernate-validator and ended up with the following error:

[ERROR] org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2020-36569'
org.owasp.dependencycheck.data.update.exception.UpdateException: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2020-36569'
    at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles (ProcessTask.java:157)
    at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call (ProcessTask.java:114)
    at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call (ProcessTask.java:41)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:829)
Caused by: org.owasp.dependencycheck.data.nvdcve.DatabaseException: Error updating 'CVE-2020-36569'
    at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability (CveDB.java:823)
    at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.parse (NvdCveParser.java:114)
    at org.owasp.dependencycheck.data.update.nvd.ProcessTask.importJSON (ProcessTask.java:141)
    at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles (ProcessTask.java:154)
    at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call (ProcessTask.java:114)
    at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call (ProcessTask.java:41)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:829)
Caused by: org.h2.jdbc.JdbcBatchUpdateException: Value too long for column "VERSIONENDEXCLUDING CHARACTER VARYING(60)": "'0.0.0-20160722212129-ac0cc4484ad4_before_v0.0.0-20200131131040-063a3fb69896' (75)"; SQL statement:
INSERT INTO software (cveid, cpeEntryId, versionEndExcluding, versionEndIncluding, versionStartExcluding, versionStartIncluding, vulnerable) VALUES (?, ?, ?, ?, ?, ?, ?) [22001-214]
    at org.h2.jdbc.JdbcPreparedStatement.executeBatch (JdbcPreparedStatement.java:1269)
    at org.apache.commons.dbcp2.DelegatingStatement.executeBatch (DelegatingStatement.java:241)
    at org.apache.commons.dbcp2.DelegatingStatement.executeBatch (DelegatingStatement.java:241)
    at org.owasp.dependencycheck.data.nvdcve.CveDB.executeBatch (CveDB.java:1248)
    at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerabilityInsertSoftware (CveDB.java:1098)
    at org.owasp.dependencycheck.data.nvdcve.CveDB.updateVulnerability (CveDB.java:816)
    at org.owasp.dependencycheck.data.update.nvd.NvdCveParser.parse (NvdCveParser.java:114)
    at org.owasp.dependencycheck.data.update.nvd.ProcessTask.importJSON (ProcessTask.java:141)
    at org.owasp.dependencycheck.data.update.nvd.ProcessTask.processFiles (ProcessTask.java:154)
    at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call (ProcessTask.java:114)
    at org.owasp.dependencycheck.data.update.nvd.ProcessTask.call (ProcessTask.java:41)
    at java.util.concurrent.FutureTask.run (FutureTask.java:264)
    at java.util.concurrent.ThreadPoolExecutor.runWorker (ThreadPoolExecutor.java:1128)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run (ThreadPoolExecutor.java:628)
    at java.lang.Thread.run (Thread.java:829)
[WARNING] A new version of dependency-check is available. Consider updating to version 7.4.4.
[WARNING] Unable to update 1 or more Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.

@quarkus-bot

This comment has been minimized.

Sign in to view
@sberyozkin
Copy link
Member Author

sberyozkin commented Jan 15, 2023
edited
Loading

@gsmet Thanks for the updates,

you should probably precise in the documentation that the command needs to be run in the extension directory.

Sure.

Will also try 7.4.4 with hibernate-validator

@sberyozkin
Copy link
Member Author

sberyozkin commented Jan 16, 2023
edited
Loading

Hi @gsmet

Not sure if it is 7.4.4 which fixed the error you reported or not, but it works OK,

[INFO] Checking for updates
[INFO] NVD CVE requires several updates; this could take a couple of minutes.
[INFO] Download Started for NVD CVE - 2002
[INFO] Download Complete for NVD CVE - 2002  (1152 ms)
....
[INFO] Processing Complete for NVD CVE - 2022  (27138 ms)
[INFO] Download Started for NVD CVE - Modified
[INFO] Download Complete for NVD CVE - Modified  (1009 ms)
[INFO] Processing Started for NVD CVE - Modified
[INFO] Processing Complete for NVD CVE - Modified  (1285 ms)
[INFO] Begin database maintenance
[INFO] Updated the CPE ecosystem on 125055 NVD records
[INFO] Removed the CPE ecosystem on 4 NVD records
[INFO] Cleaned up 6 orphaned NVD records
[INFO] End database maintenance (21143 ms)
[INFO] Begin database defrag
[INFO] End database defrag (5537 ms)
[INFO] Check for updates complete (226382 ms)

.....

Writing report to: /home/sberyozkin/work/rh/quarkusio/quarkus/extensions/hibernate-validator/deployment/target/dependency-check-report.html
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for Quarkus - Hibernate Validator 999-SNAPSHOT:
[INFO] 
[INFO] Quarkus - Hibernate Validator ...................... SUCCESS [03:55 min]
[INFO] Quarkus - Hibernate Validator - SPI ................ SUCCESS [ 10.735 s]
[INFO] Quarkus - Hibernate Validator - Runtime ............ SUCCESS [  8.957 s]
[INFO] Quarkus - Hibernate Validator - Deployment ......... SUCCESS [  7.297 s]

@sberyozkin
Copy link
Member Author

sberyozkin commented Jan 16, 2023
edited
Loading

Latest updates:

  • added a clarification to CONTRIBUTING.md that the check has to be run in the extension directory
  • updated version to 7.4.4
  • disabled the NET analyzer

We can further tune it as necessary

@quarkus-bot

This comment has been minimized.

Sign in to view
@quarkus-bot

This comment has been minimized.

Sign in to view
Quarkus Documentation automation moved this from Review pending to Reviewer approved Jan 19, 2023
@gsmet
Copy link
Member

gsmet commented Jan 19, 2023

I triggered another CI run as apparently something went wrong on the GitHub side.

@gsmet gsmet added the triage/waiting-for-ci Ready to merge when CI successfully finishes label Jan 19, 2023
@quarkus-bot

This comment has been minimized.

Sign in to view
@sberyozkin
Copy link
Member Author

Thanks, looks like it failed yesterday again, so I've triggered it once more

@quarkus-bot
Copy link

quarkus-bot bot commented Jan 20, 2023

Failing Jobs - Building 23ccc4d

Status Name Step Failures Logs Raw logs
Devtools Tests - JDK 11 Build Failures Logs Raw logs
Devtools Tests - JDK 11 Windows Build ⚠️ Check → Logs Raw logs
Devtools Tests - JDK 17 Build Failures Logs Raw logs
✔️ JVM Tests - JDK 11
✔️ JVM Tests - JDK 17
JVM Tests - JDK 18 Build ⚠️ Check → Logs Raw logs
Native Tests - Misc4 Build ⚠️ Check → Logs Raw logs

Full information is available in the Build summary check run.

Failures

⚙️ Devtools Tests - JDK 11 #

- Failing: integration-tests/devtools

📦 integration-tests/devtools

io.quarkus.devtools.codestarts.quarkus.HibernateOrmCodestartTest.testContent line 23 - More details - Source on GitHub

java.lang.AssertionError: 
[Snapshot is not matching (use -Dsnap to update it automatically): HibernateOrmCodestartTest/testContent/src_main_kotlin_ilove_quark_us_MyKotlinEntity.kt] 
Path:

io.quarkus.devtools.codestarts.quarkus.HibernateOrmPanacheKotlinCodestartTest.testContent line 23 - More details - Source on GitHub

java.lang.AssertionError: 
[Snapshot is not matching (use -Dsnap to update it automatically): HibernateOrmPanacheKotlinCodestartTest/testContent/src_main_kotlin_ilove_quark_us_MyKotlinEntity.kt] 
Path:

⚙️ Devtools Tests - JDK 17 #

- Failing: integration-tests/devtools

📦 integration-tests/devtools

io.quarkus.devtools.codestarts.quarkus.HibernateOrmCodestartTest.testContent line 23 - More details - Source on GitHub

java.lang.AssertionError: 
[Snapshot is not matching (use -Dsnap to update it automatically): HibernateOrmCodestartTest/testContent/src_main_kotlin_ilove_quark_us_MyKotlinEntity.kt] 
Path:

io.quarkus.devtools.codestarts.quarkus.HibernateOrmPanacheKotlinCodestartTest.testContent line 23 - More details - Source on GitHub

java.lang.AssertionError: 
[Snapshot is not matching (use -Dsnap to update it automatically): HibernateOrmPanacheKotlinCodestartTest/testContent/src_main_kotlin_ilove_quark_us_MyKotlinEntity.kt] 
Path:

@sberyozkin sberyozkin merged commit 975c1f3 into quarkusio:main Jan 20, 2023
Quarkus Documentation automation moved this from Reviewer approved to Done Jan 20, 2023
@quarkus-bot quarkus-bot bot removed the triage/waiting-for-ci Ready to merge when CI successfully finishes label Jan 20, 2023
@sberyozkin sberyozkin deleted the owasp-dependency-check branch January 20, 2023 22:32
@quarkus-bot quarkus-bot bot added this to the 2.17 - main milestone Jan 20, 2023
@sberyozkin
Copy link
Member Author

Guillaume, not sure it is worth mentioning it in the release notes but please add a label if you think it can be of interest

@gsmet gsmet modified the milestones: 2.17 - main, 2.16.1.Final Jan 27, 2023
benkard added a commit to benkard/mulkcms2 that referenced this pull request Apr 2, 2023
@benkard
Update all non-major dependencies (mulk/mulkcms2!13)
b9e425d 
This MR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [flow-bin](https://github.com/flowtype/flow-bin) ([changelog](https://github.com/facebook/flow/blob/master/Changelog.md)) | devDependencies | minor | [`^0.198.0` -> `^0.199.0`](https://renovatebot.com/diffs/npm/flow-bin/0.198.0/0.199.0) |
| [org.postgresql:postgresql](https://jdbc.postgresql.org) ([source](https://github.com/pgjdbc/pgjdbc)) | build | patch | `42.5.1` -> `42.5.2` |
| [io.quarkus:quarkus-maven-plugin](https://github.com/quarkusio/quarkus) | build | patch | `2.16.0.Final` -> `2.16.1.Final` |
| [io.quarkus:quarkus-universe-bom](https://github.com/quarkusio/quarkus-platform) | import | patch | `2.16.0.Final` -> `2.16.1.Final` |
| [org.apache.maven.plugins:maven-enforcer-plugin](https://maven.apache.org/enforcer/) | build | minor | `3.1.0` -> `3.2.1` |

---

### Release Notes

<details>
<summary>flowtype/flow-bin</summary>

### [`v0.199.0`](flow/flow-bin@0568b6e...05bb4e3)

[Compare Source](flow/flow-bin@0568b6e...05bb4e3)

### [`v0.198.2`](flow/flow-bin@0d01841...0568b6e)

[Compare Source](flow/flow-bin@0d01841...0568b6e)

### [`v0.198.1`](flow/flow-bin@2b180bb...0d01841)

[Compare Source](flow/flow-bin@2b180bb...0d01841)

</details>

<details>
<summary>pgjdbc/pgjdbc</summary>

### [`v42.5.2`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#&#8203;4252-2023-01-31-143046--0500)

##### Changed

docs: specify that timeouts are in seconds and there is a maximum. Housekeeping on some tests fixes [#Issue 2671](pgjdbc/pgjdbc#2671) [MR #&#8203;2686](pgjdbc/pgjdbc#2686)
docs: clarify binaryTransfer and add it to README [MR# 2698](pgjdbc/pgjdbc#2698)
docs: Document the need to encode reserved characters in the connection URL [MR #&#8203;2700](pgjdbc/pgjdbc#2700)
feat: Define binary transfer for custom types dynamically/automatically fixes [Issue #&#8203;2554](pgjdbc/pgjdbc#2554) [MR #&#8203;2556](pgjdbc/pgjdbc#2556)

##### Added

fix: added gssResponseTimeout as part of [MR #&#8203;2687](pgjdbc/pgjdbc#2687) to make sure we don't wait forever on a GSS RESPONSE

##### Fixed

fix: Ensure case of XML tags in Maven snippet is correct [MR #&#8203;2682](pgjdbc/pgjdbc#2682)
fix: Make sure socket is closed if an exception is thrown in createSocket fixes [Issue #&#8203;2684](pgjdbc/pgjdbc#2684) [MR #&#8203;2685](pgjdbc/pgjdbc#2685)
fix: Apply patch from [Issue #&#8203;2683](pgjdbc/pgjdbc#2683) to fix hanging ssl connections [MR #&#8203;2687](pgjdbc/pgjdbc#2687)
fix - binary conversion of (very) long numeric values (longer than 4 \* 2^15 digits) [MR #&#8203;2697](pgjdbc/pgjdbc#2697) fixes [Issue #&#8203;2695](pgjdbc/pgjdbc#2695)
minor: enhance readability connection of startup params [MR #&#8203;2705](pgjdbc/pgjdbc#2785)

</details>

<details>
<summary>quarkusio/quarkus</summary>

### [`v2.16.1.Final`](https://github.com/quarkusio/quarkus/releases/tag/2.16.1.Final)

[Compare Source](quarkusio/quarkus@2.16.0.Final...2.16.1.Final)

##### Complete changelog

-   [#&#8203;30729](quarkusio/quarkus#30729) - Bump mariadb-java-client from 3.1.1 to 3.1.2
-   [#&#8203;30724](quarkusio/quarkus#30724) - Upgrade to Mutiny 1.9.0
-   [#&#8203;30722](quarkusio/quarkus#30722) - Set SameSite Strict only on OIDC session cookie
-   [#&#8203;30720](quarkusio/quarkus#30720) - Bump picocli.version from 4.7.0 to 4.7.1
-   [#&#8203;30719](quarkusio/quarkus#30719) - Bump jackson-bom from 2.14.1 to 2.14.2
-   [#&#8203;30715](quarkusio/quarkus#30715) - PanacheRepositoryResource should implement ReactiveRestDataResource
-   [#&#8203;30713](quarkusio/quarkus#30713) - Use MapProperty instead of Map
-   [#&#8203;30694](quarkusio/quarkus#30694) - Use newer API for creating tmp files in RESTEasy Reactive
-   [#&#8203;30692](quarkusio/quarkus#30692) - Bump htmlunit version to 2.70.0
-   [#&#8203;30686](quarkusio/quarkus#30686) - Don't fail send when a sse sink has been closed
-   [#&#8203;30681](quarkusio/quarkus#30681) - RESTEasy Reactive: SSE broadcaster fails if a sink has been closed
-   [#&#8203;30680](quarkusio/quarkus#30680) - Mark methods generatred by ASM transformations as synthetic
-   [#&#8203;30659](quarkusio/quarkus#30659) - Drop unused class GradleLogger
-   [#&#8203;30653](quarkusio/quarkus#30653) - Fix opening in IDE when more than IDE is running
-   [#&#8203;30652](quarkusio/quarkus#30652) - Match prometheus export metrics format
-   [#&#8203;30651](quarkusio/quarkus#30651) - ArC - use reflection fallback for PreDestroy callbacks if needed
-   [#&#8203;30649](quarkusio/quarkus#30649) - Document redirect options in RESTEasy Reactive
-   [#&#8203;30644](quarkusio/quarkus#30644) - Adjust source language absent in documentation code blocks
-   [#&#8203;30636](quarkusio/quarkus#30636) - PreDestroy hooks fail depending on method modifiers
-   [#&#8203;30635](quarkusio/quarkus#30635) - Introduce a `minimum-java-version` in the extension descriptor metadata
-   [#&#8203;30625](quarkusio/quarkus#30625) - OIDC authentication loop if Cookie Policy sameSite=strict
-   [#&#8203;30624](quarkusio/quarkus#30624) - Fix NPE obtaining a project map from Maven session
-   [#&#8203;30622](quarkusio/quarkus#30622) - Update invalid package in guide
-   [#&#8203;30612](quarkusio/quarkus#30612) - Fix import file name in redis-reference.adoc
-   [#&#8203;30609](quarkusio/quarkus#30609) - Qute generated resolvers - getters should take precedence over fields
-   [#&#8203;30593](quarkusio/quarkus#30593) - Qute validation - improve hierarchy indexing to fix assignability issues
-   [#&#8203;30591](quarkusio/quarkus#30591) - Resolve correct version when application version is unset
-   [#&#8203;30589](quarkusio/quarkus#30589) - Bump junit-bom from 5.9.1 to 5.9.2
-   [#&#8203;30585](quarkusio/quarkus#30585) - Bump Microsoft SQL Server JDBC driver to 11.2.3
-   [#&#8203;30584](quarkusio/quarkus#30584) - Update MS SQL JDBC driver to version 11.2.3
-   [#&#8203;30576](quarkusio/quarkus#30576) - Use accept header to choose metrics export format
-   [#&#8203;30574](quarkusio/quarkus#30574) - Handle empty source directory for included builds
-   [#&#8203;30569](quarkusio/quarkus#30569) - Add default implementation for REST Data interfaces
-   [#&#8203;30564](quarkusio/quarkus#30564) - Update security-openid-connect-client.adoc
-   [#&#8203;30559](quarkusio/quarkus#30559) - container-image extension running with kubernetes extension
-   [#&#8203;30557](quarkusio/quarkus#30557) - AWT: JniRuntimeAccess: freetypeScaler.c calls sun.font.FontUtilities
-   [#&#8203;30548](quarkusio/quarkus#30548) - Add a blurb about not supporting validation.xml in Quarkus
-   [#&#8203;30526](quarkusio/quarkus#30526) - RESTEasy classic servlets - add RoutingContext to active request context
-   [#&#8203;30515](quarkusio/quarkus#30515) - Native build fails with hibernate-orm-rest-data-panache + elytron-security-properties-file
-   [#&#8203;30513](quarkusio/quarkus#30513) - Limit application.properties lookup to main source set
-   [#&#8203;30510](quarkusio/quarkus#30510) - Simplify logic in create-app.adoc and allow to define stream
-   [#&#8203;30501](quarkusio/quarkus#30501) - Fix HibernateOrmCodestart
-   [#&#8203;30500](quarkusio/quarkus#30500) - Place extension with an unknown category in the uncategorized category
-   [#&#8203;30496](quarkusio/quarkus#30496) - Update documentation
-   [#&#8203;30490](quarkusio/quarkus#30490) - Avoid adding the exception itself as a suppressed exception
-   [#&#8203;30488](quarkusio/quarkus#30488) - Updates to Infinispan 14.0.6.Final
-   [#&#8203;30485](quarkusio/quarkus#30485) - Verify code flow access token first if no UserInfo precondition exists
-   [#&#8203;30479](quarkusio/quarkus#30479) - Define defaultValueDocumentation for builderImage
-   [#&#8203;30474](quarkusio/quarkus#30474) - Docs - default value of `quarkus.native.builder-image` is not shown
-   [#&#8203;30470](quarkusio/quarkus#30470) - Revert --enable-monitoring with no arguments support
-   [#&#8203;30460](quarkusio/quarkus#30460) - Bump kafka3.version from 3.3.1 to 3.3.2
-   [#&#8203;30453](quarkusio/quarkus#30453) - Gradle build failing w/ Quarkus 2.16.0
-   [#&#8203;30430](quarkusio/quarkus#30430) - Bump gizmo from 1.5.0.Final to 1.6.0.Final
-   [#&#8203;30429](quarkusio/quarkus#30429) - Bump Keycloak version to 20.0.3
-   [#&#8203;30426](quarkusio/quarkus#30426) - Fix redundant push when using buildx
-   [#&#8203;30424](quarkusio/quarkus#30424) - Building of container images with buildx causes build failures
-   [#&#8203;30423](quarkusio/quarkus#30423) - 2.15+ - Services dependent on libraries without classes no longer build
-   [#&#8203;30418](quarkusio/quarkus#30418) - Disable -D argument propagation in DevMojo
-   [#&#8203;30415](quarkusio/quarkus#30415) - Arc - Change Types#getTypeClosure so that superclasses and interfaces of producer types no longer throw on finding wildcards
-   [#&#8203;30412](quarkusio/quarkus#30412) - Arc - wildcard detection for producer methods/fields is too aggressive
-   [#&#8203;30410](quarkusio/quarkus#30410) - Introduce support for GraalVM `--enable-monitoring`
-   [#&#8203;30408](quarkusio/quarkus#30408) - Warning: Option 'AllowVMInspection' is deprecated and might be removed from future versions: Please use --enable-monitoring
-   [#&#8203;30405](quarkusio/quarkus#30405) - Quarkus Undertow doesn't work with blocking SecurityIdentityAugmentor
-   [#&#8203;30399](quarkusio/quarkus#30399) - Fix ElasticSearch Dev Services container restart
-   [#&#8203;30384](quarkusio/quarkus#30384) - Elasticsearch Dev Services restarts container on every auto-compile
-   [#&#8203;30368](quarkusio/quarkus#30368) - Allow Environment variables to populate property Maps in build time Config
-   [#&#8203;30354](quarkusio/quarkus#30354) - AWT `io.quarkus.awt.it.ImageGeometryFontsIT` native integration test failing with "GraalVM for Java 20" dev builds
-   [#&#8203;30347](quarkusio/quarkus#30347) - Bump junit-jupiter from 5.9.1 to 5.9.2
-   [#&#8203;30343](quarkusio/quarkus#30343) - Trailing comma is lost from prometheus metrics
-   [#&#8203;30335](quarkusio/quarkus#30335) - Add native compilation section to Hibernate Validator guide
-   [#&#8203;30332](quarkusio/quarkus#30332) - NPE in toString method for Processor Parameters in kafka-streams 3.3.1 version
-   [#&#8203;30275](quarkusio/quarkus#30275) - Inline Log category property doesn't work
-   [#&#8203;30208](quarkusio/quarkus#30208) - OIDC: 401 when access-token needs to be refreshed and user-info-required=true
-   [#&#8203;30179](quarkusio/quarkus#30179) - Add an owasp-check profile
-   [#&#8203;28781](quarkusio/quarkus#28781) - RESTEasy Reactive: document redirects
-   [#&#8203;24027](quarkusio/quarkus#24027) - Hibernate Validator does not use META-INF/validation.xml, it should work or be stated in the documentation.
-   [#&#8203;23002](quarkusio/quarkus#23002) - if more than two running IDE while launching 'x' gives error

</details>

<details>
<summary>quarkusio/quarkus-platform</summary>

### [`v2.16.1.Final`](quarkusio/quarkus-platform@2.16.0.Final...2.16.1.Final)

[Compare Source](quarkusio/quarkus-platform@2.16.0.Final...2.16.1.Final)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

👻 **Immortal**: This MR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4yNC4wIiwidXBkYXRlZEluVmVyIjoiMzQuMjQuMCJ9-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aloubyansky aloubyansky aloubyansky approved these changes

@gsmet gsmet gsmet approved these changes

@loicmathieu loicmathieu loicmathieu approved these changes

Assignees
No one assigned
Labels
area/dependencies Pull requests that update a dependency file area/documentation
Projects
Quarkus Documentation
Done
Milestone
2.16.1.Final
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@sberyozkin @loicmathieu @gsmet @aloubyansky