CVE fixes, Feb 2024 (#174)

Co-authored-by: Roman Zabaluev <gpg@haarolean.dev>

Author: alexeyzavyalov

.github/workflows/cve.yml

@@ -1,4 +1,4 @@
-name: CVE checks docker main
+name: "Infra: CVE checks"
 on:
   workflow_dispatch:
   schedule:

api/Dockerfile

@@ -1,5 +1,5 @@
 #FROM azul/zulu-openjdk-alpine:17-jre-headless
-FROM azul/zulu-openjdk-alpine@sha256:a36679ac0d28cb835e2a8c00e1e0d95509c6c51c5081c7782b85edb1f37a771a
+FROM azul/zulu-openjdk-alpine@sha256:d59f1266db40341318e563fd76c21b2880ffa5d371f0c097c29d33f89c3a0010
 
 RUN apk add --no-cache \
     # snappy codec

api/pom.xml

@@ -253,6 +253,30 @@
             <groupId>dev.cel</groupId>
             <artifactId>cel</artifactId>
         </dependency>
+        <!--        CVE fixes -->
+        <dependency>
+            <groupId>ch.qos.logback</groupId>
+            <artifactId>logback-classic</artifactId>
+            <version>1.4.12</version>
+        </dependency>
+        <!--        CVE fixes -->
+        <dependency>
+            <groupId>ch.qos.logback</groupId>
+            <artifactId>logback-core</artifactId>
+            <version>1.4.12</version>
+        </dependency>
+        <!--        CVE fixes -->
+        <dependency>
+            <groupId>com.squareup.okhttp3</groupId>
+            <artifactId>logging-interceptor</artifactId>
+            <version>4.12.0</version>
+        </dependency>
+        <!--        CVE fixes -->
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-compress</artifactId>
+            <version>1.26.0</version>
+        </dependency>
 
     </dependencies>
 

api/src/main/java/io/kafbat/ui/serdes/builtin/ProtobufFileSerde.java

@@ -365,7 +365,8 @@ private Map<String, ProtoFile> knownProtoFiles() {
           loadKnownProtoFile("google/protobuf/struct.proto", StructProto.getDescriptor()),
           loadKnownProtoFile("google/protobuf/timestamp.proto", TimestampProto.getDescriptor()),
           loadKnownProtoFile("google/protobuf/type.proto", TypeProto.getDescriptor()),
-          loadKnownProtoFile("google/protobuf/wrappers.proto", WrappersProto.getDescriptor())
+          loadKnownProtoFile("google/protobuf/wrappers.proto", WrappersProto.getDescriptor()),
+          loadKnownProtoFile("wire/extensions.proto")
       ).collect(Collectors.toMap(p -> p.getLocation().getPath(), p -> p));
     }
 
@@ -382,6 +383,10 @@ private ProtoFile loadKnownProtoFile(String path, Descriptors.FileDescriptor fil
       return ProtoFile.Companion.get(ProtoParser.Companion.parse(Location.get(path), protoFileString));
     }
 
+    private ProtoFile loadKnownProtoFile(String path) {
+      return ProtoFile.Companion.get(ProtoFileElement.empty(path));
+    }
+
     private Loader createFilesLoader(Map<String, ProtoFile> files) {
       return new Loader() {
         @Override

documentation/compose/postgres/Dockerfile

@@ -2,8 +2,8 @@ ARG image
 
 FROM ${image}
 
-MAINTAINER Kafbat Team
+LABEL maintainer="Kafbat Team"
 
-ADD data.sql /docker-entrypoint-initdb.d
+COPY data.sql /docker-entrypoint-initdb.d
 
 EXPOSE 5432

pom.xml

@@ -32,30 +32,29 @@
         <antlr4-maven-plugin.version>4.12.0</antlr4-maven-plugin.version>
         <apache.commons.version>2.12.0</apache.commons.version>
         <assertj.version>3.25.3</assertj.version>
-        <avro.version>1.11.1</avro.version>
+        <avro.version>1.11.3</avro.version>
         <byte-buddy.version>1.12.19</byte-buddy.version>
-        <confluent.version>7.4.0</confluent.version>
+        <confluent.version>7.4.4</confluent.version>
         <datasketches-java.version>3.1.0</datasketches-java.version>
         <groovy.version>3.0.13</groovy.version>
         <jackson.version>2.14.0</jackson.version>
-        <kafka-clients.version>3.5.0</kafka-clients.version>
+        <kafka-clients.version>3.5.2</kafka-clients.version>
         <org.mapstruct.version>1.5.5.Final</org.mapstruct.version>
         <org.projectlombok.version>1.18.30</org.projectlombok.version>
         <protobuf-java.version>3.23.3</protobuf-java.version>
         <scala-lang.library.version>2.13.9</scala-lang.library.version>
         <snakeyaml.version>2.0</snakeyaml.version>
-        <spring-boot.version>3.1.3</spring-boot.version>
+        <spring-boot.version>3.1.9</spring-boot.version>
         <serde-api.version>1.0.0</serde-api.version>
         <odd-oddrn-generator.version>0.1.17</odd-oddrn-generator.version>
         <odd-oddrn-client.version>0.1.39</odd-oddrn-client.version>
-        <org.json.version>20230227</org.json.version>
+        <org.json.version>20231013</org.json.version>
         <dev.cel.version>0.3.0</dev.cel.version>
         <guava.version>33.0.0-jre</guava.version>
-
         <!-- Test dependency versions -->
         <junit.version>5.9.1</junit.version>
         <mockito.version>5.3.1</mockito.version>
-        <okhttp3.mockwebserver.version>4.10.0</okhttp3.mockwebserver.version>
+        <okhttp3.mockwebserver.version>4.12.0</okhttp3.mockwebserver.version>
         <testcontainers.version>1.19.5</testcontainers.version>
 
         <!-- Frontend dependency versions -->