Rebase master#1342
Conversation
* Added dependabot.yml * Reverting dependabot.yml
* Added egov-malware-detection service and corresponding changes linked to egov-filestore * updated the version * Fixed the test cases for filestore service * fixed the kafka issue in filestore service
* Updated the base docker image for java 17 and java 8 * Updated the base image to distroless * Changed distroless image to nonroot * Patched libraries with CVEs * Added DataAccessException error handling in tracer * Updated egov libraries version * Updated chagelog and service versions * Patched remaining libraries raised by trivy * Updated docker image of libraries * Removed unnecessary logging * Handling nullpointer when tenant not found * Fixed audit service instantiation issue * Removed @Autowired in bean initialisation * Fixed egov-pg-service instantiation issues * Correction to httpclient5 version * Removed Autowired annotation from bean * Fixed service request instantiation issues * Changed annotation to PostContruct * Fixed spring cloud gateway instantiation issue --------- Co-authored-by: talele08 <talele.aniket@gmail.com> Co-authored-by: shashwat-egov <shashwat.mishra@egovernments.org>
Co-authored-by: talele08 <talele.aniket@gmail.com>
* Patched postgres dependency * Patched postgresql --------- Co-authored-by: talele08 <talele.aniket@gmail.com>
Co-authored-by: talele08 <talele08@users.noreply.github.com>
Co-authored-by: talele08 <talele.aniket@gmail.com>
Co-authored-by: talele08 <talele.aniket@gmail.com>
Co-authored-by: talele08 <talele.aniket@gmail.com>
Co-authored-by: talele08 <talele.aniket@gmail.com>
Co-authored-by: talele08 <talele.aniket@gmail.com>
Co-authored-by: talele08 <talele.aniket@gmail.com>
* Upgraded dependency versions * Fix the database connectivity issue in pdf service * updated dependency versions --------- Co-authored-by: talele08 <talele.aniket@gmail.com> Co-authored-by: vinothrallapalli-egov <vinoth.r@egovernments.org>
* fix(security): remove invalid babel-traverse override and add missing ansi-regex/y18n overrides - Remove "babel-traverse": "^7.23.2" override — babel-traverse@7.x does not exist on npm (Babel 7 renamed it to @babel/traverse); this caused npm audit fix to fail with ETARGET, blocking all automated remediation - Add "ansi-regex": "^5.0.1" override for CVE-2021-3807 (ReDoS, HIGH) - Add "y18n": "^5.0.8" override for CVE-2020-7774 (Prototype Pollution, HIGH) - Replace "jsonpath": "^1.3.0" with "jsonpath-plus": "^10.2.0" to eliminate eval-based code injection (CVE-2026-1615, GHSA-87r5-mp6g-5w5j, HIGH) - Fix eslintConfig.parserOptions.ecmaVersion from 7 to 2020 so async/await in source files parses correctly (pre-existing config bug) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(security): replace jsonpath with jsonpath-plus to eliminate eval-based code injection jsonpath@1.x uses eval() internally for path expression evaluation. As a direct production dependency processing external request data, this is a runtime code injection risk (CVE-2026-1615, GHSA-87r5-mp6g-5w5j, HIGH). jsonpath-plus@10.2.0 is a maintained replacement with no eval() and no underscore dependency (also resolves alert #1357 for underscore DoS). A backward-compatible shim preserves the existing jp.query() call signature across all three affected files so no call sites need modification. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(security): regenerate package-lock.json to apply all security overrides The lockfile was in v1 format (Node 10/npm 6 era) with stale resolved versions that pre-dated most override entries. Regenerating with npm 10 applies all overrides and resolves ~30 open Dependabot alerts including: - minimist (CVE-2021-44906 Critical) via mkdirp - tar (12 CVEs: path traversal, symlink attacks) - underscore (CVE-2026-27601 High) via jsonpath - lodash (CVE-2026-4800, CVE-2020-8203, CVE-2021-23337 High) - minimatch (4 ReDoS CVEs) - semver (CVE-2022-25883 ReDoS) - braces (CVE-2024-4068) - json5 (CVE-2022-46175 Prototype Pollution) - decode-uri-component (CVE-2022-38900) - ansi-regex (CVE-2021-3807 ReDoS) - y18n (CVE-2020-7774 Prototype Pollution) - brace-expansion, color-string, on-headers, fsevents Production runtime audit: 0 vulnerabilities Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(security): upgrade Dockerfile base image from node:10 (EOL) to node:22-alpine (LTS) Node 10 reached end-of-life April 2021 — the container shipped with 5+ years of unpatched Node.js runtime and OS CVEs. Node 22 LTS is supported until April 2028. Alpine variant reduces the image attack surface and size. Both builder and runtime stages updated. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * docs(security): add SECURITY_FIX_SUMMARY and CLAUDE.md SECURITY_FIX_SUMMARY.md documents all 101 Dependabot alerts reviewed, ~34 vulnerabilities fixed in this PR, remaining unfixable dev-time issues (Babel 6 ecosystem, micromatch/nodemon chain), and recommended follow-up. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * fix(pdfmake): handle vfs_fonts export structure change in pdfmake 0.2.23 pdfmake/build/vfs_fonts.js no longer wraps the VFS under pdfFonts.pdfMake.vfs in 0.2.23+; it now exports the font map directly. Use a compat check so the service works with both old and new versions. Fixes pod crash: TypeError: Cannot read properties of undefined (reading 'vfs') Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> --------- Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
…on (#1299) Bumps [org.postgresql:postgresql](https://github.com/pgjdbc/pgjdbc) from 42.7.1 to 42.7.11. - [Release notes](https://github.com/pgjdbc/pgjdbc/releases) - [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md) - [Commits](pgjdbc/pgjdbc@REL42.7.1...REL42.7.11) --- updated-dependencies: - dependency-name: org.postgresql:postgresql dependency-version: 42.7.11 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
babel-traverse@6 (GHSA-67hx-6x53-jw92, CVSS 9.3) has no patch — the fix is exclusively in @babel/traverse >=7.23.2. Migrated the entire Babel 6 dev toolchain to Babel 7: - babel-cli → @babel/cli - babel-core → @babel/core - babel-preset-es2015 + babel-preset-stage-0 → @babel/preset-env (node:current) - babel-plugin-transform-runtime → @babel/plugin-transform-runtime - babel-plugin-transform-async-to-generator, babel-polyfill → removed (native in Node 22) - Added @babel/runtime to production deps (required by transform-runtime) - Added @babel/traverse >=7.23.2 override to pin the patched version - Updated .babelrc and npm scripts accordingly Result: npm audit reports 0 vulnerabilities (was 40 before this PR series). Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: talele08 <talele08@users.noreply.github.com>
Bumps [org.postgresql:postgresql](https://github.com/pgjdbc/pgjdbc) from 42.7.1 to 42.7.11. - [Release notes](https://github.com/pgjdbc/pgjdbc/releases) - [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md) - [Commits](pgjdbc/pgjdbc@REL42.7.1...REL42.7.11) --- updated-dependencies: - dependency-name: org.postgresql:postgresql dependency-version: 42.7.11 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Bump ch.qos.logback:logback-classic in /core-services/egov-user (#1310) Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.2.0 to 1.2.13. - [Release notes](https://github.com/qos-ch/logback/releases) - [Commits](qos-ch/logback@v_1.2.0...v_1.2.13) --- updated-dependencies: - dependency-name: ch.qos.logback:logback-classic dependency-version: 1.2.13 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump org.postgresql:postgresql in /core-services/egov-location (#1311) Bumps [org.postgresql:postgresql](https://github.com/pgjdbc/pgjdbc) from 42.7.7 to 42.7.11. - [Release notes](https://github.com/pgjdbc/pgjdbc/releases) - [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md) - [Commits](pgjdbc/pgjdbc@REL42.7.7...REL42.7.11) --- updated-dependencies: - dependency-name: org.postgresql:postgresql dependency-version: 42.7.11 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Fix: pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS * Dependabot/maven/tutorials/backend developer guide/btr service/net.minidev json smart 2.5.2 (#1314) * Bump net.minidev:json-smart Bumps [net.minidev:json-smart](https://github.com/netplex/json-smart-v2) from 2.5.0 to 2.5.2. - [Release notes](https://github.com/netplex/json-smart-v2/releases) - [Commits](netplex/json-smart-v2@2.5.0...2.5.2) --- updated-dependencies: - dependency-name: net.minidev:json-smart dependency-version: 2.5.2 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * updated json-smart version --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Dependabot/maven/core services/egov malware detection/commons io commons io 2.14.0 (#1316) * Bump commons-io:commons-io in /core-services/egov-malware-detection Bumps commons-io:commons-io from 2.11.0 to 2.14.0. --- updated-dependencies: - dependency-name: commons-io:commons-io dependency-version: 2.14.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * updated common.io --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Dependabot/maven/core services/egov user/org.jsoup jsoup 1.15.3 (#1317) * Bump org.jsoup:jsoup from 1.10.2 to 1.15.3 in /core-services/egov-user Bumps [org.jsoup:jsoup](https://github.com/jhy/jsoup) from 1.10.2 to 1.15.3. - [Release notes](https://github.com/jhy/jsoup/releases) - [Changelog](https://github.com/jhy/jsoup/blob/jsoup-1.15.3/CHANGES) - [Commits](jhy/jsoup@jsoup-1.10.2...jsoup-1.15.3) --- updated-dependencies: - dependency-name: org.jsoup:jsoup dependency-version: 1.15.3 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * Update jsoup dependency version to 1.15.3 --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump io.minio:minio from 7.1.4 to 8.6.0 in /core-services/egov-filestore (#1318) Bumps [io.minio:minio](https://github.com/minio/minio-java) from 7.1.4 to 8.6.0. - [Release notes](https://github.com/minio/minio-java/releases) - [Commits](minio/minio-java@7.1.4...8.6.0) --- updated-dependencies: - dependency-name: io.minio:minio dependency-version: 8.6.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump io.minio:minio in /core-services/egov-malware-detection (#1319) Bumps [io.minio:minio](https://github.com/minio/minio-java) from 8.5.7 to 8.6.0. - [Release notes](https://github.com/minio/minio-java/releases) - [Commits](minio/minio-java@8.5.7...8.6.0) --- updated-dependencies: - dependency-name: io.minio:minio dependency-version: 8.6.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump com.amazonaws:aws-java-sdk-s3 in /core-services/egov-filestore (#1321) Bumps [com.amazonaws:aws-java-sdk-s3](https://github.com/aws/aws-sdk-java) from 1.11.289 to 1.12.261. - [Changelog](https://github.com/aws/aws-sdk-java/blob/master/CHANGELOG.md) - [Commits](aws/aws-sdk-java@1.11.289...1.12.261) --- updated-dependencies: - dependency-name: com.amazonaws:aws-java-sdk-s3 dependency-version: 1.12.261 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Kafka client will transitively pull the dependency * Update tracer dependency version to 2.9.2-SNAPSHOT * Filestore changes due to minio major version change * Feat: Updated tracer version to 2.9.2 * Fix: Removed hardcoded postgresql version --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: talele08 <talele08@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: talele08 <talele.aniket@gmail.com>
* Fixed central instance schema name and topics resolution * Added validation for tenant id to secure from SQL injections
Co-authored-by: talele08 <talele08@users.noreply.github.com>
Co-authored-by: talele08 <talele08@users.noreply.github.com>
* Bump ch.qos.logback:logback-classic in /core-services/egov-user (#1310) Bumps [ch.qos.logback:logback-classic](https://github.com/qos-ch/logback) from 1.2.0 to 1.2.13. - [Release notes](https://github.com/qos-ch/logback/releases) - [Commits](qos-ch/logback@v_1.2.0...v_1.2.13) --- updated-dependencies: - dependency-name: ch.qos.logback:logback-classic dependency-version: 1.2.13 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump org.postgresql:postgresql in /core-services/egov-location (#1311) Bumps [org.postgresql:postgresql](https://github.com/pgjdbc/pgjdbc) from 42.7.7 to 42.7.11. - [Release notes](https://github.com/pgjdbc/pgjdbc/releases) - [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md) - [Commits](pgjdbc/pgjdbc@REL42.7.7...REL42.7.11) --- updated-dependencies: - dependency-name: org.postgresql:postgresql dependency-version: 42.7.11 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Fix: pgjdbc: Unbounded PBKDF2 iterations in SCRAM authentication allows CPU exhaustion DoS * Dependabot/maven/tutorials/backend developer guide/btr service/net.minidev json smart 2.5.2 (#1314) * Bump net.minidev:json-smart Bumps [net.minidev:json-smart](https://github.com/netplex/json-smart-v2) from 2.5.0 to 2.5.2. - [Release notes](https://github.com/netplex/json-smart-v2/releases) - [Commits](netplex/json-smart-v2@2.5.0...2.5.2) --- updated-dependencies: - dependency-name: net.minidev:json-smart dependency-version: 2.5.2 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * updated json-smart version --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Dependabot/maven/core services/egov malware detection/commons io commons io 2.14.0 (#1316) * Bump commons-io:commons-io in /core-services/egov-malware-detection Bumps commons-io:commons-io from 2.11.0 to 2.14.0. --- updated-dependencies: - dependency-name: commons-io:commons-io dependency-version: 2.14.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * updated common.io --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Dependabot/maven/core services/egov user/org.jsoup jsoup 1.15.3 (#1317) * Bump org.jsoup:jsoup from 1.10.2 to 1.15.3 in /core-services/egov-user Bumps [org.jsoup:jsoup](https://github.com/jhy/jsoup) from 1.10.2 to 1.15.3. - [Release notes](https://github.com/jhy/jsoup/releases) - [Changelog](https://github.com/jhy/jsoup/blob/jsoup-1.15.3/CHANGES) - [Commits](jhy/jsoup@jsoup-1.10.2...jsoup-1.15.3) --- updated-dependencies: - dependency-name: org.jsoup:jsoup dependency-version: 1.15.3 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> * Update jsoup dependency version to 1.15.3 --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump io.minio:minio from 7.1.4 to 8.6.0 in /core-services/egov-filestore (#1318) Bumps [io.minio:minio](https://github.com/minio/minio-java) from 7.1.4 to 8.6.0. - [Release notes](https://github.com/minio/minio-java/releases) - [Commits](minio/minio-java@7.1.4...8.6.0) --- updated-dependencies: - dependency-name: io.minio:minio dependency-version: 8.6.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump io.minio:minio in /core-services/egov-malware-detection (#1319) Bumps [io.minio:minio](https://github.com/minio/minio-java) from 8.5.7 to 8.6.0. - [Release notes](https://github.com/minio/minio-java/releases) - [Commits](minio/minio-java@8.5.7...8.6.0) --- updated-dependencies: - dependency-name: io.minio:minio dependency-version: 8.6.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump com.amazonaws:aws-java-sdk-s3 in /core-services/egov-filestore (#1321) Bumps [com.amazonaws:aws-java-sdk-s3](https://github.com/aws/aws-sdk-java) from 1.11.289 to 1.12.261. - [Changelog](https://github.com/aws/aws-sdk-java/blob/master/CHANGELOG.md) - [Commits](aws/aws-sdk-java@1.11.289...1.12.261) --- updated-dependencies: - dependency-name: com.amazonaws:aws-java-sdk-s3 dependency-version: 1.12.261 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Kafka client will transitively pull the dependency * Update tracer dependency version to 2.9.2-SNAPSHOT * Filestore changes due to minio major version change * Feat: Updated tracer version to 2.9.2 * Fix: Removed hardcoded postgresql version * Patches for vulnerabilites * Changes to dependencies in utilites * Change branch for push trigger to 'security-patch' * Clean up permissions in scorecard.yml (#1330) Removed commented-out permissions for private repositories. * Add workflow_dispatch trigger to scorecard workflow Allows manual triggering from GitHub Actions UI and fixes the job condition to not skip runs triggered via workflow_dispatch on non-default branches. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Fix scorecard publish_results to allow runs on non-default branches publish_results: true causes scorecard-action to abort on any branch other than master. Making it conditional lets manual/PR runs complete. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Update scorecard.yml * Update scorecard.yml --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: talele08 <talele08@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: talele08 <talele.aniket@gmail.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: talele08 <talele.aniket@gmail.com>
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
3ba6630
into
sandbox-2.9.2-merge
No description provided.