kie-issues#1594: Security fixes for dev-deployment-kogito-quarkus-bla…

…nk-app (#2716)

Co-authored-by: Tiago Bento <[email protected]>

packages/dev-deployment-kogito-quarkus-blank-app-image/Containerfile

@@ -30,7 +30,7 @@ COPY --chown=$USER_ID:$USER_ID dist-dev/quarkus-app $HOME_PATH/app/
 COPY --chown=$USER_ID:$USER_ID dist-dev/settings.xml /tmp/kogito/.m2/settings.xml
 
 # Pre-populate local Maven repository for faster startup
-RUN ./mvnw clean package -B -nsu --settings /tmp/kogito/.m2/settings.xml -Dmaven.test.skip -Dmaven.repo.local=/tmp/kogito/.m2/repository -Dquarkus.http.non-application-root-path=${ROOT_PATH}/q -Dquarkus.http.root-path=${ROOT_PATH} \
+RUN ./mvnw -Dmaven=3.9.6 clean package -B -nsu --settings /tmp/kogito/.m2/settings.xml -Dmaven.test.skip -Dmaven.repo.local=/tmp/kogito/.m2/repository -Dquarkus.http.non-application-root-path=${ROOT_PATH}/q -Dquarkus.http.root-path=${ROOT_PATH} \
   && chgrp -R 0 $HOME_PATH/app && chmod -R g=u $HOME_PATH/app && chgrp -R 0 /tmp/kogito && chmod -R g=u /tmp/kogito && chgrp -R 0 /.m2 && chmod -R g=u /.m2
 
 USER $USER_ID
@@ -39,4 +39,4 @@ EXPOSE 8080
 
 ENTRYPOINT ["/bin/bash", "-c"]
 
-CMD ["dev-deployment-upload-service && cp -r $HOME_PATH/app/. /tmp/app && cd /tmp/app && ./mvnw quarkus:dev -o -s=/tmp/kogito/.m2/settings.xml -Dquarkus.analytics.disabled=true -Ddebug=false -Dmaven.repo.local=/tmp/kogito/.m2/repository -Dquarkus.http.non-application-root-path=${ROOT_PATH}/q -Dquarkus.http.root-path=${ROOT_PATH}"]
+CMD ["dev-deployment-upload-service && cp -r $HOME_PATH/app/. /tmp/app && cd /tmp/app && ./mvnw -Dmaven=3.9.6 quarkus:dev -o -s=/tmp/kogito/.m2/settings.xml -Dquarkus.analytics.disabled=true -Ddebug=false -Dmaven.repo.local=/tmp/kogito/.m2/repository -Dquarkus.http.non-application-root-path=${ROOT_PATH}/q -Dquarkus.http.root-path=${ROOT_PATH}"]

packages/dev-deployment-kogito-quarkus-blank-app/pom.xml

@@ -25,11 +25,8 @@
   <!-- Purposefully not declaring maven-base as parent -->
   <!-- As this app aims to work as any consumer app would. -->
 
-  <parent>
-    <groupId>org.apache</groupId>
-    <artifactId>apache</artifactId>
-    <version>32</version>
-  </parent>
+  <!-- Purposefully not declaring `apache` as parent -->
+  <!-- As this app is not meant to be published and consumed as a library -->
 
   <modelVersion>4.0.0</modelVersion>
   <groupId>org.kie.kogito</groupId>
@@ -47,15 +44,14 @@
     <!-- Maven versions -->
     <version.maven.artifact.plugin>3.4.1</version.maven.artifact.plugin>
     <version.maven.compiler.plugin>3.13.0</version.maven.compiler.plugin>
-    <version.maven.resources.plugin>3.2.0</version.maven.resources.plugin>
+    <version.maven.resources.plugin>3.3.1</version.maven.resources.plugin>
     <version.maven.failsafe.plugin>3.0.0-M7</version.maven.failsafe.plugin>
     <version.maven.surefire.plugin>3.5.0</version.maven.surefire.plugin>
     <version.maven.install.plugin>3.1.3</version.maven.install.plugin>
     <version.maven.deploy.plugin>3.1.2</version.maven.deploy.plugin>
     <version.maven.site.plugin>3.12.1</version.maven.site.plugin>
     <version.maven.dependency.plugin>3.6.1</version.maven.dependency.plugin>
     <version.maven.jar.plugin>3.4.1</version.maven.jar.plugin>
-    <version.maven.remote.resources.plugin>3.2.0</version.maven.remote.resources.plugin>
     <version.maven.clean.plugin>3.4.0</version.maven.clean.plugin>
     <version.codehaus.flatten.plugin>1.6.0</version.codehaus.flatten.plugin>
 
@@ -67,6 +63,8 @@
     <version.junit>4.13.2</version.junit>
     <version.org.apache.commons.commons-compress>1.26.1</version.org.apache.commons.commons-compress>
     <version.org.iq80.snappy>0.5</version.org.iq80.snappy>
+    <version.commons-io>2.16.1</version.commons-io>
+    <version.com.google.protobuf>3.25.5</version.com.google.protobuf>
   </properties>
 
   <dependencyManagement>
@@ -94,6 +92,18 @@
   </dependencyManagement>
 
   <dependencies>
+    <!-- This was added when the latest version of protobuf brought by Quarkus was 3.25.0 -->
+    <!-- To address CVE-2024-7254, affecting protobuf:3.25.0 -->
+    <dependency>
+      <groupId>com.google.protobuf</groupId>
+      <artifactId>protobuf-java</artifactId>
+      <version>${version.com.google.protobuf}</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.protobuf</groupId>
+      <artifactId>protobuf-java-util</artifactId>
+      <version>${version.com.google.protobuf}</version>
+    </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-compress</artifactId>
@@ -214,7 +224,6 @@
     <pluginManagement>
       <plugins>
         <plugin>
-          <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-site-plugin</artifactId>
           <version>${version.maven.site.plugin}</version>
           <dependencies>
@@ -231,24 +240,6 @@
           </dependencies>
         </plugin>
         <plugin>
-          <groupId>org.apache.maven.plugins</groupId>
-          <artifactId>maven-remote-resources-plugin</artifactId>
-          <version>${version.maven.remote.resources.plugin}</version>
-          <dependencies>
-            <dependency>
-              <groupId>org.apache.commons</groupId>
-              <artifactId>commons-compress</artifactId>
-              <version>${version.org.apache.commons.commons-compress}</version>
-            </dependency>
-            <dependency>
-              <groupId>org.iq80.snappy</groupId>
-              <artifactId>snappy</artifactId>
-              <version>${version.org.iq80.snappy}</version>
-            </dependency>
-          </dependencies>
-        </plugin>
-        <plugin>
-          <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-jar-plugin</artifactId>
           <version>${version.maven.jar.plugin}</version>
           <dependencies>
@@ -260,7 +251,6 @@
           </dependencies>
         </plugin>
         <plugin>
-          <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-surefire-plugin</artifactId>
           <version>${version.maven.surefire.plugin}</version>
           <dependencies>
@@ -276,6 +266,32 @@
             </dependency>
           </dependencies>
         </plugin>
+        <plugin>
+          <artifactId>maven-resources-plugin</artifactId>
+          <version>${version.maven.resources.plugin}</version>
+          <dependencies>
+            <dependency>
+              <!-- This was added when the latest version of maven-resources-plugin was 3.3.1 -->
+              <!-- To address CVE-2024-47554, affecting commons-io:commons-io:2.11 -->
+              <groupId>commons-io</groupId>
+              <artifactId>commons-io</artifactId>
+              <version>${version.commons-io}</version>
+            </dependency>
+          </dependencies>
+        </plugin>
+        <plugin>
+          <artifactId>maven-compiler-plugin</artifactId>
+          <version>${version.maven.compiler.plugin}</version>
+          <dependencies>
+            <dependency>
+              <!-- This was added when the latest version of maven-compiler-plugin was 3.13.0 -->
+              <!-- To address CVE-2024-47554, affecting commons-io:commons-io:2.11 -->
+              <groupId>commons-io</groupId>
+              <artifactId>commons-io</artifactId>
+              <version>${version.commons-io}</version>
+            </dependency>
+          </dependencies>
+        </plugin>
       </plugins>
     </pluginManagement>
     <plugins>
@@ -336,4 +352,24 @@
       </plugin>
     </plugins>
   </build>
+  <repositories>
+    <repository>
+      <id>apache.snapshots</id>
+      <name>Apache Snapshot Repository</name>
+      <url>https://repository.apache.org/snapshots</url>
+      <releases>
+        <enabled>false</enabled>
+      </releases>
+    </repository>
+  </repositories>
+  <pluginRepositories>
+    <pluginRepository>
+      <id>apache.snapshots</id>
+      <name>Apache Snapshot Repository</name>
+      <url>https://repository.apache.org/snapshots</url>
+      <releases>
+        <enabled>false</enabled>
+      </releases>
+    </pluginRepository>
+  </pluginRepositories>
 </project>