CVE November 2024

build.sbt

@@ -67,7 +67,9 @@ lazy val dockerSettings = Seq(
   dockerBaseImage := "eclipse-temurin:21.0.2_13-jdk-alpine",
   dockerRepository := Some("hmda"),
   dockerCommands := dockerCommands.value.flatMap {
-    case cmd@Cmd("FROM",_) => List(cmd, Cmd("RUN", "apk update"),
+    case cmd@Cmd("FROM",_) => List(cmd,
+      Cmd("RUN", "apk update"),
+      Cmd("RUN", "apk upgrade"),
       Cmd("RUN", "rm /var/cache/apk/*"))
     case other => List(other)
   }
@@ -224,45 +226,45 @@ lazy val `check-digit` = (project in file("check-digit"))
   .dependsOn(common % "compile->compile;test->test")
   .dependsOn(`hmda-protocol` % "compile->compile;test->test")
 
-  lazy val `file-proxy` = (project in file("file-proxy"))
-    .enablePlugins(
-      JavaServerAppPackaging,
-      sbtdocker.DockerPlugin,
-      AshScriptPlugin
-    )
-    .settings(hmdaBuildSettings: _*)
-    .settings(
-      Seq(
-        libraryDependencies ++= commonDeps ++ akkaDeps ++ akkaHttpDeps ++ circeDeps ++ slickDeps ++
+lazy val `file-proxy` = (project in file("file-proxy"))
+  .enablePlugins(
+    JavaServerAppPackaging,
+    sbtdocker.DockerPlugin,
+    AshScriptPlugin
+  )
+  .settings(hmdaBuildSettings: _*)
+  .settings(
+    Seq(
+      libraryDependencies ++= commonDeps ++ akkaDeps ++ akkaHttpDeps ++ circeDeps ++ slickDeps ++
         enumeratumDeps :+ monix :+ lettuce :+ scalaJava8Compat :+ scalaMock,
-        Compile / mainClass := Some("hmda.proxy.FileProxy"),
-        assembly / assemblyJarName := {
-          s"${name.value}.jar"
-        },
-        assembly/ assemblyMergeStrategy := {
-          case "application.conf"                      => MergeStrategy.concat
-          case "META-INF/io.netty.versions.properties" => MergeStrategy.concat
-          case "META-INF/MANIFEST.MF" => MergeStrategy.discard
-          case PathList("META-INF", xs@_*) => MergeStrategy.concat
-          case PathList("org", "bouncycastle", xs @_*) => MergeStrategy.first
-          case PathList("jakarta", xs@_*) => MergeStrategy.last
-          case PathList(ps @ _*) if ps.last endsWith ".proto" =>
-            MergeStrategy.first
-          case "module-info.class" => MergeStrategy.concat
-          case x if x.endsWith("/module-info.class") => MergeStrategy.concat
-          case x if x.endsWith("/LineTokenizer.class") => MergeStrategy.concat
-          case x if x.endsWith("/LogSupport.class") => MergeStrategy.concat
-          case x if x.endsWith("/MailcapFile.class") => MergeStrategy.concat
-          case x if x.endsWith("/MimeTypeFile.class") => MergeStrategy.concat
-          case x =>
-            val oldStrategy = (assembly / assemblyMergeStrategy).value
-            oldStrategy(x)
-        }
-      ),
-      dockerSettings,
-      packageSettings
-    )
-    .dependsOn(common % "compile->compile;test->test")
+      Compile / mainClass := Some("hmda.proxy.FileProxy"),
+      assembly / assemblyJarName := {
+        s"${name.value}.jar"
+      },
+      assembly/ assemblyMergeStrategy := {
+        case "application.conf"                      => MergeStrategy.concat
+        case "META-INF/io.netty.versions.properties" => MergeStrategy.concat
+        case "META-INF/MANIFEST.MF" => MergeStrategy.discard
+        case PathList("META-INF", xs@_*) => MergeStrategy.concat
+        case PathList("org", "bouncycastle", xs @_*) => MergeStrategy.first
+        case PathList("jakarta", xs@_*) => MergeStrategy.last
+        case PathList(ps @ _*) if ps.last endsWith ".proto" =>
+          MergeStrategy.first
+        case "module-info.class" => MergeStrategy.concat
+        case x if x.endsWith("/module-info.class") => MergeStrategy.concat
+        case x if x.endsWith("/LineTokenizer.class") => MergeStrategy.concat
+        case x if x.endsWith("/LogSupport.class") => MergeStrategy.concat
+        case x if x.endsWith("/MailcapFile.class") => MergeStrategy.concat
+        case x if x.endsWith("/MimeTypeFile.class") => MergeStrategy.concat
+        case x =>
+          val oldStrategy = (assembly / assemblyMergeStrategy).value
+          oldStrategy(x)
+      }
+    ),
+    dockerSettings,
+    packageSettings
+  )
+  .dependsOn(common % "compile->compile;test->test")
 
 
 lazy val `institutions-api` = (project in file("institutions-api"))
@@ -591,46 +593,46 @@ lazy val `hmda-analytics` = (project in file("hmda-analytics"))
   )
   .dependsOn(common % "compile->compile;test->test")
 
-  lazy val `hmda-auth` = (project in file("hmda-auth"))
-    .enablePlugins(
-      JavaServerAppPackaging,
-      sbtdocker.DockerPlugin,
-      AshScriptPlugin
-    )
-    .settings(hmdaBuildSettings: _*)
-    .settings(
-      Seq(
-        libraryDependencies ++= keycloakServerDeps,
-        Compile / mainClass := Some("hmda.authService.HmdaAuth"),
-        assembly / assemblyJarName := {
-          s"${name.value}.jar"
-        },
-        assembly / assemblyMergeStrategy := {
-          case "application.conf"                      => MergeStrategy.concat
-          case "META-INF/io.netty.versions.properties" => MergeStrategy.concat
-          case "META-INF/MANIFEST.MF" => MergeStrategy.discard
-          case PathList("META-INF", xs @ _*) => MergeStrategy.concat
-          case PathList("org", "bouncycastle", xs @_*) => MergeStrategy.first
-          case PathList("jakarta", xs @ _*) => MergeStrategy.last
-          case "reference.conf" => MergeStrategy.concat
-          case PathList(ps @ _*) if ps.last endsWith ".proto" =>
-            MergeStrategy.first
-          case "module-info.class" => MergeStrategy.concat
-          case x if x.endsWith("/module-info.class") => MergeStrategy.concat
-          case x if x.endsWith("/LineTokenizer.class") => MergeStrategy.concat
-          case x if x.endsWith("/LogSupport.class") => MergeStrategy.concat
-          case x if x.endsWith("/MailcapFile.class") => MergeStrategy.concat
-          case x if x.endsWith("/MimeTypeFile.class") => MergeStrategy.concat
-          case x =>
+lazy val `hmda-auth` = (project in file("hmda-auth"))
+  .enablePlugins(
+    JavaServerAppPackaging,
+    sbtdocker.DockerPlugin,
+    AshScriptPlugin
+  )
+  .settings(hmdaBuildSettings: _*)
+  .settings(
+    Seq(
+      libraryDependencies ++= keycloakServerDeps,
+      Compile / mainClass := Some("hmda.authService.HmdaAuth"),
+      assembly / assemblyJarName := {
+        s"${name.value}.jar"
+      },
+      assembly / assemblyMergeStrategy := {
+        case "application.conf"                      => MergeStrategy.concat
+        case "META-INF/io.netty.versions.properties" => MergeStrategy.concat
+        case "META-INF/MANIFEST.MF" => MergeStrategy.discard
+        case PathList("META-INF", xs @ _*) => MergeStrategy.concat
+        case PathList("org", "bouncycastle", xs @_*) => MergeStrategy.first
+        case PathList("jakarta", xs @ _*) => MergeStrategy.last
+        case "reference.conf" => MergeStrategy.concat
+        case PathList(ps @ _*) if ps.last endsWith ".proto" =>
+          MergeStrategy.first
+        case "module-info.class" => MergeStrategy.concat
+        case x if x.endsWith("/module-info.class") => MergeStrategy.concat
+        case x if x.endsWith("/LineTokenizer.class") => MergeStrategy.concat
+        case x if x.endsWith("/LogSupport.class") => MergeStrategy.concat
+        case x if x.endsWith("/MailcapFile.class") => MergeStrategy.concat
+        case x if x.endsWith("/MimeTypeFile.class") => MergeStrategy.concat
+        case x =>
           val oldStrategy = (assembly / assemblyMergeStrategy).value
           oldStrategy(x)
-        }
-      ),
-      dockerSettings,
-      packageSettings
-    )
-    .dependsOn(common % "compile->compile;test->test")
-    .dependsOn(`institutions-api` % "compile->compile;test->test")
+      }
+    ),
+    dockerSettings,
+    packageSettings
+  )
+  .dependsOn(common % "compile->compile;test->test")
+  .dependsOn(`institutions-api` % "compile->compile;test->test")
 
 lazy val `rate-limit` = (project in file("rate-limit"))
   .enablePlugins(
@@ -816,4 +818,30 @@ lazy val `hmda-quarterly-data-service` = (project in file ("hmda-quarterly-data-
     packageSettings
   )
   .dependsOn(common % "compile->compile;test->test")
-  .dependsOn(`hmda-protocol` % "compile->compile;test->test")
+  .dependsOn(`hmda-protocol` % "compile->compile;test->test")
+
+ThisBuild / libraryDependencies += "com.google.guava" % "guava" % "32.0.0-android"
+
+libraryDependencies ++= Seq(
+  "com.datastax.oss" % "java-driver-core" % "4.15.0" exclude ("com.google.guava", "guava"),
+  "com.datastax.oss" % "java-driver-shaded-guava" % "25.1-jre-graal-sub-1" exclude ("com.google.guava", "guava"),
+  "com.google.guava" % "guava" % "32.0.0-android"
+)
+
+ThisBuild / libraryDependencies += "io.netty" % "netty-common" % "4.1.115.Final"
+
+libraryDependencies ++= Seq(
+  "io.netty" % "netty-common" % "4.1.94.Final" exclude ("io.netty", "netty-common"),
+  "io.netty" % "netty-transport-native-unix-common" % "4.1.94.Final" exclude ("io.netty", "netty-common"),
+  "io.netty" % "netty-common" % "4.1.115.Final"
+)
+
+libraryDependencies ++= Seq(
+  "org.keycloak" % "keycloak-crypto-default" % "25.0.3" exclude ("org.keycloak", "keycloak-core"),
+  "org.keycloak" % "keycloak-server-spi" % "25.0.3" exclude ("org.keycloak", "keycloak-core"),
+  "org.keycloak" % "keycloak-server-spi-private" % "25.0.3" exclude ("org.keycloak", "keycloak-core"),
+  "org.keycloak" % "keycloak-adapter-core" % "25.0.3" exclude ("org.keycloak", "keycloak-core"),
+  "org.keycloak" % "keycloak-admin-client" % "25.0.3" exclude ("org.keycloak", "keycloak-core"),
+  "org.keycloak" % "keycloak-common" % "25.0.3" exclude ("org.keycloak", "keycloak-core"),
+  "org.keycloak" % "keycloak-core" % "26.0.6"
+)

project/Version.scala

@@ -33,7 +33,7 @@ object Version {
   val lettuce                = "6.2.4.RELEASE"
   val java8Compat            = "1.0.2"
   val scalaMock              = "4.3.0"
-  val guava                  = "33.0.0-jre"
+  val guava                  = "32.0.0-android"
   val awsSesSdk              = "1.12.484"
   val zeroAllocation         = "0.16"
   val cormorant              = "0.3.0"