Maintenance (#20)

- Bumps H2, Logback, Spring version to eliminate vulnerable dependencies
- Updates license
- Includes OSS Index scan in all modules
- Creates new workflow for recurring index scans
- Adds gradle wrapper verification into security workflows

{patch}

.github/workflows/codeql-analysis.yml

@@ -45,6 +45,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
+      - name: Validate Gradle wrapper
+        uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b #1.0.4
       - name: Set up JDK 8
         uses: actions/setup-java@d202f5dbf7256730fb690ec59f6381650114feb2
         with:

.github/workflows/gradle-oss-index-scan.yml

@@ -0,0 +1,23 @@
+name: "OSS-Index-Scan"
+
+on:
+  schedule:
+    # * is a special character in YAML, so we have to quote this string
+    - cron: '0 7 * * 1,3,5'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@a81bbbf8298c0fa03ea29cdc473d45769f953675
+      - name: Validate Gradle wrapper
+        uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b #1.0.4
+      - name: Set up JDK 8
+        uses: actions/setup-java@d202f5dbf7256730fb690ec59f6381650114feb2
+        with:
+          java-version: 8
+      - name: Check dependencies with Gradle
+        run: ./gradlew ossIndexAudit --info

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2020 Istvan Zoltan Nagy (a.k.a Esta Nagy)
+Copyright (c) 2020-present Istvan Zoltan Nagy (a.k.a Esta Nagy)
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

boosters/testkit/build.gradle

@@ -9,6 +9,8 @@ dependencies {
     implementation project(":mission-control")
     implementation "org.springframework.boot:spring-boot-starter:${rootProject.ext.testSpringBootVersion}"
     implementation "org.springframework.boot:spring-boot-starter-test:${rootProject.ext.testSpringBootVersion}"
+    implementation "ch.qos.logback:logback-core:${rootProject.ext.logbackVersion}"
+    implementation "ch.qos.logback:logback-classic:${rootProject.ext.logbackVersion}"
     testImplementation "org.junit.jupiter:junit-jupiter-api:${rootProject.ext.jupiterPlatformVersion}"
     testImplementation "org.junit.jupiter:junit-jupiter:${rootProject.ext.jupiterPlatformVersion}"
 }

build.gradle

@@ -1,5 +1,7 @@
 plugins {
     id 'io.toolebox.git-versioner' version '1.6.5'
+    id 'org.sonatype.gradle.plugins.scan' version '2.2.2' apply false
+    id 'org.owasp.dependencycheck' version '6.5.2' apply false
 }
 
 group = 'com.github.nagyesta.abort-mission'
@@ -24,21 +26,21 @@ project.ext {
     jupiterVersion = '5.8.2'
     jupiterReportingVersion = '1.8.2'
     testNgVersion = '7.4.0'
-    testSpringBootVersion = '2.6.1'
+    testSpringBootVersion = '2.6.2'
 
     // internal build versions
     jupiterTestKitVersion = '1.8.2'
     jupiterPlatformVersion = '5.8.2'
     latestTestNgVersion = '7.4.0'
     mockitoCoreVersion = '4.1.0'
-    springBootVersion = '2.6.1'
-    springVersion = '5.3.13'
+    springBootVersion = '2.6.2'
+    springVersion = '5.3.14'
     jdbiVersion = '3.18.0'
-    h2Version = '2.0.204'
+    h2Version = '2.0.206'
     gsonVersion = '2.8.9'
     cucumberVersion = '7.1.0'
     slf4jApiVersion = '1.7.32'
-    logbackVersion = "1.2.7"
+    logbackVersion = '1.2.10'
     jsonSchemaValidatorVersion = '1.0.64'
     lombokVersion = '1.18.20'
 }
@@ -71,13 +73,15 @@ versioner {
 }
 
 configure(subprojects.findAll({
-    !'boosters'.equalsIgnoreCase(it.name) && !'mission-report'.equalsIgnoreCase(it.name)
+    !'boosters'.equalsIgnoreCase(it.name) && !'strongback'.equalsIgnoreCase(it.name) && !'mission-report'.equalsIgnoreCase(it.name)
 })) {
     apply plugin: 'java'
     apply plugin: 'checkstyle'
     apply plugin: 'jacoco'
     apply plugin: 'maven-publish'
     apply plugin: 'signing'
+    apply plugin: 'org.sonatype.gradle.plugins.scan'
+    apply plugin: 'org.owasp.dependencycheck'
 
     versioner.apply()
 
@@ -171,6 +175,7 @@ configure(subprojects.findAll({
                     .fromFile(rootProject.file('config/checkstyle/checkstyle-stylesheet.xsl') as String)
         }
     }
+    checkstyle.toolVersion = '9.2.1'
 
     publishing {
         repositories {

mission-report/flight-evaluation-report/build.gradle

@@ -4,7 +4,6 @@ plugins {
     //noinspection SpellCheckingInspection
     id "io.freefair.lombok" version "6.2.0"
     id "org.padler.gradle.minify" version "1.6.0"
-    id "org.sonatype.gradle.plugins.scan" version "2.0.4"
 }
 
 group = "${rootProject.group}.reports"
@@ -19,6 +18,8 @@ dependencies {
     implementation "org.springframework.boot:spring-boot-starter-thymeleaf:${rootProject.ext.springBootVersion}"
     implementation "org.springframework.boot:spring-boot-starter-json:${rootProject.ext.springBootVersion}"
     implementation "com.networknt:json-schema-validator:${rootProject.ext.jsonSchemaValidatorVersion}"
+    implementation "ch.qos.logback:logback-core:${rootProject.ext.logbackVersion}"
+    implementation "ch.qos.logback:logback-classic:${rootProject.ext.logbackVersion}"
     annotationProcessor "org.projectlombok:lombok:${rootProject.ext.lombokVersion}"
     annotationProcessor "org.springframework.boot:spring-boot-configuration-processor:${rootProject.ext.springBootVersion}"
     testImplementation "org.springframework.boot:spring-boot-starter-test:${rootProject.ext.springBootVersion}"