OpenSRP Server Web Vulnerabilities

[bonfaceshisakha]

Issue details

Find here vulnerabilities identified by trivy as I was testing automated vulnerability checks on the repository as well as on the docker image. Having the vulnerabilities may be a blocker in the event changes are pushed to the repo hence requesting if they can be addressed as soon as possible. The PR relating to this can be found here.

Remediation Strategy

High Priority

• Bump com.fasterxml.jackson.core:jackson-databind to either 2.12.6.1 or 2.13.2.1 to fix all CRITICAL & HIGH vulnerabilities.
• Update org.yaml:snakeyaml to 1.32
• Update org.postgresql:postgresql to 42.4.1
• Update org.jdom:jdom2 to 2.0.6.1
• Update org.springframework.amqp:spring-amqp to 2.3.2

Other fixes

• Update commons-io:commons-io to 2.7
• Bump io.netty:netty-handler to 4.1.77.Final
• Bump com.amazonaws:aws-java-sdk-s3 to 1.12.261
• Bump com.google.protobuf:protobuf-java to either 3.16.1, 3.18.2 or 3.19.2
• Bump io.netty:netty-codec to 4.1.77.Final
• Bump io.netty:netty-codec-http to 4.1.77.Final
• Bump org.apache.poi:poi to 5.2.1
• Bump org.jetbrains.kotlin:kotlin-stdlib to 1.6.0
• Bump org.keycloak:keycloak-core to 17.0.1

[ekigamba]

• CodeQL alerts https://github.com/opensrp/opensrp-server-web/pull/1134/checks?check_run_id=9056048461 - 2 critical
• Trivy alerts https://github.com/opensrp/opensrp-server-web/pull/1134/checks?check_run_id=9055980472 - 22 critical alerts

Total = 24 critical alerts