Merge pull request #158 from RADAR-base/security/march-2025-fixes

Apply security upgrades March 2025 platform upgrade

.snyk

@@ -0,0 +1,5 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+# ignores vulnerabilities until expiry date; change duration by modifying expiry date
+ignore:
+patch: {}

buildSrc/src/main/kotlin/Versions.kt

@@ -4,10 +4,10 @@ object Versions {
 
     const val java = 17
     const val kotlin = "1.9.22"
-    const val wrapper = "8.4"
+    const val wrapper = "8.9"
 
-    const val radarCommons = "1.1.2"
-    const val confluent = "7.7.0"
+    const val radarCommons = "1.1.3"
+    const val confluent = "7.8.1"
     const val kafka = "$confluent-ce"
     const val avro = "1.12.0"
 
@@ -28,4 +28,6 @@ object Versions {
     const val junit = "5.10.2"
     const val wiremock = "3.0.1"
     const val mockito = "5.11.0"
+
+    const val nettyVersion = "4.1.118.Final"
 }

kafka-connect-fitbit-source/Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM --platform=$BUILDPLATFORM gradle:8.4-jdk17 as builder
+FROM --platform=$BUILDPLATFORM gradle:8.9-jdk17 AS builder
 
 RUN mkdir /code
 WORKDIR /code
@@ -32,16 +32,11 @@ COPY ./kafka-connect-fitbit-source/src/ /code/kafka-connect-fitbit-source/src
 
 RUN gradle jar
 
-FROM confluentinc/cp-kafka-connect-base:7.5.0
-
-USER root
-
-RUN yum remove -y zulu11-ca-jdk-headless && yum remove -y zulu11-ca-jre-headless
-RUN yum install -y zulu17-ca-jdk-headless && yum install -y zulu17-ca-jre-headless
+FROM confluentinc/cp-kafka-connect-base:7.8.1
 
 USER appuser
 
-MAINTAINER Joris Borgdorff <joris@thehyve.nl>
+LABEL org.opencontainers.image.authors="pim@thehyve.nl"
 
 LABEL description="Kafka REST API Source connector"
 

kafka-connect-fitbit-source/build.gradle.kts

@@ -1,6 +1,13 @@
 description = "Kafka connector for Fitbit API source"
 
 dependencies {
+
+    /* The entries in the block below are added here to force the version of
+     * transitive dependencies and mitigate reported vulnerabilities
+     */
+    implementation("io.netty:netty-handler-proxy:${Versions.nettyVersion}")
+    implementation("io.netty:netty-handler:${Versions.nettyVersion}")
+
     api(project(":kafka-connect-rest-source"))
     api(project(":oura-library"))
     api("io.confluent:kafka-connect-avro-converter:${Versions.confluent}")

kafka-connect-oura-source/Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM --platform=$BUILDPLATFORM gradle:8.4-jdk17 as builder
+FROM --platform=$BUILDPLATFORM gradle:8.9-jdk17 AS builder
 
 RUN mkdir /code
 WORKDIR /code
@@ -32,16 +32,11 @@ COPY ./oura-library/src/ /code/oura-library/src
 
 RUN gradle jar
 
-FROM confluentinc/cp-kafka-connect-base:7.5.0
-
-USER root
-
-RUN yum remove -y zulu11-ca-jdk-headless && yum remove -y zulu11-ca-jre-headless
-RUN yum install -y zulu17-ca-jdk-headless && yum install -y zulu17-ca-jre-headless
+FROM confluentinc/cp-kafka-connect-base:7.8.1
 
 USER appuser
 
-MAINTAINER Pauline Conde <[email protected]>
+LABEL org.opencontainers.image.authors="[email protected]"
 
 LABEL description="Kafka Oura REST API Source connector"
 

kafka-connect-oura-source/build.gradle.kts

@@ -1,6 +1,13 @@
 description = "Kafka connector for Oura API source"
 
 dependencies {
+
+    /* The entries in the block below are added here to force the version of
+     * transitive dependencies and mitigate reported vulnerabilities
+     */
+    implementation("io.netty:netty-handler-proxy:${Versions.nettyVersion}")
+    implementation("io.netty:netty-handler:${Versions.nettyVersion}")
+
     api(project(":oura-library"))
     api("io.confluent:kafka-connect-avro-converter:${Versions.confluent}")
     api("org.radarbase:radar-schemas-commons:${Versions.radarSchemas}")