[Snyk] Security upgrade org.eclipse.jetty:jetty-deploy from 11.0.15 to 12.0.0

[mo-auto]

Snyk has created this PR to fix 3 vulnerabilities in the maven dependencies of this project.

Snyk changed the following file(s):

• jans-config-api/pom.xml

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score	Upgrade
	Improper Validation of Syntactic Correctness of Input SNYK-JAVA-ORGECLIPSEJETTY-8186141	708	org.eclipse.jetty:jetty-deploy: 11.0.15 -> 12.0.0 Major version upgrade Proof of Concept
	Improper Validation of Syntactic Correctness of Input SNYK-JAVA-ORGECLIPSEJETTY-8186158	708	org.eclipse.jetty:jetty-deploy: 11.0.15 -> 12.0.0 Major version upgrade Proof of Concept
	Denial of Service (DoS) SNYK-JAVA-ORGECLIPSEJETTY-8186142	696	org.eclipse.jetty:jetty-deploy: 11.0.15 -> 12.0.0 No Known Exploit

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Denial of Service (DoS)

[dryrunsecurity]

DryRun Security Summary

The code changes for the Janssen Project demonstrate a comprehensive approach to application security by implementing various GitHub Actions workflows that focus on runner hardening, secure authentication, dependency management, vulnerability scanning, code signing, and secure deployment processes.

Expand for full summary

Summary:

The provided code changes cover a wide range of GitHub Actions workflows and configurations for the Janssen Project, an open-source identity and access management (IAM) platform. These changes focus on various aspects of the project's development and deployment processes, with a strong emphasis on application security.

The key security-related aspects of these changes include:

1. Hardening the GitHub Actions Runner: Many of the workflows use the step-security/harden-runner action to apply security hardening measures to the GitHub Actions runner environment, such as enforcing an "audit" egress policy.
2. Secure Authentication and Authorization: The workflows use GitHub secrets and OIDC tokens to authenticate with various services, ensuring that sensitive information is not exposed.
3. Dependency Management and Vulnerability Scanning: The changes include workflows for automatically updating dependencies and scanning for known vulnerabilities, which helps maintain the security of the project's codebase.
4. Code Signing and Integrity: Several workflows use GPG keys to sign Git commits and Docker images, ensuring the integrity and provenance of the changes.
5. Secure Deployment and Release Processes: The workflows handle the building, signing, and publishing of Docker images and other artifacts, with a focus on maintaining the security and reliability of the deployment process.

Overall, these code changes demonstrate a strong commitment to application security throughout the Janssen Project's development and deployment lifecycle. The use of security-conscious practices, such as hardening the runner, managing sensitive information, and integrating security checks, is a positive sign that the project's maintainers are taking a proactive approach to securing the application.

Files Changed:

• .github/workflows/backport.yml: This workflow automates the backporting of merged pull requests to other branches, with a focus on secure authentication and runner hardening.
• .github/CODEOWNERS: This file updates the ownership of various components and directories within the project, which is important for maintaining secure development practices.
• .github/dependabot.yml: This configuration sets up Dependabot to automatically update dependencies, helping to keep the project secure by addressing known vulnerabilities.
• .github/workflows/activate-nightly-build.yml: This workflow is responsible for activating a nightly build process, with security measures such as runner hardening and secure authentication.
• .github/workflows/build-packages.yml: This workflow builds and publishes binary and Python packages, with a focus on signing the packages and generating checksums for integrity verification.
• .github/workflows/central_code_quality_check.yml: This workflow runs code quality checks, including Sonar analysis, to help maintain the security and integrity of the codebase.
• .github/workflows/build-docs.yml: This workflow publishes the project's documentation, with security measures such as GPG signing of commits and runner hardening.
• .github/workflows/codeql-analysis.yml: This workflow sets up the CodeQL code analysis engine to detect potential security vulnerabilities in the codebase.
• .github/workflows/build-wars.yml: This workflow builds and deploys various components of the Janssen Project, with a focus on secure Java version management and Maven command execution.
• .github/workflows/delete_workflow_runs.yml: This workflow automatically deletes old workflow runs, helping to prevent the accumulation of sensitive data or other potentially sensitive information.
• .github/workflows/dependency-review.yml: This workflow scans dependency manifest files for known-vulnerable versions of packages, which is a crucial security practice.
• .github/workflows/flake8-lint.yml: This workflow runs Flake8 linting on Python code, helping to maintain code quality and catch potential security issues.
• .github/workflows/jans_pycloud_build_package.yml: This workflow updates the jans-pycloudlib library in various Docker images, with security measures such as GPG signing of commits.
• .github/workflows/label_pr_issues.yml: This workflow automatically labels pull requests and issues, with security considerations such as runner hardening and restricted access.
• .github/workflows/pr-ref-issue.yml: This workflow enforces a specific pull request process, ensuring that each PR references an open issue, which can help with security traceability.
• .github/workflows/scorecard.yml: This workflow runs the Scorecard security analysis tool on the project, providing a comprehensive evaluation of the project's security posture.
• .github/workflows/docker_build_image.yml: This workflow builds and publishes Docker images for the Janssen Project, with security measures such as image signing and runner

Code Analysis

We ran 9 analyzers against 30 files and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.