Merge remote-tracking branch 'origin/main' into release

eclipse-tractusx · Apr 19, 2023 · efcd746 · efcd746
2 parents 38424dc + 3b64139
commit efcd746
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,11 +4,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 0.2.3-M1
+### Added
+
+### Fixed
+- Adjust deployment to contain security context
+
 ## 0.2.2-M1
 ### Added
 
 ### Fixed
-Fix cve-2022-45688 (update json to 20230227)
+- Fix cve-2022-45688 (update json to 20230227)
 
 ### Changed
 

diff --git a/README.md b/README.md
@@ -89,6 +89,11 @@ The Helm Chart can be configured using the following parameters (incomplete list
 | `graphdb.storageClassName`     | Defines the storage class name of the `PersistentVolumeClaim` that is used to persist the GraphDB data.  | `standard` |
 | `graphdb.storageSize`     | Size of the `PersistentVolumeClaim`  | `50Gi` |
 
+### Prerequisites
+- Kubernetes 1.19+
+- Helm 3.10.2+
+- PV provisioner support in the underlying infrastructure
+
 ## Notice for Docker image
 
 This application provides container images for demonstration purposes.

diff --git a/backend/Dockerfile b/backend/Dockerfile
@@ -31,12 +31,12 @@ RUN apk --no-cache upgrade \
     && apk  --no-cache add graphviz \
     && rm -rf /var/cache/apk/*
 
-RUN addgroup -S spring \
-    && adduser -S spring -G spring \
+RUN addgroup -g 101 -S spring \
+    && adduser -u 100 -S spring -G spring \
     && mkdir -p /service \
     && chown spring:spring /service
 
-USER spring:spring
+USER 100:101
 
 WORKDIR /service
 

diff --git a/charts/semantic-hub/Chart.yaml b/charts/semantic-hub/Chart.yaml
@@ -3,8 +3,8 @@ name: semantic-hub
 description: Helm Chart for the Catena-X Semantic Hub Application
 
 type: application
-version: 0.1.13
-appVersion: 0.2.2-M1
+version: 0.1.15
+appVersion: 0.2.3-M1
 dependencies:
   - repository: https://charts.bitnami.com/bitnami
     name: keycloak

diff --git a/charts/semantic-hub/templates/hub/hub-deployment.yaml b/charts/semantic-hub/templates/hub/hub-deployment.yaml
@@ -39,13 +39,13 @@ spec:
         app: {{ $deployment_name }}
     spec:
       securityContext:
-        runAsUser: 1000
+        runAsUser: 100
       containers:
         - name: {{ $deployment_name }}
           image: {{ .Values.hub.image.registry }}/{{ .Values.hub.image.repository }}:{{ .Values.hub.image.version | default .Chart.AppVersion }}
           imagePullPolicy: {{ .Values.hub.imagePullPolicy }}
           securityContext:
-            runAsUser: 1000
+            runAsUser: 100
             allowPrivilegeEscalation: false
           {{- if not .Values.hub.authentication }}
           args: ["--spring.profiles.active=local"]

diff --git a/pom.xml b/pom.xml
@@ -173,8 +173,20 @@
 						<groupId>org.springframework.boot</groupId>
 						<artifactId>spring-boot-starter-tomcat</artifactId>
 					</exclusion>
+					<!-- Exlude spring-expression because of CVE-2023-20863 (spring-expression in version 6.0.7) -->
+					<exclusion>
+						<groupId>org.springframework</groupId>
+						<artifactId>spring-expression</artifactId>
+					</exclusion>
 				</exclusions>
 			</dependency>
+			<!-- add explicit dependency spring-expression because of CVE-2023-20863 (spring-expression in version 6.0.7).
+			Remove after spring-boot-starter-web includes the newest version of spring-expression-->
+			<dependency>
+				<groupId>org.springframework</groupId>
+				<artifactId>spring-expression</artifactId>
+				<version>6.0.8</version>
+			</dependency>
 			<!-- Tempory fix for a finding in snakeyaml v1.30, remove once new Spring Boot release contains fix -->
 			<dependency>
 				<groupId>org.springframework.boot</groupId>