ministryofjustice · neilmendum · Apr 6, 2023 · Apr 5, 2023 · Apr 5, 2023 · Apr 6, 2023
@@ -32,6 +32,3 @@ CVE-2022-42889
 # Suppression for h2 2.1.214 password on command line vulnerability
 #   can be suppressed as we only run h2 locally and not on build environments
 CVE-2022-45868
-# Suppression for spring-web 5.3.24 as bundled with spring boot
-#   can be suppressed as we are not using java serialization and deserialization explicitly
-CVE-2016-1000027
diff --git a/applicationinsights.dev.json b/applicationinsights.dev.json
@@ -6,6 +6,9 @@
     "service.version": "${BUILD_NUMBER}"
   },
   "instrumentation": {
+    "springScheduling": {
+      "enabled": false
+    },
     "logging": {
       "level": "DEBUG"
     }

diff --git a/applicationinsights.json b/applicationinsights.json
@@ -6,6 +6,9 @@
     "service.version": "${BUILD_NUMBER}"
   },
   "instrumentation": {
+    "springScheduling": {
+      "enabled": false
+    },
     "logging": {
       "level": "DEBUG"
     }

@@ -1,5 +1,5 @@
 plugins {
-  id("uk.gov.justice.hmpps.gradle-spring-boot") version "4.8.4"
+  id("uk.gov.justice.hmpps.gradle-spring-boot") version "5.1.3"
   id("org.springdoc.openapi-gradle-plugin") version "1.6.0"
   id("jacoco")
   id("org.sonarqube") version "4.0.0.2929"
@@ -17,14 +17,19 @@ configurations {
   testImplementation { exclude(group = "org.junit.vintage") }
 }
 
+repositories {
+  maven { url = uri("https://repo.spring.io/milestone") }
+  mavenCentral()
+}
+
 dependencies {
   implementation("org.springframework.boot:spring-boot-starter-webflux")
   implementation("org.springframework.boot:spring-boot-starter-data-r2dbc")
   implementation("org.springframework.boot:spring-boot-starter-oauth2-resource-server")
   implementation("org.springframework.boot:spring-boot-starter-security")
   implementation("org.springframework.boot:spring-boot-starter-oauth2-client")
 
-  implementation("uk.gov.justice.service.hmpps:hmpps-sqs-spring-boot-starter:1.2.0")
+  implementation("uk.gov.justice.service.hmpps:hmpps-sqs-spring-boot-starter:2.0.0-beta-14")
 
   implementation("org.jetbrains.kotlinx:kotlinx-coroutines-core")
   implementation("org.jetbrains.kotlinx:kotlinx-coroutines-reactor")
@@ -34,8 +39,7 @@ dependencies {
   runtimeOnly("org.springframework.boot:spring-boot-starter-jdbc")
   runtimeOnly("org.postgresql:postgresql:42.6.0")
 
-  implementation("org.springdoc:springdoc-openapi-webflux-ui:1.6.15")
-  implementation("org.springdoc:springdoc-openapi-kotlin:1.6.15")
+  implementation("org.springdoc:springdoc-openapi-starter-webflux-ui:2.1.0")
 
   implementation("com.fasterxml.jackson.module:jackson-module-kotlin")
   implementation("com.fasterxml.jackson.datatype:jackson-datatype-jsr310")
@@ -51,15 +55,17 @@ dependencies {
   developmentOnly("org.springframework.boot:spring-boot-devtools")
 
   testImplementation("org.awaitility:awaitility-kotlin")
-  testImplementation("io.jsonwebtoken:jjwt:0.9.1")
+  testImplementation("io.jsonwebtoken:jjwt-impl:0.11.5")
+  testImplementation("io.jsonwebtoken:jjwt-jackson:0.11.5")
   testImplementation("org.mockito:mockito-inline")
   testImplementation("io.swagger.parser.v3:swagger-parser:2.1.13")
   testImplementation("org.springframework.security:spring-security-test")
-  testImplementation("com.github.tomakehurst:wiremock-standalone:2.27.2")
-  testImplementation("org.testcontainers:localstack:1.17.6")
-  testImplementation("org.testcontainers:postgresql:1.17.6")
+  testImplementation("com.github.tomakehurst:wiremock-jre8-standalone:2.35.0")
+  testImplementation("org.testcontainers:localstack:1.18.0")
+  testImplementation("org.testcontainers:postgresql:1.18.0")
   testImplementation("io.projectreactor:reactor-test")
   testImplementation("org.jetbrains.kotlinx:kotlinx-coroutines-test")
+  testImplementation("javax.xml.bind:jaxb-api:2.3.1")
 
   if (project.hasProperty("docs")) {
     implementation("com.h2database:h2")

@@ -1,28 +1,16 @@
 package uk.gov.justice.digital.hmpps.incentivesapi.config
 
 import com.microsoft.applicationinsights.TelemetryClient
-import org.slf4j.LoggerFactory
-import org.springframework.boot.autoconfigure.condition.ConditionalOnExpression
 import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 
 /**
- * Application insights now controlled by the spring-boot-starter dependency.  However when the key is not specified
- * we don't get a telemetry bean and application won't start.  Therefore need this backup configuration.
+ * TelemetryClient gets altered at runtime by the java agent and so is a no-op otherwise
  */
 @Configuration
 class ApplicationInsightsConfiguration {
   @Bean
-  @ConditionalOnExpression("T(org.apache.commons.lang3.StringUtils).isBlank('\${applicationinsights.connection.string:}')")
-  fun telemetryClient(): TelemetryClient {
-    log.warn("Application insights configuration missing, returning dummy bean instead")
-
-    return TelemetryClient()
-  }
-
-  companion object {
-    private val log = LoggerFactory.getLogger(this::class.java)
-  }
+  fun telemetryClient(): TelemetryClient = TelemetryClient()
 }
 
 fun TelemetryClient.trackEvent(name: String, properties: Map<String, String>) = this.trackEvent(name, properties, null)
@@ -2,6 +2,7 @@ package uk.gov.justice.digital.hmpps.incentivesapi.config
 
 import com.fasterxml.jackson.annotation.JsonInclude
 import io.swagger.v3.oas.annotations.media.Schema
+import jakarta.validation.ValidationException
 import org.slf4j.LoggerFactory
 import org.springframework.beans.TypeMismatchException
 import org.springframework.http.HttpStatus
@@ -21,7 +22,6 @@ import org.springframework.web.server.ServerWebInputException
 import org.springframework.web.server.UnsupportedMediaTypeStatusException
 import uk.gov.justice.digital.hmpps.incentivesapi.service.IncentiveReviewNotFoundException
 import uk.gov.justice.digital.hmpps.incentivesapi.util.ParameterValidationException
-import javax.validation.ValidationException
 
 @RestControllerAdvice
 class HmppsIncentivesApiExceptionHandler {

@@ -13,7 +13,7 @@ import io.swagger.v3.oas.models.security.Scopes
 import io.swagger.v3.oas.models.security.SecurityRequirement
 import io.swagger.v3.oas.models.security.SecurityScheme
 import io.swagger.v3.oas.models.servers.Server
-import org.springdoc.core.customizers.OpenApiCustomiser
+import org.springdoc.core.customizers.OpenApiCustomizer
 import org.springframework.beans.factory.annotation.Value
 import org.springframework.boot.info.BuildProperties
 import org.springframework.context.annotation.Bean
@@ -76,7 +76,7 @@ class OpenApiConfiguration(
   }
 
   @Bean
-  fun openAPICustomiser(): OpenApiCustomiser = OpenApiCustomiser {
+  fun openAPICustomiser(): OpenApiCustomizer = OpenApiCustomizer {
     it.components.schemas.forEach { (_, schema: Schema<*>) ->
       val properties = schema.properties ?: mutableMapOf()
       for (propertyName in properties.keys) {

@@ -10,7 +10,7 @@ import org.springframework.security.web.server.SecurityWebFilterChain
 
 @Configuration
 @EnableWebFluxSecurity
-@EnableReactiveMethodSecurity
+@EnableReactiveMethodSecurity(useAuthorizationManager = false)
 @EnableR2dbcRepositories
 class ResourceServerConfiguration {
 

@@ -1,12 +1,12 @@
 package uk.gov.justice.digital.hmpps.incentivesapi.service
 
-import com.amazonaws.services.sqs.model.SendMessageRequest
 import com.fasterxml.jackson.databind.ObjectMapper
 import com.microsoft.applicationinsights.TelemetryClient
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 import org.springframework.beans.factory.annotation.Value
 import org.springframework.stereotype.Service
+import software.amazon.awssdk.services.sqs.model.SendMessageRequest
 import uk.gov.justice.digital.hmpps.incentivesapi.config.AuthenticationFacade
 import uk.gov.justice.hmpps.sqs.HmppsQueue
 import uk.gov.justice.hmpps.sqs.HmppsQueueService
@@ -40,15 +40,15 @@ class AuditService(
 
     val result =
       auditSqsClient.sendMessage(
-        SendMessageRequest(
-          auditQueueUrl,
-          auditEvent.toJson(),
-        ),
-      )
+        SendMessageRequest.builder()
+          .queueUrl(auditQueueUrl)
+          .messageBody(auditEvent.toJson())
+          .build(),
+      ).get()
 
     telemetryClient.trackEvent(
       auditEvent.what,
-      mapOf("messageId" to result.messageId, "id" to id),
+      mapOf("messageId" to result.messageId(), "id" to id),
       null,
     )
   }

@@ -1,5 +1,6 @@
 package uk.gov.justice.digital.hmpps.incentivesapi.service
 
+import jakarta.validation.ValidationException
 import kotlinx.coroutines.flow.Flow
 import kotlinx.coroutines.flow.map
 import kotlinx.coroutines.flow.toList
@@ -14,7 +15,6 @@ import uk.gov.justice.digital.hmpps.incentivesapi.jpa.repository.IncentiveLevelR
 import uk.gov.justice.digital.hmpps.incentivesapi.util.flow.associateByTo
 import java.time.Clock
 import java.time.LocalDateTime
-import javax.validation.ValidationException
 import uk.gov.justice.digital.hmpps.incentivesapi.dto.IncentiveLevel as IncentiveLevelDTO
 import uk.gov.justice.digital.hmpps.incentivesapi.dto.IncentiveLevelUpdate as IncentiveLevelUpdateDTO
 

@@ -1,5 +1,6 @@
 package uk.gov.justice.digital.hmpps.incentivesapi.service
 
+import jakarta.validation.ValidationException
 import kotlinx.coroutines.flow.Flow
 import kotlinx.coroutines.flow.map
 import kotlinx.coroutines.flow.toList
@@ -10,7 +11,6 @@ import uk.gov.justice.digital.hmpps.incentivesapi.jpa.repository.IncentiveLevelR
 import uk.gov.justice.digital.hmpps.incentivesapi.jpa.repository.PrisonIncentiveLevelRepository
 import java.time.Clock
 import java.time.LocalDateTime
-import javax.validation.ValidationException
 import uk.gov.justice.digital.hmpps.incentivesapi.dto.PrisonIncentiveLevel as PrisonIncentiveLevelDTO
 import uk.gov.justice.digital.hmpps.incentivesapi.dto.PrisonIncentiveLevelUpdate as PrisonIncentiveLevelUpdateDTO
 

@@ -1,10 +1,10 @@
 package uk.gov.justice.digital.hmpps.incentivesapi.service
 
 import com.fasterxml.jackson.databind.ObjectMapper
+import io.awspring.cloud.sqs.annotation.SqsListener
 import kotlinx.coroutines.runBlocking
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
-import org.springframework.jms.annotation.JmsListener
 import org.springframework.stereotype.Service
 
 @Service
@@ -16,7 +16,7 @@ class PrisonOffenderEventListener(
     val log: Logger = LoggerFactory.getLogger(this::class.java)
   }
 
-  @JmsListener(destination = "incentives", containerFactory = "hmppsQueueContainerFactoryProxy")
+  @SqsListener("incentives", factory = "hmppsQueueContainerFactoryProxy")
   fun onPrisonOffenderEvent(requestJson: String) = runBlocking {
     val (message, messageAttributes) = mapper.readValue(requestJson, HMPPSMessage::class.java)
     val eventType = messageAttributes.eventType.Value

@@ -1,5 +1,6 @@
 package uk.gov.justice.digital.hmpps.incentivesapi.service
 
+import jakarta.validation.ValidationException
 import kotlinx.coroutines.FlowPreview
 import kotlinx.coroutines.flow.Flow
 import kotlinx.coroutines.flow.count
@@ -31,7 +32,6 @@ import java.time.Clock
 import java.time.LocalDateTime
 import java.time.format.DateTimeFormatter
 import java.util.function.Supplier
-import javax.validation.ValidationException
 
 @Service
 class PrisonerIepLevelReviewService(

@@ -1,11 +1,11 @@
 package uk.gov.justice.digital.hmpps.incentivesapi.service
 
-import com.amazonaws.services.sns.model.MessageAttributeValue
-import com.amazonaws.services.sns.model.PublishRequest
 import com.fasterxml.jackson.databind.ObjectMapper
 import org.slf4j.Logger
 import org.slf4j.LoggerFactory
 import org.springframework.stereotype.Service
+import software.amazon.awssdk.services.sns.model.MessageAttributeValue
+import software.amazon.awssdk.services.sns.model.PublishRequest
 import uk.gov.justice.hmpps.sqs.HmppsQueueService
 import java.time.Instant
 import java.time.LocalDate
@@ -44,12 +44,15 @@ class SnsService(hmppsQueueService: HmppsQueueService, private val objectMapper:
   private fun publishToDomainEventsTopic(payload: HMPPSDomainEvent) {
     log.debug("Event {} for id {}", payload.eventType, payload.additionalInformation)
     domaineventsTopicClient.publish(
-      PublishRequest(domaineventsTopic.arn, objectMapper.writeValueAsString(payload))
-        .withMessageAttributes(
+      PublishRequest.builder()
+        .topicArn(domaineventsTopic.arn)
+        .message(objectMapper.writeValueAsString(payload))
+        .messageAttributes(
           mapOf(
-            "eventType" to MessageAttributeValue().withDataType("String").withStringValue(payload.eventType),
+            "eventType" to MessageAttributeValue.builder().dataType("String").stringValue(payload.eventType).build(),
           ),
         )
+        .build()
         .also { log.info("Published event $payload to outbound topic") },
     )
   }

@@ -1,7 +1,7 @@
 package uk.gov.justice.digital.hmpps.incentivesapi.util
 
+import jakarta.validation.ValidationException
 import org.springframework.data.domain.PageRequest
-import javax.validation.ValidationException
 import kotlin.math.min
 
 infix fun <T> List<T>.paginateWith(pageRequest: PageRequest): List<T> {

@@ -4,7 +4,7 @@
  */
 package uk.gov.justice.digital.hmpps.incentivesapi.util
 
-import javax.validation.ValidationException
+import jakarta.validation.ValidationException
 
 fun ensure(block: Ensure.() -> Unit) = Ensure().apply {
   block()

@@ -59,7 +59,7 @@ class JwtAuthHelper {
           .setSubject(subject)
           .addClaims(it.toMap())
           .setExpiration(Date(System.currentTimeMillis() + expiryTime.toMillis()))
-          .signWith(SignatureAlgorithm.RS256, keyPair.private)
+          .signWith(keyPair.private, SignatureAlgorithm.RS256)
           .compact()
       }
 }