Merged main

Author: gmsdelmundo

.github/workflows/publish-all-operators.yaml

@@ -10,6 +10,10 @@ on:
         - Major
         - Minor
         - Patch
+      vulnerability_severity:
+        description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. Must be one of ['CRITICAL', 'CRITICAL,HIGH' or 'CRITICAL,HIGH,MEDIUM'] (without space in between).
+        type: string
+        default: 'CRITICAL,HIGH'
 
 jobs:
   start:
@@ -70,6 +74,7 @@ jobs:
     with:
       release_type: ${{ inputs.release_type }}
       version_number_input: ${{ needs.start.outputs.new_version }}
+      vulnerability_severity: ${{ inputs.vulnerability_severity }}
     secrets: inherit
 
   buildGCP:
@@ -79,6 +84,7 @@ jobs:
     with:
       release_type: ${{ inputs.release_type }}
       version_number_input: ${{ needs.start.outputs.new_version }}
+      vulnerability_severity: ${{ inputs.vulnerability_severity }}
     secrets: inherit
 
   buildAzure:
@@ -88,6 +94,7 @@ jobs:
     with:
       release_type: ${{ inputs.release_type }}
       version_number_input: ${{ needs.start.outputs.new_version }}
+      vulnerability_severity: ${{ inputs.vulnerability_severity }}
     secrets: inherit
 
   collectAllArtifacts:
@@ -114,7 +121,7 @@ jobs:
           path: ./artifacts/azure_cc_operator
 
       - name: Delete staging artifacts
-        uses: geekyeggo/delete-artifact@v2
+        uses: geekyeggo/delete-artifact@v4
         with: 
           name: |
             image-details

.github/workflows/publish-azure-cc-enclave-docker.yaml

@@ -15,6 +15,11 @@ on:
         description: If set, the version number will not be incremented and the given number will be used.
         type: string
         default: ''
+      vulnerability_severity:
+        description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. Must be one of ['CRITICAL', 'CRITICAL,HIGH' or 'CRITICAL,HIGH,MEDIUM'] (without space in between).
+        type: string
+        default: 'CRITICAL,HIGH'
+
   workflow_call:
     inputs:
       release_type:
@@ -25,6 +30,10 @@ on:
         description: If set, the version number will not be incremented and the given number will be used.
         type: string
         default: ''
+      vulnerability_severity:
+        description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. Must be one of ['CRITICAL', 'CRITICAL,HIGH' or 'CRITICAL,HIGH,MEDIUM'] (without space in between).
+        type: string
+        default: 'CRITICAL,HIGH'
 
     outputs:
       image_tag:
@@ -48,6 +57,7 @@ jobs:
       security-events: write
       packages: write
       id-token: write
+      pull-requests: write
     outputs:
       jar_version: ${{ steps.version.outputs.new_version }}
       image_tag: ${{ steps.updatePom.outputs.image_tag }}
@@ -181,7 +191,7 @@ jobs:
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
-          severity: 'CRITICAL'
+          severity: ${{ inputs.vulnerability_severity }}
           hide-progress: true
 
       - name: Push to Docker

.github/workflows/publish-gcp-oidc-enclave-docker.yaml

@@ -15,6 +15,10 @@ on:
         description: If set, the version number will not be incremented and the given number will be used.
         type: string
         default: ''
+      vulnerability_severity:
+        description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. Must be one of ['CRITICAL', 'CRITICAL,HIGH' or 'CRITICAL,HIGH,MEDIUM'] (without space in between).
+        type: string
+        default: 'CRITICAL,HIGH'
   workflow_call:
     inputs:
       release_type:
@@ -25,6 +29,10 @@ on:
         description: If set, the version number will not be incremented and the given number will be used.
         type: string
         default: ''
+      vulnerability_severity:
+        description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. Must be one of ['CRITICAL', 'CRITICAL,HIGH' or 'CRITICAL,HIGH,MEDIUM'] (without space in between).
+        type: string
+        default: 'CRITICAL,HIGH'
 
     outputs:
       image_tag:
@@ -50,6 +58,7 @@ jobs:
       security-events: write
       packages: write
       id-token: write
+      pull-requests: write
     outputs:
       jar_version: ${{ steps.version.outputs.new_version }}
       image_tag: ${{ steps.updatePom.outputs.image_tag }}
@@ -217,7 +226,7 @@ jobs:
           format: 'table'
           exit-code: '1'
           ignore-unfixed: true
-          severity: 'CRITICAL'
+          severity: ${{ inputs.vulnerability_severity }}
           hide-progress: true
 
       - name: Push to Docker

.github/workflows/publish-public-operator-docker-image.yaml

@@ -15,6 +15,10 @@ on:
         description: If set, the version number will not be incremented and the given number will be used.
         type: string
         default: ''
+      vulnerability_severity:
+        description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. Must be one of ['CRITICAL', 'CRITICAL,HIGH' or 'CRITICAL,HIGH,MEDIUM'] (without space in between).
+        type: string
+        default: 'CRITICAL,HIGH'
 
   workflow_call:
     inputs:
@@ -26,6 +30,10 @@ on:
         description: If set, the version number will not be incremented and the given number will be used.
         type: string
         default: ''
+      vulnerability_severity:
+        description: The severity to fail the workflow if such vulnerability is detected. DO NOT override it unless a Jira ticket is raised. Must be one of ['CRITICAL', 'CRITICAL,HIGH' or 'CRITICAL,HIGH,MEDIUM'] (without space in between).
+        type: string
+        default: 'CRITICAL,HIGH'
 
     outputs:
       image_tag:
@@ -35,12 +43,13 @@ on:
 jobs:
   image:
     name: Image
-    uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-docker-versioned.yaml@v2
+    uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-publish-java-to-docker-versioned.yaml@v2
     with:
       release_type: ${{ inputs.release_type }}
       version_number_input: ${{ inputs.version_number_input }}
       cloud_provider: 'default'
       force_release: 'no' # Do not create a release for the component builds, will be created by the parent
+      vulnerability_severity: ${{ inputs.vulnerability_severity }}
     secrets: inherit
 
   e2e:

.trivyignore

@@ -3,3 +3,6 @@
 # for more details
 # e.g. 
 # CVE-2022-3996
+
+# https://atlassian.thetradedesk.com/jira/browse/UID2-2927
+CVE-2023-52425

Dockerfile

@@ -1,4 +1,4 @@
-FROM eclipse-temurin@sha256:de8e6219ff5360811a453a9237713679a9d9106ba5150290ef37fb23e246ce7d
+FROM eclipse-temurin@sha256:d7a82981336958683f147f17396fe2219cb1072a5853e8a8ef16d07f0535343a
 
 WORKDIR /app
 EXPOSE 8080

pom.xml

@@ -6,11 +6,11 @@
 
     <groupId>com.uid2</groupId>
     <artifactId>uid2-operator</artifactId>
-    <version>5.27.36-96319170ee</version>
+    <version>5.27.44-51b2f952f3</version>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <vertx.version>4.3.8</vertx.version>
+        <vertx.version>4.5.3</vertx.version>
         <vertx-maven-plugin.version>1.0.22</vertx-maven-plugin.version>
         <junit-jupiter.version>5.7.2</junit-jupiter.version>
         <junit-vintage.version>5.7.2</junit-vintage.version>

scripts/azure-cc/Dockerfile

@@ -1,4 +1,4 @@
-FROM eclipse-temurin@sha256:de8e6219ff5360811a453a9237713679a9d9106ba5150290ef37fb23e246ce7d
+FROM eclipse-temurin@sha256:d7a82981336958683f147f17396fe2219cb1072a5853e8a8ef16d07f0535343a
 
 # Install Packages
 RUN apk update && apk add jq

scripts/gcp-oidc/Dockerfile

@@ -1,4 +1,4 @@
-FROM eclipse-temurin@sha256:de8e6219ff5360811a453a9237713679a9d9106ba5150290ef37fb23e246ce7d
+FROM eclipse-temurin@sha256:d7a82981336958683f147f17396fe2219cb1072a5853e8a8ef16d07f0535343a
 
 LABEL "tee.launch_policy.allow_env_override"="API_TOKEN_SECRET_NAME,DEPLOYMENT_ENVIRONMENT,CORE_BASE_URL,OPTOUT_BASE_URL"