Merge branch 'main' into PI-1759-dlq

# Conflicts:
#	.github/workflows/suppress-trivy.yml

.github/actions/render-project-template/action.yml

@@ -31,7 +31,6 @@ runs:
         sed -i '/add new projects here/i \          - '"'"'["${{ inputs.project_name }}"]'"'"'' .github/workflows/access.yml
         sed -i '/add new projects here/i \          - '"'"'["${{ inputs.project_name }}"]'"'"'' .github/workflows/deploy.yml
         sed -i '/add new projects here/i \          - '"'"'["${{ inputs.project_name }}"]'"'"'' .github/workflows/docs.yml
-        sed -i '/add new projects here/i \          - ${{ inputs.project_name }}' .github/workflows/suppress-trivy.yml
         sed -i '/add new projects here/i \          - ${{ inputs.project_name }}' .github/workflows/build.yml
         sed -i '/add new projects here/i \* [${{ steps.project_name.outputs.title_case }}](https://ministryofjustice.github.io/hmpps-probation-integration-services/tech-docs/projects/${{ inputs.project_name }})' doc/tech-docs/source/services.html.md.erb
         sed 's/$SERVICE_NAME/${{ inputs.project_name }}/g' templates/runConfiguration.xml > '.idea/runConfigurations/${{ steps.project_name.outputs.underscore }}.xml'

.github/workflows/docs.yml

@@ -175,7 +175,7 @@ jobs:
       - build-projects
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/download-artifact@v4
+      - uses: actions/download-artifact@v3
         with:
           path: artifacts
 

.github/workflows/gradle.yml

@@ -26,7 +26,7 @@ jobs:
           java-version: '21'
           distribution: 'temurin'
       - name: Setup GPG commit verification
-        uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef # v6.0.0
+        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
         with:
           gpg_private_key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
           passphrase: ${{ secrets.BOT_GPG_PASSPHRASE }}

.github/workflows/security.yml

@@ -37,7 +37,7 @@ jobs:
           image-ref: 'ghcr.io/ministryofjustice/hmpps-probation-integration-services/${{ matrix.project }}:latest'
           ignore-unfixed: true
           severity: 'CRITICAL,HIGH'
-          exit-code: '1'
+          exit-code: '0'
           format: 'sarif'
           output: 'trivy-results.sarif'
           trivyignores: '.trivyignore,projects/${{ matrix.project }}/.trivyignore'
@@ -50,7 +50,6 @@ jobs:
           sarif_file: 'trivy-results.sarif'
 
       - name: Get Trivy results
-        if: always()
         uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601 # v0.16.0
         with:
           image-ref: 'ghcr.io/ministryofjustice/hmpps-probation-integration-services/${{ matrix.project }}:latest'
@@ -60,44 +59,77 @@ jobs:
           output: 'results.json'
           trivyignores: '.trivyignore,projects/${{ matrix.project }}/.trivyignore'
 
-      - name: Output Trivy results
-        if: always()
-        run: cat results.json
+      - name: Output results
+        id: results
+        run: echo "vulnerabilities=$(jq -c '.Results[].Vulnerabilities | select(. != null) | flatten' results.json)" | tee -a "$GITHUB_OUTPUT"
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+
+      - name: Merge outputs
+        uses: cloudposse/github-action-matrix-outputs-write@928e2a2d3d6ae4eb94010827489805c17c81181f # v0.4.2
+        with:
+          matrix-step-name: trivy
+          matrix-key: ${{ matrix.project }}
+          outputs: |
+            vulnerabilities: ${{ steps.results.outputs.vulnerabilities }}
+
+  trivy-merge:
+    runs-on: ubuntu-latest
+    needs:
+      - trivy-scan
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: cloudposse/github-action-matrix-outputs-read@ea1c28d66c34b8400391ed74d510f66abc392d5e # v0.1.1
+        id: trivy
+        with:
+          matrix-step-name: trivy
 
       - name: Create GitHub issues
-        if: failure()
         run: |
-          jq -c '.Results[].Vulnerabilities | select(. != null) | flatten | .[]' results.json | while read -r vulnerability; do
-            id=$(echo "$vulnerability" | jq -r '.VulnerabilityID')
-            if [[ $(gh issue list --state open --label dependencies --label security --search "$id (${{ matrix.project }})" | wc -l) -gt 0 ]]; then
-              echo "Issue '$id (${{ matrix.project }})' already exists"
+          echo "$result" | jq -c '[.vulnerabilities | to_entries[] | .key as $project | .value // empty | map(. + {Projects: [$project]})] 
+            | flatten 
+            | group_by(.VulnerabilityID) 
+            | map(reduce .[] as $vuln (.[0] + {Locations:[]}; .Projects += $vuln.Projects | .Locations += [$vuln.PkgName + ":" + $vuln.InstalledVersion + " (" + $vuln.PkgPath + ")"]))
+            | map_values({Title: .VulnerabilityID, Body: ("### " + .Title + "\n" + .PrimaryURL + "\n>" + .Description + "\n#### Projects:\n* " + (.Projects | sort | unique | join("\n* ")) + "\n#### Locations:\n* `" + (.Locations | sort | unique | join("`\n* `")) + "`\n#### References:\n* " + (.References | sort | unique | join("\n* ")))})
+            | .[]' \
+          | while read -r vulnerability; do
+            title=$(echo "$vulnerability" | jq -r '.Title')
+            body=$(echo "$vulnerability" | jq -r '.Body')
+            existing=$(gh issue list --state open --label dependencies --label security --search "$title" --json 'number' --jq '.[].number' | head -n1)
+            if [ -n "$existing" ]; then
+              echo "Issue '$title' already exists, updating body..."
+              gh issue edit "$existing" --body "$body"
             else
-              gh issue create \
-                --title "$id (${{ matrix.project }})" \
-                --body "$(echo "$vulnerability" | jq -r '.Title + "\n* Project: ${{ matrix.project }}\n* Package: `" + .PkgName + ":" + .InstalledVersion + "`\n* Location: `" + .PkgPath + "`\n\n>" + .Description + "\n\n" + .PrimaryURL + "\n\nIf the vulnerability does not impact the `${{ matrix.project }}` project, you can suppress this alert by adding a comment starting with `Suppress`. For example, \"Suppressed because we do not process any untrusted XML content\"."')" \
-                --label 'dependencies,security'
+              gh issue create --title "$title" --body "$body" --label 'dependencies,security'
             fi
           done
         env:
           GITHUB_TOKEN: ${{ github.token }}
+          result: ${{ steps.trivy.outputs.result }}
 
-      - name: Check & Close GH Issue
-        if: always()
+      - name: Close GitHub issues
         run: |
-          openissues="$(gh issue list --state open --label dependencies --label security --search '(${{ matrix.project }})' | awk '{print $3}')"
-          scanresults="$(jq -r -c '.Results[].Vulnerabilities | select(. != null) | flatten | .[].VulnerabilityID' results.json)"
+          openissues="$(gh issue list --state open --label dependencies --label security | awk '{print $3}')"
+          scanresults="$(echo "$result" | jq -r -c '.vulnerabilities | with_entries(select(.value != null)) | .[][].VulnerabilityID' | sort -u)"
           issuestoclose="$(comm -23 <(echo "$openissues" | sort -u) <(echo "$scanresults" | sort -u))" #print lines only present in first file
           echo "openissues=$openissues"
           echo "scanresults=$scanresults"
           echo "issuestoclose=$issuestoclose"
           for cve in $issuestoclose; do
             echo "$cve is already resolved, removing matching issue..."
-            issuenumber=$(gh issue list --state open --label dependencies --label security --search "$cve (${{ matrix.project }})" | awk '{print $1}')
+            issuenumber=$(gh issue list --state open --label dependencies --label security --search "$cve" | awk '{print $1}')
             echo "$issuenumber" | xargs -n1 gh issue close
           done
-
         env:
           GITHUB_TOKEN: ${{ github.token }}
+          result: ${{ steps.trivy.outputs.result }}
+
+      - name: Fail job if any vulnerabilities are found
+        if: steps.trivy.outputs.result != '{}'
+        run: if [ "$(echo "$result" | jq '.vulnerabilities | with_entries(select(.value != null)) | length')" != 0 ]; then exit 1; fi
+        env:
+          result: ${{ steps.trivy.outputs.result }}
 
   veracode-scan:
     runs-on: ubuntu-latest

.github/workflows/suppress-trivy.yml

@@ -1,116 +0,0 @@
-name: Suppress Trivy alert
-
-on:
-  issue_comment:
-    types:
-      - created
-  workflow_dispatch:
-    inputs:
-      cve_id:
-        description: CVE ID
-        type: string
-        required: true
-      project:
-        description: Project
-        type: choice
-        required: true
-        options:
-          - approved-premises-and-delius
-          - approved-premises-and-oasys
-          - arns-and-delius
-          - assessment-summary-and-delius
-          - cas3-and-delius
-          - court-case-and-delius
-          - create-and-vary-a-licence-and-delius
-          - custody-key-dates-and-delius
-          - domain-events-and-delius
-          - dps-and-delius
-          - effective-proposal-framework-and-delius
-          - external-api-and-delius
-          - hdc-licences-and-delius
-          - hmpps-auth-and-delius
-          - make-recall-decisions-and-delius
-          - manage-offences-and-delius
-          - manage-pom-cases-and-delius
-          - offender-events-and-delius
-          - opd-and-delius
-          - pathfinder-and-delius
-          - person-search-index-from-delius
-          - pre-sentence-reports-to-delius
-          - prison-case-notes-to-probation
-          - prison-custody-status-to-delius
-          - prison-education-and-delius
-          - prison-identifier-and-delius
-          - prisoner-profile-and-delius
-          - redrive-dead-letter-queues
-          - refer-and-monitor-and-delius
-          - resettlement-passport-and-delius
-          - risk-assessment-scores-to-delius
-          - sentence-plan-and-delius
-          - sentence-plan-and-oasys
-          - soc-and-delius
-          - tier-to-delius
-          - unpaid-work-and-delius
-          - workforce-allocations-to-delius
-          # ^ add new projects here
-          # GitHub Actions doesn't support dynamic choices, we must add each project here to enable manual deployments
-          # See https://github.com/community/community/discussions/11795
-      reason:
-        description: Reason
-        type: string
-        required: true
-
-jobs:
-  build:
-    if: github.event_name=='workflow_dispatch' || (startsWith(github.event.comment.body, 'Suppress') && startsWith(github.event.issue.title, 'CVE-'))
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repo
-        uses: actions/checkout@v4
-        with:
-          ref: main
-
-      - name: Set CVE from Issue Title automatically
-        if: github.event_name=='issue_comment'
-        run: |
-          echo "cve_id=$(echo "$TITLE" | sed -E 's/(.*) .*/\1/')" | tee -a "$GITHUB_ENV"      # CVE-123
-          echo "project=$(echo "$TITLE" | sed -E 's/.* \((.*)\)/\1/')" | tee -a "$GITHUB_ENV" # project-name
-          echo "reason=$COMMENT" | tee -a "$GITHUB_ENV"
-        env:
-          TITLE: ${{ github.event.issue.title }}
-          COMMENT: ${{ github.event.comment.body }}
-          REASON: ${{ inputs.reason }}
-
-      - name: Set CVE from manual input
-        if: github.event_name=='workflow_dispatch'
-        run:  |
-          echo "cve_id=$CVE_ID" | tee -a "$GITHUB_ENV"
-          echo "project=$PROJECT" | tee -a "$GITHUB_ENV"
-          echo "reason=$REASON" | tee -a "$GITHUB_ENV"
-        env:
-          CVE_ID: ${{ inputs.cve_id }}
-          PROJECT: ${{ inputs.project }}
-          REASON: ${{ inputs.reason }}
-
-      - name: Update trivyignore file and create pull request
-        run: |
-          git switch -c "suppress/${CVE_ID}_${PROJECT}"
-          git push origin "suppress/${CVE_ID}_${PROJECT}"
-          git pull origin "suppress/${CVE_ID}_${PROJECT}"
-          git push origin "suppress/${CVE_ID}_${PROJECT}"
-          echo -e "\n# ${REASON} by ${ACTOR}\n${CVE_ID} exp:$(date -d '+2 weeks' '+%Y-%m-%d')" >> "projects/${PROJECT}/.trivyignore"
-          gh api --method PUT "/repos/ministryofjustice/hmpps-probation-integration-services/contents/projects/${PROJECT}/.trivyignore" \
-            --field message="Suppress ${CVE_ID} in ${PROJECT}" \
-            --field content=@<( base64 -i "projects/${PROJECT}/.trivyignore" ) \
-            --field branch="suppress/${CVE_ID}_${PROJECT}" \
-            --field sha="$( git rev-parse "suppress/${CVE_ID}_${PROJECT}:projects/${PROJECT}/.trivyignore" )"
-          gh pr create \
-            --title "Suppress ${CVE_ID} in ${PROJECT}" \
-            --body "Suppressed by ${ACTOR} with reason: ${REASON}" \
-            --label 'dependencies,security'
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-          CVE_ID: ${{ env.cve_id }}
-          PROJECT: ${{ env.project }}
-          REASON: ${{ env.reason }}
-          ACTOR: ${{ github.actor }}

.trivyignore

@@ -1,10 +0,0 @@
-
-# Vulnerability in Logback, which is used by the following dependencies:
-#
-# * Application Insights Java agent
-#     Not exploitable in the context of the Application Insights Java agent.
-#     Reference: https://github.com/microsoft/ApplicationInsights-Java/issues/3414#issuecomment-1833988304
-# * Spring Boot
-#     Only exploitable if logback receiver component is deployed. This is not the case by default in Spring Boot.
-#     Reference: https://github.com/spring-projects/spring-boot/issues/38643#issuecomment-1838497420
-CVE-2023-6378 exp:2024-01-12

README.md

@@ -324,32 +324,6 @@ generic-service:
     SERVICE_URL: https://example.com
 ```
 
-### Secrets
-Add secrets for each environment here: https://github.com/ministryofjustice/hmpps-probation-integration-services/settings/secrets/actions.
-
-The deployment job pushes GitHub secrets to the Kubernetes namespaces. Then at runtime, Kubernetes passes these secrets
-as environment variables to the container.
-
-GitHub secret names should be uppercase and prefixed with the project name. (
-e.g. `PRISON_CASE_NOTES_TO_PROBATION_CLIENT_ID`). The project name will be used as the Kubernetes secret name, and
-anything after it will be used as the key.
-
-For example, `PRISON_CASE_NOTES_TO_PROBATION_CLIENT_ID` will be converted into a secret
-named `prison-case-notes-to-probation`, containing a key of `CLIENT_ID`. This can be referenced in the `values*.yml`
-files like so:
-```yaml
-namespace_secrets:
-  prison-case-notes-to-probation:
-    MY_ENV_VAR: CLIENT_ID
-```
-
-Additionally, there are some shared values defined in a `common` secret in each namespace. This secret contains:
-```yaml
-APPLICATIONINSIGHTS_CONNECTION_STRING: Connection string for pushing Telemetry to Azure Application Insights.
-DB_URL: URL for the Delius probation database
-DB_STANDBY_URL: URL for the standby (read-only) Delius probation database
-```
-
 ## Accessing the Delius Database
 To configure access to the Delius probation database, add an `access.yml` file to the project's `deploy/database` 
 folder.

build.gradle.kts

@@ -6,11 +6,11 @@ import uk.gov.justice.digital.hmpps.plugins.ClassPathPlugin
 import uk.gov.justice.digital.hmpps.plugins.JibConfigPlugin
 
 plugins {
-    kotlin("jvm") version "1.9.21"
-    kotlin("plugin.spring") version "1.9.21" apply false
-    kotlin("plugin.jpa") version "1.9.21" apply false
-    kotlin("kapt") version "1.9.21" apply false
-    id("org.springframework.boot") version "3.2.0" apply false
+    kotlin("jvm") version "1.9.22"
+    kotlin("plugin.spring") version "1.9.22" apply false
+    kotlin("plugin.jpa") version "1.9.22" apply false
+    kotlin("kapt") version "1.9.22" apply false
+    id("org.springframework.boot") version "3.2.1" apply false
     id("io.spring.dependency-management") version "1.1.4" apply false
     id("com.google.cloud.tools.jib") apply false
     id("base")
@@ -20,7 +20,7 @@ plugins {
 val agentDeps: Configuration by configurations.creating
 
 dependencies {
-    agentDeps("com.microsoft.azure:applicationinsights-agent:3.4.18")
+    agentDeps("com.microsoft.azure:applicationinsights-agent:3.4.19")
 }
 
 val copyAgentTask = project.tasks.register<Copy>("copyAgent") {

projects/assessment-summary-and-delius/src/dev/resources/simulations/__files/assessment-summary-H123456.json

@@ -27,7 +27,7 @@
       "riskStaffCustody": "Low",
       "riskStaffCommunity": "Low",
       "riskKnownAdultCustody": "Low",
-      "riskAdultCommunity": "Medium",
+      "riskKnownAdultCommunity": "Medium",
       "riskPublicCustody": "Low",
       "riskPublicCommunity": "High",
       "riskChildrenCustody": "Low",
@@ -88,34 +88,35 @@
       "sentencePlan": {
         "objectives": [
           {
-            "objectiveCode": "Increased knowledge of physical/ psychological/ emotional self harm linked to drug use",
-            "objectiveMeasure": "RII",
+            "objectiveCodeDesc": "Increased knowledge of physical/ psychological/ emotional self harm linked to drug use",
             "objectiveSequence": 1,
             "criminogenicNeeds": [
               {
-                "criminogenicNeed": "IHD"
+                "criminogenicNeed": "IHD",
+                "criminogenicNeedDesc": "Risk to Public"
               }
             ],
             "actions": [
               {
-                "action": "VI9",
-                "actionComment": null
+                "actionDesc": "Drug counselling",
+                "actionComment": "Comments about the action"
               }
             ]
           },
           {
-            "objectiveCode": "Improve employment related skills",
-            "objectiveMeasure": "RII",
+            "objectiveCodeDesc": "Improve employment related skills",
             "objectiveSequence": 2,
             "criminogenicNeeds": [
               {
-                "criminogenicNeed": "I4"
+                "criminogenicNeed": "I4",
+                "criminogenicNeedDesc": "Education Training and Employment"
               }
             ],
             "actions": [
               {
                 "action": "VIII1",
-                "actionComment": null
+                "actionDesc": "Basic skills",
+                "actionComment": "Some comment about their basic skills"
               }
             ]
           }

projects/assessment-summary-and-delius/src/dev/resources/simulations/__files/assessment-summary-L123456.json

@@ -35,7 +35,7 @@
       "riskStaffCustody": null,
       "riskStaffCommunity": "Low",
       "riskKnownAdultCustody": null,
-      "riskAdultCommunity": null,
+      "riskKnownAdultCommunity": null,
       "riskPublicCustody": "Low",
       "riskPublicCommunity": null,
       "riskChildrenCustody": "Low",