From 508703ffce54b56fa269b64d0924e9086cf47451 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ren=C3=A9=20Zubcevic?= <rene@zubcevic.com>
Date: Fri, 31 May 2024 19:39:03 +0200
Subject: [PATCH] update dependencies and version (#1807)

* update dependencies and version
* debug macos build issue
* update and fix Dockerfile(s)
---
 .github/workflows/build.yml       | 24 +++++++++++----
 .github/workflows/pre-commit.yaml |  2 +-
 .github/workflows/release.yml     | 10 +++----
 .github/workflows/test.yml        | 12 ++++----
 Dockerfile                        |  2 +-
 Dockerfile_desktop                | 34 ++++++++++++++-------
 config/desktop/start_webgoat.sh   |  2 +-
 config/desktop/start_zap.sh       |  2 +-
 pom.xml                           | 50 +++++++++++++++++--------------
 9 files changed, 83 insertions(+), 55 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4c79b4b6b..14e286ef3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -17,18 +17,30 @@ jobs:
             matrix:
                 os: [ ubuntu-latest, windows-latest, macos-latest ]
         steps:
-            -   uses: actions/checkout@v4
-            -   name: Set up JDK 17
-                uses: actions/setup-java@v4
+            -   uses: actions/checkout@v4.1.6
+            -   name: Set up JDK 21
+                uses: actions/setup-java@v4.2.1
                 with:
                     distribution: 'temurin'
-                    java-version: 17
+                    java-version: 21
                     architecture: x64
             -   name: Cache Maven packages
-                uses: actions/cache@v4.0.0
+                uses: actions/cache@v4.0.2
                 with:
                     path: ~/.m2
                     key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
                     restore-keys: ${{ runner.os }}-m2-
             -   name: Build with Maven
-                run: mvn --no-transfer-progress verify
+                run: |
+                    if [ "$RUNNER_OS" == "macOS" ]; then
+                        # Make "localhost" DNS entry available; see https://github.com/actions/runner-images/issues/6383
+                        # sudo networksetup -setdnsservers Ethernet 9.9.9.9
+                        echo -e "$(ipconfig getifaddr en0) $(hostname -f) $(hostname -s)" | sudo tee -a /etc/hosts
+                        echo `sudo lsof -PiTCP -sTCP:LISTEN`
+                        cat /etc/hosts
+                        mvn --no-transfer-progress verify -DskipTests -DwaittimeForServerStart=150
+                        # skip tests on macos, takes too long with the current runners
+                    else
+                        mvn --no-transfer-progress verify -DwaittimeForServerStart=30
+                    fi
+                shell: bash
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
index 99fa456bf..3113f1184 100644
--- a/.github/workflows/pre-commit.yaml
+++ b/.github/workflows/pre-commit.yaml
@@ -21,7 +21,7 @@ jobs:
             - uses: actions/setup-java@v4
               with:
                   distribution: 'temurin'
-                  java-version: '17'
+                  java-version: '21'
             - name: Pre-commit checks
               uses: pre-commit/action@v3.0.0
             - name: pre-commit-ci-lite
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 91b6b9155..e75b127a6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,15 +15,15 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Set up JDK 17
+      - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
-          java-version: 17
+          java-version: 21
           architecture: x64
 
       - name: Cache Maven packages
-        uses: actions/cache@v4.0.0
+        uses: actions/cache@v4.0.2
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -122,11 +122,11 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Set up JDK 17
+      - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           distribution: 'temurin'
-          java-version: 17
+          java-version: 21
           architecture: x64
 
       - name: Set version to next snapshot
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index c5a5c8702..09fe49479 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -21,23 +21,23 @@ jobs:
         name: "Robot framework test"
         steps:
             # Uses an default action to checkout the code
-            -   uses: actions/checkout@v4
+            -   uses: actions/checkout@v4.1.6
             # Uses an action to add Python to the VM
             -   name: Setup Python
                 uses: actions/setup-python@v5
                 with:
                     python-version: '3.7'
                     architecture: x64
-            # Uses an action to add JDK 17 to the VM (and mvn?)
-            -   name: set up JDK 17
-                uses: actions/setup-java@v4
+            # Uses an action to add JDK 21 to the VM (and mvn?)
+            -   name: set up JDK 21
+                uses: actions/setup-java@v4.2.1
                 with:
                     distribution: 'temurin'
-                    java-version: 17
+                    java-version: 21
                     architecture: x64
             #Uses an action to set up a cache using a certain key based on the hash of the dependencies
             -   name: Cache Maven packages
-                uses: actions/cache@v4.0.0
+                uses: actions/cache@v4.0.2
                 with:
                     path: ~/.m2
                     key: ubuntu-latest-m2-${{ hashFiles('**/pom.xml') }}
diff --git a/Dockerfile b/Dockerfile
index 1fabdd534..213d1dc61 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.io/eclipse-temurin:21.0.1_12-jre
+FROM docker.io/eclipse-temurin:21.0.3_9-jre
 LABEL NAME = "WebGoat: A deliberately insecure Web Application"
 LABEL maintainer = "WebGoat team"
 
diff --git a/Dockerfile_desktop b/Dockerfile_desktop
index 6ce673024..b0149f483 100644
--- a/Dockerfile_desktop
+++ b/Dockerfile_desktop
@@ -9,26 +9,38 @@ COPY config/desktop/start_webgoat.sh /config/start_webgoat.sh
 COPY config/desktop/start_zap.sh /config/start_zap.sh
 COPY config/desktop/WebGoat.txt /config/Desktop/
 
+RUN \
+ apt-get update &&  \
+ apt-get --yes install vim nano gzip
+
 RUN \
  case $(uname -m) in \
   x86_64) ARCH=x64;; \
   aarch64) ARCH=aarch64;; \
   *) ARCH=unknown;; \
  esac && \
- curl -LO https://github.com/zaproxy/zaproxy/releases/download/v2.12.0/ZAP_2.12.0_Linux.tar.gz && \
- tar zfxv ZAP_2.12.0_Linux.tar.gz && \
- rm -rf ZAP_2.12.0_Linux.tar.gz && \
- curl -LO https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.6%2B10/OpenJDK17U-jre_${ARCH}_linux_hotspot_17.0.6_10.tar.gz && \
- tar zfxv OpenJDK17U-jre_${ARCH}_linux_hotspot_17.0.6_10.tar.gz && \
- rm -rf OpenJDK17U-jre_${ARCH}_linux_hotspot_17.0.6_10.tar.gz && \
+ echo ${ARCH}
+
+RUN \
+ curl -LO https://github.com/zaproxy/zaproxy/releases/download/v2.15.0/ZAP_2.15.0_Linux.tar.gz && \
+ tar zfxv ZAP_2.15.0_Linux.tar.gz && \
+ rm -rf ZAP_2.15.0_Linux.tar.gz
+
+RUN \
+ case $(uname -m) in \
+  x86_64) ARCH=x64;; \
+  aarch64) ARCH=aarch64;; \
+  *) ARCH=unknown;; \
+ esac && \
+ echo "oeps == ${ARCH}==" && \
+ curl -L https://github.com/adoptium/temurin21-binaries/releases/download/jdk-21.0.3%2B9/OpenJDK21U-jre_"${ARCH}"_linux_hotspot_21.0.3_9.tar.gz -o java.tar.gz && \
+ tar zfxv java.tar.gz && \
+ rm -rf java.tar.gz && \
  chmod +x /config/start_webgoat.sh && \
  chmod +x /config/start_zap.sh && \
- apt-get update &&  \
- apt-get --yes install vim nano && \
- echo "JAVA_HOME=/config/jdk-17.0.6+10-jre/" >> .bash_aliases && \
+ echo "JAVA_HOME=/config/jdk-21.0.3+9-jre/" >> .bash_aliases && \
  echo "PATH=$PATH:$JAVA_HOME/bin" >> .bash_aliases
 
-
-ENV JAVA_HOME=/home/webgoat/jdk-17.0.6+10-jre
+ENV JAVA_HOME=/config/jdk-21.0.3+9-jre
 
 WORKDIR /config/Desktop
diff --git a/config/desktop/start_webgoat.sh b/config/desktop/start_webgoat.sh
index fe2fa042d..fef8784e7 100644
--- a/config/desktop/start_webgoat.sh
+++ b/config/desktop/start_webgoat.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
-/config/jdk-17.0.6+10-jre/bin/java \
+/config/jdk-21.0.3+9-jre/bin/java \
   -Duser.home=/config \
   -Dfile.encoding=UTF-8 \
   -DTZ=Europe/Amsterdam \
diff --git a/config/desktop/start_zap.sh b/config/desktop/start_zap.sh
index 5a0cb999b..068b550c1 100644
--- a/config/desktop/start_zap.sh
+++ b/config/desktop/start_zap.sh
@@ -1,3 +1,3 @@
 #!/bin/sh
 
-/config/jdk-17.0.6+10-jre/bin/java -jar /config/ZAP_2.12.0/zap-2.12.0.jar
+/config/jdk-21.0.3+9-jre/bin/java -jar /config/ZAP_2.15.0/zap-2.15.0.jar
diff --git a/pom.xml b/pom.xml
index ba0e17fc7..c62d08a61 100644
--- a/pom.xml
+++ b/pom.xml
@@ -5,12 +5,12 @@
   <parent>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-parent</artifactId>
-    <version>3.1.5</version>
+    <version>3.2.6</version>
   </parent>
 
   <groupId>org.owasp.webgoat</groupId>
   <artifactId>webgoat</artifactId>
-  <version>2023.9-SNAPSHOT</version>
+  <version>2024.2-SNAPSHOT</version>
   <packaging>jar</packaging>
 
   <name>WebGoat</name>
@@ -110,21 +110,23 @@
   <properties>
     <!-- Shared properties with plugins and version numbers across submodules-->
     <asciidoctorj.version>2.5.10</asciidoctorj.version>
-    <bootstrap.version>5.3.2</bootstrap.version>
+    <bootstrap.version>5.3.3</bootstrap.version>
     <cglib.version>3.3.0</cglib.version>
     <!-- do not update necessary for lesson -->
     <checkstyle.version>3.3.1</checkstyle.version>
     <commons-collections.version>3.2.1</commons-collections.version>
+    <commons-compress.version>1.26.0</commons-compress.version>
     <commons-io.version>2.15.1</commons-io.version>
-    <commons-lang3.version>3.12.0</commons-lang3.version>
-    <commons-text.version>1.10.0</commons-text.version>
+    <commons-lang3.version>3.14.0</commons-lang3.version>
+    <commons-text.version>1.12.0</commons-text.version>
     <guava.version>32.1.3-jre</guava.version>
     <jacoco.version>0.8.11</jacoco.version>
-    <java.version>17</java.version>
+    <java.version>21</java.version>
     <jaxb.version>2.3.1</jaxb.version>
+    <jetty.version>11.0.18</jetty.version>
     <jjwt.version>0.9.1</jjwt.version>
     <jose4j.version>0.9.3</jose4j.version>
-    <jquery.version>3.7.0</jquery.version>
+    <jquery.version>3.7.1</jquery.version>
     <jsoup.version>1.17.2</jsoup.version>
     <maven-compiler-plugin.version>3.8.0</maven-compiler-plugin.version>
     <maven-failsafe-plugin.version>2.22.0</maven-failsafe-plugin.version>
@@ -132,19 +134,20 @@
     <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
     <maven-source-plugin.version>3.1.0</maven-source-plugin.version>
     <maven-surefire-plugin.version>3.2.1</maven-surefire-plugin.version>
-    <maven.compiler.source>17</maven.compiler.source>
-    <maven.compiler.target>17</maven.compiler.target>
+    <maven.compiler.source>21</maven.compiler.source>
+    <maven.compiler.target>21</maven.compiler.target>
     <pmd.version>3.15.0</pmd.version>
     <!-- Use UTF-8 Encoding -->
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
-    <thymeleaf.version>3.1.1.RELEASE</thymeleaf.version>
+    <thymeleaf.version>3.1.2.RELEASE</thymeleaf.version>
+    <waittimeForServerStart>30</waittimeForServerStart>
     <webdriver.version>5.6.3</webdriver.version>
     <webgoat.context>/</webgoat.context>
     <webgoat.sslenabled>false</webgoat.sslenabled>
-    <webjars-locator-core.version>0.53</webjars-locator-core.version>
+    <webjars-locator-core.version>0.58</webjars-locator-core.version>
     <webwolf.context>/</webwolf.context>
-    <wiremock.version>2.27.2</wiremock.version>
+    <wiremock.version>3.6.0</wiremock.version>
     <xml-resolver.version>1.2</xml-resolver.version>
     <xstream.version>1.4.5</xstream.version>
     <!-- do not update necessary for lesson -->
@@ -153,7 +156,13 @@
 
   <dependencyManagement>
     <dependencies>
-
+      <dependency>
+        <groupId>org.eclipse.jetty.ee10</groupId>
+        <artifactId>jetty-ee10-bom</artifactId>
+        <version>12.0.3</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
       <dependency>
         <groupId>org.ow2.asm</groupId>
         <artifactId>asm</artifactId>
@@ -248,7 +257,7 @@
         <version>${webjars-locator-core.version}</version>
       </dependency>
       <dependency>
-        <groupId>com.github.tomakehurst</groupId>
+        <groupId>org.wiremock</groupId>
         <artifactId>wiremock</artifactId>
         <version>${wiremock.version}</version>
       </dependency>
@@ -260,7 +269,7 @@
       <dependency>
         <groupId>org.apache.commons</groupId>
         <artifactId>commons-compress</artifactId>
-        <version>1.25.0</version>
+        <version>${commons-compress.version}</version>
       </dependency>
       <dependency>
         <groupId>org.jruby</groupId>
@@ -727,6 +736,7 @@
                     <argument>-Dlogging.pattern.console=</argument>
                     <argument>-Dwebgoat.server.directory=${java.io.tmpdir}/webgoat_${webgoat.port}</argument>
                     <argument>-Dwebgoat.user.directory=${java.io.tmpdir}/webgoat_${webgoat.port}</argument>
+
                     <argument>-Dspring.main.banner-mode=off</argument>
                     <argument>--add-opens</argument>
                     <argument>java.base/java.lang=ALL-UNNAMED</argument>
@@ -735,24 +745,18 @@
                     <argument>--add-opens</argument>
                     <argument>java.base/java.lang.reflect=ALL-UNNAMED</argument>
                     <argument>--add-opens</argument>
-                    <argument>java.base/java.text=ALL-UNNAMED</argument>
-                    <argument>--add-opens</argument>
                     <argument>java.desktop/java.beans=ALL-UNNAMED</argument>
                     <argument>--add-opens</argument>
-                    <argument>java.desktop/java.awt.font=ALL-UNNAMED</argument>
-                    <argument>--add-opens</argument>
                     <argument>java.base/sun.nio.ch=ALL-UNNAMED</argument>
                     <argument>--add-opens</argument>
                     <argument>java.base/java.io=ALL-UNNAMED</argument>
                     <argument>--add-opens</argument>
                     <argument>java.base/java.util=ALL-UNNAMED</argument>
-                    <argument>--add-opens</argument>
-                    <argument>java.base/sun.nio.ch=ALL-UNNAMED</argument>
-                    <argument>--add-opens</argument>
-                    <argument>java.base/java.io=ALL-UNNAMED</argument>
                     <argument>${project.build.directory}/webgoat-${project.version}.jar</argument>
                   </arguments>
                   <waitForInterrupt>false</waitForInterrupt>
+                  <waitAfterLaunch>${waittimeForServerStart}</waitAfterLaunch>
+                  <healthCheckUrl>http://127.0.0.1:${webgoat.port}${webgoat.context}login</healthCheckUrl>
                 </configuration>
               </execution>
               <execution>