From 167f7dcd00183fb49b2ed3f3924598e5f7706e83 Mon Sep 17 00:00:00 2001
From: Patrick Boos
Date: Tue, 17 Jun 2025 11:44:21 +0200
Subject: [PATCH 1/8] [CHK-12099][CHK-12100] Fix security alerts (#216)

---
 build.gradle | 35 ++++++++++++++++-------------------
 1 file changed, 16 insertions(+), 19 deletions(-)

diff --git a/build.gradle b/build.gradle
index 6d69f1c..0a05ec6 100644
--- a/build.gradle
+++ b/build.gradle
@@ -35,6 +35,22 @@ subprojects {
 testRuntimeOnly(libs.junit.platform.launcher)
 testImplementation(libs.mockito.core)
 testImplementation(libs.mockito.junit.jupiter)
+
+ // Security constraints
+ constraints {
+ implementation("ch.qos.logback:logback-core:1.5.15") {
+ because("versions below 1.5.15 have security vulnerabilities - see dependabot #7, #6")
+ }
+ implementation("ch.qos.logback:logback-classic:1.5.15") {
+ because("versions below 1.5.15 have security vulnerabilities - see dependabot #7, #6")
+ }
+ implementation("org.springframework:spring-web:6.2.8") {
+ because("versions below 6.2.8 have security vulnerabilities including CVE-2024-38820 - see dependabot #12")
+ }
+ implementation("org.apache.tomcat.embed:tomcat-embed-core:10.1.42") {
+ because("versions below 10.1.42 have security vulnerabilities including CVE-2024-56337 - see dependabot #13")
+ }
+ }
 }
 
 jacoco {
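Review bot: The new `constraints {}` block raises only `org.springframework:spring-web` and `org.apache.tomcat.embed:tomcat-embed-core`, so the sibling artifacts of both families stay at whatever the Spring Boot BOM resolves and the runtime classpath can end up mixing framework versions; a constraint is a floor for that one artifact, not for the family. If the Spring Boot dependency-management plugin is in use, the BOM properties `ext['spring-framework.version'] = '6.2.8'` and `ext['tomcat.version'] = '10.1.42'` move every artifact of each family together; otherwise the remaining artifacts need constraints of their own. The logback entries cite only the dependabot alert numbers while the other two also cite the CVE; putting the advisory identifier in every `because(...)` keeps the rationale checkable after the alerts are closed. The same block is re-added in patches 2 and 5 of this series, so the same points apply there. The enclosing block (presumably a `dependencies {}` inside `subprojects`) starts outside the hunk.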
@@ -80,23 +96,4 @@ subprojects {
 ruleSets = ["$rootDir/ruleset.xml"]
 }
 
- // Needed for security. See:
- // - https://github.com/getyourguide/openapi-validation-java/security/dependabot/7
- // - https://github.com/getyourguide/openapi-validation-java/security/dependabot/6
- // Hopefully with spring-boot 3.4.2+ this won't be needed anymore and can be removed.
- configurations.configureEach {
- resolutionStrategy.eachDependency {details ->
- if (details.requested.group == 'ch.qos.logback'
- && (details.requested.name == 'logback-core' || details.requested.name == 'logback-classic')
- ) {
- def parse = { String v -> v.tokenize('.').collect { it.padLeft(3, '0') }.join() }
- def current = parse(details.requested.version)
- def minimum = parse('1.5.15')
- if (current < minimum) {
- details.useVersion '1.5.15'
- details.because 'Security requirement: forcing logback version'
- }
- }
- }
- }
 }

From 6c8d41bb082b255948aec4ac3629429010957a3b Mon Sep 17 00:00:00 2001
From: Patrick Boos
Date: Tue, 17 Jun 2025 12:14:22 +0200
Subject: [PATCH 2/8] [CHK-12099][CHK-12100] Fix security alerts (#217)

---
 build.gradle | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/build.gradle b/build.gradle
index 0a05ec6..326ad98 100644
--- a/build.gradle
+++ b/build.gradle
@@ -35,22 +35,6 @@ subprojects {
 testRuntimeOnly(libs.junit.platform.launcher)
 testImplementation(libs.mockito.core)
 testImplementation(libs.mockito.junit.jupiter)
-
- // Security constraints
- constraints {
- implementation("ch.qos.logback:logback-core:1.5.15") {
- because("versions below 1.5.15 have security vulnerabilities - see dependabot #7, #6")
- }
- implementation("ch.qos.logback:logback-classic:1.5.15") {
- because("versions below 1.5.15 have security vulnerabilities - see dependabot #7, #6")
- }
- implementation("org.springframework:spring-web:6.2.8") {
- because("versions below 6.2.8 have security vulnerabilities including CVE-2024-38820 - see dependabot #12")
- }
- implementation("org.apache.tomcat.embed:tomcat-embed-core:10.1.42") {
- because("versions below 10.1.42 have security vulnerabilities including CVE-2024-56337 - see dependabot #13")
- }
- }
 }
 
 jacoco {
@@ -79,6 +63,22 @@ subprojects {
 annotationProcessor(libs.lombok)
 testCompileOnly(libs.lombok)
 testAnnotationProcessor(libs.lombok)
+
+ // Security constraints
+ constraints {
+ implementation("ch.qos.logback:logback-core:1.5.15") {
+ because("versions below 1.5.15 have security vulnerabilities - see dependabot #7, #6")
+ }
+ implementation("ch.qos.logback:logback-classic:1.5.15") {
+ because("versions below 1.5.15 have security vulnerabilities - see dependabot #7, #6")
+ }
+ implementation("org.springframework:spring-web:6.2.8") {
+ because("versions below 6.2.8 have security vulnerabilities including CVE-2024-38820 - see dependabot #12")
+ }
+ implementation("org.apache.tomcat.embed:tomcat-embed-core:10.1.42") {
+ because("versions below 10.1.42 have security vulnerabilities including CVE-2024-56337 - see dependabot #13")
+ }
+ }
 }
 
 checkstyle {

From 2735502adbb00f83b3839eb3a4646971bdfa1125 Mon Sep 17 00:00:00 2001
From: Patrick Boos
Date: Tue, 17 Jun 2025 16:00:32 +0200
Subject: [PATCH 3/8] Remove outdated security constraints

---
 build.gradle | 6 ------
 1 file changed, 6 deletions(-)

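Review bot: Constraints declared through `implementation(...)` in the second hunk reach the configurations that extend `implementation` (this module's compile and runtime classpaths and their test variants), but as far as I know they are also exported: Gradle publishes `api`/`implementation` constraints into the library's Gradle Module Metadata and as dependency management into the POM, so every consumer of this library inherits these version floors. That may well be intended for a security floor, but the comment should state it, e.g. `// Security constraints - note these are published with the library and apply to consumers too`. If the intent is only to protect this build's own classpath, a `resolutionStrategy` rule (as the code removed in patch 1 did) keeps the floor local. The enclosing `dependencies {}` block starts outside the hunk.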
diff --git a/build.gradle b/build.gradle
index 326ad98..7213eb4 100644
--- a/build.gradle
+++ b/build.gradle
@@ -66,12 +66,6 @@ subprojects {
 
 // Security constraints
 constraints {
- implementation("ch.qos.logback:logback-core:1.5.15") {
- because("versions below 1.5.15 have security vulnerabilities - see dependabot #7, #6")
- }
- implementation("ch.qos.logback:logback-classic:1.5.15") {
- because("versions below 1.5.15 have security vulnerabilities - see dependabot #7, #6")
- }
 implementation("org.springframework:spring-web:6.2.8") {
 because("versions below 6.2.8 have security vulnerabilities including CVE-2024-38820 - see dependabot #12")
 }

From c80889d4cafd2cfa2cc899a7f6ae3dc36eaf3a9f Mon Sep 17 00:00:00 2001
From: Patrick Boos
Date: Wed, 18 Jun 2025 08:06:12 +0200
Subject: [PATCH 4/8] Pin versions for spring-framework and tomcat (due to security)

---
 build.gradle | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/build.gradle b/build.gradle
index 7213eb4..f518d0c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -3,6 +3,9 @@ plugins {
 alias(libs.plugins.nexus.publish)
 }
 
+ext['spring-framework.version'] = '6.2.8'
+ext['tomcat.version'] = '10.1.42'
+
 apply from: "${rootDir}/gradle/publish-root.gradle"
 
 allprojects {
@@ -63,16 +66,6 @@ subprojects {
 annotationProcessor(libs.lombok)
 testCompileOnly(libs.lombok)
 testAnnotationProcessor(libs.lombok)
-
- // Security constraints
- constraints {
- implementation("org.springframework:spring-web:6.2.8") {
- because("versions below 6.2.8 have security vulnerabilities including CVE-2024-38820 - see dependabot #12")
- }
- implementation("org.apache.tomcat.embed:tomcat-embed-core:10.1.42") {
- because("versions below 10.1.42 have security vulnerabilities including CVE-2024-56337 - see dependabot #13")
- }
- }
 }
 
 checkstyle {
@@ -89,5 +82,4 @@ subprojects {
 consoleOutput = true
 ruleSets = ["$rootDir/ruleset.xml"]
 }
-
 }

From 4210d9bf366994c2ee2f208203c208dd932d3245 Mon Sep 17 00:00:00 2001
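Review bot: The two `ext[...]` assignments in the first hunk of patch 4 carry no comment, while the `because(...)` strings they replace (removed in that patch's second hunk) recorded the CVE identifiers and dependabot alert numbers, so the reason for the pin disappears from the file; keep it next to the properties, e.g. `// Override the Spring Boot BOM versions: CVE-2024-38820 (dependabot #12), CVE-2024-56337 (dependabot #13); drop once the Boot BOM itself is at or above these`. These properties only take effect if the Spring Boot dependency-management plugin (or an equivalent BOM import that reads them) is applied in the subprojects, which the hunk does not show, so the resolved versions should be confirmed with `gradle dependencies` rather than assumed from the pin; patch 5 re-adding constraints on top of them suggests the override alone did not close the alerts. The `plugins {}` block that precedes these lines starts outside the hunk.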
From: Patrick Boos
Date: Wed, 18 Jun 2025 09:35:14 +0200
Subject: [PATCH 5/8] Also add constraints for security alerts

---
 build.gradle | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/build.gradle b/build.gradle
index f518d0c..da68a22 100644
--- a/build.gradle
+++ b/build.gradle
@@ -66,6 +66,16 @@ subprojects {
 annotationProcessor(libs.lombok)
 testCompileOnly(libs.lombok)
 testAnnotationProcessor(libs.lombok)
+
+ // Security constraintsAdd commentMore actions
+ constraints {
+ implementation("org.springframework:spring-web:6.2.8") {
+ because("versions below 6.2.8 have security vulnerabilities including CVE-2024-38820 - see dependabot #12")
+ }
+ implementation("org.apache.tomcat.embed:tomcat-embed-core:10.1.42") {
+ because("versions below 10.1.42 have security vulnerabilities including CVE-2024-56337 - see dependabot #13")
+ }
+ }
 }
 
 checkstyle {

From 9d5b123f55416158a74e47559c394256087c7876 Mon Sep 17 00:00:00 2001
From: Patrick Boos
Date: Wed, 18 Jun 2025 09:38:26 +0200
Subject: [PATCH 6/8] Update strange comment

---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index da68a22..312d411 100644
--- a/build.gradle
+++ b/build.gradle
@@ -67,7 +67,7 @@ subprojects {
 testCompileOnly(libs.lombok)
 testAnnotationProcessor(libs.lombok)
 
- // Security constraintsAdd commentMore actions
+ // Security constraints
 constraints {
 implementation("org.springframework:spring-web:6.2.8") {
 because("versions below 6.2.8 have security vulnerabilities including CVE-2024-38820 - see dependabot #12")

From ec389ea7db188bcdd8f81fcbb8bb37774745c848 Mon Sep 17 00:00:00 2001
From: Patrick Boos
Date: Wed, 18 Jun 2025 10:07:05 +0200
Subject: [PATCH 7/8] Fix ClassNotFoundException: javax.mail.internet.AddressException (#218)

---
 gradle/libs.versions.toml | 1 +
 openapi-validation-core/build.gradle | 2 ++
 2 files changed, 3 insertions(+)

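Review bot: With the block re-added in patch 5 the floor for spring-web and tomcat-embed-core now lives in two places — the `ext['spring-framework.version']`/`ext['tomcat.version']` overrides from patch 4 and these literal `6.2.8`/`10.1.42` strings — and nothing ties them together, so a later bump of one will silently leave the other behind. Deriving the constraint from the same property, e.g. `implementation("org.springframework:spring-web:${rootProject.ext['spring-framework.version']}")`, removes the drift; the `// Security constraints` comment should also say why constraints are needed in addition to the BOM override (presumably some classpath is resolved without the dependency-management plugin — worth confirming). The enclosing `dependencies {}` block starts outside the hunk.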
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index a6c9a54..f90b8ce 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -36,6 +36,7 @@ mockito-junit-jupiter = { group = "org.mockito", name = "mockito-junit-jupiter",
 junit-jupiter-api = { group = "org.junit.jupiter", name = "junit-jupiter-api", version.ref = "junit-jupiter" }
 junit-jupiter-engine = { group = "org.junit.jupiter", name = "junit-jupiter-engine", version.ref = "junit-jupiter" }
 junit-platform-launcher = { group = "org.junit.platform", name = "junit-platform-launcher", version.ref = "junit-platform" }
+javax-mail = { module = "com.sun.mail:javax.mail", version = "1.6.2" }
 
 [plugins]
 spring-boot = { id = "org.springframework.boot", version.ref = "spring-boot" }
diff --git a/openapi-validation-core/build.gradle b/openapi-validation-core/build.gradle
index ffa8103..4a2962f 100644
--- a/openapi-validation-core/build.gradle
+++ b/openapi-validation-core/build.gradle
@@ -4,6 +4,8 @@ dependencies {
 api project(':openapi-validation-api')
 implementation(libs.swagger.request.validator.core)
 
+ implementation(libs.javax.mail) // needed as otherwise ClassNotFoundException: javax.mail.internet.AddressException
+
 constraints {
 implementation(libs.commons.codec) {
 because 'Apache commons-codec before 1.13 is vulnerable to information exposure. See https://devhub.checkmarx.com/cve-details/Cxeb68d52e-5509/'

From 3cd372375f13d18ee5ac8a7bf92778f722f64c68 Mon Sep 17 00:00:00 2001
From: Patrick Boos
Date: Wed, 18 Jun 2025 10:09:32 +0200
Subject: [PATCH 8/8] v3.2.1

---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 312d411..81c7f89 100644
--- a/build.gradle
+++ b/build.gradle
@@ -11,7 +11,7 @@ apply from: "${rootDir}/gradle/publish-root.gradle"
 allprojects {
 group = 'com.getyourguide.openapi.validation'
 description = 'OpenAPI Validation library'
- version = '3.2.0'
+ version = '3.2.1'
 
 java {
 toolchain {
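Review bot: `implementation(libs.javax.mail)` in the openapi-validation-core hunk of patch 7 puts `com.sun.mail:javax.mail` on this module's compile classpath and into the library's published runtime dependencies, although the trailing comment describes a purely runtime failure (a `ClassNotFoundException`), so `runtimeOnly(libs.javax.mail)` is the narrower scope unless core code references `javax.mail` types directly. Either way the comment should name what needs it (presumably swagger-request-validator's e-mail format check, which the exception's `javax.mail.internet.AddressException` points to — confirm) so the dependency can be dropped when that need goes away, e.g. `// runtime dependency of swagger-request-validator's email format check; without it: ClassNotFoundException: javax.mail.internet.AddressException`. It is also one more third-party artifact on the supply-chain surface, so it belongs under the same dependabot watch as the rest of the catalog. The `dependencies {}` block starts outside the hunk.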