From 343ae50360ddfeeac6a935d8ca177ae6683599b0 Mon Sep 17 00:00:00 2001 From: Pim van Nierop Date: Wed, 11 Mar 2026 08:56:44 +0100 Subject: [PATCH 1/9] Impl. Gradle version catalog --- build.gradle.kts | 24 ++++----- buildSrc/src/main/kotlin/Versions.kt | 33 ------------ gradle/libs.versions.toml | 57 ++++++++++++++++++++ kafka-connect-fitbit-source/Dockerfile | 2 +- kafka-connect-fitbit-source/build.gradle.kts | 42 +++++++-------- kafka-connect-oura-source/Dockerfile | 2 +- kafka-connect-oura-source/build.gradle.kts | 42 +++++++-------- kafka-connect-rest-source/build.gradle.kts | 16 +++--- oura-library/build.gradle | 18 +++---- 9 files changed, 129 insertions(+), 107 deletions(-) delete mode 100644 buildSrc/src/main/kotlin/Versions.kt create mode 100644 gradle/libs.versions.toml diff --git a/build.gradle.kts b/build.gradle.kts index 92355583..957b3c60 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -1,22 +1,20 @@ import org.radarbase.gradle.plugin.radarKotlin plugins { - id("org.radarbase.radar-root-project") version Versions.radarCommons - id("org.radarbase.radar-dependency-management") version Versions.radarCommons - id("org.radarbase.radar-kotlin") version Versions.radarCommons apply false + alias(libs.plugins.radar.root.project) + alias(libs.plugins.radar.dependency.management) + alias(libs.plugins.radar.kotlin) apply false } repositories { - // Use jcenter for resolving dependencies. - // You can declare any Maven/Ivy/file repository here. mavenCentral() } description = "Kafka connector for REST API sources" radarRootProject { - projectVersion.set(Versions.project) - gradleVersion.set(Versions.wrapper) + projectVersion.set(libs.versions.project) + gradleVersion.set(libs.versions.gradle) } subprojects { 
@@ -27,16 +25,16 @@ subprojects { /* The entries in the block below are added here to force the version of * transitive dependencies and mitigate reported vulnerabilities */ force( - "org.apache.commons:commons-lang3:3.18.0", + "org.apache.commons:commons-lang3:${rootProject.libs.versions.commonsLang3.get()}", ) } } radarKotlin { - javaVersion.set(Versions.java) - kotlinVersion.set(Versions.kotlin) - slf4jVersion.set(Versions.slf4j) - log4j2Version.set(Versions.log4j2) - junitVersion.set(Versions.junit) + javaVersion.set(rootProject.libs.versions.java.get().toInt()) + kotlinVersion.set(rootProject.libs.versions.kotlin) + slf4jVersion.set(rootProject.libs.versions.slf4j) + log4j2Version.set(rootProject.libs.versions.log4j2) + junitVersion.set(rootProject.libs.versions.junit) } } diff --git a/buildSrc/src/main/kotlin/Versions.kt b/buildSrc/src/main/kotlin/Versions.kt deleted file mode 100644 index 05b55a8d..00000000 --- a/buildSrc/src/main/kotlin/Versions.kt +++ /dev/null @@ -1,33 +0,0 @@ -@Suppress("ConstPropertyName", "MemberVisibilityCanBePrivate") -object Versions { - const val project = "0.7.2" - - const val java = 17 - const val kotlin = "1.9.22" - const val wrapper = "8.13" - - const val radarCommons = "1.2.4" - const val confluent = "7.8.1" - const val kafka = "$confluent-ce" - const val avro = "1.12.0" - - // From image - const val jackson = "2.17.3" - - const val log4j2 = "2.23.1" - const val slf4j = "2.0.13" - const val sentryLog4j = "1.7.30" - const val sentryOpenTelemetryAgent = "8.1.0" - - const val okhttp = "4.12.0" - - const val firebaseAdmin = "9.6.0" - const val radarSchemas = "0.8.14" - const val ktor = "2.3.10" - - const val junit = "5.10.2" - const val wiremock = "3.0.1" - const val mockito = "5.11.0" - - const val nettyVersion = "4.1.125.Final" -} diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml new file mode 100644 index 00000000..824f8f45 --- /dev/null +++ b/gradle/libs.versions.toml 
@@ -0,0 +1,57 @@ +[versions] +project = "0.7.2" +java = "17" +gradle = "8.13" +kotlin = "1.9.22" +radarCommons = "1.2.4" +confluent = "7.8.1" +avro = "1.12.0" +jackson = "2.17.3" +log4j2 = "2.23.1" +slf4j = "2.0.13" +sentryLog4j = "1.7.30" +sentryOpenTelemetryAgent = "8.1.0" +okhttp = "4.12.0" +firebaseAdmin = "9.6.0" +radarSchemas = "0.8.14" +ktor = "2.3.10" +junit = "5.10.2" +wiremock = "3.0.1" +mockito = "5.11.0" +netty = "4.1.125.Final" +commonsLang3 = "3.18.0" + +[libraries] +radar-commons-kotlin = { group = "org.radarbase", name = "radar-commons-kotlin", version.ref = "radarCommons" } +radar-schemas-commons = { group = "org.radarbase", name = "radar-schemas-commons", version.ref = "radarSchemas" } +kafka-connect-api = { group = "org.apache.kafka", name = "connect-api", version = "7.8.1-ce" } +kafka-connect-avro-converter = { group = "io.confluent", name = "kafka-connect-avro-converter", version.ref = "confluent" } +okhttp = { group = "com.squareup.okhttp3", name = "okhttp", version.ref = "okhttp" } +jackson-bom = { group = "com.fasterxml.jackson", name = "jackson-bom", version.ref = "jackson" } +jackson-annotations = { group = "com.fasterxml.jackson.core", name = "jackson-annotations", version.ref = "jackson" } +jackson-databind = { group = "com.fasterxml.jackson.core", name = "jackson-databind", version.ref = "jackson" } +jackson-dataformat-yaml = { group = "com.fasterxml.jackson.dataformat", name = "jackson-dataformat-yaml", version.ref = "jackson" } +jackson-datatype-jsr310 = { group = "com.fasterxml.jackson.datatype", name = "jackson-datatype-jsr310", version.ref = "jackson" } +jackson-module-kotlin = { group = "com.fasterxml.jackson.module", name = "jackson-module-kotlin", version.ref = "jackson" } +ktor-client-auth = { group = "io.ktor", name = "ktor-client-auth", version.ref = "ktor" } +ktor-client-content-negotiation = { group = "io.ktor", name = "ktor-client-content-negotiation", version.ref = "ktor" } +ktor-serialization-jackson = { group = 
"io.ktor", name = "ktor-serialization-jackson", version.ref = "ktor" } +ktor-client-cio = { group = "io.ktor", name = "ktor-client-cio-jvm", version.ref = "ktor" } +ktor-serialization-kotlinx-json = { group = "io.ktor", name = "ktor-serialization-kotlinx-json", version.ref = "ktor" } +firebase-admin = { group = "com.google.firebase", name = "firebase-admin", version.ref = "firebaseAdmin" } +avro = { group = "org.apache.avro", name = "avro", version.ref = "avro" } +slf4j-api = { group = "org.slf4j", name = "slf4j-api", version.ref = "slf4j" } +sentry-log4j = { group = "io.sentry", name = "sentry-log4j", version.ref = "sentryLog4j" } +sentry-opentelemetry-agent = { group = "io.sentry", name = "sentry-opentelemetry-agent", version.ref = "sentryOpenTelemetryAgent" } +netty-handler-proxy = { group = "io.netty", name = "netty-handler-proxy", version.ref = "netty" } +netty-handler = { group = "io.netty", name = "netty-handler", version.ref = "netty" } +commons-lang3 = { group = "org.apache.commons", name = "commons-lang3", version.ref = "commonsLang3" } +mockito-core = { group = "org.mockito", name = "mockito-core", version.ref = "mockito" } +wiremock = { group = "com.github.tomakehurst", name = "wiremock", version.ref = "wiremock" } +kotlin-test = { group = "org.jetbrains.kotlin", name = "kotlin-test", version.ref = "kotlin" } +kotlin-test-junit = { group = "org.jetbrains.kotlin", name = "kotlin-test-junit", version.ref = "kotlin" } + +[plugins] +radar-root-project = { id = "org.radarbase.radar-root-project", version.ref = "radarCommons" } +radar-dependency-management = { id = "org.radarbase.radar-dependency-management", version.ref = "radarCommons" } +radar-kotlin = { id = "org.radarbase.radar-kotlin", version.ref = "radarCommons" } diff --git a/kafka-connect-fitbit-source/Dockerfile b/kafka-connect-fitbit-source/Dockerfile index 755c9703..5dcc818f 100644 --- a/kafka-connect-fitbit-source/Dockerfile +++ b/kafka-connect-fitbit-source/Dockerfile 
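Review bot: `kafka-connect-api` is pinned with a literal `version = "7.8.1-ce"` while every other Confluent coordinate tracks `confluent`, so the next bump of `confluent` will silently leave connect-api behind; the deleted Versions.kt derived it as `"$confluent-ce"`. Catalogs cannot interpolate, so add `kafka = "7.8.1-ce" # keep in step with confluent` under `[versions]` and use `version.ref = "kafka"` on that entry. The `netty` and `commonsLang3` entries are pins added to mitigate reported vulnerabilities according to the build files, but nothing in the catalog says which advisory each answers; a `# pinned for <advisory>` comment next to each lets the pin be retired once the transitive owner ships a fix.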
@@ -20,7 +20,7 @@ WORKDIR /code ENV GRADLE_USER_HOME=/code/.gradlecache \ GRADLE_OPTS="-Dorg.gradle.vfs.watch=false -Djdk.lang.Process.launchMechanism=vfork" -COPY buildSrc /code/buildSrc +COPY ./gradle/libs.versions.toml /code/gradle/ COPY ./build.gradle.kts ./settings.gradle.kts ./gradle.properties /code/ COPY kafka-connect-rest-source/build.gradle.kts /code/kafka-connect-rest-source/ COPY kafka-connect-fitbit-source/build.gradle.kts /code/kafka-connect-fitbit-source/ diff --git a/kafka-connect-fitbit-source/build.gradle.kts b/kafka-connect-fitbit-source/build.gradle.kts index 10d6ba34..f2d9a551 100644 --- a/kafka-connect-fitbit-source/build.gradle.kts +++ b/kafka-connect-fitbit-source/build.gradle.kts 
@@ -5,33 +5,33 @@ dependencies { /* The entries in the block below are added here to force the version of * transitive dependencies and mitigate reported vulnerabilities */ - implementation("io.netty:netty-handler-proxy:${Versions.nettyVersion}") - implementation("io.netty:netty-handler:${Versions.nettyVersion}") + implementation(libs.netty.handler.proxy) + implementation(libs.netty.handler) api(project(":kafka-connect-rest-source")) api(project(":oura-library")) - api("io.confluent:kafka-connect-avro-converter:${Versions.confluent}") - api("org.radarbase:radar-schemas-commons:${Versions.radarSchemas}") - implementation("org.radarbase:radar-commons-kotlin:${Versions.radarCommons}") + api(libs.kafka.connect.avro.converter) + api(libs.radar.schemas.commons) + implementation(libs.radar.commons.kotlin) - api("com.squareup.okhttp3:okhttp:${Versions.okhttp}") - implementation(platform("com.fasterxml.jackson:jackson-bom:${Versions.jackson}")) - implementation("com.fasterxml.jackson.dataformat:jackson-dataformat-yaml") - implementation("com.fasterxml.jackson.datatype:jackson-datatype-jsr310") - implementation("com.google.firebase:firebase-admin:${Versions.firebaseAdmin}") - implementation("org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.3.41") + api(libs.okhttp) + implementation(platform(libs.jackson.bom)) + implementation(libs.jackson.dataformat.yaml) + implementation(libs.jackson.datatype.jsr310) + implementation(libs.firebase.admin) + implementation("org.jetbrains.kotlin:kotlin-stdlib-jdk8") - implementation("io.ktor:ktor-client-auth:${Versions.ktor}") - implementation("io.ktor:ktor-client-content-negotiation:${Versions.ktor}") - implementation("io.ktor:ktor-serialization-jackson:${Versions.ktor}") - implementation("io.ktor:ktor-client-cio-jvm:${Versions.ktor}") - implementation("io.ktor:ktor-serialization-kotlinx-json:${Versions.ktor}") - implementation("com.fasterxml.jackson.module:jackson-module-kotlin:${Versions.jackson}") + implementation(libs.ktor.client.auth) + 
implementation(libs.ktor.client.content.negotiation) + implementation(libs.ktor.serialization.jackson) + implementation(libs.ktor.client.cio) + implementation(libs.ktor.serialization.kotlinx.json) + implementation(libs.jackson.module.kotlin) // Included in connector runtime - compileOnly("org.apache.kafka:connect-api:${Versions.kafka}") - compileOnly(platform("com.fasterxml.jackson:jackson-bom:${Versions.jackson}")) - compileOnly("com.fasterxml.jackson.core:jackson-databind") + compileOnly(libs.kafka.connect.api) + compileOnly(platform(libs.jackson.bom)) + compileOnly(libs.jackson.databind) - testImplementation("org.apache.kafka:connect-api:${Versions.kafka}") + testImplementation(libs.kafka.connect.api) } diff --git a/kafka-connect-oura-source/Dockerfile b/kafka-connect-oura-source/Dockerfile index cf3cd2c8..20aeb7f0 100644 --- a/kafka-connect-oura-source/Dockerfile +++ b/kafka-connect-oura-source/Dockerfile @@ -20,7 +20,7 @@ WORKDIR /code ENV GRADLE_USER_HOME=/code/.gradlecache \ GRADLE_OPTS="-Dorg.gradle.vfs.watch=false -Djdk.lang.Process.launchMechanism=vfork" -COPY buildSrc /code/buildSrc +COPY ./gradle/libs.versions.toml /code/gradle/ COPY ./build.gradle.kts ./settings.gradle.kts ./gradle.properties /code/ COPY kafka-connect-oura-source/build.gradle.kts /code/kafka-connect-oura-source/ COPY oura-library/build.gradle /code/oura-library/ diff --git a/kafka-connect-oura-source/build.gradle.kts b/kafka-connect-oura-source/build.gradle.kts index 65a18e42..f038597d 100644 --- a/kafka-connect-oura-source/build.gradle.kts +++ b/kafka-connect-oura-source/build.gradle.kts 
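Review bot: The two `implementation(libs.netty.handler...)` lines at the top of the hunk only raise `netty-handler` and `netty-handler-proxy`; any other `io.netty` module that reaches the runtime classpath transitively keeps the version its requester asked for, and mixed Netty versions tend to fail at class-load time rather than at build time. If a blanket pin is intended, a `netty-bom` catalog entry used as `implementation(platform(libs.netty.bom))` covers every module with one line; the resolved transitive set is not visible here, so check the graph first. The now versionless `implementation("org.jetbrains.kotlin:kotlin-stdlib-jdk8")` replaces a stale `1.3.41` pin, which is an improvement, but the version it resolves to now depends on the Kotlin plugin's alignment and deserves a one-line `// version aligned by the Kotlin Gradle plugin` so nobody re-pins it. The `mitigate reported vulnerabilities` comment should name the advisory, otherwise the pin cannot be safely dropped later.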
@@ -5,32 +5,32 @@ dependencies { /* The entries in the block below are added here to force the version of * transitive dependencies and mitigate reported vulnerabilities */ - implementation("io.netty:netty-handler-proxy:${Versions.nettyVersion}") - implementation("io.netty:netty-handler:${Versions.nettyVersion}") + implementation(libs.netty.handler.proxy) + implementation(libs.netty.handler) api(project(":oura-library")) - api("io.confluent:kafka-connect-avro-converter:${Versions.confluent}") - api("org.radarbase:radar-schemas-commons:${Versions.radarSchemas}") - implementation("org.radarbase:radar-commons-kotlin:${Versions.radarCommons}") + api(libs.kafka.connect.avro.converter) + api(libs.radar.schemas.commons) + implementation(libs.radar.commons.kotlin) - api("com.squareup.okhttp3:okhttp:${Versions.okhttp}") - implementation(platform("com.fasterxml.jackson:jackson-bom:${Versions.jackson}")) - implementation("com.fasterxml.jackson.dataformat:jackson-dataformat-yaml") - implementation("com.fasterxml.jackson.datatype:jackson-datatype-jsr310") - implementation("com.google.firebase:firebase-admin:${Versions.firebaseAdmin}") - implementation("org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.8.21") + api(libs.okhttp) + implementation(platform(libs.jackson.bom)) + implementation(libs.jackson.dataformat.yaml) + implementation(libs.jackson.datatype.jsr310) + implementation(libs.firebase.admin) + implementation("org.jetbrains.kotlin:kotlin-stdlib-jdk8") - implementation("io.ktor:ktor-client-auth:${Versions.ktor}") - implementation("io.ktor:ktor-client-content-negotiation:${Versions.ktor}") - implementation("io.ktor:ktor-serialization-jackson:${Versions.ktor}") - implementation("io.ktor:ktor-client-cio-jvm:${Versions.ktor}") - implementation("io.ktor:ktor-serialization-kotlinx-json:${Versions.ktor}") - implementation("com.fasterxml.jackson.module:jackson-module-kotlin:${Versions.jackson}") + implementation(libs.ktor.client.auth) + 
implementation(libs.ktor.client.content.negotiation) + implementation(libs.ktor.serialization.jackson) + implementation(libs.ktor.client.cio) + implementation(libs.ktor.serialization.kotlinx.json) + implementation(libs.jackson.module.kotlin) // Included in connector runtime - compileOnly("org.apache.kafka:connect-api:${Versions.kafka}") - compileOnly(platform("com.fasterxml.jackson:jackson-bom:${Versions.jackson}")) - compileOnly("com.fasterxml.jackson.core:jackson-databind") + compileOnly(libs.kafka.connect.api) + compileOnly(platform(libs.jackson.bom)) + compileOnly(libs.jackson.databind) - testImplementation("org.apache.kafka:connect-api:${Versions.kafka}") + testImplementation(libs.kafka.connect.api) } diff --git a/kafka-connect-rest-source/build.gradle.kts b/kafka-connect-rest-source/build.gradle.kts index 8c29f835..aef4352b 100644 --- a/kafka-connect-rest-source/build.gradle.kts +++ b/kafka-connect-rest-source/build.gradle.kts 
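Review bot: This dependency block is now line-for-line identical to the one in kafka-connect-fitbit-source/build.gradle.kts, including the Netty pins and the versionless `kotlin-stdlib-jdk8`, so the two will drift apart on the next security bump unless someone remembers to edit both. Consider hoisting the shared pins into the root `subprojects {}` block (the root file already forces `commons-lang3` there) and leaving only connector-specific dependencies here. As in the Fitbit file, the pin comment should state which advisory the Netty version answers.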
@@ -1,22 +1,22 @@ description = "Kafka connector for generic REST API sources" dependencies { - api("com.squareup.okhttp3:okhttp:${Versions.okhttp}") + api(libs.okhttp) // included in runtime - compileOnly("org.apache.kafka:connect-api:${Versions.kafka}") - compileOnly("org.slf4j:slf4j-api:${Versions.slf4j}") + compileOnly(libs.kafka.connect.api) + compileOnly(libs.slf4j.api) - testImplementation("org.mockito:mockito-core:${Versions.mockito}") - testImplementation("com.github.tomakehurst:wiremock:${Versions.wiremock}") + testImplementation(libs.mockito.core) + testImplementation(libs.wiremock) - testImplementation("org.apache.kafka:connect-api:${Versions.kafka}") + testImplementation(libs.kafka.connect.api) // Application monitoring // These dependencies are not used by the REST connector, but copied into the Docker image (Dockerfile) - runtimeOnly("io.sentry:sentry-log4j:${Versions.sentryLog4j}") { + runtimeOnly(libs.sentry.log4j) { // Exclude log4j with security vulnerability (safe version is provided by docker image). exclude(group = "log4j", module = "log4j") } - runtimeOnly("io.sentry:sentry-opentelemetry-agent:${Versions.sentryOpenTelemetryAgent}") + runtimeOnly(libs.sentry.opentelemetry.agent) } diff --git a/oura-library/build.gradle b/oura-library/build.gradle index 25484b46..823a038f 100644 --- a/oura-library/build.gradle +++ b/oura-library/build.gradle 
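Review bot: `runtimeOnly(libs.sentry.log4j)` keeps `io.sentry:sentry-log4j` at 1.7.30 while excluding its `log4j:log4j` dependency, and the comment only says a safe version comes from the Docker image without naming the artifact; `sentry-log4j` from the Sentry 1.x line appears to be an appender for log4j 1.x, whereas this build configures `log4j2Version` in the root file, so it is unclear what the appender loads against at runtime. If it is really loaded by the connect image's logging setup, the comment should say which artifact satisfies the excluded coordinate; if it is never loaded, the jar is dead weight copied into the image. A comment like `// sentry-log4j 1.x targets log4j 1.2; the connect base image supplies <artifact>` next to the exclude would settle it.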
@@ -14,23 +14,23 @@ dependencies { // Use the Kotlin JDK 8 standard library. implementation 'org.jetbrains.kotlin:kotlin-stdlib-jdk8' - implementation "com.squareup.okhttp3:okhttp:$Versions.okhttp" + implementation libs.okhttp - implementation "org.radarbase:radar-schemas-commons:$Versions.radarSchemas" + implementation libs.radar.schemas.commons - implementation group: 'com.fasterxml.jackson.core', name: 'jackson-annotations', version: "$Versions.jackson" + implementation libs.jackson.annotations - implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: "$Versions.jackson" + implementation libs.jackson.databind - implementation group: 'org.apache.avro', name: 'avro', version: "$Versions.avro" + implementation libs.avro - implementation "com.fasterxml.jackson.datatype:jackson-datatype-jsr310:$Versions.jackson" + implementation libs.jackson.datatype.jsr310 // Use the Kotlin test library. - testImplementation 'org.jetbrains.kotlin:kotlin-test' + testImplementation libs.kotlin.test // Use the Kotlin JUnit integration. - testImplementation 'org.jetbrains.kotlin:kotlin-test-junit' + testImplementation libs.kotlin.test.junit } project.afterEvaluate { @@ -44,4 +44,4 @@ project.afterEvaluate { } } } -} \ No newline at end of file +} From a52cd5866a7445ea9affac3787a8f79173da7f14 Mon Sep 17 00:00:00 2001 From: Pim van Nierop Date: Wed, 11 Mar 2026 09:05:07 +0100 Subject: [PATCH 2/9] Remove buildSrc include build project --- buildSrc/build.gradle.kts | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 buildSrc/build.gradle.kts diff --git a/buildSrc/build.gradle.kts b/buildSrc/build.gradle.kts deleted file mode 100644 index dfbb6e6f..00000000 --- a/buildSrc/build.gradle.kts +++ /dev/null @@ -1,7 +0,0 @@ -plugins { - kotlin("jvm") version "1.9.22" -} - -repositories { - mavenCentral() -} From f8bcade67fd1de1e88c61ad572ebc7c74273f4e5 Mon Sep 17 00:00:00 2001 
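Review bot: `testImplementation libs.kotlin.test` and `libs.kotlin.test.junit` pin the Kotlin test libraries to the catalog's `kotlin` version where the previous lines were versionless and left alignment to the Kotlin Gradle plugin; that is fine only while the catalog value and the compiler version applied by the plugin are the same, which nothing in the build checks. A comment such as `# must match the Kotlin compiler version applied by radar-kotlin` on the catalog entry, or returning to the versionless form, avoids a silent mismatch. `jackson-annotations` and `jackson-databind` are also declared here with explicit versions rather than through the `jackson-bom` platform the connectors import; adding `implementation platform(libs.jackson.bom)` here would keep every Jackson module in this library on the same patched version.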
From: Pim van Nierop Date: Wed, 11 Mar 2026 09:09:39 +0100 Subject: [PATCH 3/9] Upgrade to Gradle 8.14 --- gradle/libs.versions.toml | 2 +- gradle/wrapper/gradle-wrapper.properties | 2 +- kafka-connect-fitbit-source/Dockerfile | 2 +- kafka-connect-oura-source/Dockerfile | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml index 824f8f45..aa4aa200 100644 --- a/gradle/libs.versions.toml +++ b/gradle/libs.versions.toml @@ -1,7 +1,7 @@ [versions] project = "0.7.2" java = "17" -gradle = "8.13" +gradle = "8.14" kotlin = "1.9.22" radarCommons = "1.2.4" confluent = "7.8.1" diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties index 37f853b1..ca025c83 100644 --- a/gradle/wrapper/gradle-wrapper.properties +++ b/gradle/wrapper/gradle-wrapper.properties @@ -1,6 +1,6 @@ distributionBase=GRADLE_USER_HOME distributionPath=wrapper/dists -distributionUrl=https\://services.gradle.org/distributions/gradle-8.13-bin.zip +distributionUrl=https\://services.gradle.org/distributions/gradle-8.14-bin.zip networkTimeout=10000 validateDistributionUrl=true zipStoreBase=GRADLE_USER_HOME diff --git a/kafka-connect-fitbit-source/Dockerfile b/kafka-connect-fitbit-source/Dockerfile index 5dcc818f..c1671575 100644 --- a/kafka-connect-fitbit-source/Dockerfile +++ b/kafka-connect-fitbit-source/Dockerfile @@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM --platform=$BUILDPLATFORM gradle:8.13-jdk17 AS builder +FROM --platform=$BUILDPLATFORM gradle:8.14-jdk17 AS builder RUN mkdir /code WORKDIR /code diff --git a/kafka-connect-oura-source/Dockerfile b/kafka-connect-oura-source/Dockerfile index 20aeb7f0..c532985f 100644 --- a/kafka-connect-oura-source/Dockerfile +++ b/kafka-connect-oura-source/Dockerfile 
@@ -12,7 +12,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM --platform=$BUILDPLATFORM gradle:8.13-jdk17 AS builder +FROM --platform=$BUILDPLATFORM gradle:8.14-jdk17 AS builder RUN mkdir /code WORKDIR /code From feed64686e9fc8a457f971d3de9488dc985cdacc Mon Sep 17 00:00:00 2001 From: Pim van Nierop Date: Wed, 11 Mar 2026 09:23:27 +0100 Subject: [PATCH 4/9] Apply March 2026 security updates --- build.gradle.kts | 19 ++++++++++++------- gradle/libs.versions.toml | 11 ++++++----- kafka-connect-fitbit-source/Dockerfile | 2 +- kafka-connect-oura-source/Dockerfile | 2 +- kafka-connect-rest-source/build.gradle.kts | 3 +++ 5 files changed, 23 insertions(+), 14 deletions(-) diff --git a/build.gradle.kts b/build.gradle.kts index 957b3c60..3e037833 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -20,15 +20,20 @@ radarRootProject { subprojects { apply(plugin = "org.radarbase.radar-kotlin") - configurations.all { - resolutionStrategy { - /* The entries in the block below are added here to force the version of - * transitive dependencies and mitigate reported vulnerabilities */ - force( - "org.apache.commons:commons-lang3:${rootProject.libs.versions.commonsLang3.get()}", - ) + // --- Vulnerability fixes start --- + dependencies { + plugins.withType { + constraints { + add("implementation", rootProject.libs.jackson.bom) { + because("Force safe version of Jackson across all modules") + } + add("implementation", rootProject.libs.commons.lang3) { + because("Force safe version of commons-lang3 across all modules") + } + } } } + // --- Vulnerability fixes end --- radarKotlin { javaVersion.set(rootProject.libs.versions.java.get().toInt()) diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml index aa4aa200..cee86c6f 100644 --- a/gradle/libs.versions.toml +++ b/gradle/libs.versions.toml 
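Review bot: The `jackson-bom` entry inside `constraints {}` does not align Jackson versions: a BOM only contributes its constraints when imported with `platform(...)`, and a constraint on the BOM coordinates merely constrains the pom-only BOM artifact itself, so `because("Force safe version of Jackson across all modules")` is not true for subprojects that do not declare the platform themselves (oura-library and kafka-connect-rest-source in this series). Replacing `force(...)` with a constraint also changes semantics — a constraint raises the version floor but never lowers a higher transitive request and only reaches configurations that extend `implementation` — which is acceptable, but the `because` text should say "raise" rather than "force". `plugins.withType { ... }` is given no plugin type; if it compiles on your Gradle version it should still name the plugin whose `implementation` configuration it waits for, e.g. `plugins.withType<JavaPlugin> {`. Suggested shape (the enclosing `subprojects {}` block continues outside the hunk):
```kotlin
    // --- Vulnerability fixes start ---
    plugins.withType<JavaPlugin> {
        dependencies {
            // A BOM only aligns versions when imported as a platform; a plain
            // constraint on the BOM coordinates affects the pom-only BOM artifact only.
            add("implementation", platform(rootProject.libs.jackson.bom))
            constraints {
                add("implementation", rootProject.libs.commons.lang3) {
                    because("Raise commons-lang3 to a patched version in all modules (a constraint raises the floor, it does not force)")
                }
            }
        }
    }
    // --- Vulnerability fixes end ---
```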
@@ -2,18 +2,19 @@ project = "0.7.2" java = "17" gradle = "8.14" -kotlin = "1.9.22" -radarCommons = "1.2.4" +kotlin = "1.9.24" +radarCommons = "1.2.6" confluent = "7.8.1" avro = "1.12.0" -jackson = "2.17.3" +jackson = "2.20.2" +jacksonAnnotations = "2.20" log4j2 = "2.23.1" slf4j = "2.0.13" sentryLog4j = "1.7.30" sentryOpenTelemetryAgent = "8.1.0" okhttp = "4.12.0" firebaseAdmin = "9.6.0" -radarSchemas = "0.8.14" +radarSchemas = "0.8.16" ktor = "2.3.10" junit = "5.10.2" wiremock = "3.0.1" @@ -28,7 +29,7 @@ kafka-connect-api = { group = "org.apache.kafka", name = "connect-api", version kafka-connect-avro-converter = { group = "io.confluent", name = "kafka-connect-avro-converter", version.ref = "confluent" } okhttp = { group = "com.squareup.okhttp3", name = "okhttp", version.ref = "okhttp" } jackson-bom = { group = "com.fasterxml.jackson", name = "jackson-bom", version.ref = "jackson" } -jackson-annotations = { group = "com.fasterxml.jackson.core", name = "jackson-annotations", version.ref = "jackson" } +jackson-annotations = { group = "com.fasterxml.jackson.core", name = "jackson-annotations", version.ref = "jacksonAnnotations" } jackson-databind = { group = "com.fasterxml.jackson.core", name = "jackson-databind", version.ref = "jackson" } jackson-dataformat-yaml = { group = "com.fasterxml.jackson.dataformat", name = "jackson-dataformat-yaml", version.ref = "jackson" } jackson-datatype-jsr310 = { group = "com.fasterxml.jackson.datatype", name = "jackson-datatype-jsr310", version.ref = "jackson" } diff --git a/kafka-connect-fitbit-source/Dockerfile b/kafka-connect-fitbit-source/Dockerfile index c1671575..ca5fe3e7 100644 --- a/kafka-connect-fitbit-source/Dockerfile +++ b/kafka-connect-fitbit-source/Dockerfile @@ -32,7 +32,7 @@ COPY ./kafka-connect-fitbit-source/src/ /code/kafka-connect-fitbit-source/src RUN gradle jar -FROM confluentinc/cp-kafka-connect-base:7.8.1 +FROM confluentinc/cp-kafka-connect-base:7.8.7 USER appuser 
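Review bot: `jacksonAnnotations = "2.20"` is introduced as a version separate from `jackson = "2.20.2"` without saying why the annotations module is tracked on its own, so the next person doing a security bump will be tempted to re-link it to `jackson`. A one-line comment above it stating the reason (for example `# jackson-annotations has no patch component in its version scheme`, if that is the case) makes the catalog self-explanatory. `confluent = "7.8.1"` is also left unchanged in a commit titled security updates even though the same patch moves the runtime base image to 7.8.7, so the bundled `kafka-connect-avro-converter` stays on the older patch line; either bump it to match or add a comment explaining why the two are deliberately decoupled.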
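Review bot: `FROM confluentinc/cp-kafka-connect-base:7.8.7` is a mutable tag, as is the `gradle:8.14-jdk17` builder tag above this hunk, so two builds of the same commit can pull different image contents; appending a digest (`FROM confluentinc/cp-kafka-connect-base:7.8.7@sha256:<digest>`) makes the runtime reproducible and turns a base-image change into a reviewable diff. The connector jar built into this image still carries the `7.8.1` avro converter from the catalog, which deserves either a matching bump or a comment saying the mismatch is intended.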
diff --git a/kafka-connect-oura-source/Dockerfile b/kafka-connect-oura-source/Dockerfile index c532985f..b5d87718 100644 --- a/kafka-connect-oura-source/Dockerfile +++ b/kafka-connect-oura-source/Dockerfile @@ -32,7 +32,7 @@ COPY ./oura-library/src/ /code/oura-library/src RUN gradle jar -FROM confluentinc/cp-kafka-connect-base:7.8.1 +FROM confluentinc/cp-kafka-connect-base:7.8.7 LABEL org.opencontainers.image.authors="pauline.conde@kcl.ac.uk" diff --git a/kafka-connect-rest-source/build.gradle.kts b/kafka-connect-rest-source/build.gradle.kts index aef4352b..0c5687b4 100644 --- a/kafka-connect-rest-source/build.gradle.kts +++ b/kafka-connect-rest-source/build.gradle.kts @@ -17,6 +17,9 @@ dependencies { runtimeOnly(libs.sentry.log4j) { // Exclude log4j with security vulnerability (safe version is provided by docker image). exclude(group = "log4j", module = "log4j") + exclude(group = "org.slf4j", module = "slf4j-api") + // Exclude Jackson with security vulnerability (safe version is provided by docker image). + exclude(group = "com.fasterxml.jackson.core") } runtimeOnly(libs.sentry.opentelemetry.agent) } From 1e875ea8776606cd3e232fb9880fff1db1ef248c Mon Sep 17 00:00:00 2001 From: Pim van Nierop Date: Wed, 11 Mar 2026 09:29:05 +0100 Subject: [PATCH 5/9] Clean config of radar-kotlin plugin --- build.gradle.kts | 4 ---- gradle/libs.versions.toml | 1 - 2 files changed, 5 deletions(-) diff --git a/build.gradle.kts b/build.gradle.kts index 3e037833..d4abe47e 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -36,10 +36,6 @@ subprojects { // --- Vulnerability fixes end --- radarKotlin { - javaVersion.set(rootProject.libs.versions.java.get().toInt()) - kotlinVersion.set(rootProject.libs.versions.kotlin) - slf4jVersion.set(rootProject.libs.versions.slf4j) log4j2Version.set(rootProject.libs.versions.log4j2) - junitVersion.set(rootProject.libs.versions.junit) } } diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml index cee86c6f..21cb4792 100644 
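Review bot: `exclude(group = "com.fasterxml.jackson.core")` removes Jackson from the `sentry-log4j` subgraph but pins nothing: if another path still brings `jackson-core` or `jackson-databind` onto `runtimeClasspath` the old version stays, and inside the image the version that actually loads is whatever the connect base ships, which this build neither constrains nor checks. Since the same series adds a root-level Jackson constraint, aligning the version there (imported as a platform) is the robust fix and this exclusion becomes a size optimisation, which the comment should then say instead of calling it a vulnerability fix. The new `slf4j-api` exclusion carries no comment at all; a short `// slf4j-api is provided by the connect runtime` would match the two comments around it.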
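Review bot: Dropping `javaVersion`, `kotlinVersion` and `slf4jVersion` from `radarKotlin {}` means the JDK target, compiler and slf4j versions now come from the radar-kotlin plugin defaults, while the catalog still carries `kotlin` (used for `kotlin-test`/`kotlin-test-junit`) and `slf4j` (used for `slf4j-api`), so the two sources can diverge without any build error. If the plugin default is known to equal the catalog value, record that with `# must match the radar-kotlin plugin default` on the catalog entries; otherwise keep `kotlinVersion.set(rootProject.libs.versions.kotlin)` so the catalog stays the single source of truth. The enclosing `subprojects {}` block starts and ends outside this hunk.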
--- a/gradle/libs.versions.toml +++ b/gradle/libs.versions.toml @@ -16,7 +16,6 @@ okhttp = "4.12.0" firebaseAdmin = "9.6.0" radarSchemas = "0.8.16" ktor = "2.3.10" -junit = "5.10.2" wiremock = "3.0.1" mockito = "5.11.0" netty = "4.1.125.Final" From 05c4cc1b847b8c5e3af2d241114ceaaabb39e34d Mon Sep 17 00:00:00 2001 From: Pim van Nierop Date: Fri, 20 Mar 2026 08:04:35 +0100 Subject: [PATCH 6/9] Package Sentry Jar in Fitbit connector --- build.gradle.kts | 2 ++ 1 file changed, 2 insertions(+) diff --git a/build.gradle.kts b/build.gradle.kts index d4abe47e..9f2379bb 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -37,5 +37,7 @@ subprojects { radarKotlin { log4j2Version.set(rootProject.libs.versions.log4j2) + sentryEnabled.set(true) + openTelemetryAgentEnabled.set(false) } } From 1969c1cb5cdd4ecb215c51b5a1ef99a37f23c6c5 Mon Sep 17 00:00:00 2001 From: Pim van Nierop Date: Wed, 11 Mar 2026 09:25:24 +0100 Subject: [PATCH 7/9] Up project version to 0.7.3 --- gradle/libs.versions.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml index 21cb4792..70f087a1 100644 --- a/gradle/libs.versions.toml +++ b/gradle/libs.versions.toml @@ -1,5 +1,5 @@ [versions] -project = "0.7.2" +project = "0.7.3" java = "17" gradle = "8.14" kotlin = "1.9.24" From 638d06b6d9d6bee4ce1391b66fd0c8a5e9ceeebc Mon Sep 17 00:00:00 2001 From: Pim van Nierop Date: Fri, 20 Mar 2026 08:08:11 +0100 Subject: [PATCH 8/9] Impl. Gradle version catalog --- kafka-connect-fitbit-source/build.gradle.kts | 2 +- kafka-connect-oura-source/build.gradle.kts | 2 +- oura-library/build.gradle | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/kafka-connect-fitbit-source/build.gradle.kts b/kafka-connect-fitbit-source/build.gradle.kts index f2d9a551..0bc03bf3 100644 --- a/kafka-connect-fitbit-source/build.gradle.kts +++ b/kafka-connect-fitbit-source/build.gradle.kts 
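Review bot: `sentryEnabled.set(true)` sits in the root `subprojects {}` `radarKotlin {}` block, so it applies to every subproject (rest-source, the Oura connector, oura-library), not only the Fitbit connector named in the commit title; if that is intended the title and a comment should say so, otherwise the setting belongs in kafka-connect-fitbit-source/build.gradle.kts. `openTelemetryAgentEnabled.set(false)` also coexists with the explicit `runtimeOnly(libs.sentry.opentelemetry.agent)` still declared in kafka-connect-rest-source/build.gradle.kts, which reads as contradictory; I cannot see the plugin, so please confirm which of the two wins and drop the other. A comment such as `// Sentry appender is packaged by the plugin; the OTel agent is copied in by the Dockerfile instead` would record the decision.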
@@ -19,7 +19,7 @@ dependencies { implementation(libs.jackson.dataformat.yaml) implementation(libs.jackson.datatype.jsr310) implementation(libs.firebase.admin) - implementation("org.jetbrains.kotlin:kotlin-stdlib-jdk8") + implementation("org.jetbrains.kotlin:kotlin-stdlib") implementation(libs.ktor.client.auth) implementation(libs.ktor.client.content.negotiation) diff --git a/kafka-connect-oura-source/build.gradle.kts b/kafka-connect-oura-source/build.gradle.kts index f038597d..331e830d 100644 --- a/kafka-connect-oura-source/build.gradle.kts +++ b/kafka-connect-oura-source/build.gradle.kts @@ -18,7 +18,7 @@ dependencies { implementation(libs.jackson.dataformat.yaml) implementation(libs.jackson.datatype.jsr310) implementation(libs.firebase.admin) - implementation("org.jetbrains.kotlin:kotlin-stdlib-jdk8") + implementation("org.jetbrains.kotlin:kotlin-stdlib") implementation(libs.ktor.client.auth) implementation(libs.ktor.client.content.negotiation) diff --git a/oura-library/build.gradle b/oura-library/build.gradle index 823a038f..c36b6b3e 100644 --- a/oura-library/build.gradle +++ b/oura-library/build.gradle @@ -12,7 +12,7 @@ repositories { dependencies { // Use the Kotlin JDK 8 standard library. - implementation 'org.jetbrains.kotlin:kotlin-stdlib-jdk8' + implementation 'org.jetbrains.kotlin:kotlin-stdlib' implementation libs.okhttp From df01bd39679d7bd15493b06737a7efe74c7aca70 Mon Sep 17 00:00:00 2001 From: Pim van Nierop Date: Fri, 20 Mar 2026 08:31:40 +0100 Subject: [PATCH 9/9] Apply March 2026 security updates --- build.gradle.kts | 8 ++ gradle/libs.versions.toml | 79 +++++++++++--------- kafka-connect-fitbit-source/build.gradle.kts | 2 +- kafka-connect-oura-source/build.gradle.kts | 2 +- oura-library/build.gradle | 2 +- 5 files changed, 53 insertions(+), 40 deletions(-) diff --git a/build.gradle.kts b/build.gradle.kts index 9f2379bb..7cd939d1 100644 --- a/build.gradle.kts +++ b/build.gradle.kts 
@@ -33,6 +33,14 @@ subprojects { } } } + configurations.all { + resolutionStrategy.dependencySubstitution { + // Substitute the old group/module with drop-in replacement + substitute(module("org.lz4:lz4-java")) + .using(module(rootProject.libs.lz4.get().toString())) + .because("Force safe version of LZ4 across all modules") + } + } // --- Vulnerability fixes end --- radarKotlin { diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml index 70f087a1..c4161d60 100644 --- a/gradle/libs.versions.toml +++ b/gradle/libs.versions.toml 
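Review bot: The substitution redirects every `org.lz4:lz4-java` request to the `libs.lz4` coordinates, whose group is not visible in this chunk; moving a dependency to a differently-owned artifact is a supply-chain decision, so the `because(...)` text should record where the replacement comes from and why it is trusted (upstream URL, maintainer), and the artifact should get an entry in `gradle/verification-metadata.xml` so its checksum or signature is verified on resolve. `rootProject.libs.lz4.get().toString()` also relies on the `toString()` of a `MinimalExternalModuleDependency` yielding exactly the `group:name:version` form `module()` expects, which is not a documented contract; building the string from `module.group`, `module.name` and `versionConstraint.requiredVersion` is explicit and survives Gradle upgrades. Because `connect-api` (and with it `kafka-clients`) is `compileOnly` in the connectors, the substitution presumably affects compile and test graphs rather than what is shipped, and the lz4 actually loaded at runtime comes from the connect base image; stating that in the comment prevents the change from being mistaken for a runtime hardening.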
@@ -1,55 +1,60 @@
 [versions]
 project = "0.7.3"
-java = "17"
 gradle = "8.14"
 kotlin = "1.9.24"
 radarCommons = "1.2.6"
 confluent = "7.8.1"
-avro = "1.12.0"
+avro = "1.12.1"
+# @pin Upgrade to 2.21.x requires kotlin v2 minimum
 jackson = "2.20.2"
 jacksonAnnotations = "2.20"
 log4j2 = "2.23.1"
-slf4j = "2.0.13"
+slf4j = "2.0.17"
 sentryLog4j = "1.7.30"
-sentryOpenTelemetryAgent = "8.1.0"
+sentryOpenTelemetryAgent = "8.36.0"
+# @pin Upgrade to 5.x.x requires kotlin v2 minimum
 okhttp = "4.12.0"
-firebaseAdmin = "9.6.0"
+firebaseAdmin = "9.8.0"
 radarSchemas = "0.8.16"
-ktor = "2.3.10"
+# @pin Upgrade to 3.x.x requires kotlin v2 minimum
+ktor = "2.3.13"
 wiremock = "3.0.1"
-mockito = "5.11.0"
-netty = "4.1.125.Final"
-commonsLang3 = "3.18.0"
+mockito = "5.23.0"
+netty = "4.2.10.Final"
+commonsLang3 = "3.20.0"
+lz4 = "1.10.1"
 
 [libraries]
-radar-commons-kotlin = { group = "org.radarbase", name = "radar-commons-kotlin", version.ref = "radarCommons" }
-radar-schemas-commons = { group = "org.radarbase", name = "radar-schemas-commons", version.ref = "radarSchemas" }
-kafka-connect-api = { group = "org.apache.kafka", name = "connect-api", version = "7.8.1-ce" }
-kafka-connect-avro-converter = { group = "io.confluent", name = "kafka-connect-avro-converter", version.ref = "confluent" }
-okhttp = { group = "com.squareup.okhttp3", name = "okhttp", version.ref = "okhttp" }
-jackson-bom = { group = "com.fasterxml.jackson", name = "jackson-bom", version.ref = "jackson" }
-jackson-annotations = { group = "com.fasterxml.jackson.core", name = "jackson-annotations", version.ref = "jacksonAnnotations" }
-jackson-databind = { group = "com.fasterxml.jackson.core", name = "jackson-databind", version.ref = "jackson" }
-jackson-dataformat-yaml = { group = "com.fasterxml.jackson.dataformat", name = "jackson-dataformat-yaml", version.ref = "jackson" }
-jackson-datatype-jsr310 = { group = "com.fasterxml.jackson.datatype", name = "jackson-datatype-jsr310", version.ref = "jackson" }
-jackson-module-kotlin = { group = "com.fasterxml.jackson.module", name = "jackson-module-kotlin", version.ref = "jackson" }
-ktor-client-auth = { group = "io.ktor", name = "ktor-client-auth", version.ref = "ktor" }
-ktor-client-content-negotiation = { group = "io.ktor", name = "ktor-client-content-negotiation", version.ref = "ktor" }
-ktor-serialization-jackson = { group = "io.ktor", name = "ktor-serialization-jackson", version.ref = "ktor" }
-ktor-client-cio = { group = "io.ktor", name = "ktor-client-cio-jvm", version.ref = "ktor" }
-ktor-serialization-kotlinx-json = { group = "io.ktor", name = "ktor-serialization-kotlinx-json", version.ref = "ktor" }
-firebase-admin = { group = "com.google.firebase", name = "firebase-admin", version.ref = "firebaseAdmin" }
-avro = { group = "org.apache.avro", name = "avro", version.ref = "avro" }
-slf4j-api = { group = "org.slf4j", name = "slf4j-api", version.ref = "slf4j" }
-sentry-log4j = { group = "io.sentry", name = "sentry-log4j", version.ref = "sentryLog4j" }
-sentry-opentelemetry-agent = { group = "io.sentry", name = "sentry-opentelemetry-agent", version.ref = "sentryOpenTelemetryAgent" }
-netty-handler-proxy = { group = "io.netty", name = "netty-handler-proxy", version.ref = "netty" }
-netty-handler = { group = "io.netty", name = "netty-handler", version.ref = "netty" }
-commons-lang3 = { group = "org.apache.commons", name = "commons-lang3", version.ref = "commonsLang3" }
-mockito-core = { group = "org.mockito", name = "mockito-core", version.ref = "mockito" }
-wiremock = { group = "com.github.tomakehurst", name = "wiremock", version.ref = "wiremock" }
-kotlin-test = { group = "org.jetbrains.kotlin", name = "kotlin-test", version.ref = "kotlin" }
-kotlin-test-junit = { group = "org.jetbrains.kotlin", name = "kotlin-test-junit", version.ref = "kotlin" }
+lz4 = { module = "at.yawk.lz4:lz4-java", version.ref = "lz4" }
+radar-commons-kotlin = { module = "org.radarbase:radar-commons-kotlin", version.ref = "radarCommons" }
+radar-schemas-commons = { module = "org.radarbase:radar-schemas-commons", version.ref = "radarSchemas" }
+kafka-connect-api = "org.apache.kafka:connect-api:7.8.1-ce"
+kafka-connect-avro-converter = { module = "io.confluent:kafka-connect-avro-converter", version.ref = "confluent" }
+okhttp = { module = "com.squareup.okhttp3:okhttp", version.ref = "okhttp" }
+jackson-bom = { module = "com.fasterxml.jackson:jackson-bom", version.ref = "jackson" }
+jackson-annotations = { module = "com.fasterxml.jackson.core:jackson-annotations", version.ref = "jacksonAnnotations" }
+jackson-databind = { module = "com.fasterxml.jackson.core:jackson-databind", version.ref = "jackson" }
+jackson-dataformat-yaml = { module = "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml", version.ref = "jackson" }
+jackson-datatype-jsr310 = { module = "com.fasterxml.jackson.datatype:jackson-datatype-jsr310", version.ref = "jackson" }
+jackson-module-kotlin = { module = "com.fasterxml.jackson.module:jackson-module-kotlin", version.ref = "jackson" }
+kotlin-stdlib = { module = "org.jetbrains.kotlin:kotlin-stdlib", version.ref = "kotlin" }
+ktor-client-auth = { module = "io.ktor:ktor-client-auth", version.ref = "ktor" }
+ktor-client-content-negotiation = { module = "io.ktor:ktor-client-content-negotiation", version.ref = "ktor" }
+ktor-serialization-jackson = { module = "io.ktor:ktor-serialization-jackson", version.ref = "ktor" }
+ktor-client-cio = { module = "io.ktor:ktor-client-cio-jvm", version.ref = "ktor" }
+ktor-serialization-kotlinx-json = { module = "io.ktor:ktor-serialization-kotlinx-json", version.ref = "ktor" }
+firebase-admin = { module = "com.google.firebase:firebase-admin", version.ref = "firebaseAdmin" }
+avro = { module = "org.apache.avro:avro", version.ref = "avro" }
+slf4j-api = { module = "org.slf4j:slf4j-api", version.ref = "slf4j" }
+sentry-log4j = { module = "io.sentry:sentry-log4j", version.ref = "sentryLog4j" }
+sentry-opentelemetry-agent = { module = "io.sentry:sentry-opentelemetry-agent", version.ref = "sentryOpenTelemetryAgent" }
+netty-handler-proxy = { module = "io.netty:netty-handler-proxy", version.ref = "netty" }
+netty-handler = { module = "io.netty:netty-handler", version.ref = "netty" }
+commons-lang3 = { module = "org.apache.commons:commons-lang3", version.ref = "commonsLang3" }
+mockito-core = { module = "org.mockito:mockito-core", version.ref = "mockito" }
+wiremock = { module = "com.github.tomakehurst:wiremock", version.ref = "wiremock" }
+kotlin-test = { module = "org.jetbrains.kotlin:kotlin-test", version.ref = "kotlin" }
+kotlin-test-junit = { module = "org.jetbrains.kotlin:kotlin-test-junit", version.ref = "kotlin" }
 
 [plugins]
 radar-root-project = { id = "org.radarbase.radar-root-project", version.ref = "radarCommons" }
diff --git a/kafka-connect-fitbit-source/build.gradle.kts index 0bc03bf3..78dbf5e5 100644 --- a/kafka-connect-fitbit-source/build.gradle.kts +++ b/kafka-connect-fitbit-source/build.gradle.kts @@ -19,7 +19,7 @@ dependencies { implementation(libs.jackson.dataformat.yaml) implementation(libs.jackson.datatype.jsr310) implementation(libs.firebase.admin) - implementation("org.jetbrains.kotlin:kotlin-stdlib") + implementation(libs.kotlin.stdlib) implementation(libs.ktor.client.auth) implementation(libs.ktor.client.content.negotiation)
diff --git a/kafka-connect-oura-source/build.gradle.kts index 331e830d..8ba12ee8 100644 --- a/kafka-connect-oura-source/build.gradle.kts +++ b/kafka-connect-oura-source/build.gradle.kts @@ -18,7 +18,7 @@ dependencies { implementation(libs.jackson.dataformat.yaml) implementation(libs.jackson.datatype.jsr310) implementation(libs.firebase.admin) - implementation("org.jetbrains.kotlin:kotlin-stdlib") + implementation(libs.kotlin.stdlib) implementation(libs.ktor.client.auth) implementation(libs.ktor.client.content.negotiation)
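Review bot: `-java = "17"` drops a catalog version that nothing in this hunk re-adds, and this commit's diffstat shows only additions to `build.gradle.kts`; if any build script still resolves `libs.versions.java` (a root `radarKotlin { javaVersion.set(...) }` block would be the obvious consumer), Gradle fails at configuration time with an unresolved accessor, so either keep the entry or state in the commit where the Java version now comes from. A smaller, documentation-only point: in a commit titled as the March security update, `log4j2 = "2.23.1"`, `sentryLog4j = "1.7.30"`, `confluent = "7.8.1"` and `wiremock = "3.0.1"` keep their previous pins with none of the `# @pin` notes that were added for jackson, okhttp and ktor; a one-line reason on each, even just `# @pin reviewed Mar 2026, no advisory applies`, would make the next audit of this catalog much faster. The `lz4` entry introduces a new group (`at.yawk.lz4`) with no comment explaining the departure from `org.lz4`; that rationale belongs here as much as in the substitution rule that consumes it.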
diff --git a/oura-library/build.gradle b/oura-library/build.gradle index c36b6b3e..6d0cc80a 100644 --- a/oura-library/build.gradle +++ b/oura-library/build.gradle @@ -12,7 +12,7 @@ repositories { dependencies { // Use the Kotlin JDK 8 standard library. - implementation 'org.jetbrains.kotlin:kotlin-stdlib' + implementation libs.kotlin.stdlib implementation libs.okhttp