From c7e0b54691613578e7e9cc1b055be47bfe6f0b71 Mon Sep 17 00:00:00 2001 From: simonredfern Date: Tue, 12 May 2026 14:47:38 +0200 Subject: [PATCH 1/4] pom.xml bump mysql-connector --- obp-api/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/obp-api/pom.xml b/obp-api/pom.xml index c5ef98268a..ee1149e448 100644 --- a/obp-api/pom.xml +++ b/obp-api/pom.xml @@ -103,7 +103,7 @@ com.mysql mysql-connector-j - 8.0.33 + 8.1.0 From 10d32b8bc2aa680e9caced19e3e54c02a6893025 Mon Sep 17 00:00:00 2001 From: simonredfern Date: Tue, 12 May 2026 15:21:56 +0200 Subject: [PATCH 2/4] pom.xml bump msal4j --- obp-api/pom.xml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/obp-api/pom.xml b/obp-api/pom.xml index ee1149e448..7229a1de59 100644 --- a/obp-api/pom.xml +++ b/obp-api/pom.xml @@ -126,6 +126,13 @@ commons-beanutils 1.10.1 + + + com.microsoft.azure + msal4j + 1.16.2 + junit From cfa05c48841bae28d36be6e9551df9cca0fa7845 Mon Sep 17 00:00:00 2001 From: simonredfern Date: Tue, 12 May 2026 15:34:49 +0200 Subject: [PATCH 3/4] pom.xml bump log4j-api --- obp-api/pom.xml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/obp-api/pom.xml b/obp-api/pom.xml index 7229a1de59..6d23ea4702 100644 --- a/obp-api/pom.xml +++ b/obp-api/pom.xml @@ -133,6 +133,19 @@ msal4j 1.16.2 + + + org.apache.logging.log4j + log4j-api + 2.24.3 + + + org.apache.logging.log4j + log4j-core + 2.24.3 + junit From ef9f0973bffa059a50cb8fe1242eb54b97ef446d Mon Sep 17 00:00:00 2001 From: simonredfern Date: Tue, 12 May 2026 15:59:37 +0200 Subject: [PATCH 4/4] pom.xml Explicit bcprov-jdk15on --- EXTRA_TESTS_TODO.md | 83 +++++++++++++++++++++++++++++++++++++++++++++ obp-api/pom.xml | 9 +++++ 2 files changed, 92 insertions(+) create mode 100644 EXTRA_TESTS_TODO.md diff --git a/EXTRA_TESTS_TODO.md b/EXTRA_TESTS_TODO.md new file mode 100644 index 0000000000..943a7ca521 --- /dev/null +++ b/EXTRA_TESTS_TODO.md 
@@ -0,0 +1,83 @@ +# Tests to Add — Coverage Gaps from Dependency Bumps + +Tracks dependency bumps where compile + the standard 4-suite smoke test passed, but the code paths that actually exercise the bumped library aren't covered. Production deploys against real backends should smoke-test each item before going live. + +Test suites currently used as the smoke gate: +- `code.api.v7_0_0.Http4s700RoutesTest` +- `code.api.v7_0_0.Http4s700TransactionTest` +- `code.api.http4sbridge.Http4sLiftBridgePropertyTest` +- `code.api.http4sbridge.Http4sServerIntegrationTest` + +Test DB is H2; many integrations are stubbed or absent. + +--- + +## Open coverage gaps + +### `mysql-connector-j` 8.0.33 → 8.1.0 +- **Untested path:** any code that actually opens a MySQL connection. Tests run on H2. +- **Risk:** Oracle renamed the artifact at this boundary and adopted the "innovation release" cadence. Cross-version protocol regressions are uncommon but possible. +- **Suggested smoke test:** start OBP-API against a MySQL 8 database (matching whatever a typical deployment runs), exercise a few core read/write endpoints, check transactions commit and connection pool cycles. + +### `mssql-jdbc:11.2.0.jre11` (still pinned, not yet bumped — see TODO below) +- Same gap as MySQL: H2 in tests, real driver path never exercised. + +### `msal4j` 1.13.0 → 1.16.2 +- **Untested path:** Azure AD integrated authentication for MSSQL. Pulled in via `mssql-jdbc`. No Azure tenant in tests. +- **Risk:** breakage would manifest only when an MSSQL deployment uses `Authentication=ActiveDirectoryIntegrated` / `ActiveDirectoryPassword` / `ActiveDirectoryServicePrincipal`. +- **Suggested smoke test:** if any production deploy uses Azure AD auth for MSSQL, run a real connection attempt against the tenant before promoting the build. + +### `bcprov-jdk15on:1.70` excluded (web3j now uses `bcprov-jdk18on:1.78.1`) +- **Untested path:** web3j's signing / keccak / secp256k1 calls. No web3 tests in the suite. 
+- **Risk:** BouncyCastle keeps the `org.bouncycastle.*` package stable across the `15on` → `18on` rename, so this *should* be transparent. But web3j 4.9.8 was tested against 1.70. +- **Suggested smoke test:** if any deploy uses the OBP web3 / Ethereum endpoints, sign + recover a known message round-trip; verify a signed transaction is byte-identical to what web3j 1.70 + bcprov 1.70 produced. + +### `protobuf-java` 3.21.9 → 3.25.5 (and `protobuf-java-util:3.21.1` still on the old line) +- **Untested path:** gRPC traffic. No gRPC integration tests are wired into the project. +- **Risk:** wire-format and reflection APIs are stable, but Descriptor / TextFormat edge cases changed across 3.21 → 3.25. +- **Suggested smoke test:** if any deploy uses the gRPC connector for chat/streaming, run a round-trip RPC against the chat service and verify message framing + field round-trip. + +### `snappy-java` 1.1.1.3 → 1.1.10.4 +- **Untested path:** snappy compression as used by Avro and the Kafka client. Compression isn't exercised by integration tests. +- **Risk:** 1.1.x API has been stable since 2014 — low. But the JNI native loader changed in 1.1.8 (more permission-strict on some JVMs). +- **Suggested smoke test:** trigger an Avro serialization that uses snappy codec; check the load-and-decompress roundtrip on each deploy OS/JDK combination. + +### `log4j-api` / `log4j-core` 2.19.0 → 2.24.3 +- **Coverage status:** *adequate*. Tests log heavily through Log4j 2 — appender + formatter paths are well exercised. Listed here for completeness only; no extra test needed. + +### `commons-beanutils` 1.9.2 → 1.10.1 +- **Untested path:** the deserialization paths the CVE fixes. The `everit json-schema` → `commons-validator` → `commons-beanutils` chain is exercised in JSON schema validation tests, but the specific CVE-2025-48734 input shape isn't reproduced. +- **Risk:** the public bean-introspection API is stable across 1.9 → 1.10. Low. 
+- **Suggested smoke test:** none required; trust the upstream test suite for this one. + +### `postgresql` 42.7.3 → 42.7.7 +- **Untested path:** real Postgres connections. Tests run on H2. +- **Risk:** patch-level bump within 42.7.x — JDBC API surface unchanged. +- **Suggested smoke test:** any deploy on Postgres exercises this naturally on first request; no dedicated test needed. + +### `commons-lang3` 3.14.0 → 3.18.0 +- **Coverage status:** *adequate*. Heavily exercised across the codebase. No extra test needed. + +--- + +## Pending bumps with the same caveat + +Listed for future reference — these will likely need entries here when applied: + +- `mssql-jdbc` 11.2.0.jre11 → 12.6.4.jre11 (CVE-2025-59250) — H2 in tests +- `hydra-client` 1.7.0 → ? (CVE-2026-33504) — usage unknown +- `jackson-databind` 2.12.7.1 → 2.17.x (CVE-2023-35116) — wide blast radius across JSON deserialization +- `protobuf-java-util` 3.21.1 → 3.25.5 (matches main protobuf, deferred pending gRPC bump) +- `oauth2-oidc-sdk` 9.27 → 11.x + `json-smart` 2.4.7 → 2.5.2 (must be coordinated) +- `avro` 1.8.2 → 1.11.x (major; aligns with snappy bump) +- `netty-transport` 4.1.42 → 4.1.118+ (23 CVEs; coordinated with http4s / gRPC) +- `grpc-core` / `grpc-protobuf` 1.48.1 → 1.66+ (6 CVEs; coordinated with protobuf-java-util) + +--- + +## Suggested next steps for closing these gaps + +1. **Add a DB matrix test profile.** A Maven profile that swaps H2 for MySQL / Postgres / MSSQL via Testcontainers would catch driver-level regressions for free on the next bump. One-time setup cost. +2. **Add a `WebhookHttpClient` integration test** that runs against a local OkHttp / wiremock server. Would cover the OkHttp + Kotlin stdlib runtime path and any future OkHttp bump. +3. **Add a tiny web3j signing round-trip test** (deterministic input → known signature). Cheap, catches BouncyCastle regressions. +4. **Add a gRPC ping test** if/when the chat-service gRPC path lands. 
Pre-requisite for any future grpc-core / protobuf-java-util bump. diff --git a/obp-api/pom.xml b/obp-api/pom.xml index 6d23ea4702..700be4ec38 100644 --- a/obp-api/pom.xml +++ b/obp-api/pom.xml @@ -305,6 +305,15 @@ org.web3j core 4.9.8 + + + + org.bouncycastle + bcprov-jdk15on + + com.zaxxer
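Review bot: in patch 1 (`obp-api/pom.xml` @@ -103), the version moves from the 8.0.x bug-fix line to `8.1.0`, which is Connector/J's first innovation-track release, so confirm that is intended rather than the latest 8.0.x patch; the unchanged context lines `com.mysql` / `mysql-connector-j` show the artifact was already on the renamed coordinates, so this hunk changes release cadence, not the artifact name. Since the test suite runs on H2 (per the TODO in patch 4), a connection against a real MySQL 8 instance plus `mvn dependency:tree -Dincludes=com.mysql` before merging is the only thing that will exercise this change.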
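Review bot: in patch 2 (`obp-api/pom.xml` @@ -126), the hunk adds `com.microsoft.azure:msal4j:1.16.2` as a new direct dependency (7 insertions, nothing removed), whereas the subject says "bump" and the TODO in patch 4 describes it as `1.13.0 → 1.16.2` pulled in via `mssql-jdbc`; if the goal is only to override the transitive version, declare it under `<dependencyManagement>` so msal4j does not become a compile-scope dependency of the API together with its own transitive tree. Also run `mvn dependency:tree -Dincludes=com.nimbusds` after this change, because msal4j's own nimbus dependencies (`oauth2-oidc-sdk`, `json-smart`) are exactly the pair the TODO says must be bumped in a coordinated way.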
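Review bot: in patch 3 (`obp-api/pom.xml` @@ -133), `log4j-api` and `log4j-core` are added as direct dependencies with `2.24.3` repeated twice; factor the version into one property (e.g. `${log4j2.version}`) so the two artifacts cannot drift apart on the next bump, and as with msal4j, `<dependencyManagement>` is the right place if the intent is only to pin a transitive version. Declaring `log4j-core` directly also puts a logging backend on the runtime classpath, so check with `mvn dependency:tree` that no second binding (log4j 1.x, logback) remains; the TODO's "adequate" coverage claim for Log4j only holds if the tests actually log through this backend.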
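Review bot: in patch 4 (`obp-api/pom.xml` @@ -305), the exclusion block under `org.web3j:core:4.9.8` drops `bcprov-jdk15on` but nothing in this series adds `bcprov-jdk18on`, so unless it already arrives from another dependency, web3j's signing and keccak code will fail with `NoClassDefFoundError` at runtime, and the TODO in the same patch admits there are no web3 tests to catch that. Verify with `mvn dependency:tree -Dincludes=org.bouncycastle` that exactly one `bcprov-*` artifact remains (two would duplicate the `org.bouncycastle.*` classes), and reword the subject "Explicit bcprov-jdk15on", since the hunk excludes the artifact rather than declaring it.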
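Review bot: in patch 4 (`EXTRA_TESTS_TODO.md`), several statements do not match the diffs in this series and should be corrected before merging: under `mysql-connector-j`, "Oracle renamed the artifact at this boundary" contradicts patch 1, where `com.mysql` / `mysql-connector-j` are unchanged context lines; under `msal4j`, "1.13.0 → 1.16.2 ... Pulled in via `mssql-jdbc`" describes a transitive bump, but patch 2 adds a new direct dependency; and "web3j now uses `bcprov-jdk18on:1.78.1`" has no corresponding dependency anywhere in patch 4. The entries for `protobuf-java`, `snappy-java`, `commons-beanutils`, `postgresql` and `commons-lang3` are not touched by any of the four patches (commons-beanutils `1.10.1` already appears as context in patch 2, so presumably they landed earlier); say so, otherwise the header "dependency bumps where compile + the standard 4-suite smoke test passed" overstates what this series tested.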