Merge branch 'release/v3.68.1-6'

nfranzeck · cesmarvin · commit 7ced201f5406 · 2024-09-18T13:08:10.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v3.68.1-6] - 2024-09-18
+### Changed
+- [#139] Update nexus carp to v1.4.1
+  - This adds safe password generation with `java.security.SecureRandom`
+- Relicense to AGPL-3.0-only
+
 ## [v3.68.1-5] - 2024-09-04
 ### Changed
 - [#137] update nexus-carp version to v1.4.0
diff --git a/Dockerfile b/Dockerfile
@@ -2,15 +2,15 @@
 FROM registry.cloudogu.com/official/java:11.0.24-1 as builder
 LABEL maintainer="hello@cloudogu.com" \
     NAME="official/nexus" \
-    VERSION="3.68.1-5"
+    VERSION="3.68.1-6"
 
 WORKDIR /build
 
 # The version of nexus to install
 ENV NEXUS_VERSION=3.68.1-02 \
     TINI_VERSION=0.19.0 \
     NEXUS_CLAIM_VERSION=1.0.0 \
-    NEXUS_CARP_VERSION=1.4.0 \
+    NEXUS_CARP_VERSION=1.4.1 \
     NEXUS_SCRIPTING_VERSION=0.2.0 \
     SHIRO_VERSION=1.11.0 \
     NEXUS_BUILD_DIR=/build/opt/sonatype/nexus \
@@ -19,7 +19,7 @@ ENV NEXUS_VERSION=3.68.1-02 \
     SHA256_NEXUS_TAR="6a04eb770e0c4415d3033de757b07ddfdfd15beadbf839d4b33438246e4325a7" \
     SHA256_NEXUS_CLAIM="a34608ac7b516d6bc91f8a157bea286919c14e5fb5ecc76fc15edccb35adec42" \
     SHA256_NEXUS_SCRIPTING="60c7f3d8a0c97b1d90d954ebad9dc07dbeb7927934b618c874b2e72295cafb48" \
-    SHA256_NEXUS_CARP="f0899c297fc4f826d33bb7a923356e659ba89e66a3896cad28953c2002bcf8a4"
+    SHA256_NEXUS_CARP="db742df8f4c672d1aaa049efa097756d1f9b86e050331a01406cb97e11c41485"
 
 RUN set -o errexit \
   && set -o nounset \
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -1,5 +1,5 @@
 #!groovy
-@Library(['github.com/cloudogu/ces-build-lib@2.2.1', 'github.com/cloudogu/dogu-build-lib@v2.3.1'])
+@Library(['github.com/cloudogu/ces-build-lib@2.3.0', 'github.com/cloudogu/dogu-build-lib@v2.3.1'])
 import com.cloudogu.ces.cesbuildlib.*
 import com.cloudogu.ces.dogubuildlib.*
 
diff --git a/LICENSE b/LICENSE
diff --git a/Makefile b/Makefile
@@ -1,5 +1,5 @@
-MAKEFILES_VERSION=9.1.0
-VERSION=3.68.1-5
+MAKEFILES_VERSION=9.2.1
+VERSION=3.68.1-6
 
 .DEFAULT_GOAL:=dogu-release
 
diff --git a/README.md b/README.md
@@ -1,9 +1,3 @@
-<img src="https://cloudogu.com/images/dogus/nexus.png" alt="nexus logo" height="100px">
-
-
-[![GitHub license](https://img.shields.io/github/license/cloudogu/nexus.svg)](https://github.com/cloudogu/nexus/blob/master/LICENSE)
-[![GitHub release](https://img.shields.io/github/release/cloudogu/nexus.svg)](https://github.com/cloudogu/nexus/releases)
-
 # Nexus Repository OSS Dogu
 
 ## About this Dogu
@@ -31,15 +25,21 @@ cesapp start nexus
 - [English] [Documentation](docs/getting_started_en.md)
 
 ---
-### What is the Cloudogu EcoSystem?
-The Cloudogu EcoSystem is an open platform, which lets you choose how and where your team creates great software. Each service or tool is delivered as a Dogu, a Docker container. Each Dogu can easily be integrated in your environment just by pulling it from our registry. We have a growing number of ready-to-use Dogus, e.g. SCM-Manager, Jenkins, Nexus, SonarQube, Redmine and many more. Every Dogu can be tailored to your specific needs. Take advantage of a central authentication service, a dynamic navigation, that lets you easily switch between the web UIs and a smart configuration magic, which automatically detects and responds to dependencies between Dogus. The Cloudogu EcoSystem is open source and it runs either on-premises or in the cloud. The Cloudogu EcoSystem is developed by Cloudogu GmbH under [MIT License](https://cloudogu.com/license.html).
+## What is the Cloudogu EcoSystem?
+The Cloudogu EcoSystem is an open platform, which lets you choose how and where your team creates great software. Each service or tool is delivered as a Dogu, a Docker container. Each Dogu can easily be integrated in your environment just by pulling it from our registry.
 
-### How to get in touch?
-Want to talk to the Cloudogu team? Need help or support? There are several ways to get in touch with us:
+We have a growing number of ready-to-use Dogus, e.g. SCM-Manager, Jenkins, Nexus Repository, SonarQube, Redmine and many more. Every Dogu can be tailored to your specific needs. Take advantage of a central authentication service, a dynamic navigation, that lets you easily switch between the web UIs and a smart configuration magic, which automatically detects and responds to dependencies between Dogus.
+
+The Cloudogu EcoSystem is open source and it runs either on-premises or in the cloud. The Cloudogu EcoSystem is developed by Cloudogu GmbH under [AGPL-3.0-only](https://spdx.org/licenses/AGPL-3.0-only.html).
+
+## License
+Copyright © 2020 - present Cloudogu GmbH
+This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, version 3.
+This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details.
+You should have received a copy of the GNU Affero General Public License along with this program. If not, see https://www.gnu.org/licenses/.
+See [LICENSE](LICENSE) for details.
 
-* [Website](https://cloudogu.com)
-* [myCloudogu-Forum](https://forum.cloudogu.com/topic/34?ctx=1)
-* [Email hello@cloudogu.com](mailto:hello@cloudogu.com)
 
 ---
-&copy; 2020 Cloudogu GmbH - MADE WITH :heart:&nbsp;FOR DEV ADDICTS. [Legal notice / Impressum](https://cloudogu.com/imprint.html)
+MADE WITH :heart:&nbsp;FOR DEV ADDICTS. [Legal notice / Imprint](https://cloudogu.com/en/imprint/?mtm_campaign=ecosystem&mtm_kwd=imprint&mtm_source=github&mtm_medium=link)
+
diff --git a/build/make/bats.mk b/build/make/bats.mk
@@ -9,7 +9,7 @@ BATS_SUPPORT=$(BATS_LIBRARY_DIR)/bats-support
 BATS_FILE=$(BATS_LIBRARY_DIR)/bats-file
 BATS_BASE_IMAGE?=bats/bats
 BATS_CUSTOM_IMAGE?=cloudogu/bats
-BATS_TAG?=1.2.1
+BATS_TAG?=1.11.0
 BATS_DIR=build/make/bats
 BATS_WORKDIR="${WORKDIR}"/"${BATS_DIR}"
 
diff --git a/build/make/bats/Dockerfile b/build/make/bats/Dockerfile
@@ -1,7 +1,9 @@
 ARG BATS_BASE_IMAGE
 ARG BATS_TAG
 
-FROM ${BATS_BASE_IMAGE}:${BATS_TAG}
+FROM ${BATS_BASE_IMAGE:-bats/bats}:${BATS_TAG:-1.11.0}
 
 # Make bash more findable by scripts and tests
 RUN apk add make git bash
+# suppress git "detected dubious ownership" error/warning for repos which are checked out later
+RUN git config --global --add safe.directory /workspace
diff --git a/build/make/k8s.mk b/build/make/k8s.mk
@@ -138,7 +138,7 @@ ${K8S_RESOURCE_TEMP_FOLDER}:
 ##@ K8s - Docker
 
 .PHONY: docker-build
-docker-build: check-docker-credentials check-k8s-image-env-var ## Builds the docker image of the K8s app.
+docker-build: check-docker-credentials check-k8s-image-env-var ${BINARY_YQ} ## Builds the docker image of the K8s app.
 	@echo "Building docker image $(IMAGE)..."
 	@DOCKER_BUILDKIT=1 docker build . -t $(IMAGE)
 
diff --git a/build/make/vulnerability-scan.mk b/build/make/vulnerability-scan.mk
@@ -0,0 +1,13 @@
+##@ Vulnerability scan
+
+GOVULNCHECK_BIN=${UTILITY_BIN_PATH}/govulncheck
+GOVULNCHECK_VERSION?=latest
+
+${GOVULNCHECK_BIN}: ${UTILITY_BIN_PATH}
+	$(call go-get-tool,$(GOVULNCHECK_BIN),golang.org/x/vuln/cmd/govulncheck@$(GOVULNCHECK_VERSION))
+
+.PHONY: govulncheck
+govulncheck: ${GOVULNCHECK_BIN} ## This target is used to scan the go repository against known vulnerabilities
+	@echo "Start vulnerability against repository"
+	${GOVULNCHECK_BIN} -show verbose ./...
+	@echo "Finished scan"
diff --git a/docs/gui/release_notes_de.md b/docs/gui/release_notes_de.md
@@ -4,6 +4,10 @@ Im Folgenden finden Sie die Release Notes für das Sonatype Nexus-Dogu.
 
 Technische Details zu einem Release finden Sie im zugehörigen [Changelog](https://docs.cloudogu.com/de/docs/dogus/nexus/CHANGELOG/).
 
+## Release 3.68.1-6
+* Die interne Passwortgenerierung wurde durch eine neue CARP-Version abgesichert.
+* Die Cloudogu-eigenen Quellen werden von der MIT-Lizenz auf die AGPL-3.0-only relizensiert.
+
 ## Release 3.68.1-5
 * Behebung des Problems das BasicAuth-Requests zu Sperren im CAS geführt haben.
 
diff --git a/docs/gui/release_notes_en.md b/docs/gui/release_notes_en.md
@@ -4,6 +4,10 @@ Below you will find the release notes for the Sonatype Nexus Dogu.
 
 Technical details on a release can be found in the corresponding [Changelog](https://docs.cloudogu.com/en/docs/dogus/nexus/CHANGELOG/).
 
+## Release 3.68.1-6
+* The internal password generation has been secured by a new CARP version.
+* Relicense own code to AGPL-3.0-only
+
 ## Release 3.68.1-5
 * Fixes the problem that BasicAuth requests led to locks in the CAS.
 
diff --git a/dogu.json b/dogu.json
@@ -1,6 +1,6 @@
 {
   "Name": "official/nexus",
-  "Version": "3.68.1-5",
+  "Version": "3.68.1-6",
   "DisplayName": "Sonatype Nexus",
   "Description": "The Nexus Repository is like the local warehouse where all of the parts and finished goods used in your software supply chain are stored and distributed.",
   "Url": "http://www.sonatype.org/nexus",

-Original file line number
+Diff line change
 #!groovy
 -@Library(['github.com/cloudogu/ces-build-lib@2.2.1', 'github.com/cloudogu/[email protected]'])
 +@Library(['github.com/cloudogu/ces-build-lib@2.3.0', 'github.com/cloudogu/[email protected]'])
 import com.cloudogu.ces.cesbuildlib.*
 import com.cloudogu.ces.dogubuildlib.*
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"Name": "official/nexus",`
`3`		`- "Version": "3.68.1-5",`
	`3`	`+ "Version": "3.68.1-6",`
`4`	`4`	`"DisplayName": "Sonatype Nexus",`
`5`	`5`	`"Description": "The Nexus Repository is like the local warehouse where all of the parts and finished goods used in your software supply chain are stored and distributed.",`
`6`	`6`	`"Url": "http://www.sonatype.org/nexus",`