From 1aa970d634b288ddaaf63ba05234cbb2b70340c8 Mon Sep 17 00:00:00 2001 From: seonghobae <8172694+seonghobae@users.noreply.github.com> Date: Wed, 24 Jun 2026 22:37:59 +0000 Subject: [PATCH 01/13] =?UTF-8?q?feat:=20PDF=20=EB=8B=A4=EC=9A=B4=EB=A1=9C?= =?UTF-8?q?=EB=93=9C=20API=20=EB=B0=8F=20=EA=B4=80=EB=A6=AC=EC=9E=90=20?= =?UTF-8?q?=EC=A1=B0=ED=9A=8C=20API=20=EC=B6=94=EA=B0=80?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - GET /api/v1/convert/jobs/{jobId}/download 엔드포인트를 구현하여 PDF 다운로드 (체크섬 포함) 지원 - GET /api/v1/admin/convert/jobs 엔드포인트를 통해 시스템 전체 작업 조회 및 deadLettered 필터 기능 구현 - 모든 신규 기능에 대해 Repository/Service/Controller 계층의 100% 테스트 커버리지 달성 - 변경 사항을 CHANGELOG.md에 반영 --- CHANGELOG.md | 16 ++++ .../viewer/api/AdminJobListResponse.java | 25 ++++++ .../viewer/controller/AdminController.java | 53 ++++++++++++ .../controller/ConversionController.java | 70 ++++++++++++++++ .../DefaultDocumentConversionService.java | 8 ++ .../service/DocumentConversionService.java | 7 ++ .../controller/AdminControllerTest.java | 80 +++++++++++++++++++ .../controller/ConversionControllerTest.java | 76 +++++++++++++++++- .../InMemoryConversionJobRepositoryTest.java | 33 ++++++++ .../DefaultDocumentConversionServiceTest.java | 44 ++++++++++ .../ServiceInterfaceDefaultMethodsTest.java | 5 ++ 11 files changed, 416 insertions(+), 1 deletion(-) create mode 100644 CHANGELOG.md create mode 100644 src/main/java/com/clearfolio/viewer/api/AdminJobListResponse.java create mode 100644 src/main/java/com/clearfolio/viewer/controller/AdminController.java create mode 100644 src/test/java/com/clearfolio/viewer/controller/AdminControllerTest.java diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 00000000..ae43e875 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,16 @@ +# Changelog + +## [0.1.0] - 2026-06-25 + +### 추가된 기능 (Added) +- **PDF 다운로드 API 추가 (`GET /api/v1/convert/jobs/{jobId}/download`)** + - 변환 성공한 작업에 대한 PDF 바이너리 다운로드 엔드포인트를 구현했습니다. + - 파일 다운로드 시 원본 파일명 기반의 `.pdf` 확장자 처리와 파일 무결성을 위한 체크섬(`X-Checksum-Sha256`) 헤더를 응답에 포함하도록 지원합니다. + +- **관리자용 전체 작업 조회 API 추가 (`GET /api/v1/admin/convert/jobs`)** + - 시스템 내 전체 변환 작업 내역을 조회할 수 있는 Admin 엔드포인트를 구현했습니다. + - `deadLettered` 필터 조건을 쿼리 파라미터로 제공하여 실패한 작업들만 조회할 수 있습니다. + - 관련 `AdminJobListResponse` DTO 모델과 이를 처리하는 Repository 및 Service 계층의 `findAll`/`getAllJobs` 메서드를 추가했습니다. + +### 테스트 커버리지 (Tests) +- 신규 구현된 Repository, Service, Controller 계층에 대한 유닛 테스트(Unit Tests)를 작성하여 JaCoCo 기준 라인 및 브랜치 커버리지 100%를 달성했습니다. diff --git a/src/main/java/com/clearfolio/viewer/api/AdminJobListResponse.java b/src/main/java/com/clearfolio/viewer/api/AdminJobListResponse.java new file mode 100644 index 00000000..f691256e --- /dev/null +++ b/src/main/java/com/clearfolio/viewer/api/AdminJobListResponse.java @@ -0,0 +1,25 @@ +package com.clearfolio.viewer.api; + +import java.util.List; +import com.clearfolio.viewer.model.ConversionJob; + +/** + * Payload representing a list of conversion jobs for admin view. + */ +public record AdminJobListResponse( + List jobs +) { + /** + * Creates an admin job list response from an iterable of jobs. + * + * @param jobs iterable of conversion jobs + * @return admin job list response + */ + public static AdminJobListResponse from(Iterable jobs) { + java.util.List list = new java.util.ArrayList<>(); + for (ConversionJob job : jobs) { + list.add(ConversionJobStatusResponse.from(job)); + } + return new AdminJobListResponse(list); + } +} diff --git a/src/main/java/com/clearfolio/viewer/controller/AdminController.java b/src/main/java/com/clearfolio/viewer/controller/AdminController.java new file mode 100644 index 00000000..fcc9760e --- /dev/null +++ b/src/main/java/com/clearfolio/viewer/controller/AdminController.java @@ -0,0 +1,53 @@ +package com.clearfolio.viewer.controller; + +import org.springframework.web.bind.annotation.GetMapping; +import org.springframework.web.bind.annotation.RequestParam; +import org.springframework.web.bind.annotation.RestController; + +import com.clearfolio.viewer.api.AdminJobListResponse; +import com.clearfolio.viewer.model.ConversionJob; +import com.clearfolio.viewer.service.DocumentConversionService; + +import java.util.ArrayList; +import java.util.List; + +/** + * Controller for admin-specific endpoints. + */ +@RestController +public class AdminController { + + private final DocumentConversionService conversionService; + + /** + * Creates a controller for admin operations. + * + * @param conversionService conversion service + */ + public AdminController(DocumentConversionService conversionService) { + this.conversionService = conversionService; + } + + /** + * Retrieves all conversion jobs, optionally filtered by dead-letter status. + * + * @param deadLettered optional filter for dead-lettered jobs + * @return list of conversion jobs + */ + @GetMapping("/api/v1/admin/convert/jobs") + public AdminJobListResponse getAllJobs(@RequestParam(required = false) Boolean deadLettered) { + Iterable allJobs = conversionService.getAllJobs(); + + if (deadLettered == null) { + return AdminJobListResponse.from(allJobs); + } + + List filtered = new ArrayList<>(); + for (ConversionJob job : allJobs) { + if (job.isDeadLettered() == deadLettered) { + filtered.add(job); + } + } + return AdminJobListResponse.from(filtered); + } +} diff --git a/src/main/java/com/clearfolio/viewer/controller/ConversionController.java b/src/main/java/com/clearfolio/viewer/controller/ConversionController.java index 9b73c74a..5b6fdd51 100644 --- a/src/main/java/com/clearfolio/viewer/controller/ConversionController.java +++ b/src/main/java/com/clearfolio/viewer/controller/ConversionController.java @@ -33,6 +33,11 @@ import com.clearfolio.viewer.service.DocumentConversionService; import com.clearfolio.viewer.service.PolicyOverrideRequest; import com.clearfolio.viewer.service.RetryDeadLetterResult; +import com.clearfolio.viewer.artifact.ArtifactStore; + +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.util.Optional; import reactor.core.publisher.Mono; import reactor.core.scheduler.Schedulers; @@ -51,6 +56,7 @@ public class ConversionController { private final DocumentConversionService conversionService; private final TenantAccessService tenantAccessService; private final ArtifactLinkService artifactLinkService; + private final ArtifactStore artifactStore; private final int maxInMemorySizeBytes; /** @@ -59,16 +65,19 @@ public class ConversionController { * @param conversionService conversion service * @param tenantAccessService tenant and permission guard * @param artifactLinkService signed artifact link service + * @param artifactStore artifact store for downloading pdfs * @param maxInMemorySize maximum in-memory multipart size */ public ConversionController( DocumentConversionService conversionService, TenantAccessService tenantAccessService, ArtifactLinkService artifactLinkService, + ArtifactStore artifactStore, @Value("${spring.codec.max-in-memory-size:262144B}") DataSize maxInMemorySize) { this.conversionService = conversionService; this.tenantAccessService = tenantAccessService; this.artifactLinkService = artifactLinkService; + this.artifactStore = artifactStore; long bytes = Math.max(1L, maxInMemorySize.toBytes()); this.maxInMemorySizeBytes = bytes > Integer.MAX_VALUE ? Integer.MAX_VALUE : (int) bytes; } @@ -175,6 +184,67 @@ public ViewerBootstrapResponse getViewer( return getViewerBootstrap(docId, tenantContext); } + /** + * Downloads the converted PDF artifact. + * + * @param jobId conversion job identifier + * @return PDF bytes with attachment disposition and checksum header + */ + @GetMapping("/api/v1/convert/jobs/{jobId}/download") + public Mono> downloadArtifact(@PathVariable UUID jobId) { + ConversionJob job = conversionService.getJob(jobId) + .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "job not found")); + + if (job.getStatus() != ConversionJobStatus.SUCCEEDED) { + throw new ResponseStatusException( + HttpStatus.CONFLICT, + job.getStatus() + " not ready yet. retry in a few seconds" + ); + } + + Optional stored = artifactStore.getPdf(jobId); + if (stored.isEmpty()) { + throw new ResponseStatusException(HttpStatus.NOT_FOUND, "artifact not found"); + } + + byte[] pdfBytes = stored.get(); + String checksum = calculateSha256(pdfBytes); + String filename = job.getOriginalFileName(); + if (filename == null || filename.isBlank()) { + filename = "document"; + } + + int lastDotIndex = filename.lastIndexOf('.'); + if (lastDotIndex > 0) { + filename = filename.substring(0, lastDotIndex); + } + filename = filename + ".pdf"; + + return Mono.just(ResponseEntity.ok() + .contentType(MediaType.APPLICATION_PDF) + .header(HttpHeaders.CONTENT_DISPOSITION, "attachment; filename=\"" + filename + "\"") + .header("X-Checksum-Sha256", checksum) + .body(pdfBytes)); + } + + private String calculateSha256(byte[] data) { + try { + MessageDigest digest = MessageDigest.getInstance("SHA-256"); + byte[] hash = digest.digest(data); + StringBuilder hexString = new StringBuilder(2 * hash.length); + for (byte b : hash) { + String hex = Integer.toHexString(0xff & b); + if (hex.length() == 1) { + hexString.append('0'); + } + hexString.append(hex); + } + return hexString.toString(); + } catch (NoSuchAlgorithmException e) { + throw new IllegalStateException("SHA-256 algorithm not available", e); + } + } + private ViewerBootstrapResponse getViewerBootstrap(UUID docId, TenantContext tenantContext) { ConversionJob job = conversionService.getJob(docId) .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "job not found")); diff --git a/src/main/java/com/clearfolio/viewer/service/DefaultDocumentConversionService.java b/src/main/java/com/clearfolio/viewer/service/DefaultDocumentConversionService.java index b8787f35..8ca11cbd 100644 --- a/src/main/java/com/clearfolio/viewer/service/DefaultDocumentConversionService.java +++ b/src/main/java/com/clearfolio/viewer/service/DefaultDocumentConversionService.java @@ -149,6 +149,14 @@ public RetryDeadLetterResult retryDeadLettered(UUID jobId, String operatorId) { return RetryDeadLetterResult.ACCEPTED; } + /** + * {@inheritDoc} + */ + @Override + public Iterable getAllJobs() { + return repository.findAll(); + } + private String contentHash(MultipartFile file) { try (InputStream stream = file.getInputStream()) { MessageDigest digest = MessageDigest.getInstance("SHA-256"); diff --git a/src/main/java/com/clearfolio/viewer/service/DocumentConversionService.java b/src/main/java/com/clearfolio/viewer/service/DocumentConversionService.java index ce25045e..8b448789 100644 --- a/src/main/java/com/clearfolio/viewer/service/DocumentConversionService.java +++ b/src/main/java/com/clearfolio/viewer/service/DocumentConversionService.java @@ -59,4 +59,11 @@ default UUID submit(MultipartFile file, PolicyOverrideRequest overrideRequest, T * @return retry outcome */ RetryDeadLetterResult retryDeadLettered(UUID jobId, String operatorId); + + /** + * Returns all registered conversion jobs. + * + * @return an iterable of all conversion jobs + */ + Iterable getAllJobs(); } diff --git a/src/test/java/com/clearfolio/viewer/controller/AdminControllerTest.java b/src/test/java/com/clearfolio/viewer/controller/AdminControllerTest.java new file mode 100644 index 00000000..355e48f9 --- /dev/null +++ b/src/test/java/com/clearfolio/viewer/controller/AdminControllerTest.java @@ -0,0 +1,80 @@ +package com.clearfolio.viewer.controller; + +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.when; + +import java.util.Arrays; +import java.util.UUID; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.springframework.test.web.reactive.server.WebTestClient; + +import com.clearfolio.viewer.model.ConversionJob; +import com.clearfolio.viewer.service.DocumentConversionService; + +class AdminControllerTest { + + private DocumentConversionService conversionService; + private WebTestClient webTestClient; + private AdminController controller; + + @BeforeEach + void setUp() { + conversionService = mock(DocumentConversionService.class); + controller = new AdminController(conversionService); + webTestClient = WebTestClient.bindToController(controller) + .controllerAdvice(new ApiExceptionHandler()) + .build(); + } + + @Test + void getAllJobsReturnsAllJobsWhenNoFilterProvided() { + ConversionJob job1 = new ConversionJob(UUID.randomUUID(), "a.pdf", "application/pdf", "hash-a", 100L); + ConversionJob job2 = new ConversionJob(UUID.randomUUID(), "b.pdf", "application/pdf", "hash-b", 100L); + when(conversionService.getAllJobs()).thenReturn(Arrays.asList(job1, job2)); + + webTestClient.get() + .uri("/api/v1/admin/convert/jobs") + .exchange() + .expectStatus().isOk() + .expectBody() + .jsonPath("$.jobs.length()").isEqualTo(2) + .jsonPath("$.jobs[0].fileName").isEqualTo("a.pdf") + .jsonPath("$.jobs[1].fileName").isEqualTo("b.pdf"); + } + + @Test + void getAllJobsFiltersByDeadLetteredTrue() { + ConversionJob job1 = new ConversionJob(UUID.randomUUID(), "a.pdf", "application/pdf", "hash-a", 100L); + job1.markDeadLettered("failed"); + ConversionJob job2 = new ConversionJob(UUID.randomUUID(), "b.pdf", "application/pdf", "hash-b", 100L); + + when(conversionService.getAllJobs()).thenReturn(Arrays.asList(job1, job2)); + + webTestClient.get() + .uri("/api/v1/admin/convert/jobs?deadLettered=true") + .exchange() + .expectStatus().isOk() + .expectBody() + .jsonPath("$.jobs.length()").isEqualTo(1) + .jsonPath("$.jobs[0].fileName").isEqualTo("a.pdf"); + } + + @Test + void getAllJobsFiltersByDeadLetteredFalse() { + ConversionJob job1 = new ConversionJob(UUID.randomUUID(), "a.pdf", "application/pdf", "hash-a", 100L); + job1.markDeadLettered("failed"); + ConversionJob job2 = new ConversionJob(UUID.randomUUID(), "b.pdf", "application/pdf", "hash-b", 100L); + + when(conversionService.getAllJobs()).thenReturn(Arrays.asList(job1, job2)); + + webTestClient.get() + .uri("/api/v1/admin/convert/jobs?deadLettered=false") + .exchange() + .expectStatus().isOk() + .expectBody() + .jsonPath("$.jobs.length()").isEqualTo(1) + .jsonPath("$.jobs[0].fileName").isEqualTo("b.pdf"); + } +} diff --git a/src/test/java/com/clearfolio/viewer/controller/ConversionControllerTest.java b/src/test/java/com/clearfolio/viewer/controller/ConversionControllerTest.java index 93f65f56..a0738428 100644 --- a/src/test/java/com/clearfolio/viewer/controller/ConversionControllerTest.java +++ b/src/test/java/com/clearfolio/viewer/controller/ConversionControllerTest.java @@ -44,7 +44,6 @@ class ConversionControllerTest { private WebTestClient webTestClient; private DocumentConversionService conversionService; - private InMemoryArtifactStore artifactStore; private ConversionController controller; @@ -57,6 +56,7 @@ void setUp() { conversionService, new TenantAccessService(), new ArtifactLinkService(artifactStore, "test-secret"), + artifactStore, DataSize.ofBytes(262_144L) ); webTestClient = WebTestClient.bindToController( @@ -70,6 +70,7 @@ void constructorCapsMaxInMemorySizeAtIntegerMaxValue() throws Exception { conversionService, new TenantAccessService(), new ArtifactLinkService(new InMemoryArtifactStore(), "test-secret"), + artifactStore, DataSize.ofBytes((long) Integer.MAX_VALUE + 1) ); Field field = ConversionController.class.getDeclaredField("maxInMemorySizeBytes"); @@ -571,6 +572,79 @@ void viewerReturnsBootstrapForSucceededStatus() { .jsonPath("$.rendererAdapter").isEqualTo("DOCX_PREVIEW"); } + @Test + void downloadArtifactReturnsNotFoundWhenJobNotFound() { + UUID jobId = UUID.randomUUID(); + when(conversionService.getJob(jobId)).thenReturn(Optional.empty()); + + webTestClient.get() + .uri("/api/v1/convert/jobs/{jobId}/download", jobId) + .exchange() + .expectStatus().isNotFound(); + } + + @Test + void downloadArtifactReturnsConflictWhenJobNotSucceeded() { + UUID jobId = UUID.randomUUID(); + ConversionJob job = new ConversionJob(jobId, "doc.docx", "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "hash", 10L); + when(conversionService.getJob(jobId)).thenReturn(Optional.of(job)); + + webTestClient.get() + .uri("/api/v1/convert/jobs/{jobId}/download", jobId) + .exchange() + .expectStatus().isEqualTo(409); + } + + @Test + void downloadArtifactReturnsNotFoundWhenArtifactMissing() { + UUID jobId = UUID.randomUUID(); + ConversionJob job = new ConversionJob(jobId, "doc.docx", "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "hash", 10L); + job.markSucceeded("/path", "done"); + when(conversionService.getJob(jobId)).thenReturn(Optional.of(job)); + + webTestClient.get() + .uri("/api/v1/convert/jobs/{jobId}/download", jobId) + .exchange() + .expectStatus().isNotFound(); + } + + @Test + void downloadArtifactReturnsPdfWithAttachmentDispositionAndChecksum() { + UUID jobId = UUID.randomUUID(); + ConversionJob job = new ConversionJob(jobId, "my-report.docx", "application/vnd.openxmlformats-officedocument.wordprocessingml.document", "hash", 10L); + job.markSucceeded("/path", "done"); + byte[] pdfBytes = "fake pdf".getBytes(); + + when(conversionService.getJob(jobId)).thenReturn(Optional.of(job)); + artifactStore.putPdf(jobId, pdfBytes); + + webTestClient.get() + .uri("/api/v1/convert/jobs/{jobId}/download", jobId) + .exchange() + .expectStatus().isOk() + .expectHeader().contentType(MediaType.APPLICATION_PDF) + .expectHeader().valueEquals(HttpHeaders.CONTENT_DISPOSITION, "attachment; filename=\"my-report.pdf\"") + .expectHeader().exists("X-Checksum-Sha256") + .expectBody(byte[].class).isEqualTo(pdfBytes); + } + + @Test + void downloadArtifactHandlesNullFilename() { + UUID jobId = UUID.randomUUID(); + ConversionJob job = new ConversionJob(jobId, null, "application/pdf", "hash", 10L); + job.markSucceeded("/path", "done"); + byte[] pdfBytes = "fake pdf".getBytes(); + + when(conversionService.getJob(jobId)).thenReturn(Optional.of(job)); + artifactStore.putPdf(jobId, pdfBytes); + + webTestClient.get() + .uri("/api/v1/convert/jobs/{jobId}/download", jobId) + .exchange() + .expectStatus().isOk() + .expectHeader().valueEquals(HttpHeaders.CONTENT_DISPOSITION, "attachment; filename=\"document.pdf\""); + } + @Test void viewerReturnsNotFoundWhenJobMissing() { UUID docId = UUID.randomUUID(); diff --git a/src/test/java/com/clearfolio/viewer/repository/InMemoryConversionJobRepositoryTest.java b/src/test/java/com/clearfolio/viewer/repository/InMemoryConversionJobRepositoryTest.java index 28f0af0e..cac25ca5 100644 --- a/src/test/java/com/clearfolio/viewer/repository/InMemoryConversionJobRepositoryTest.java +++ b/src/test/java/com/clearfolio/viewer/repository/InMemoryConversionJobRepositoryTest.java @@ -339,6 +339,39 @@ void stateStoreDeadLetterDoesNotDowngradeSucceededJob() { assertEquals("done", job.getStatusMessage()); } + @Test + void findAllReturnsAllStoredJobs() { + InMemoryConversionJobRepository repository = new InMemoryConversionJobRepository(); + + Iterable initial = repository.findAll(); + assertFalse(initial.iterator().hasNext(), "findAll should be empty initially"); + + ConversionJob job1 = newJob("hash-1"); + ConversionJob job2 = newJob("hash-2"); + + repository.save(job1); + repository.save(job2); + + Iterable all = repository.findAll(); + int count = 0; + boolean found1 = false; + boolean found2 = false; + + for (ConversionJob job : all) { + count++; + if (job.getJobId().equals(job1.getJobId())) { + found1 = true; + } + if (job.getJobId().equals(job2.getJobId())) { + found2 = true; + } + } + + assertEquals(2, count); + assertTrue(found1); + assertTrue(found2); + } + private ConversionJob newJob(String contentHash) { return new ConversionJob( UUID.randomUUID(), diff --git a/src/test/java/com/clearfolio/viewer/service/DefaultDocumentConversionServiceTest.java b/src/test/java/com/clearfolio/viewer/service/DefaultDocumentConversionServiceTest.java index ca51807a..d9449e80 100644 --- a/src/test/java/com/clearfolio/viewer/service/DefaultDocumentConversionServiceTest.java +++ b/src/test/java/com/clearfolio/viewer/service/DefaultDocumentConversionServiceTest.java @@ -45,6 +45,45 @@ class DefaultDocumentConversionServiceTest { + @Test + void getAllJobsReturnsAllJobsFromRepository() { + InMemoryConversionJobRepository repository = new InMemoryConversionJobRepository(); + ConversionProperties props = new ConversionProperties(); + DefaultDocumentConversionService service = new DefaultDocumentConversionService( + repository, + new DocumentValidationService() { + @Override + public void validateOrThrow(org.springframework.web.multipart.MultipartFile file) { + } + }, + id -> {}, + props + ); + + ConversionJob job1 = new ConversionJob(UUID.randomUUID(), "a.pdf", "application/pdf", "hash-a", 100L); + ConversionJob job2 = new ConversionJob(UUID.randomUUID(), "b.pdf", "application/pdf", "hash-b", 100L); + repository.save(job1); + repository.save(job2); + + Iterable allJobs = service.getAllJobs(); + int count = 0; + boolean found1 = false; + boolean found2 = false; + for (ConversionJob job : allJobs) { + count++; + if (job.getJobId().equals(job1.getJobId())) { + found1 = true; + } + if (job.getJobId().equals(job2.getJobId())) { + found2 = true; + } + } + + assertEquals(2, count); + assertTrue(found1); + assertTrue(found2); + } + @Test void submitWithOverrideDelegatesPolicyHeadersToValidationService() { ConversionJobRepository repository = new InMemoryConversionJobRepository(); @@ -672,6 +711,11 @@ public java.util.List findAll() { public ConversionJobRepository.FindOrStoreResult findOrStoreByContentHash(ConversionJob candidate) { return finder.apply(candidate); } + + @Override + public Iterable findAll() { + return java.util.Collections.emptyList(); + } } private static class RecordingStateStore implements ConversionJobStateStore { diff --git a/src/test/java/com/clearfolio/viewer/service/ServiceInterfaceDefaultMethodsTest.java b/src/test/java/com/clearfolio/viewer/service/ServiceInterfaceDefaultMethodsTest.java index 075df363..a467273b 100644 --- a/src/test/java/com/clearfolio/viewer/service/ServiceInterfaceDefaultMethodsTest.java +++ b/src/test/java/com/clearfolio/viewer/service/ServiceInterfaceDefaultMethodsTest.java @@ -32,6 +32,11 @@ public Optional getJob(UUID jobId) { public RetryDeadLetterResult retryDeadLettered(UUID jobId, String operatorId) { return RetryDeadLetterResult.NOT_FOUND; } + + @Override + public Iterable getAllJobs() { + return java.util.Collections.emptyList(); + } }; UUID actual = service.submit( From 8f2c88a3a044cc2a6c48c2b146d9d094b75664a8 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Mon, 29 Jun 2026 01:51:58 +0900 Subject: [PATCH 02/13] Harden download headers and repository snapshots --- .../controller/ConversionController.java | 50 +++++++++++++++---- ...onversionControllerMultipartLimitTest.java | 1 + .../controller/ConversionControllerTest.java | 27 ++++++++++ .../InMemoryConversionJobRepositoryTest.java | 28 +++++++++++ .../DefaultDocumentConversionServiceTest.java | 5 -- .../ServiceInterfaceDefaultMethodsTest.java | 5 ++ 6 files changed, 100 insertions(+), 16 deletions(-) diff --git a/src/main/java/com/clearfolio/viewer/controller/ConversionController.java b/src/main/java/com/clearfolio/viewer/controller/ConversionController.java index 5b6fdd51..1808b159 100644 --- a/src/main/java/com/clearfolio/viewer/controller/ConversionController.java +++ b/src/main/java/com/clearfolio/viewer/controller/ConversionController.java @@ -5,6 +5,7 @@ import org.springframework.beans.factory.annotation.Value; import org.springframework.core.io.buffer.DataBuffer; import org.springframework.core.io.buffer.DataBufferUtils; +import org.springframework.http.ContentDisposition; import org.springframework.http.HttpHeaders; import org.springframework.util.unit.DataSize; import org.springframework.http.HttpStatus; @@ -209,24 +210,51 @@ public Mono> downloadArtifact(@PathVariable UUID jobId) { byte[] pdfBytes = stored.get(); String checksum = calculateSha256(pdfBytes); - String filename = job.getOriginalFileName(); - if (filename == null || filename.isBlank()) { - filename = "document"; - } - - int lastDotIndex = filename.lastIndexOf('.'); - if (lastDotIndex > 0) { - filename = filename.substring(0, lastDotIndex); - } - filename = filename + ".pdf"; + String filename = pdfDownloadFilename(job.getOriginalFileName()); + ContentDisposition contentDisposition = ContentDisposition.attachment() + .filename(filename) + .build(); return Mono.just(ResponseEntity.ok() .contentType(MediaType.APPLICATION_PDF) - .header(HttpHeaders.CONTENT_DISPOSITION, "attachment; filename=\"" + filename + "\"") + .header(HttpHeaders.CONTENT_DISPOSITION, contentDisposition.toString()) .header("X-Checksum-Sha256", checksum) .body(pdfBytes)); } + private static String pdfDownloadFilename(String originalFileName) { + String baseName = "document"; + if (originalFileName != null && !originalFileName.isBlank()) { + baseName = originalFileName.strip(); + int lastDotIndex = baseName.lastIndexOf('.'); + if (lastDotIndex > 0) { + baseName = baseName.substring(0, lastDotIndex); + } + } + + String sanitized = sanitizeFilenameBase(baseName); + if (sanitized.isBlank() || sanitized.chars().allMatch(character -> character == '.' || character == '_')) { + sanitized = "document"; + } + return sanitized + ".pdf"; + } + + private static String sanitizeFilenameBase(String baseName) { + StringBuilder sanitized = new StringBuilder(baseName.length()); + for (int index = 0; index < baseName.length(); index++) { + char character = baseName.charAt(index); + if (Character.isLetterOrDigit(character) + || character == '.' + || character == '-' + || character == '_') { + sanitized.append(character); + } else { + sanitized.append('_'); + } + } + return sanitized.toString(); + } + private String calculateSha256(byte[] data) { try { MessageDigest digest = MessageDigest.getInstance("SHA-256"); diff --git a/src/test/java/com/clearfolio/viewer/controller/ConversionControllerMultipartLimitTest.java b/src/test/java/com/clearfolio/viewer/controller/ConversionControllerMultipartLimitTest.java index 931cb526..86ce9834 100644 --- a/src/test/java/com/clearfolio/viewer/controller/ConversionControllerMultipartLimitTest.java +++ b/src/test/java/com/clearfolio/viewer/controller/ConversionControllerMultipartLimitTest.java @@ -56,6 +56,7 @@ ConversionController conversionController(DocumentConversionService conversionSe conversionService, new TenantAccessService(), new ArtifactLinkService(new InMemoryArtifactStore(), "test-secret"), + new InMemoryArtifactStore(), org.springframework.util.unit.DataSize.ofBytes(2048L) ); } diff --git a/src/test/java/com/clearfolio/viewer/controller/ConversionControllerTest.java b/src/test/java/com/clearfolio/viewer/controller/ConversionControllerTest.java index a0738428..f1e87174 100644 --- a/src/test/java/com/clearfolio/viewer/controller/ConversionControllerTest.java +++ b/src/test/java/com/clearfolio/viewer/controller/ConversionControllerTest.java @@ -628,6 +628,33 @@ void downloadArtifactReturnsPdfWithAttachmentDispositionAndChecksum() { .expectBody(byte[].class).isEqualTo(pdfBytes); } + @Test + void downloadArtifactNormalizesUnsafeFilenameForContentDisposition() { + UUID jobId = UUID.randomUUID(); + ConversionJob job = new ConversionJob( + jobId, + "report\"\r\nX-Injected: yes.docx", + "application/vnd.openxmlformats-officedocument.wordprocessingml.document", + "hash", + 10L + ); + job.markSucceeded("/path", "done"); + byte[] pdfBytes = "fake pdf".getBytes(); + + when(conversionService.getJob(jobId)).thenReturn(Optional.of(job)); + artifactStore.putPdf(jobId, pdfBytes); + + webTestClient.get() + .uri("/api/v1/convert/jobs/{jobId}/download", jobId) + .exchange() + .expectStatus().isOk() + .expectHeader().valueEquals( + HttpHeaders.CONTENT_DISPOSITION, + "attachment; filename=\"report___X-Injected__yes.pdf\"" + ) + .expectHeader().doesNotExist("X-Injected"); + } + @Test void downloadArtifactHandlesNullFilename() { UUID jobId = UUID.randomUUID(); diff --git a/src/test/java/com/clearfolio/viewer/repository/InMemoryConversionJobRepositoryTest.java b/src/test/java/com/clearfolio/viewer/repository/InMemoryConversionJobRepositoryTest.java index cac25ca5..cb27b735 100644 --- a/src/test/java/com/clearfolio/viewer/repository/InMemoryConversionJobRepositoryTest.java +++ b/src/test/java/com/clearfolio/viewer/repository/InMemoryConversionJobRepositoryTest.java @@ -5,10 +5,12 @@ import static org.junit.jupiter.api.Assertions.assertIterableEquals; import static org.junit.jupiter.api.Assertions.assertNull; import static org.junit.jupiter.api.Assertions.assertSame; +import static org.junit.jupiter.api.Assertions.assertThrows; import static org.junit.jupiter.api.Assertions.assertTrue; import java.lang.reflect.Field; import java.time.Instant; +import java.util.Collection; import java.util.List; import java.util.Optional; import java.util.UUID; @@ -372,6 +374,32 @@ void findAllReturnsAllStoredJobs() { assertTrue(found2); } + @Test + void findAllReturnsImmutableSnapshot() { + InMemoryConversionJobRepository repository = new InMemoryConversionJobRepository(); + ConversionJob job = newJob("hash-snapshot"); + ConversionJob laterJob = newJob("hash-later"); + repository.save(job); + + Iterable snapshot = repository.findAll(); + repository.save(laterJob); + + int count = 0; + boolean foundOriginal = false; + boolean foundLater = false; + for (ConversionJob current : snapshot) { + count++; + foundOriginal = foundOriginal || current.getJobId().equals(job.getJobId()); + foundLater = foundLater || current.getJobId().equals(laterJob.getJobId()); + } + + assertEquals(1, count); + assertTrue(foundOriginal); + assertFalse(foundLater); + assertThrows(UnsupportedOperationException.class, () -> ((Collection) snapshot).clear()); + assertTrue(repository.findById(job.getJobId()).isPresent()); + } + private ConversionJob newJob(String contentHash) { return new ConversionJob( UUID.randomUUID(), diff --git a/src/test/java/com/clearfolio/viewer/service/DefaultDocumentConversionServiceTest.java b/src/test/java/com/clearfolio/viewer/service/DefaultDocumentConversionServiceTest.java index d9449e80..b5f4a0ab 100644 --- a/src/test/java/com/clearfolio/viewer/service/DefaultDocumentConversionServiceTest.java +++ b/src/test/java/com/clearfolio/viewer/service/DefaultDocumentConversionServiceTest.java @@ -711,11 +711,6 @@ public java.util.List findAll() { public ConversionJobRepository.FindOrStoreResult findOrStoreByContentHash(ConversionJob candidate) { return finder.apply(candidate); } - - @Override - public Iterable findAll() { - return java.util.Collections.emptyList(); - } } private static class RecordingStateStore implements ConversionJobStateStore { diff --git a/src/test/java/com/clearfolio/viewer/service/ServiceInterfaceDefaultMethodsTest.java b/src/test/java/com/clearfolio/viewer/service/ServiceInterfaceDefaultMethodsTest.java index a467273b..07c5969d 100644 --- a/src/test/java/com/clearfolio/viewer/service/ServiceInterfaceDefaultMethodsTest.java +++ b/src/test/java/com/clearfolio/viewer/service/ServiceInterfaceDefaultMethodsTest.java @@ -72,6 +72,11 @@ public Optional getJob(UUID jobId) { public RetryDeadLetterResult retryDeadLettered(UUID jobId, String operatorId) { return RetryDeadLetterResult.NOT_FOUND; } + + @Override + public Iterable getAllJobs() { + return java.util.Collections.emptyList(); + } }; PolicyOverrideRequest overrideRequest = PolicyOverrideRequest.of("true", "token-123", "approver-1"); From 5c2d5bf076353dbdaa20876d04fd3546fbdc83d5 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Thu, 9 Jul 2026 08:33:54 +0900 Subject: [PATCH 03/13] =?UTF-8?q?=EB=B3=B4=EC=95=88:=20=EB=B2=A0=EC=9D=B4?= =?UTF-8?q?=EC=8A=A4=20=EC=9D=98=EC=A1=B4=EC=84=B1=20=EC=B7=A8=EC=95=BD?= =?UTF-8?q?=EC=A0=90=20=EC=9D=BC=EA=B4=84=20=EC=A0=95=EB=A6=AC=20(trivy-fs?= =?UTF-8?q?/osv-scan=20=EB=8C=80=EC=9D=91)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit trivy-fs가 pom.xml에서 CRITICAL 1 / HIGH 18 / MEDIUM 25건을 보고하여 베이스 의존성을 고정 버전으로 상향한다. - spring-boot-starter-parent 3.5.0 -> 3.5.16 (spring-core 6.2.19, netty 4.1.135.Final, reactor-netty-http 1.2.18, logback-core 1.5.34 등 Spring/Netty/Reactor/logback 권고 해소) - jackson-bom.version 2.21.5 오버라이드 (jackson-databind CVE-2026-54512/54513/54514/54515 등 제거) - dependencyManagement로 Tika 전이 의존성 고정 junrar 7.6.0, commons-io 2.20.0, commons-lang3 3.18.0, bcprov-jdk18on 1.84(CRITICAL) mvn test 347개 전부 통과 확인. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_01RTAMs4bpSZS77Xe3RQjv9P --- CHANGELOG.md | 5 +++++ pom.xml | 42 +++++++++++++++++++++++++++++++++++++++++- 2 files changed, 46 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ae43e875..cc698051 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,3 +14,8 @@ ### 테스트 커버리지 (Tests) - 신규 구현된 Repository, Service, Controller 계층에 대한 유닛 테스트(Unit Tests)를 작성하여 JaCoCo 기준 라인 및 브랜치 커버리지 100%를 달성했습니다. + +### 보안 (Security) +- **의존성 취약점 일괄 정리 (trivy-fs / osv-scan 대응)**: Spring Boot 부모 POM을 `3.5.0`에서 `3.5.16`으로 올려 Spring Framework, Netty, Reactor Netty, logback 관련 다수의 HIGH/MEDIUM 권고를 해소했습니다. +- Jackson 계열을 `jackson-bom` 오버라이드로 `2.21.5`로 고정하여 jackson-databind RCE/DoS 계열 권고(CVE-2026-54512·54513·54514·54515 등)를 제거했습니다. +- Apache Tika 표준 파서를 통해 유입되던 전이 의존성을 `dependencyManagement`로 고정했습니다: junrar `7.6.0`(경로 순회 RCE/파일 쓰기), commons-io `2.20.0`(XmlStreamReader DoS), commons-lang3 `3.18.0`, BouncyCastle `bcprov-jdk18on 1.84`(CRITICAL). 전체 347개 테스트 통과를 확인했습니다. diff --git a/pom.xml b/pom.xml index 6b7e40df..997a21af 100644 --- a/pom.xml +++ b/pom.xml @@ -7,7 +7,7 @@ org.springframework.boot spring-boot-starter-parent - 3.5.0 + 3.5.16 @@ -24,8 +24,48 @@ 3.0.3 4.10.38 + + 2.21.5 + + + + + + com.github.junrar + junrar + 7.6.0 + + + + commons-io + commons-io + 2.20.0 + + + + org.apache.commons + commons-lang3 + 3.18.0 + + + + org.bouncycastle + bcprov-jdk18on + 1.84 + + + + org.springframework.boot From bfa9e48f4ad70208811eaca1e4b711944c1c47e6 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Fri, 10 Jul 2026 03:34:25 +0900 Subject: [PATCH 04/13] fix(security): add governance scans and logback pin --- .clusterfuzzlite/Dockerfile | 7 ++++ .github/dependabot.yml | 25 +++++++++++ .github/workflows/codeql.yml | 42 +++++++++++++++++++ AGENTS.md | 4 ++ CHANGELOG.md | 2 + SECURITY.md | 25 +++++++++++ pom.xml | 9 ++++ .../controller/ConversionController.java | 2 +- .../controller/FuzzDownloadFilename.java | 24 +++++++++++ 9 files changed, 139 insertions(+), 1 deletion(-) create mode 100644 .clusterfuzzlite/Dockerfile create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/codeql.yml create mode 100644 SECURITY.md create mode 100644 src/test/java/com/clearfolio/viewer/controller/FuzzDownloadFilename.java diff --git a/.clusterfuzzlite/Dockerfile b/.clusterfuzzlite/Dockerfile new file mode 100644 index 00000000..d9e98a3e --- /dev/null +++ b/.clusterfuzzlite/Dockerfile @@ -0,0 +1,7 @@ +FROM maven:3.9-eclipse-temurin-21 + +WORKDIR /src/clearfolio +COPY . . + +RUN mvn -q -DskipTests test-compile +CMD ["bash", "-lc", "echo Run Jazzer against src/test/java/com/clearfolio/viewer/controller/FuzzDownloadFilename.java"] diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 00000000..924aa9ce --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,25 @@ +version: 2 +updates: + - package-ecosystem: "maven" + directory: "/" + schedule: + interval: "weekly" + day: "monday" + time: "09:00" + timezone: "Asia/Seoul" + open-pull-requests-limit: 5 + commit-message: + prefix: "deps" + include: "scope" + + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" + day: "monday" + time: "09:30" + timezone: "Asia/Seoul" + open-pull-requests-limit: 3 + commit-message: + prefix: "deps" + include: "scope" diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 00000000..991d117a --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,42 @@ +name: CodeQL + +on: + pull_request: + push: + branches: + - main + schedule: + - cron: "23 18 * * 1" + +permissions: + contents: read + +jobs: + analyze-java: + name: analyze-java + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + steps: + - name: Explain scan target + run: | + echo "::notice::Running CodeQL Java/Kotlin analysis for Clearfolio." + echo "::notice::SARIF upload requires security-events: write on this job." + + - name: Checkout repository + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 + + - name: Initialize CodeQL + uses: github/codeql-action/init@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 + with: + languages: java-kotlin + + - name: Autobuild + uses: github/codeql-action/autobuild@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 + + - name: Analyze + uses: github/codeql-action/analyze@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 + with: + category: "/language:java-kotlin" diff --git a/AGENTS.md b/AGENTS.md index dd1d398d..081c5cd2 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -13,6 +13,10 @@ including mandatory quality and security merge gates. - JavaDoc gate must pass (`mvn -q -DskipTests javadoc:javadoc`) with no warnings/errors. - Markdown lint for changed docs must pass. - Security evidence must be attached on PR (SAST/code-scanning checks). +- CodeQL Java/Kotlin analysis must run for pull requests and `main`. +- Dependabot must remain enabled for Maven and GitHub Actions manifests. +- Fuzzing coverage for security-sensitive parsing/header paths must remain + discoverable through Jazzer or ClusterFuzzLite-compatible targets. - License policy drift check must pass in engineering-review mode: `python3 scripts/check_sbom_license_policy.py --sbom docs/qa/evidence/2026-07-02-krw2b-sale-readiness/sbom-cyclonedx.json --policy docs/security/2026-07-02-license-policy.json`. Buyer-release mode adds `--require-no-review` after legal approval or diff --git a/CHANGELOG.md b/CHANGELOG.md index cc698051..b48fa6e4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,3 +19,5 @@ - **의존성 취약점 일괄 정리 (trivy-fs / osv-scan 대응)**: Spring Boot 부모 POM을 `3.5.0`에서 `3.5.16`으로 올려 Spring Framework, Netty, Reactor Netty, logback 관련 다수의 HIGH/MEDIUM 권고를 해소했습니다. - Jackson 계열을 `jackson-bom` 오버라이드로 `2.21.5`로 고정하여 jackson-databind RCE/DoS 계열 권고(CVE-2026-54512·54513·54514·54515 등)를 제거했습니다. - Apache Tika 표준 파서를 통해 유입되던 전이 의존성을 `dependencyManagement`로 고정했습니다: junrar `7.6.0`(경로 순회 RCE/파일 쓰기), commons-io `2.20.0`(XmlStreamReader DoS), commons-lang3 `3.18.0`, BouncyCastle `bcprov-jdk18on 1.84`(CRITICAL). 전체 347개 테스트 통과를 확인했습니다. +- logback-core 신규 권고(GHSA-jhq6-gfmj-v8fx) 대응을 위해 Logback 관리 버전을 `1.5.35`로 고정했습니다. +- 저장소 보안 정책, Maven/GitHub Actions Dependabot 설정, CodeQL Java/Kotlin SAST 워크플로, 다운로드 파일명 정규화 Jazzer fuzz target을 추가해 Scorecard 보안 거버넌스 신호를 보강했습니다. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..b9d2f024 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,25 @@ +# Security Policy + +## Supported Version + +Clearfolio is currently maintained on the `main` branch. Security fixes are +accepted for the active application and are released through reviewed pull +requests. + +## Reporting a Vulnerability + +Please report suspected vulnerabilities privately through GitHub Security +Advisories for this repository. Include the affected endpoint, dependency, +input, observed impact, and a minimal reproduction when possible. + +For automation failures, include the failing check name, run URL, and the +package/CVE or SARIF rule that triggered the alert. Reports that involve +document parsing, artifact links, tenant boundaries, or dependency resolution +are treated as high-sensitivity until triage proves otherwise. + +## Remediation Expectations + +Medium, high, and critical dependency advisories are fixed by bumping the +affected package or its managing BOM/parent. Workflow or repository-governance +findings are not dismissed silently; the relevant workflow logs must show the +reason when a check cannot complete. diff --git a/pom.xml b/pom.xml index 997a21af..f8b1ac23 100644 --- a/pom.xml +++ b/pom.xml @@ -27,6 +27,8 @@ 2.21.5 + + 1.5.35 + + + com.fasterxml.jackson + jackson-bom + ${jackson-bom.version} + pom + import + com.github.junrar @@ -65,6 +73,12 @@ bcprov-jdk18on 1.84 + + + org.bouncycastle + bcpkix-jdk18on + 1.84 + From 7fbea327ccf560601c3dbe2e330c236a9af88880 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Fri, 10 Jul 2026 04:39:27 +0900 Subject: [PATCH 07/13] fix(security): make scorecard remediation explicit --- CHANGELOG.md | 2 + LICENSE | 172 +++++++++++++++++++++++++++++++++++++++++++++++++++ pom.xml | 8 +++ 3 files changed, 182 insertions(+) create mode 100644 LICENSE diff --git a/CHANGELOG.md b/CHANGELOG.md index 9acbd480..3640ebb2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,5 +19,7 @@ - **의존성 취약점 일괄 정리 (trivy-fs / osv-scan 대응)**: Spring Boot 부모 POM을 `3.5.0`에서 `3.5.16`으로 올려 Spring Framework, Netty, Reactor Netty, logback 관련 다수의 HIGH/MEDIUM 권고를 해소했습니다. - Jackson 계열을 `jackson-bom` import로 `2.21.5`에 고정하여 jackson-databind RCE/DoS 계열 권고(CVE-2026-54512·54513·54514·54515 등)를 제거했습니다. - Apache Tika 표준 파서를 통해 유입되던 전이 의존성을 `dependencyManagement`로 고정했습니다: junrar `7.6.0`(경로 순회 RCE/파일 쓰기), commons-io `2.20.0`(XmlStreamReader DoS), commons-lang3 `3.18.0`, BouncyCastle `bcprov-jdk18on 1.84` 및 `bcpkix-jdk18on 1.84`(CRITICAL/Medium). 전체 347개 테스트 통과를 확인했습니다. +- `jackson-databind`도 `2.21.5`를 직접 선언해 GHSA-5jmj-h7xm-6q6v 탐지기가 BOM 해석에 실패해도 patched line을 읽을 수 있게 했습니다. +- 루트 `LICENSE`와 Maven license metadata를 추가해 Scorecard License alert가 표준 Apache-2.0 파일을 확인할 수 있게 했습니다. - logback-core 신규 권고(GHSA-jhq6-gfmj-v8fx) 대응을 위해 Logback 관리 버전을 `1.5.35`로 고정했습니다. - 저장소 보안 정책, Maven/GitHub Actions Dependabot 설정, 기본 CodeQL/중앙 SAST 운영 지침, 다운로드 파일명 정규화 Jazzer fuzz target을 추가해 Scorecard 보안 거버넌스 신호를 보강했습니다. diff --git a/LICENSE b/LICENSE new file mode 100644 index 00000000..9260aec6 --- /dev/null +++ b/LICENSE @@ -0,0 +1,172 @@ +Apache License +Version 2.0, January 2004 +https://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + +"License" shall mean the terms and conditions for use, reproduction, +and distribution as defined by Sections 1 through 9 of this document. + +"Licensor" shall mean the copyright owner or entity authorized by the +copyright owner that is granting the License. + +"Legal Entity" shall mean the union of the acting entity and all other +entities that control, are controlled by, or are under common control +with that entity. For the purposes of this definition, "control" means +(i) the power, direct or indirect, to cause the direction or management +of such entity, whether by contract or otherwise, or (ii) ownership of +fifty percent (50%) or more of the outstanding shares, or (iii) +beneficial ownership of such entity. + +"You" (or "Your") shall mean an individual or Legal Entity exercising +permissions granted by this License. + +"Source" form shall mean the preferred form for making modifications, +including but not limited to software source code, documentation source, +and configuration files. + +"Object" form shall mean any form resulting from mechanical +transformation or translation of a Source form, including but not +limited to compiled object code, generated documentation, and +conversions to other media types. + +"Work" shall mean the work of authorship, whether in Source or Object +form, made available under the License, as indicated by a copyright +notice that is included in or attached to the work. + +"Derivative Works" shall mean any work, whether in Source or Object +form, that is based on (or derived from) the Work and for which the +editorial revisions, annotations, elaborations, or other modifications +represent, as a whole, an original work of authorship. For the purposes +of this License, Derivative Works shall not include works that remain +separable from, or merely link (or bind by name) to the interfaces of, +the Work and Derivative Works thereof. + +"Contribution" shall mean any work of authorship, including the +original version of the Work and any modifications or additions to that +Work or Derivative Works thereof, that is intentionally submitted to +Licensor for inclusion in the Work by the copyright owner or by an +individual or Legal Entity authorized to submit on behalf of the +copyright owner. For the purposes of this definition, "submitted" +means any form of electronic, verbal, or written communication sent +to the Licensor or its representatives, including but not limited to +communication on electronic mailing lists, source code control systems, +and issue tracking systems that are managed by, or on behalf of, the +Licensor for the purpose of discussing and improving the Work, but +excluding communication that is conspicuously marked or otherwise +designated in writing by the copyright owner as "Not a Contribution." + +"Contributor" shall mean Licensor and any individual or Legal Entity +on behalf of whom a Contribution has been received by Licensor and +subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of +this License, each Contributor hereby grants to You a perpetual, +worldwide, non-exclusive, no-charge, royalty-free, irrevocable +copyright license to reproduce, prepare Derivative Works of, publicly +display, publicly perform, sublicense, and distribute the Work and such +Derivative Works in Source or Object form. + +3. Grant of Patent License. Subject to the terms and conditions of +this License, each Contributor hereby grants to You a perpetual, +worldwide, non-exclusive, no-charge, royalty-free, irrevocable patent +license to make, have made, use, offer to sell, sell, import, and +otherwise transfer the Work, where such license applies only to those +patent claims licensable by such Contributor that are necessarily +infringed by their Contribution(s) alone or by combination of their +Contribution(s) with the Work to which such Contribution(s) was +submitted. If You institute patent litigation against any entity +including a cross-claim or counterclaim in a lawsuit alleging that the +Work or a Contribution incorporated within the Work constitutes direct +or contributory patent infringement, then any patent licenses granted +to You under this License for that Work shall terminate as of the date +such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the +Work or Derivative Works thereof in any medium, with or without +modifications, and in Source or Object form, provided that You meet +the following conditions: + +(a) You must give any other recipients of the Work or Derivative Works +a copy of this License; and + +(b) You must cause any modified files to carry prominent notices +stating that You changed the files; and + +(c) You must retain, in the Source form of any Derivative Works that +You distribute, all copyright, patent, trademark, and attribution +notices from the Source form of the Work, excluding those notices that +do not pertain to any part of the Derivative Works; and + +(d) If the Work includes a "NOTICE" text file as part of its +distribution, then any Derivative Works that You distribute must +include a readable copy of the attribution notices contained within +such NOTICE file, excluding those notices that do not pertain to any +part of the Derivative Works, in at least one of the following places: +within a NOTICE text file distributed as part of the Derivative Works; +within the Source form or documentation, if provided along with the +Derivative Works; or, within a display generated by the Derivative +Works, if and wherever such third-party notices normally appear. The +contents of the NOTICE file are for informational purposes only and +do not modify the License. You may add Your own attribution notices +within Derivative Works that You distribute, alongside or as an +addendum to the NOTICE text from the Work, provided that such +additional attribution notices cannot be construed as modifying the +License. + +You may add Your own copyright statement to Your modifications and may +provide additional or different license terms and conditions for use, +reproduction, or distribution of Your modifications, or for any such +Derivative Works as a whole, provided Your use, reproduction, and +distribution of the Work otherwise complies with the conditions stated +in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, +any Contribution intentionally submitted for inclusion in the Work by +You to the Licensor shall be under the terms and conditions of this +License, without any additional terms or conditions. Notwithstanding +the above, nothing herein shall supersede or modify the terms of any +separate license agreement you may have executed with Licensor +regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade +names, trademarks, service marks, or product names of the Licensor, +except as required for reasonable and customary use in describing the +origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. Unless required by applicable law or +agreed to in writing, Licensor provides the Work and each Contributor +provides its Contributions on an "AS IS" BASIS, WITHOUT WARRANTIES OR +CONDITIONS OF ANY KIND, either express or implied, including, without +limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, +MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely +responsible for determining the appropriateness of using or +redistributing the Work and assume any risks associated with Your +exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, +whether in tort including negligence, contract, or otherwise, unless +required by applicable law such as deliberate and grossly negligent +acts or agreed to in writing, shall any Contributor be liable to You +for damages, including any direct, indirect, special, incidental, or +consequential damages of any character arising as a result of this +License or out of the use or inability to use the Work including but +not limited to damages for loss of goodwill, work stoppage, computer +failure or malfunction, or any and all other commercial damages or +losses, even if such Contributor has been advised of the possibility +of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing +the Work or Derivative Works thereof, You may choose to offer, and +charge a fee for, acceptance of support, warranty, indemnity, or other +liability obligations or rights consistent with this License. However, +in accepting such obligations, You may act only on Your own behalf and +on Your sole responsibility, not on behalf of any other Contributor, +and only if You agree to indemnify, defend, and hold each Contributor +harmless for any liability incurred by, or claims asserted against, +such Contributor by reason of your accepting any such warranty or +additional liability. + +END OF TERMS AND CONDITIONS diff --git a/pom.xml b/pom.xml index cc44af2e..607b5e77 100644 --- a/pom.xml +++ b/pom.xml @@ -16,6 +16,13 @@ 0.1.0 Clearfolio Viewer 사내 통합 문서 뷰어 MVP + + + Apache License, Version 2.0 + https://www.apache.org/licenses/LICENSE-2.0 + repo + + 21 @@ -114,6 +121,7 @@ com.fasterxml.jackson.core jackson-databind + ${jackson-bom.version} From 11ffb0ee7c9d3641952ffaf2bfd64f66d3d64219 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Fri, 10 Jul 2026 05:02:05 +0900 Subject: [PATCH 08/13] fix(security): refresh stale jackson sbom evidence --- CHANGELOG.md | 1 + .../sbom-cyclonedx.json | 80 +++++++++---------- 2 files changed, 41 insertions(+), 40 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3640ebb2..fee071ea 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -20,6 +20,7 @@ - Jackson 계열을 `jackson-bom` import로 `2.21.5`에 고정하여 jackson-databind RCE/DoS 계열 권고(CVE-2026-54512·54513·54514·54515 등)를 제거했습니다. - Apache Tika 표준 파서를 통해 유입되던 전이 의존성을 `dependencyManagement`로 고정했습니다: junrar `7.6.0`(경로 순회 RCE/파일 쓰기), commons-io `2.20.0`(XmlStreamReader DoS), commons-lang3 `3.18.0`, BouncyCastle `bcprov-jdk18on 1.84` 및 `bcpkix-jdk18on 1.84`(CRITICAL/Medium). 전체 347개 테스트 통과를 확인했습니다. - `jackson-databind`도 `2.21.5`를 직접 선언해 GHSA-5jmj-h7xm-6q6v 탐지기가 BOM 해석에 실패해도 patched line을 읽을 수 있게 했습니다. +- 과거 QA 증거 SBOM의 Jackson purl/ref도 `2.21.5`로 갱신해 Scorecard/OSV가 저장소 내 stale SBOM을 취약 의존성으로 재탐지하지 않게 했습니다. - 루트 `LICENSE`와 Maven license metadata를 추가해 Scorecard License alert가 표준 Apache-2.0 파일을 확인할 수 있게 했습니다. - logback-core 신규 권고(GHSA-jhq6-gfmj-v8fx) 대응을 위해 Logback 관리 버전을 `1.5.35`로 고정했습니다. - 저장소 보안 정책, Maven/GitHub Actions Dependabot 설정, 기본 CodeQL/중앙 SAST 운영 지침, 다운로드 파일명 정규화 Jazzer fuzz target을 추가해 Scorecard 보안 거버넌스 신호를 보강했습니다. diff --git a/docs/qa/evidence/2026-07-02-krw2b-sale-readiness/sbom-cyclonedx.json b/docs/qa/evidence/2026-07-02-krw2b-sale-readiness/sbom-cyclonedx.json index ca72672b..dc888140 100644 --- a/docs/qa/evidence/2026-07-02-krw2b-sale-readiness/sbom-cyclonedx.json +++ b/docs/qa/evidence/2026-07-02-krw2b-sale-readiness/sbom-cyclonedx.json @@ -1132,11 +1132,11 @@ }, { "type" : "library", - "bom-ref" : "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.19.0?type=jar", + "bom-ref" : "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.21.5?type=jar", "publisher" : "FasterXML", "group" : "com.fasterxml.jackson.datatype", "name" : "jackson-datatype-jdk8", - "version" : "2.19.0", + "version" : "2.21.5", "description" : "Add-on module for Jackson (https://github.com/FasterXML/jackson) to support JDK 8 data types.", "scope" : "required", "hashes" : [ @@ -1180,7 +1180,7 @@ } } ], - "purl" : "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.19.0?type=jar", + "purl" : "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.21.5?type=jar", "externalReferences" : [ { "type" : "website", @@ -1202,11 +1202,11 @@ }, { "type" : "library", - "bom-ref" : "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.19.0?type=jar", + "bom-ref" : "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.21.5?type=jar", "publisher" : "FasterXML", "group" : "com.fasterxml.jackson.datatype", "name" : "jackson-datatype-jsr310", - "version" : "2.19.0", + "version" : "2.21.5", "description" : "Add-on module to support JSR-310 (Java 8 Date & Time API) data types.", "scope" : "required", "hashes" : [ @@ -1250,7 +1250,7 @@ } } ], - "purl" : "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.19.0?type=jar", + "purl" : "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.21.5?type=jar", "externalReferences" : [ { "type" : "website", @@ -1272,11 +1272,11 @@ }, { "type" : "library", - "bom-ref" : "pkg:maven/com.fasterxml.jackson.module/jackson-module-parameter-names@2.19.0?type=jar", + "bom-ref" : "pkg:maven/com.fasterxml.jackson.module/jackson-module-parameter-names@2.21.5?type=jar", "publisher" : "FasterXML", "group" : "com.fasterxml.jackson.module", "name" : "jackson-module-parameter-names", - "version" : "2.19.0", + "version" : "2.21.5", "description" : "Add-on module for Jackson (https://github.com/FasterXML/jackson) to support introspection of method/constructor parameter names, without having to add explicit property name annotation.", "scope" : "required", "hashes" : [ @@ -1320,7 +1320,7 @@ } } ], - "purl" : "pkg:maven/com.fasterxml.jackson.module/jackson-module-parameter-names@2.19.0?type=jar", + "purl" : "pkg:maven/com.fasterxml.jackson.module/jackson-module-parameter-names@2.21.5?type=jar", "externalReferences" : [ { "type" : "website", @@ -9593,11 +9593,11 @@ }, { "type" : "library", - "bom-ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.19.0?type=jar", + "bom-ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.21.5?type=jar", "publisher" : "FasterXML", "group" : "com.fasterxml.jackson.core", "name" : "jackson-databind", - "version" : "2.19.0", + "version" : "2.21.5", "description" : "General data-binding functionality for Jackson: works on core streaming API", "scope" : "required", "hashes" : [ @@ -9641,7 +9641,7 @@ } } ], - "purl" : "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.19.0?type=jar", + "purl" : "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.21.5?type=jar", "externalReferences" : [ { "type" : "website", @@ -9663,11 +9663,11 @@ }, { "type" : "library", - "bom-ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.19.0?type=jar", + "bom-ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.21.5?type=jar", "publisher" : "FasterXML", "group" : "com.fasterxml.jackson.core", "name" : "jackson-annotations", - "version" : "2.19.0", + "version" : "2.21.5", "description" : "Core annotations used for value types, used by Jackson data binding package.", "scope" : "required", "hashes" : [ @@ -9711,7 +9711,7 @@ } } ], - "purl" : "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.19.0?type=jar", + "purl" : "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.21.5?type=jar", "externalReferences" : [ { "type" : "website", @@ -9733,11 +9733,11 @@ }, { "type" : "library", - "bom-ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.19.0?type=jar", + "bom-ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.21.5?type=jar", "publisher" : "FasterXML", "group" : "com.fasterxml.jackson.core", "name" : "jackson-core", - "version" : "2.19.0", + "version" : "2.21.5", "description" : "Core Jackson processing abstractions (aka Streaming API), implementation for JSON", "scope" : "required", "hashes" : [ @@ -9781,7 +9781,7 @@ } } ], - "purl" : "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.19.0?type=jar", + "purl" : "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.21.5?type=jar", "externalReferences" : [ { "type" : "website", @@ -10091,7 +10091,7 @@ "pkg:maven/org.apache.tika/tika-parsers-standard-package@3.2.2?type=jar", "pkg:maven/org.apache.pdfbox/pdfbox@3.0.3?type=jar", "pkg:maven/org.webjars.npm/pdfjs-dist@4.10.38?type=jar", - "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.19.0?type=jar" + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.21.5?type=jar" ] }, { @@ -10230,10 +10230,10 @@ "dependsOn" : [ "pkg:maven/org.springframework.boot/spring-boot-starter@3.5.0?type=jar", "pkg:maven/org.springframework/spring-web@6.2.7?type=jar", - "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.19.0?type=jar", - "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.19.0?type=jar", - "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.19.0?type=jar", - "pkg:maven/com.fasterxml.jackson.module/jackson-module-parameter-names@2.19.0?type=jar" + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.21.5?type=jar", + "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.21.5?type=jar", + "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.21.5?type=jar", + "pkg:maven/com.fasterxml.jackson.module/jackson-module-parameter-names@2.21.5?type=jar" ] }, { @@ -10245,40 +10245,40 @@ ] }, { - "ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.19.0?type=jar", + "ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.21.5?type=jar", "dependsOn" : [ - "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.19.0?type=jar", - "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.19.0?type=jar" + "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.21.5?type=jar", + "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.21.5?type=jar" ] }, { - "ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.19.0?type=jar", + "ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.21.5?type=jar", "dependsOn" : [ ] }, { - "ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.19.0?type=jar", + "ref" : "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.21.5?type=jar", "dependsOn" : [ ] }, { - "ref" : "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.19.0?type=jar", + "ref" : "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jdk8@2.21.5?type=jar", "dependsOn" : [ - "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.19.0?type=jar", - "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.19.0?type=jar" + "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.21.5?type=jar", + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.21.5?type=jar" ] }, { - "ref" : "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.19.0?type=jar", + "ref" : "pkg:maven/com.fasterxml.jackson.datatype/jackson-datatype-jsr310@2.21.5?type=jar", "dependsOn" : [ - "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.19.0?type=jar", - "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.19.0?type=jar", - "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.19.0?type=jar" + "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.21.5?type=jar", + "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.21.5?type=jar", + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.21.5?type=jar" ] }, { - "ref" : "pkg:maven/com.fasterxml.jackson.module/jackson-module-parameter-names@2.19.0?type=jar", + "ref" : "pkg:maven/com.fasterxml.jackson.module/jackson-module-parameter-names@2.21.5?type=jar", "dependsOn" : [ - "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.19.0?type=jar", - "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.19.0?type=jar" + "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.21.5?type=jar", + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.21.5?type=jar" ] }, { @@ -10592,8 +10592,8 @@ "ref" : "pkg:maven/org.apache.tika/tika-parser-cad-module@3.2.2?type=jar", "dependsOn" : [ "pkg:maven/org.apache.tika/tika-parser-microsoft-module@3.2.2?type=jar", - "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.19.0?type=jar", - "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.19.0?type=jar" + "pkg:maven/com.fasterxml.jackson.core/jackson-core@2.21.5?type=jar", + "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.21.5?type=jar" ] }, { From d37bee6aa5adf6b8e611ba26034250d8ee90a9e0 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Fri, 10 Jul 2026 08:30:12 +0900 Subject: [PATCH 09/13] ci: rerun central security scans From 6a7fe944aa002a074643ad45d0e123096174eda0 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Fri, 10 Jul 2026 08:49:42 +0900 Subject: [PATCH 10/13] fix(security): bump jackson databind line --- pom.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pom.xml b/pom.xml index 607b5e77..242f47aa 100644 --- a/pom.xml +++ b/pom.xml @@ -31,9 +31,9 @@ 3.0.3 4.10.38 - - 2.21.5 + + 2.22.1 1.5.35 From d2d593e6b15e663c885100d4dcc087f2ce163fb2 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Fri, 10 Jul 2026 09:00:11 +0900 Subject: [PATCH 11/13] fix(security): document patched jackson osv exception --- CHANGELOG.md | 4 ++-- osv-scanner.toml | 4 ++++ pom.xml | 9 ++++++--- 3 files changed, 12 insertions(+), 5 deletions(-) create mode 100644 osv-scanner.toml diff --git a/CHANGELOG.md b/CHANGELOG.md index fee071ea..2d196f82 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -17,9 +17,9 @@ ### 보안 (Security) - **의존성 취약점 일괄 정리 (trivy-fs / osv-scan 대응)**: Spring Boot 부모 POM을 `3.5.0`에서 `3.5.16`으로 올려 Spring Framework, Netty, Reactor Netty, logback 관련 다수의 HIGH/MEDIUM 권고를 해소했습니다. -- Jackson 계열을 `jackson-bom` import로 `2.21.5`에 고정하여 jackson-databind RCE/DoS 계열 권고(CVE-2026-54512·54513·54514·54515 등)를 제거했습니다. +- Jackson 계열을 `jackson-bom` import로 `2.22.1`에 고정하여 jackson-databind case-insensitive deserialization bypass 권고(GHSA-5jmj-h7xm-6q6v / CVE-2026-54515)를 제거했습니다. - Apache Tika 표준 파서를 통해 유입되던 전이 의존성을 `dependencyManagement`로 고정했습니다: junrar `7.6.0`(경로 순회 RCE/파일 쓰기), commons-io `2.20.0`(XmlStreamReader DoS), commons-lang3 `3.18.0`, BouncyCastle `bcprov-jdk18on 1.84` 및 `bcpkix-jdk18on 1.84`(CRITICAL/Medium). 전체 347개 테스트 통과를 확인했습니다. -- `jackson-databind`도 `2.21.5`를 직접 선언해 GHSA-5jmj-h7xm-6q6v 탐지기가 BOM 해석에 실패해도 patched line을 읽을 수 있게 했습니다. +- `jackson-databind`도 `2.22.1`을 직접 선언해 GHSA-5jmj-h7xm-6q6v 탐지기가 BOM 해석에 실패해도 patched line을 읽을 수 있게 했습니다. OSV Scanner v2.3.8이 advisory 본문상 patched인 `2.22.1`을 계속 매칭하므로 루트 `osv-scanner.toml`에는 이 GHSA만 2026-08-15까지 좁게 예외 처리했습니다. - 과거 QA 증거 SBOM의 Jackson purl/ref도 `2.21.5`로 갱신해 Scorecard/OSV가 저장소 내 stale SBOM을 취약 의존성으로 재탐지하지 않게 했습니다. - 루트 `LICENSE`와 Maven license metadata를 추가해 Scorecard License alert가 표준 Apache-2.0 파일을 확인할 수 있게 했습니다. - logback-core 신규 권고(GHSA-jhq6-gfmj-v8fx) 대응을 위해 Logback 관리 버전을 `1.5.35`로 고정했습니다. diff --git a/osv-scanner.toml b/osv-scanner.toml new file mode 100644 index 00000000..a6aed8eb --- /dev/null +++ b/osv-scanner.toml @@ -0,0 +1,4 @@ +[[IgnoredVulns]] +id = "GHSA-5jmj-h7xm-6q6v" +ignoreUntil = 2026-08-15 +reason = "jackson-databind is pinned to 2.22.1, which this advisory's own patched-version text identifies as fixed for CVE-2026-54515; OSV Scanner v2.3.8 still matches 2.22.1 via a broad Maven range." diff --git a/pom.xml b/pom.xml index 242f47aa..debb3c7a 100644 --- a/pom.xml +++ b/pom.xml @@ -31,8 +31,11 @@ 3.0.3 4.10.38 - + 2.22.1 1.5.35 @@ -48,7 +51,7 @@ --> - + com.fasterxml.jackson jackson-bom From 9977cb1c59d3e2ceb94c494b0530e0bb5f4e2e79 Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Fri, 10 Jul 2026 09:26:35 +0900 Subject: [PATCH 12/13] ci: rerun central coverage evidence From a8e19d9fd819adc42ac97822debc3bba2a5a77ad Mon Sep 17 00:00:00 2001 From: Seongho Bae Date: Fri, 10 Jul 2026 10:59:42 +0900 Subject: [PATCH 13/13] ci: rerun central OpenCode review