Category: Uncategorized

Improving the Reproducibility of Spring Boot’s Docker Image Builder

Reproducible builds are big wins for security, maintainability, and sanity. If you don’t like it when nothing has changed, yet your build suddenly breaks or doesn’t produce the same output, then improving reproducibility is for you. By default, Spring Boot’s Docker/OCI image building solutions, bootBuildImage (in Gradle) and spring-boot:build-image (in Maven), do not operate reproducibly. … Continue reading Improving the Reproducibility of Spring Boot’s Docker Image Builder

Shellcheck Scripts Embedded in GitLab CI YAML

I’m a big fan of linters. They detect problems earlier (also known as “shifting to the left”), and the earlier problem detection is, the more efficient remediation is. Therefore, I want to lint as much as possible. Lately, I’ve been working a lot with GitLab CI YAML which oftentimes has shell script embedded in it … Continue reading Shellcheck Scripts Embedded in GitLab CI YAML

Crafting Effective Announcements

The only constant in life is change. Heraclitus In this world of omnipresent change, effective communication is key to survival. Information that will impact others must be shared, and how that sharing is done will be the difference between success and failure. Will recipients of your message be confused, or will the message be clear? … Continue reading Crafting Effective Announcements

Identifying, Reporting, and Fixing CVE-2021-22119: DoS Vulnerability in Spring Security OAuth 2.0

In March 2021, I observed troubling behavior in multiple applications I supported that are built using Spring Boot: they would occasionally stop responding. Eventually, I tracked down the root cause to a DoS (Denial of Service) vulnerability in Spring Security OAuth 2.0: a simple shell script could take down any affected web application. Respecting the … Continue reading Identifying, Reporting, and Fixing CVE-2021-22119: DoS Vulnerability in Spring Security OAuth 2.0

Users and Client Secrets in Keycloak Realm Exports

Keycloak is an open source Identity and Access Management (IAM) solution that’s easy to run in Docker using a Configuration as Code (CAC) strategy enabling a workflow where a git source control repository can be cloned by a developer who can run one non-interactive script that starts Keycloak and gets it into a consistent state … Continue reading Users and Client Secrets in Keycloak Realm Exports

Cypress Testing Integrated with Gradle and Spring Boot

Cypress is a great testing framework for “anything that runs in a browser” allowing for clean, maintainable end to end tests. However, these tests can difficult and annoying to for developers to run, especially those who aren’t front end specialists. The following covers getting existing Cypress tests integrated and easily running within the Gradle-based build … Continue reading Cypress Testing Integrated with Gradle and Spring Boot

Contributing Improved Security to JavaMelody with Content Security Policy

JavaMelody is a web based monitoring tool frequently run in production environments, providing insights including CPU usage, hot spots in code, database connection pool utilization, and more. I’m always on the lookout for ways to improve security, so when a security scan pointed out that the JavaMelody web interface didn’t have a Content Security Policy … Continue reading Contributing Improved Security to JavaMelody with Content Security Policy

Contributing to GitLab and Lighthouse CI

While running Lighthouse CI on GitLab CI, I came across a problem: Lighthouse CI wants information about the current git commit, but it couldn’t get all of that information. In that case, Lighthouse CI falls back to running the git command; however, in my docker images, I don’t have git installed nor did I want to do so. So, I set out to fix this shortcoming in both Lighthouse and GitLab by adding the necessary environment variable to GitLab CI and having Lighthouse use it. The result is that I submitted a PR to Lighthouse that was merged and included in Lighthouse CI 0.7.1 and an MR to GitLab that was merged and included in GitLab 13.11. Now users (including my future self) will have a smooth, Just Works™ experience with these two tools.