5 Commits

Author SHA1 Message Date
johannes c7278d4364 chore(aria): bump hiveops-bom parent -> 1.0.8 (log4j CVE-2026-34479, fleet-wide)
CD - Develop / build-and-scan (push) Has started running
2026-07-15 15:59:19 -04:00
johannes 8c7874e37a fix(security): bump hiveops-bom 1.0.5 -> 1.0.7 — clears httpcore5 + postgresql CVEs
OWASP now fails builds on three HIGH CVEs in transitive deps. bom 1.0.7 takes the upstream
patches (no suppressions):

  postgresql 42.7.11 -> 42.7.13   CVE-2026-54291 (CVSS4 8.2) — channelBinding=require could be
                                  silently downgraded from SCRAM-SHA-256-PLUS, defeating MITM
                                  protection. Affects 42.7.4-42.7.11.
  httpcore5  5.3.6   -> 5.4.3     CVE-2026-54399 (7.5) HTTP/1.1 parser DoS
                                  CVE-2026-54428 (7.5) HTTP/2 HPACK unbounded allocation

httpcore5 arrives transitively via httpclient5, and Apache ships them as a matched pair, so bom 1.0.7
bumps httpclient5 5.5.2 -> 5.6.2 which pulls the fixed core 5.4.3.

Verified locally on this service: builds and tests pass on 1.0.7, and it resolves the patched
versions.

Refs bom#6

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-12 09:54:32 -04:00
johannes 4c6d7c6df7 chore(aria): bump hiveops-bom 1.0.4 -> 1.0.5 (CVE remediation, bom#6)
CD - Develop / build-and-scan (push) Successful in 14m27s
Clears 2026-07 NVD batch (spring-framework 6.2.19 / spring-security 6.5.11 / tomcat 10.1.56).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-05 07:52:40 -04:00
johannes 54a7328599 chore(security): bump hiveops-bom parent to 1.0.4 — CVE remediation (#3)
Boot 3.5.14 + netty/tomcat/jackson/spring-kafka/spring-cloud/spring-ai/commons/
bcprov overrides. Validated via Phase-1 fan-out: builds clean, backend Trivy 0
HIGH/CRITICAL. (Frontend npm axios/form-data handled separately where present.)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 13:40:15 -04:00
johannes e5f25f1c2c feat: Phase 1 — ARIA ATM threat monitoring service
CD - Develop / build-and-deploy (push) Failing after 11m31s
- Spring Boot service on port 8095, database hiveiq_aria
- Flyway schema: threat_ioc, threat_event, precursor_sequence_alert, device_security_posture
- FBI FLASH-20260219-001 IOC seed data (executables, MD5s, directories, registry keys, services)
- ThreatEventClassifier — maps 20+ signal keys to severity + attack phase + IOC match
- ThreatEventIngestionService — persists events, publishes HIGH/CRITICAL to Kafka
- Kafka producer: topic hiveops.aria.threats (AriaThreatEvent payload)
- ThreatIocController — CRUD IOC management (MSP_ADMIN/BCOS_ADMIN)
- ThreatEventIngestionController — agent-facing ingest endpoint with service secret auth
- CI/CD: cd-develop.yml + cd-main.yml
2026-06-14 09:30:46 -04:00