Secure Prometheus Endpoint and Add Dependency Check

[yacosta738]

This PR secures the /management/prometheus actuator endpoint by removing public access and adds the OWASP Dependency-Check plugin to the backend to scan for vulnerable dependencies, enhancing the overall security posture.

---

PR created automatically by Jules for task 10362938633792780114 started by @yacosta738

[cloudflare-workers-and-pages]

Deploying cvix with    Cloudflare Pages

Latest commit:	70d5bf1
Status:	🚫  Build failed.

View logs

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[github-actions]

Hey there and thank you for opening this pull request! 👋🏼

We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted.

Details:

No release type found in pull request title "Secure Prometheus Endpoint and Add Dependency Check". Add a prefix to indicate what kind of release this pull request corresponds to. For reference, see https://www.conventionalcommits.org/

Available types:
 - feat: A new feature
 - fix: A bug fix
 - docs: Documentation only changes
 - style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
 - refactor: A code change that neither fixes a bug nor adds a feature
 - perf: A code change that improves performance
 - test: Adding missing tests or correcting existing tests
 - build: Changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
 - ci: Changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
 - chore: Other changes that don't modify src or test files
 - revert: Reverts a previous commit

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

Release Notes

• Security

  • Prometheus metrics endpoint now requires admin authentication

• Chores

  • Added OWASP dependency checking to the build pipeline

_{✏️ Tip: You can customize this high-level summary in your review settings.}

Walkthrough

Three focused changes: removal of redundant TypeScript type declarations for Vue components, addition of an OWASP dependency security check plugin, and tightening security on the Prometheus management endpoint by requiring ADMIN authority instead of permitting public access.

Changes

Cohort / File(s)	Summary
TypeScript Component Types client/apps/webapp/components.d.ts	Removed global TSX support declarations for RouterLink, RouterView, ThemeSwitcher, and UserNav. Local GlobalComponents export within the Vue module declaration remains intact.
Build Security Scanning server/engine/build.gradle.kts	Added OWASP dependency-check plugin to the build pipeline for automated vulnerability scanning of project dependencies.
Endpoint Authorization server/engine/src/main/kotlin/com/cvix/authentication/infrastructure/SecurityConfiguration.kt	Removed permitAll exemption for "/management/prometheus" endpoint, bringing it under the same ADMIN-required authorization as other management endpoints under "/management/**".

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

backend, security

Suggested reviewers

• yuniel-acosta

Poem

🔐 Prometheus no longer roams freely,
Dependencies scanned cleanly and deeply,
Types trimmed where they're not needed today,
Security tightens in every way. ✨

---

Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

• Ignore

❌ Failed checks (1 error, 1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❌ Error	PR title does not follow Conventional Commits format; it lacks the required type(scope) prefix structure specified in requirements.	Reformat title to follow Conventional Commits: 'fix(security): secure prometheus endpoint and add dependency check' or similar type(scope) structure.
Test Coverage	⚠️ Warning	PR removed public access to /management/prometheus endpoint but added no tests validating the new ADMIN authority requirement.	Add integration tests verifying unauthenticated requests to /management/prometheus are rejected, non-ADMIN users receive 403, and ADMIN users can access.
Clean Architecture Compliance	❓ Inconclusive	Codebase lacks visible Clean Architecture implementation with domain/application/infrastructure separation, CQRS patterns, and handler-based operations. PR changes are security-focused infrastructure adjustments that don't violate unstated architectural principles.	Clarify if Clean Architecture is required. If yes, establish domain layers, implement CQRS with handlers, and ensure framework-agnostic business logic. If no, adopt architecture-appropriate guidelines for the actual layered pattern used.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description check	✅ Passed	PR description directly addresses the changeset, explaining the security enhancements and dependency check additions with clear context and rationale.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Security Review	✅ Passed	Pull request demonstrates strong security practices with proper authorization enforcement, comprehensive security controls including CSRF protection, CORS configuration, OAuth2/JWT authentication, security headers, rate-limiting, and OWASP vulnerability scanning.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/secure-prometheus-endpoint-10362938633792780114

Warning

Review ran into problems

🔥 Problems

Errors were encountered while retrieving linked issues.

Errors (1)

• ENDPOINT-10362938633792780114: Entity not found: Issue - Could not find referenced Issue.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.83%. Comparing base (30ca2d2) to head (70d5bf1).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #552   +/-   ##
=======================================
  Coverage   75.83%   75.83%           
=======================================
  Files         115      115           
  Lines        3824     3824           
  Branches     1003     1003           
=======================================
  Hits         2900     2900           
  Misses        815      815           
  Partials      109      109           

Flag	Coverage Δ
frontend	75.83% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@server/engine/build.gradle.kts`:
- Line 5: The current purgeDependencyCheckDatabase task uses a generic Delete
task with doFirst/doLast lifecycle blocks which breaks deterministic caching;
replace it by adding a custom task class PurgeDependencyCheckDatabaseTask
(subclass DefaultTask) with a `@TaskAction` method (e.g., purge) that performs the
fileTree search and deletes matching files, and then register it via
tasks.register<PurgeDependencyCheckDatabaseTask>("purgeDependencyCheckDatabase")
in AppOwaspPlugin.kt so Gradle can track inputs/outputs and support the build
cache.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find the build-logic directory and explore its structure
echo "=== Repository structure ==="
fd -t d -name 'build-logic' . | head -20

echo -e "\n=== Contents of build-logic ==="
if [ -d "build-logic" ]; then
  find build-logic -type f -name "*.gradle.kts" | head -30
fi

echo -e "\n=== Searching for owasp plugin definition ==="
fd -t f \( -name "*.gradle.kts" -o -name "*.kt" \) build-logic 2>/dev/null | xargs grep -l 'owasp\|dependency.check' 2>/dev/null | head -20

echo -e "\n=== Checking for plugin convention files ==="
fd -t f -path '*/build-logic/*' -name '*Owasp*' -o -path '*/build-logic/*' -name '*owasp*'

echo -e "\n=== Looking at settings.gradle.kts in build-logic ==="
if [ -f "build-logic/settings.gradle.kts" ]; then
  cat -n build-logic/settings.gradle.kts
fi

Repository: dallay/cvix

Length of output: 1795

---

🏁 Script executed:

#!/bin/bash
# Broader search for owasp references
echo "=== Searching entire repo for owasp references ==="
rg -i 'owasp|dependency.check' --type gradle --type kotlin 2>/dev/null | head -30

echo -e "\n=== Checking root settings.gradle.kts for plugin registration ==="
if [ -f "settings.gradle.kts" ]; then
  cat -n settings.gradle.kts | head -50
fi

echo -e "\n=== Looking for how convention plugins are registered ==="
rg -i 'pluginManagement|includeBuild.*build-logic' --type gradle | head -20

echo -e "\n=== Checking if owasp-dependency-check-convention directory exists ==="
find . -type d -name '*owasp*' 2>/dev/null

echo -e "\n=== Verifying the server/engine/build.gradle.kts file ==="
cat -n server/engine/build.gradle.kts | head -15

Repository: dallay/cvix

Length of output: 5881

---

🏁 Script executed:

#!/bin/bash
echo "=== AppOwaspPlugin implementation ==="
cat -n build-logic/analysis-convention/src/main/kotlin/com/cvix/buildlogic/analysis/AppOwaspPlugin.kt

echo -e "\n=== analysis-convention build.gradle.kts ==="
cat -n build-logic/analysis-convention/build.gradle.kts | head -40

Repository: dallay/cvix

Length of output: 7858

---

Fix the custom task: refactor purgeDependencyCheckDatabase to use @TaskAction instead of doFirst/doLast.

The purgeDependencyCheckDatabase task in AppOwaspPlugin.kt uses a generic Delete task with doFirst/doLast blocks (lines 26–47). Per the coding guidelines, never use generic tasks with manual lifecycle blocks—create a custom task class with proper @TaskAction annotation for build cache support and deterministic caching:

abstract class PurgeDependencyCheckDatabaseTask : DefaultTask() {
    `@TaskAction`
    fun purge() {
        println("Purging dependency check database...")
        fileTree(layout.buildDirectory.dir("dependency-check-data").get().asFile) {
            include("*.h2.db")
            include("*.mv.db")
            include("*.trace.db")
            include("*.lock.db")
        }.forEach { it.delete() }
        println("Dependency check database purged successfully.")
    }
}

Then register it as tasks.register<PurgeDependencyCheckDatabaseTask>("purgeDependencyCheckDatabase"). This ensures proper input/output tracking and respects the build cache.

The plugin otherwise follows best practices—uses public APIs, lazy task registration, and centralizes OWASP configuration cleanly.

🤖 Prompt for AI Agents

In `@server/engine/build.gradle.kts` at line 5, The current
purgeDependencyCheckDatabase task uses a generic Delete task with doFirst/doLast
lifecycle blocks which breaks deterministic caching; replace it by adding a
custom task class PurgeDependencyCheckDatabaseTask (subclass DefaultTask) with a
`@TaskAction` method (e.g., purge) that performs the fileTree search and deletes
matching files, and then register it via
tasks.register<PurgeDependencyCheckDatabaseTask>("purgeDependencyCheckDatabase")
in AppOwaspPlugin.kt so Gradle can track inputs/outputs and support the build
cache.

[github-actions]

Qodana for JVM

105 new problems were found

Inspection name	Severity	Problems
Unused symbol	🔶 Warning	48
Invalid YAML configuration	🔶 Warning	9
Vulnerable declared dependency	🔶 Warning	5
Taint analysis	🔶 Warning	4
Potentially ambiguous 'kotlin.coroutine.coroutineContext' usage	🔶 Warning	4
Unresolved reference in KDoc	🔶 Warning	3
Redundant character escape	🔶 Warning	1
Duplicated code fragment	◽️ Notice	11
Unknown HTTP header	◽️ Notice	10
Redundant interpolation prefix	◽️ Notice	4
Multi-dollar interpolation can be used in string literals (available since 2.1)	◽️ Notice	1
Redundant escaped dollar characters in string literals	◽️ Notice	1
String concatenation that can be converted to string template	◽️ Notice	1
If-Null return/break/... foldable to '?:'	◽️ Notice	1
Unnecessary type argument	◽️ Notice	1
Vulnerable declared dependency	◽️ Notice	1

☁️ View the detailed Qodana report

Contact Qodana team

Contact us at qodana-support@jetbrains.com

• Or via our issue tracker: https://jb.gg/qodana-issue
• Or share your feedback: https://jb.gg/qodana-discussions

[github-actions]

Test Results

210 files  ±0  210 suites  ±0   1m 55s ⏱️ -8s
978 tests ±0  978 ✅ ±0  0 💤 ±0  0 ❌ ±0 
982 runs  ±0  982 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit 70d5bf1. ± Comparison against base commit 21cc372.

This pull request removes 4 and adds 4 tests. Note that renamed tests count towards both.

com.cvix.common.domain.bus.MediatorBuilderTest ‑ [1] com.cvix.common.domain.bus.ContinueOnExceptionPublishStrategy@113e5151
com.cvix.common.domain.bus.MediatorBuilderTest ‑ [2] com.cvix.common.domain.bus.ParallelNoWaitPublishStrategy@7c64dd6f
com.cvix.common.domain.bus.MediatorBuilderTest ‑ [3] com.cvix.common.domain.bus.ParallelWhenAllPublishStrategy@3a33f3ae
com.cvix.common.domain.bus.MediatorBuilderTest ‑ [4] com.cvix.common.domain.bus.StopOnExceptionPublishStrategy@259eb66a

com.cvix.common.domain.bus.MediatorBuilderTest ‑ [1] com.cvix.common.domain.bus.ContinueOnExceptionPublishStrategy@55878b0e
com.cvix.common.domain.bus.MediatorBuilderTest ‑ [2] com.cvix.common.domain.bus.ParallelNoWaitPublishStrategy@1fbef3f4
com.cvix.common.domain.bus.MediatorBuilderTest ‑ [3] com.cvix.common.domain.bus.ParallelWhenAllPublishStrategy@7f4b8349
com.cvix.common.domain.bus.MediatorBuilderTest ‑ [4] com.cvix.common.domain.bus.StopOnExceptionPublishStrategy@4dd7d07e