Integrate Trivy Security Scanning and Fix CVE-2025-24813 #5

Open

devin-ai-integration[bot] wants to merge 3 commits into master from devin/1765301739-trivy-security-scanning

Conversation

devin-ai-integration Bot commented Dec 9, 2025

Summary

This PR integrates Trivy security scanning into the CI/CD pipeline and fixes the highest severity vulnerability found in the dependency scan.

Vulnerability Fixed: CVE-2025-24813 (CRITICAL) - Potential RCE and/or information disclosure vulnerability in Apache Tomcat. Fixed by upgrading embedded Tomcat from 9.0.56 to 9.0.99.

Trivy Integration: Added a new security-scan job to the GitHub Actions workflow that:

  • Builds the application JAR and extracts dependencies for scanning
  • Runs Trivy to scan for vulnerabilities in all dependencies
  • Uploads scan results to GitHub Security tab in SARIF format

The initial scan found 93 total vulnerabilities (11 CRITICAL, 42 HIGH, 33 MEDIUM, 7 LOW). This PR addresses the highest severity one.

Updates Since Last Revision

  • Updated GitHub Actions to v4: Upgraded actions/checkout, actions/setup-java, and actions/cache from v2 to v4 (v2 is now deprecated and was causing CI failures)
  • Updated codeql-action/upload-sarif to v3
  • Added Java 17+ compatibility fix: Tomcat 9.0.99 requires --add-opens=java.base/java.io=ALL-UNNAMED when running on Java 17+ due to module access restrictions. This is configured for the bootRun Gradle task.
  • Local testing verified: Application starts successfully and responds to requests with the updated Tomcat version

Review & Testing Checklist for Human

  • Production deployment configuration: The --add-opens=java.base/java.io=ALL-UNNAMED JVM flag is only configured for bootRun. If deploying to production on Java 17+, this flag must be added to your startup script or JAVA_TOOL_OPTIONS
  • Verify Tomcat 9.0.99 compatibility: The upgrade from 9.0.56 to 9.0.99 is significant. Test key endpoints (authentication, article CRUD, GraphQL) to ensure no regressions
  • Review CI workflow: The Trivy action uses @master - consider pinning to a specific version for stability
  • Note: Trivy scan is configured with exit-code: '0' so it won't block builds on vulnerabilities. Decide if this should be changed to fail on CRITICAL/HIGH findings

Recommended test plan:

  1. Run ./gradlew bootRun locally (works on both Java 11 and Java 17 with the JVM args fix)
  2. Test authentication flow at /users endpoint
  3. Test the /tags endpoint returns valid JSON
  4. Verify the Security tab in GitHub shows Trivy scan results after the workflow runs

Notes

  • The remaining 92 vulnerabilities (10 CRITICAL, 42 HIGH, etc.) are in transitive dependencies and would require more extensive upgrades to fix
  • Trivy scans the extracted JAR contents because direct Gradle dependency scanning requires a lock file
  • CI runs on Java 11 where the JVM args workaround is not needed; the --add-opens flag is specifically for Java 17+ local development

Link to Devin run: https://app.devin.ai/sessions/c7b1401cf3ad4d679b07fa901b19478b
Requested by: Marcel Schwager (marcel.schwager@codeium.com) / @marcelschwager-ux
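
The description above notes that the Trivy step runs with exit-code: '0', so the scan reports but never blocks a build, and asks whether it should fail on CRITICAL/HIGH findings. The following is an added example, not code from this PR or from the repository it targets, of how such a gate can be applied to Trivy's JSON output (the report produced by `trivy fs --format json`) outside the action: it flattens the report, counts findings per severity in the same shape as the "11 CRITICAL, 42 HIGH, ..." summary, and returns a non-zero exit status when anything at or above a chosen severity remains, optionally ignoring findings that have no fixed version. The sample report is constructed for illustration; only CVE-2025-24813 in tomcat-embed-core (the finding this PR fixes) comes from the page, and the CVE-0000-* IDs and example-* package names are placeholders, not real vulnerabilities.

```python
"""Severity gate over a Trivy JSON report (added example, not code from this PR
or its repository). Assumes Trivy was run with --format json, whose report has
a top-level "Results" list, each entry carrying "Target" and an optional
"Vulnerabilities" list. SAMPLE_REPORT below is constructed for illustration:
only CVE-2025-24813 (tomcat-embed-core 9.0.56 -> 9.0.99) comes from the PR;
the CVE-0000-* IDs and example-* packages are placeholders, not real findings.
"""
import json
import sys
from collections import Counter

# Trivy's severity vocabulary, lowest to highest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

SAMPLE_REPORT = json.dumps({  # constructed, Trivy-shaped report
    "SchemaVersion": 2,
    "Results": [
        {
            "Target": "build/libs/app.jar",
            "Class": "lang-pkgs",
            "Type": "jar",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2025-24813",
                 "PkgName": "org.apache.tomcat.embed:tomcat-embed-core",
                 "InstalledVersion": "9.0.56", "FixedVersion": "9.0.99",
                 "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-00001",  # placeholder, no fix available
                 "PkgName": "example-lib-a",
                 "InstalledVersion": "1.0.0", "FixedVersion": "",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-00002",  # placeholder
                 "PkgName": "example-lib-b",
                 "InstalledVersion": "2.3.0", "FixedVersion": "2.3.1",
                 "Severity": "MEDIUM"},
            ],
        },
        # A clean target: Trivy omits the "Vulnerabilities" key entirely.
        {"Target": "build/libs/other.jar", "Class": "lang-pkgs", "Type": "jar"},
    ],
})


def load_findings(report_text):
    """Flatten every Results[].Vulnerabilities[] entry into one list of dicts."""
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            findings.append({
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", "") or "",
                "severity": sev if sev in SEVERITY_ORDER else "UNKNOWN",
                "target": result.get("Target", ""),
            })
    return findings


def severity_counts(findings):
    """Counts per severity, highest first, zero-filled."""
    counts = Counter(f["severity"] for f in findings)
    return {sev: counts.get(sev, 0) for sev in reversed(SEVERITY_ORDER)}


def gate(findings, fail_on="HIGH", ignore_unfixed=False):
    """Return (exit_code, blocking): exit_code is 1 if any finding is at or
    above `fail_on`. With ignore_unfixed=True, findings with no FixedVersion
    are reported but not fatal (the same idea as Trivy's --ignore-unfixed),
    since no dependency bump could clear them today."""
    threshold = SEVERITY_ORDER.index(fail_on.upper())
    blocking = [
        f for f in findings
        if SEVERITY_ORDER.index(f["severity"]) >= threshold
        and not (ignore_unfixed and not f["fixed"])
    ]
    blocking.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]), reverse=True)
    return (1 if blocking else 0), blocking


def main(argv):
    # Usage: python trivy_gate.py trivy.json   (falls back to the sample report)
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    findings = load_findings(text)
    print("findings by severity:", severity_counts(findings))
    code, blocking = gate(findings, fail_on="HIGH", ignore_unfixed=True)
    for f in blocking:
        print(f"{f['severity']:8} {f['id']} {f['pkg']} "
              f"{f['installed']} -> {f['fixed']} ({f['target']})")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the sample report the gate fails the build on CVE-2025-24813 alone when unfixed findings are ignored, and passes once that finding is gone; the same policy can be expressed directly on the action by setting its exit-code and severity inputs, but a separate step like this one keeps the SARIF upload running unconditionally (upload first, then gate) rather than being skipped when the scan step exits non-zero.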

- Add Trivy security scanning job to GitHub Actions workflow
- Override Tomcat version to 9.0.99 to fix CRITICAL CVE-2025-24813
  (Potential RCE and/or information disclosure vulnerability)
- Trivy scan results are uploaded to GitHub Security tab as SARIF

Co-Authored-By: Marcel Schwager <marcel.schwager@codeium.com>
devin-ai-integration Bot (Author) commented

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

devin-ai-integration Bot and others added 2 commits December 9, 2025 17:42
- Update actions/checkout from v2 to v4
- Update actions/setup-java from v2 to v4
- Update actions/cache from v2 to v4
- Update github/codeql-action/upload-sarif from v2 to v3

Fixes CI failure due to deprecated actions/cache v2

Co-Authored-By: Marcel Schwager <marcel.schwager@codeium.com>

Tomcat 9.0.99 requires --add-opens=java.base/java.io=ALL-UNNAMED
when running on Java 17+ due to module access restrictions.

Co-Authored-By: Marcel Schwager <marcel.schwager@codeium.com>