Friday 25 October 2019

Grails 3-4: resolving gadget vulnerabilities in JSON deserialization

Grails 3+ depends on Spring Boot 2, which depends on the jackson-databind 2.9.9 library. Since that version is vulnerable to several kinds of deserialization gadget attacks, you might want to upgrade it to the latest version by adding this to your dependencies block:

// blocks some gadget type vulnerabilities
compile "com.fasterxml.jackson.core:jackson-databind:2.9.10.1"
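A single compile line only wins while Gradle's default "highest version" conflict resolution happens to pick it; a later BOM or plugin change can quietly pull 2.9.9 back in. The following Gradle (Groovy DSL) snippet is an added example, not code from the original post: it forces the patched version in every configuration and adds a task that fails the build if anything else resolves. The version string comes from the post; the task name and the ext property are my own.

```groovy
// Added example: force the patched jackson-databind everywhere and verify it.
// Assumes a Grails 3 build.gradle (Groovy DSL) with the java plugin applied,
// so that runtimeClasspath and the check task exist.
ext.jacksonDatabindFixed = "2.9.10.1"   // version from the post

configurations.all {
    resolutionStrategy {
        // Force the patched version even where a transitive dependency
        // (e.g. the Spring Boot BOM) would otherwise pull in 2.9.9.
        force "com.fasterxml.jackson.core:jackson-databind:${jacksonDatabindFixed}"
    }
}

// Fails the build if jackson-databind resolves to anything other than the
// forced version, so a future dependency bump cannot silently reintroduce
// the vulnerable release. Task name is mine (hypothetical).
task verifyJacksonVersion {
    doLast {
        def resolved = configurations.runtimeClasspath.resolvedConfiguration
            .resolvedArtifacts
            .collect { it.moduleVersion.id }
            .findAll { it.group == "com.fasterxml.jackson.core" && it.name == "jackson-databind" }

        if (resolved.isEmpty()) {
            throw new GradleException("jackson-databind not found on runtimeClasspath")
        }
        resolved.each { id ->
            // Strict equality is intended: the force above makes any other
            // version a sign that the resolution strategy was bypassed.
            if (id.version != jacksonDatabindFixed) {
                throw new GradleException(
                    "jackson-databind resolved to ${id.version}, expected ${jacksonDatabindFixed}")
            }
        }
        logger.lifecycle("jackson-databind ${jacksonDatabindFixed} verified on runtimeClasspath")
    }
}

// Run the verification as part of the normal check lifecycle (CI runs it).
check.dependsOn verifyJacksonVersion
```

You can see the effect without the task by running `./gradlew dependencies --configuration runtimeClasspath` and looking for the `-> 2.9.10.1` arrow next to jackson-databind; the task just turns that manual check into a build failure.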

Thursday 24 October 2019

Adding OWASP dependency checks to gradle builds, for continuous integration

Step 1: configure the OWASP dependency check plugin in your build.gradle.

Step 2: Add a dependencyCheck block at the end of your build.gradle, where you set the CVSS threshold above which the build fails:

dependencyCheck {
    failBuildOnCVSS = 6 // build fails for above average severity scores
}
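Putting both steps together, here is a complete dependency-check configuration for a Gradle/Grails build. It is an added example, not the post's own code: the plugin version and the suppression file path are placeholders you fill in for your project, and the `failBuildOnCVSS` value is the one from the post.

```groovy
// Added example: full OWASP dependency-check setup for build.gradle (Groovy DSL).
// Place the plugins block right after any buildscript block, before other statements.
plugins {
    id "org.owasp.dependencycheck" version "<PLUGIN_VERSION>"   // placeholder: pin a real release
}

dependencyCheck {
    failBuildOnCVSS = 6        // as in the post: fail on above-average severity
    format = "ALL"             // HTML for humans, XML/JSON for CI tooling to parse
    // Reviewed false positives live in version control, so suppressions are auditable.
    suppressionFile = "config/dependency-check-suppressions.xml"   // placeholder path
    // Only scan what actually ships: test configurations just add noise.
    skipConfigurations = ["testCompileClasspath", "testRuntimeClasspath"]
}

// Make the scan part of the normal verification lifecycle so CI cannot skip it.
check.dependsOn dependencyCheckAnalyze
```

Running `./gradlew check` now performs the scan; the report lands under `build/reports`, and any finding at or above the threshold fails the build.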

Thursday 17 October 2019

Grails application.yml: how to have default values for environment variables

When an environment variable is not available in your environment, you might want to have a default value in your configuration without defining it in your application.groovy.

Default values for environment variables are actually supported in application.yml; this is the syntax:
environments:
  test:
    testValue: ${MY_ENV:test}

Monday 14 October 2019

Grails: serving static content

If you are using the Angular profile for Grails, you might want to serve your compiled Angular code when reaching the server on '/'.

First ensure the angular project compiles to ../server/src/main/webapp by changing the outputDir and outputPath.

Then modify the UrlMappings to add:

"/"(uri: "/index.html")

And add to services.yml:

grails:
  resources: # resolve index.html without the static prefix...
    pattern: /**