Commit 517913df authored by Rostislav Vatolin [SLB]'s avatar Rostislav Vatolin [SLB]

Fix security issues

parent e6f4a5d4
......@@ -8,8 +8,6 @@
<maven.compiler.source>${java.version}</maven.compiler.source>
<redisson.version>3.13.2</redisson.version>
<protobuf-java.version>3.12.4</protobuf-java.version>
<org.springframework.boot.version>2.4.4</org.springframework.boot.version>
<commons-codec.version>1.15</commons-codec.version>
<!-- When upgrading springfox version make sure to verify how the updated UI is displayed.
Latest versions of springfox library have issues with displaying content
-->
......@@ -36,17 +34,14 @@
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>${org.springframework.boot.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
<version>${org.springframework.boot.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>${org.springframework.boot.version}</version>
</dependency>
<dependency>
<groupId>com.dslplatform</groupId>
......@@ -58,6 +53,15 @@
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger2</artifactId>
<version>${springfox-version}</version>
<exclusions>
<exclusion>
<!--
Excluding com.google.guava:guava:jar:18.0, because it has security vulnerability
-->
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
<groupId>io.springfox</groupId>
......@@ -75,7 +79,6 @@
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<version>${org.springframework.boot.version}</version>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
......
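Review bot: The new `<exclusion>` of `com.google.guava:guava` from `springfox-swagger2` removes the library without managing a patched replacement; springfox 2.x is known to use Guava types directly, so unless another dependency still supplies guava this will surface at runtime as a `NoClassDefFoundError` rather than at build time. The usual fix is to keep the transitive dependency and pin the patched version once in `<dependencyManagement>` (`<groupId>com.google.guava</groupId><artifactId>guava</artifactId><version>…patched release…</version>`), then confirm with `mvn dependency:tree -Dincludes=com.google.guava` that only that version resolves. The comment should name the advisory instead of "has security vulnerability", e.g. `<!-- guava 18.0 excluded (advisory id here); patched version managed in dependencyManagement -->`. Dropping `${org.springframework.boot.version}` from the starters only works if the BOM imported by the parent actually manages them; that parent change lives in another file of this commit.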
......@@ -3,12 +3,11 @@
<modelVersion>4.0.0</modelVersion>
<properties>
<os-core-common.version>0.9.0-rc3</os-core-common.version>
<os-core-common.version>0.9.0-rc7</os-core-common.version>
<java.version>1.8</java.version>
<maven.compiler.target>1.8</maven.compiler.target>
<maven.compiler.source>1.8</maven.compiler.source>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<spring-boot-dependencies.version>2.4.4</spring-boot-dependencies.version>
</properties>
<groupId>org.opengroup.osdu.entitlements.v2</groupId>
......@@ -36,9 +35,9 @@
<dependencyManagement>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<version>${spring-boot-dependencies.version}</version>
<groupId>org.opengroup.osdu</groupId>
<artifactId>os-core-common</artifactId>
<version>${os-core-common.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
......@@ -46,6 +45,20 @@
<groupId>org.opengroup.osdu</groupId>
<artifactId>os-core-common</artifactId>
<version>${os-core-common.version}</version>
<exclusions>
<exclusion>
<groupId>org.elasticsearch.client</groupId>
<artifactId>elasticsearch-rest-client</artifactId>
</exclusion>
<exclusion>
<groupId>org.elasticsearch</groupId>
<artifactId>elasticsearch</artifactId>
</exclusion>
<exclusion>
<groupId>org.elasticsearch.client</groupId>
<artifactId>elasticsearch-rest-high-level-client</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
</dependencyManagement>
......
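Review bot: Replacing the `spring-boot-dependencies` import with `os-core-common` `0.9.0-rc7` as the BOM means every Spring Boot (and therefore Tomcat/Netty/Jackson) version is now decided by a release-candidate artifact and is no longer visible in this pom, which is awkward for a change whose purpose is to fix vulnerable dependencies. Record what the BOM currently resolves to next to the import, e.g. `<!-- Spring Boot is managed by the os-core-common BOM (presumably still 2.4.x, which this pom pinned before); re-check on every os-core-common bump -->`, and add a guard against silent downgrades such as a `maven-enforcer-plugin` rule or at least a `mvn dependency:tree` check in CI. The elasticsearch exclusions on the managed `os-core-common` entry are in the right place (they apply to every module that declares it), but note which part of os-core-common needs ES so a future consumer understands why those classes are missing.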
......@@ -18,7 +18,6 @@
<reactor.core.version>3.3.0.RELEASE</reactor.core.version>
<springfox-version>2.7.0</springfox-version>
<tomcat-embed-core.version>9.0.37</tomcat-embed-core.version>
<org.springframework.boot.version>2.4.4</org.springframework.boot.version>
</properties>
<dependencies>
......@@ -79,8 +78,6 @@
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<!--<version>2.4.0</version>-->
<version>${spring-boot-dependencies.version}</version>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
......@@ -119,9 +116,6 @@
<artifactId>spring-security-oauth2-jose</artifactId>
</dependency>
<dependency>
<groupId>io.projectreactor.netty</groupId>
<artifactId>reactor-netty</artifactId>
......@@ -149,7 +143,6 @@
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<version>${spring-boot-dependencies.version}</version>
<scope>test</scope>
<exclusions>
<exclusion>
......
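Review bot: `<tomcat-embed-core.version>9.0.37</tomcat-embed-core.version>` survives while the explicit Spring Boot versions are removed; it is not visible in this hunk whether the property is actually applied to a `tomcat-embed-core` dependency, but if it is, it pins an embedded Tomcat older than the one Spring Boot 2.4.x manages, which works against the goal of this commit. Either delete the property and let the BOM manage Tomcat, or raise it to at least the BOM-managed version and annotate it: `<!-- overrides BOM Tomcat version: <reason>; re-evaluate on every Boot upgrade -->`. Note also that `@@ -119,9 +116,6 @@` removes three lines that are not shown on this page, so the removed `<dependency>` there could not be reviewed.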
......@@ -13,15 +13,14 @@
<artifactId>entitlements-v2-azure</artifactId>
<properties>
<core-lib-azure.version>0.6.2</core-lib-azure.version>
<reactor.netty.version>0.9.5.RELEASE</reactor.netty.version>
<reactor.core.version>3.3.0.RELEASE</reactor.core.version>
<core-lib-azure.version>0.9.0-rc2</core-lib-azure.version>
<gremlin.version>3.4.10</gremlin.version>
<redisson.version>3.15.3</redisson.version>
<resilience4j.version>1.7.0</resilience4j.version>
<embedded-resdis.version>0.7.1</embedded-resdis.version>
<awaitility.version>3.0.0</awaitility.version>
<awaitility.proxy.version>3.0.0</awaitility.proxy.version>
<json-smart.version>2.4.6</json-smart.version>
</properties>
<dependencies>
......@@ -31,28 +30,11 @@
<version>${project.version}</version>
</dependency>
<!--
Old versions of 'com.nimbusds:oauth2-oidc-sdk' and 'com.microsoft.azure:msal4j' are excluded
because they cannot work with Spring Boot version 2.4.x
New version of 'com.microsoft.azure:msal4j' is added to work with Spring Boot version 2.4.x
Stay tuned for a new version of 'com.azure:azure-identity', they started releasing updates, but it's still in beta.
More details here: https://github.com/Azure/azure-sdk-for-java
-->
<dependency>
<groupId>org.opengroup.osdu</groupId>
<artifactId>core-lib-azure</artifactId>
<version>${core-lib-azure.version}</version>
<exclusions>
<exclusion>
<groupId>com.nimbusds</groupId>
<artifactId>oauth2-oidc-sdk</artifactId>
</exclusion>
<exclusion>
<groupId>com.microsoft.azure</groupId>
<artifactId>msal4j</artifactId>
</exclusion>
<!--
Excluding simple-xml because:
There’s a library called xpp3 (the Xml Pull Parser) originally developed by Indiana University’s Extreme! Computing group.
......@@ -71,10 +53,14 @@
</exclusion>
</exclusions>
</dependency>
<!--
Many dependencies contain library with vulnerabilities: net.minidev:json-smart:jar:2.3
because of that we need to enforce the higher version
-->
<dependency>
<groupId>com.microsoft.azure</groupId>
<artifactId>msal4j</artifactId>
<version>1.9.1</version>
<groupId>net.minidev</groupId>
<artifactId>json-smart</artifactId>
<version>${json-smart.version}</version>
</dependency>
<dependency>
......@@ -90,7 +76,6 @@
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>${spring-boot-dependencies.version}</version>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
......@@ -131,22 +116,15 @@
<groupId>org.apache.tinkerpop</groupId>
<artifactId>gremlin-groovy</artifactId>
<version>${gremlin.version}</version>
</dependency>
<!--
Override the spring-boot version of these dependencies to the ones
required by the azure-core library. This needs to be done for each
app that depends on this library
-->
<dependency>
<groupId>io.projectreactor.netty</groupId>
<artifactId>reactor-netty</artifactId>
<version>${reactor.netty.version}</version>
</dependency>
<dependency>
<groupId>io.projectreactor</groupId>
<artifactId>reactor-core</artifactId>
<version>${reactor.core.version}</version>
<exclusions>
<!--
Excluding org.apache.ivy:ivy:jar:2.3.0 because it has security bugs
-->
<exclusion>
<groupId>org.apache.ivy</groupId>
<artifactId>ivy</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
......@@ -165,7 +143,6 @@
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<version>${spring-boot-dependencies.version}</version>
<scope>test</scope>
<exclusions>
<exclusion>
......
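Review bot: Forcing `net.minidev:json-smart` `2.4.6` as a direct `<dependency>` (the block after `core-lib-azure`) does win by nearest-first in this module, but it also adds json-smart to this module's own compile classpath and does nothing for sibling modules that inherit the same vulnerable transitive; the intended mechanism is a `<dependencyManagement>` entry, ideally in the parent, so every module converges on one pinned version — then verify with `mvn dependency:tree -Dincludes=net.minidev` that `2.3` is gone everywhere. The `org.apache.ivy:ivy` exclusion from `gremlin-groovy` is justified only as "has security bugs"; gremlin-groovy presumably needs Ivy only for Groovy Grape/`@Grab` resolution in its script engine, so say so and name the advisory, e.g. `<!-- ivy excluded (advisory id here); only used by Groovy Grape/@Grab, which this service does not use -->`. Dropping the `msal4j`/`oauth2-oidc-sdk` exclusions and the explicit msal4j `1.9.1` now relies on `core-lib-azure 0.9.0-rc2` (a release candidate) to supply compatible, non-vulnerable versions, so the resolved versions should be checked to be at least the ones previously forced.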
package org.opengroup.osdu.entitlements.v2.azure.spi.gremlin.listmember;
import org.apache.tinkerpop.gremlin.process.traversal.dsl.graph.GraphTraversalSource;
import org.apache.tinkerpop.gremlin.structure.Vertex;
import org.junit.After;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.opengroup.osdu.entitlements.v2.azure.config.CacheConfig;
import org.opengroup.osdu.entitlements.v2.azure.spi.gremlin.addmember.AddMemberRepoGremlin;
import org.opengroup.osdu.entitlements.v2.azure.spi.gremlin.connection.GremlinConnector;
import org.opengroup.osdu.entitlements.v2.azure.spi.gremlin.constant.EdgePropertyNames;
import org.opengroup.osdu.entitlements.v2.azure.spi.gremlin.constant.VertexPropertyNames;
import org.opengroup.osdu.entitlements.v2.logging.AuditLogger;
import org.opengroup.osdu.entitlements.v2.model.ChildrenReference;
......@@ -44,6 +43,13 @@ public class ListMemberRepoGremlinTest {
@MockBean
private CacheConfig cacheConfig;
@After
public void cleanup() {
GraphTraversalSource graphTraversalSource = gremlinConnector.getGraphTraversalSource();
graphTraversalSource.V().drop().iterate();
graphTraversalSource.E().drop().iterate();
}
@Test
public void shouldLoadDirectChildrenSuccessfully() {
GraphTraversalSource graphTraversalSource = gremlinConnector.getGraphTraversalSource();
......
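Review bot: In the new `cleanup()`, `graphTraversalSource.E().drop().iterate()` runs after `V().drop().iterate()` and is expected to be a no-op, since removing a vertex in TinkerPop also removes its incident edges; either keep only the vertex drop or, if a belt-and-braces sweep is wanted, drop edges first so each statement does real work. More importantly this method wipes every vertex and edge of whatever graph `gremlinConnector` is configured against; if the test profile can ever point at a shared or non-local graph that is a destructive footgun, so document it and, if the connector exposes it, assert that the connection is the embedded/test instance: `// destructive: drops the whole graph — only safe against the in-memory test graph`. The enclosing `ListMemberRepoGremlinTest` class starts and ends outside this hunk.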
......@@ -8,7 +8,6 @@
<maven.compiler.source>${java.version}</maven.compiler.source>
<redisson.version>3.13.2</redisson.version>
<protobuf-java.version>3.12.4</protobuf-java.version>
<org.springframework.boot.version>2.4.4</org.springframework.boot.version>
<io.undertow.version>2.2.0.Final</io.undertow.version>
<commons-codec.version>1.15</commons-codec.version>
</properties>
......@@ -109,7 +108,6 @@
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<version>${org.springframework.boot.version}</version>
<exclusions>
<exclusion>
<artifactId>tomcat-embed-el</artifactId>
......@@ -128,7 +126,6 @@
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-undertow</artifactId>
<version>${org.springframework.boot.version}</version>
<exclusions>
<exclusion>
<groupId>io.undertow</groupId>
......@@ -162,12 +159,10 @@
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId>
<version>${org.springframework.boot.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId>
<version>${org.springframework.boot.version}</version>
</dependency>
<dependency>
<groupId>com.dslplatform</groupId>
......@@ -215,7 +210,6 @@
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<version>${org.springframework.boot.version}</version>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
......
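Review bot: With `${org.springframework.boot.version}` removed, the pinned properties left in this pom are now the only local overrides, and two of them disagree with the rest of the commit: `<redisson.version>3.13.2</redisson.version>` here (and in the first pom) versus `3.15.3` in the Azure pom, and `<io.undertow.version>2.2.0.Final</io.undertow.version>`, which — if it is what the excluded-and-re-added undertow artifacts resolve to — is an older 2.2.x release than the one Spring Boot 2.4.x manages. For a commit titled "Fix security issues", align `redisson.version` across modules (or manage it once in the parent BOM) and either drop `io.undertow.version` in favour of the BOM-managed version or document why the older pin is kept: `<!-- undertow pinned below the BOM version because …; re-evaluate on the next Boot upgrade -->`.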