Merge branch 'fix_deps' into 'master'

Fix security issues

See merge request !74

entitlements-v2-core/pom.xml

@@ -8,8 +8,6 @@
         <maven.compiler.source>${java.version}</maven.compiler.source>
         <redisson.version>3.13.2</redisson.version>
         <protobuf-java.version>3.12.4</protobuf-java.version>
-        <org.springframework.boot.version>2.4.4</org.springframework.boot.version>
-        <commons-codec.version>1.15</commons-codec.version>
         <!-- When upgrading springfox version make sure to verify how the updated UI is displayed.
          Latest versions of springfox library have issues with displaying content
         -->
@@ -36,17 +34,14 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
-            <version>${org.springframework.boot.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-validation</artifactId>
-            <version>${org.springframework.boot.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-security</artifactId>
-            <version>${org.springframework.boot.version}</version>
         </dependency>
         <dependency>
             <groupId>com.dslplatform</groupId>
@@ -58,6 +53,15 @@
             <groupId>io.springfox</groupId>
             <artifactId>springfox-swagger2</artifactId>
             <version>${springfox-version}</version>
+            <exclusions>
+                <exclusion>
+                    <!--
+                    Excluding com.google.guava:guava:jar:18.0, because it has security vulnerability
+                    -->
+                    <groupId>com.google.guava</groupId>
+                    <artifactId>guava</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>io.springfox</groupId>
@@ -75,7 +79,6 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>
             <scope>test</scope>
-            <version>${org.springframework.boot.version}</version>
             <exclusions>
                 <exclusion>
                     <groupId>org.junit.vintage</groupId>

pom.xml

@@ -3,12 +3,11 @@
     <modelVersion>4.0.0</modelVersion>
 
     <properties>
-        <os-core-common.version>0.9.0-rc3</os-core-common.version>
+        <os-core-common.version>0.9.0-rc7</os-core-common.version>
         <java.version>1.8</java.version>
         <maven.compiler.target>1.8</maven.compiler.target>
         <maven.compiler.source>1.8</maven.compiler.source>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <spring-boot-dependencies.version>2.4.4</spring-boot-dependencies.version>
     </properties>
 
     <groupId>org.opengroup.osdu.entitlements.v2</groupId>
@@ -36,9 +35,9 @@
     <dependencyManagement>
         <dependencies>
             <dependency>
-                <groupId>org.springframework.boot</groupId>
-                <artifactId>spring-boot-dependencies</artifactId>
-                <version>${spring-boot-dependencies.version}</version>
+                <groupId>org.opengroup.osdu</groupId>
+                <artifactId>os-core-common</artifactId>
+                <version>${os-core-common.version}</version>
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
@@ -46,6 +45,20 @@
                 <groupId>org.opengroup.osdu</groupId>
                 <artifactId>os-core-common</artifactId>
                 <version>${os-core-common.version}</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.elasticsearch.client</groupId>
+                        <artifactId>elasticsearch-rest-client</artifactId>
+                    </exclusion>
+                    <exclusion>
+                        <groupId>org.elasticsearch</groupId>
+                        <artifactId>elasticsearch</artifactId>
+                    </exclusion>
+                    <exclusion>
+                        <groupId>org.elasticsearch.client</groupId>
+                        <artifactId>elasticsearch-rest-high-level-client</artifactId>
+                    </exclusion>
+                </exclusions>
             </dependency>
         </dependencies>
     </dependencyManagement>

provider/entitlements-v2-aws/pom.xml

@@ -18,7 +18,6 @@
         <reactor.core.version>3.3.0.RELEASE</reactor.core.version>
         <springfox-version>2.7.0</springfox-version>
         <tomcat-embed-core.version>9.0.37</tomcat-embed-core.version>
-        <org.springframework.boot.version>2.4.4</org.springframework.boot.version>
     </properties>
 
     <dependencies>
@@ -79,8 +78,6 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
-            <!--<version>2.4.0</version>-->
-            <version>${spring-boot-dependencies.version}</version>
             <exclusions>
                 <exclusion>
                     <groupId>org.springframework.boot</groupId>
@@ -119,9 +116,6 @@
             <artifactId>spring-security-oauth2-jose</artifactId>
         </dependency>
 
-
-
-
         <dependency>
             <groupId>io.projectreactor.netty</groupId>
             <artifactId>reactor-netty</artifactId>
@@ -149,7 +143,6 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>
-            <version>${spring-boot-dependencies.version}</version>
             <scope>test</scope>
             <exclusions>
                 <exclusion>

provider/entitlements-v2-azure/pom.xml

@@ -13,15 +13,14 @@
     <artifactId>entitlements-v2-azure</artifactId>
 
     <properties>
-        <core-lib-azure.version>0.6.2</core-lib-azure.version>
-        <reactor.netty.version>0.9.5.RELEASE</reactor.netty.version>
-        <reactor.core.version>3.3.0.RELEASE</reactor.core.version>
+        <core-lib-azure.version>0.9.0-rc2</core-lib-azure.version>
         <gremlin.version>3.4.10</gremlin.version>
         <redisson.version>3.15.3</redisson.version>
         <resilience4j.version>1.7.0</resilience4j.version>
         <embedded-resdis.version>0.7.1</embedded-resdis.version>
         <awaitility.version>3.0.0</awaitility.version>
         <awaitility.proxy.version>3.0.0</awaitility.proxy.version>
+        <json-smart.version>2.4.6</json-smart.version>
     </properties>
 
     <dependencies>
@@ -31,28 +30,11 @@
             <version>${project.version}</version>
         </dependency>
 
-        <!--
-        Old versions of 'com.nimbusds:oauth2-oidc-sdk' and 'com.microsoft.azure:msal4j' are excluded
-        because they cannot work with Spring Boot version 2.4.x
-
-        New version of 'com.microsoft.azure:msal4j' is added to work with Spring Boot version 2.4.x
-
-        Stay tuned for a new version of 'com.azure:azure-identity', they started releasing updates, but it's still in beta.
-        More details here: https://github.com/Azure/azure-sdk-for-java
-        -->
         <dependency>
             <groupId>org.opengroup.osdu</groupId>
             <artifactId>core-lib-azure</artifactId>
             <version>${core-lib-azure.version}</version>
             <exclusions>
-                <exclusion>
-                    <groupId>com.nimbusds</groupId>
-                    <artifactId>oauth2-oidc-sdk</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>com.microsoft.azure</groupId>
-                    <artifactId>msal4j</artifactId>
-                </exclusion>
                 <!--
                 Excluding simple-xml because:
                 There’s a library called xpp3 (the Xml Pull Parser) originally developed by Indiana University’s Extreme! Computing group.
@@ -71,10 +53,14 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <!--
+        Many dependencies contain library with vulnerabilities: net.minidev:json-smart:jar:2.3
+        because of that we need to enforce the higher version
+        -->
         <dependency>
-            <groupId>com.microsoft.azure</groupId>
-            <artifactId>msal4j</artifactId>
-            <version>1.9.1</version>
+            <groupId>net.minidev</groupId>
+            <artifactId>json-smart</artifactId>
+            <version>${json-smart.version}</version>
         </dependency>
 
         <dependency>
@@ -90,7 +76,6 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
-            <version>${spring-boot-dependencies.version}</version>
             <exclusions>
                 <exclusion>
                     <groupId>org.springframework.boot</groupId>
@@ -131,22 +116,15 @@
             <groupId>org.apache.tinkerpop</groupId>
             <artifactId>gremlin-groovy</artifactId>
             <version>${gremlin.version}</version>
-        </dependency>
-
-        <!--
-		 Override the spring-boot version of these dependencies to the ones
-		 required by the azure-core library. This needs to be done for each
-		 app that depends on this library
- 		-->
-        <dependency>
-            <groupId>io.projectreactor.netty</groupId>
-            <artifactId>reactor-netty</artifactId>
-            <version>${reactor.netty.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>io.projectreactor</groupId>
-            <artifactId>reactor-core</artifactId>
-            <version>${reactor.core.version}</version>
+            <exclusions>
+                <!--
+                Excluding org.apache.ivy:ivy:jar:2.3.0 because it has security bugs
+                -->
+                <exclusion>
+                    <groupId>org.apache.ivy</groupId>
+                    <artifactId>ivy</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
 
         <dependency>
@@ -165,7 +143,6 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>
-            <version>${spring-boot-dependencies.version}</version>
             <scope>test</scope>
             <exclusions>
                 <exclusion>

provider/entitlements-v2-azure/src/test/java/org/opengroup/osdu/entitlements/v2/azure/spi/gremlin/listmember/ListMemberRepoGremlinTest.java

 package org.opengroup.osdu.entitlements.v2.azure.spi.gremlin.listmember;
 
 import org.apache.tinkerpop.gremlin.process.traversal.dsl.graph.GraphTraversalSource;
-import org.apache.tinkerpop.gremlin.structure.Vertex;
+import org.junit.After;
 import org.junit.Assert;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.opengroup.osdu.entitlements.v2.azure.config.CacheConfig;
 import org.opengroup.osdu.entitlements.v2.azure.spi.gremlin.addmember.AddMemberRepoGremlin;
 import org.opengroup.osdu.entitlements.v2.azure.spi.gremlin.connection.GremlinConnector;
-import org.opengroup.osdu.entitlements.v2.azure.spi.gremlin.constant.EdgePropertyNames;
 import org.opengroup.osdu.entitlements.v2.azure.spi.gremlin.constant.VertexPropertyNames;
 import org.opengroup.osdu.entitlements.v2.logging.AuditLogger;
 import org.opengroup.osdu.entitlements.v2.model.ChildrenReference;
@@ -44,6 +43,13 @@ public class ListMemberRepoGremlinTest {
     @MockBean
     private CacheConfig cacheConfig;
 
+    @After
+    public void cleanup() {
+        GraphTraversalSource graphTraversalSource = gremlinConnector.getGraphTraversalSource();
+        graphTraversalSource.V().drop().iterate();
+        graphTraversalSource.E().drop().iterate();
+    }
+
     @Test
     public void shouldLoadDirectChildrenSuccessfully() {
         GraphTraversalSource graphTraversalSource = gremlinConnector.getGraphTraversalSource();

provider/entitlements-v2-gcp/pom.xml

@@ -8,7 +8,6 @@
         <maven.compiler.source>${java.version}</maven.compiler.source>
         <redisson.version>3.13.2</redisson.version>
         <protobuf-java.version>3.12.4</protobuf-java.version>
-        <org.springframework.boot.version>2.4.4</org.springframework.boot.version>
         <io.undertow.version>2.2.0.Final</io.undertow.version>
         <commons-codec.version>1.15</commons-codec.version>
     </properties>
@@ -109,7 +108,6 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
-            <version>${org.springframework.boot.version}</version>
             <exclusions>
                 <exclusion>
                     <artifactId>tomcat-embed-el</artifactId>
@@ -128,7 +126,6 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-undertow</artifactId>
-            <version>${org.springframework.boot.version}</version>
             <exclusions>
                 <exclusion>
                     <groupId>io.undertow</groupId>
@@ -162,12 +159,10 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-validation</artifactId>
-            <version>${org.springframework.boot.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-security</artifactId>
-            <version>${org.springframework.boot.version}</version>
         </dependency>
         <dependency>
             <groupId>com.dslplatform</groupId>
@@ -215,7 +210,6 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>
             <scope>test</scope>
-            <version>${org.springframework.boot.version}</version>
             <exclusions>
                 <exclusion>
                     <groupId>org.junit.vintage</groupId>