Commit 6e317159 authored by Rostislav Vatolin [SLB]'s avatar Rostislav Vatolin [SLB]

Merge branch 'fix_deps' into 'master'

Fix security issues

See merge request !74
parents e6f4a5d4 517913df
...@@ -8,8 +8,6 @@ ...@@ -8,8 +8,6 @@
<maven.compiler.source>${java.version}</maven.compiler.source> <maven.compiler.source>${java.version}</maven.compiler.source>
<redisson.version>3.13.2</redisson.version> <redisson.version>3.13.2</redisson.version>
<protobuf-java.version>3.12.4</protobuf-java.version> <protobuf-java.version>3.12.4</protobuf-java.version>
<org.springframework.boot.version>2.4.4</org.springframework.boot.version>
<commons-codec.version>1.15</commons-codec.version>
<!-- When upgrading springfox version make sure to verify how the updated UI is displayed. <!-- When upgrading springfox version make sure to verify how the updated UI is displayed.
Latest versions of springfox library have issues with displaying content Latest versions of springfox library have issues with displaying content
--> -->
...@@ -36,17 +34,14 @@ ...@@ -36,17 +34,14 @@
<dependency> <dependency>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId> <artifactId>spring-boot-starter-web</artifactId>
<version>${org.springframework.boot.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId> <artifactId>spring-boot-starter-validation</artifactId>
<version>${org.springframework.boot.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId> <artifactId>spring-boot-starter-security</artifactId>
<version>${org.springframework.boot.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>com.dslplatform</groupId> <groupId>com.dslplatform</groupId>
...@@ -58,6 +53,15 @@ ...@@ -58,6 +53,15 @@
<groupId>io.springfox</groupId> <groupId>io.springfox</groupId>
<artifactId>springfox-swagger2</artifactId> <artifactId>springfox-swagger2</artifactId>
<version>${springfox-version}</version> <version>${springfox-version}</version>
<exclusions>
<exclusion>
<!--
Excluding com.google.guava:guava:jar:18.0, because it has security vulnerability
-->
<groupId>com.google.guava</groupId>
<artifactId>guava</artifactId>
</exclusion>
</exclusions>
</dependency> </dependency>
<dependency> <dependency>
<groupId>io.springfox</groupId> <groupId>io.springfox</groupId>
...@@ -75,7 +79,6 @@ ...@@ -75,7 +79,6 @@
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId> <artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope> <scope>test</scope>
<version>${org.springframework.boot.version}</version>
<exclusions> <exclusions>
<exclusion> <exclusion>
<groupId>org.junit.vintage</groupId> <groupId>org.junit.vintage</groupId>
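Review bot: The guava exclusion added under springfox-swagger2 removes the guava that artifact pulls in but does not put a replacement anywhere in this hunk, so the build now depends on some other dependency or the imported BOM happening to supply a guava that springfox 2.x can still load at runtime; if nothing does, the failure only appears as a missing class when Swagger initialises. The comment also names the vulnerable version but not where the fixed one comes from, which is the part the next maintainer needs. Suggested wording in place of the current comment: `<!-- Exclude guava 18.0 (known vulnerable); the newer guava is expected from <SUPPLIER-ARTIFACT> - confirm with mvn dependency:tree -->`, or pin guava explicitly in dependencyManagement so the choice is recorded rather than incidental. The enclosing dependencies element starts and ends outside the hunk.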
...@@ -3,12 +3,11 @@ ...@@ -3,12 +3,11 @@
<modelVersion>4.0.0</modelVersion> <modelVersion>4.0.0</modelVersion>
<properties> <properties>
<os-core-common.version>0.9.0-rc3</os-core-common.version> <os-core-common.version>0.9.0-rc7</os-core-common.version>
<java.version>1.8</java.version> <java.version>1.8</java.version>
<maven.compiler.target>1.8</maven.compiler.target> <maven.compiler.target>1.8</maven.compiler.target>
<maven.compiler.source>1.8</maven.compiler.source> <maven.compiler.source>1.8</maven.compiler.source>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<spring-boot-dependencies.version>2.4.4</spring-boot-dependencies.version>
</properties> </properties>
<groupId>org.opengroup.osdu.entitlements.v2</groupId> <groupId>org.opengroup.osdu.entitlements.v2</groupId>
...@@ -36,9 +35,9 @@ ...@@ -36,9 +35,9 @@
<dependencyManagement> <dependencyManagement>
<dependencies> <dependencies>
<dependency> <dependency>
<groupId>org.springframework.boot</groupId> <groupId>org.opengroup.osdu</groupId>
<artifactId>spring-boot-dependencies</artifactId> <artifactId>os-core-common</artifactId>
<version>${spring-boot-dependencies.version}</version> <version>${os-core-common.version}</version>
<type>pom</type> <type>pom</type>
<scope>import</scope> <scope>import</scope>
</dependency> </dependency>
...@@ -46,6 +45,20 @@ ...@@ -46,6 +45,20 @@
<groupId>org.opengroup.osdu</groupId> <groupId>org.opengroup.osdu</groupId>
<artifactId>os-core-common</artifactId> <artifactId>os-core-common</artifactId>
<version>${os-core-common.version}</version> <version>${os-core-common.version}</version>
<exclusions>
<exclusion>
<groupId>org.elasticsearch.client</groupId>
<artifactId>elasticsearch-rest-client</artifactId>
</exclusion>
<exclusion>
<groupId>org.elasticsearch</groupId>
<artifactId>elasticsearch</artifactId>
</exclusion>
<exclusion>
<groupId>org.elasticsearch.client</groupId>
<artifactId>elasticsearch-rest-high-level-client</artifactId>
</exclusion>
</exclusions>
</dependency> </dependency>
</dependencies> </dependencies>
</dependencyManagement> </dependencyManagement>
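Review bot: Replacing the imported spring-boot-dependencies 2.4.4 BOM with the os-core-common 0.9.0-rc7 BOM in the dependencyManagement hunk means the Spring Boot, Spring Security and servlet-container versions every module resolves are now whatever that release-candidate POM imports, and nothing left in this tree records what those are; the `spring-boot-dependencies.version` property removed in the first hunk was the last explicit statement of the Spring Boot line. A short comment above the import would keep that visible: `<!-- Spring Boot and related versions are managed through the os-core-common BOM; check its effective pom (mvn help:effective-pom) before upgrading -->`. The three elasticsearch exclusions in the last hunk carry no reason, unlike the guava and ivy exclusions elsewhere in this commit; a one-line `<!-- excluded because: <REASON> -->` on each would make the intent reviewable later.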
...@@ -18,7 +18,6 @@ ...@@ -18,7 +18,6 @@
<reactor.core.version>3.3.0.RELEASE</reactor.core.version> <reactor.core.version>3.3.0.RELEASE</reactor.core.version>
<springfox-version>2.7.0</springfox-version> <springfox-version>2.7.0</springfox-version>
<tomcat-embed-core.version>9.0.37</tomcat-embed-core.version> <tomcat-embed-core.version>9.0.37</tomcat-embed-core.version>
<org.springframework.boot.version>2.4.4</org.springframework.boot.version>
</properties> </properties>
<dependencies> <dependencies>
...@@ -79,8 +78,6 @@ ...@@ -79,8 +78,6 @@
<dependency> <dependency>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId> <artifactId>spring-boot-starter-web</artifactId>
<!--<version>2.4.0</version>-->
<version>${spring-boot-dependencies.version}</version>
<exclusions> <exclusions>
<exclusion> <exclusion>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
...@@ -119,9 +116,6 @@ ...@@ -119,9 +116,6 @@
<artifactId>spring-security-oauth2-jose</artifactId> <artifactId>spring-security-oauth2-jose</artifactId>
</dependency> </dependency>
<dependency> <dependency>
<groupId>io.projectreactor.netty</groupId> <groupId>io.projectreactor.netty</groupId>
<artifactId>reactor-netty</artifactId> <artifactId>reactor-netty</artifactId>
...@@ -149,7 +143,6 @@ ...@@ -149,7 +143,6 @@
<dependency> <dependency>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId> <artifactId>spring-boot-starter-test</artifactId>
<version>${spring-boot-dependencies.version}</version>
<scope>test</scope> <scope>test</scope>
<exclusions> <exclusions>
<exclusion> <exclusion>
...@@ -13,15 +13,14 @@ ...@@ -13,15 +13,14 @@
<artifactId>entitlements-v2-azure</artifactId> <artifactId>entitlements-v2-azure</artifactId>
<properties> <properties>
<core-lib-azure.version>0.6.2</core-lib-azure.version> <core-lib-azure.version>0.9.0-rc2</core-lib-azure.version>
<reactor.netty.version>0.9.5.RELEASE</reactor.netty.version>
<reactor.core.version>3.3.0.RELEASE</reactor.core.version>
<gremlin.version>3.4.10</gremlin.version> <gremlin.version>3.4.10</gremlin.version>
<redisson.version>3.15.3</redisson.version> <redisson.version>3.15.3</redisson.version>
<resilience4j.version>1.7.0</resilience4j.version> <resilience4j.version>1.7.0</resilience4j.version>
<embedded-resdis.version>0.7.1</embedded-resdis.version> <embedded-resdis.version>0.7.1</embedded-resdis.version>
<awaitility.version>3.0.0</awaitility.version> <awaitility.version>3.0.0</awaitility.version>
<awaitility.proxy.version>3.0.0</awaitility.proxy.version> <awaitility.proxy.version>3.0.0</awaitility.proxy.version>
<json-smart.version>2.4.6</json-smart.version>
</properties> </properties>
<dependencies> <dependencies>
...@@ -31,28 +30,11 @@ ...@@ -31,28 +30,11 @@
<version>${project.version}</version> <version>${project.version}</version>
</dependency> </dependency>
<!--
Old versions of 'com.nimbusds:oauth2-oidc-sdk' and 'com.microsoft.azure:msal4j' are excluded
because they cannot work with Spring Boot version 2.4.x
New version of 'com.microsoft.azure:msal4j' is added to work with Spring Boot version 2.4.x
Stay tuned for a new version of 'com.azure:azure-identity', they started releasing updates, but it's still in beta.
More details here: https://github.com/Azure/azure-sdk-for-java
-->
<dependency> <dependency>
<groupId>org.opengroup.osdu</groupId> <groupId>org.opengroup.osdu</groupId>
<artifactId>core-lib-azure</artifactId> <artifactId>core-lib-azure</artifactId>
<version>${core-lib-azure.version}</version> <version>${core-lib-azure.version}</version>
<exclusions> <exclusions>
<exclusion>
<groupId>com.nimbusds</groupId>
<artifactId>oauth2-oidc-sdk</artifactId>
</exclusion>
<exclusion>
<groupId>com.microsoft.azure</groupId>
<artifactId>msal4j</artifactId>
</exclusion>
<!-- <!--
Excluding simple-xml because: Excluding simple-xml because:
There’s a library called xpp3 (the Xml Pull Parser) originally developed by Indiana University’s Extreme! Computing group. There’s a library called xpp3 (the Xml Pull Parser) originally developed by Indiana University’s Extreme! Computing group.
...@@ -71,10 +53,14 @@ ...@@ -71,10 +53,14 @@
</exclusion> </exclusion>
</exclusions> </exclusions>
</dependency> </dependency>
<!--
Many dependencies contain library with vulnerabilities: net.minidev:json-smart:jar:2.3
because of that we need to enforce the higher version
-->
<dependency> <dependency>
<groupId>com.microsoft.azure</groupId> <groupId>net.minidev</groupId>
<artifactId>msal4j</artifactId> <artifactId>json-smart</artifactId>
<version>1.9.1</version> <version>${json-smart.version}</version>
</dependency> </dependency>
<dependency> <dependency>
...@@ -90,7 +76,6 @@ ...@@ -90,7 +76,6 @@
<dependency> <dependency>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId> <artifactId>spring-boot-starter-web</artifactId>
<version>${spring-boot-dependencies.version}</version>
<exclusions> <exclusions>
<exclusion> <exclusion>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
...@@ -131,22 +116,15 @@ ...@@ -131,22 +116,15 @@
<groupId>org.apache.tinkerpop</groupId> <groupId>org.apache.tinkerpop</groupId>
<artifactId>gremlin-groovy</artifactId> <artifactId>gremlin-groovy</artifactId>
<version>${gremlin.version}</version> <version>${gremlin.version}</version>
</dependency> <exclusions>
<!--
<!-- Excluding org.apache.ivy:ivy:jar:2.3.0 because it has security bugs
Override the spring-boot version of these dependencies to the ones -->
required by the azure-core library. This needs to be done for each <exclusion>
app that depends on this library <groupId>org.apache.ivy</groupId>
--> <artifactId>ivy</artifactId>
<dependency> </exclusion>
<groupId>io.projectreactor.netty</groupId> </exclusions>
<artifactId>reactor-netty</artifactId>
<version>${reactor.netty.version}</version>
</dependency>
<dependency>
<groupId>io.projectreactor</groupId>
<artifactId>reactor-core</artifactId>
<version>${reactor.core.version}</version>
</dependency> </dependency>
<dependency> <dependency>
...@@ -165,7 +143,6 @@ ...@@ -165,7 +143,6 @@
<dependency> <dependency>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId> <artifactId>spring-boot-starter-test</artifactId>
<version>${spring-boot-dependencies.version}</version>
<scope>test</scope> <scope>test</scope>
<exclusions> <exclusions>
<exclusion> <exclusion>
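Review bot: The json-smart override is declared as a direct dependency, which does force 2.4.6 by nearest-wins but also makes json-smart part of this module's own compile classpath even though no code here is shown using it; declaring it under dependencyManagement pins every transitive path to the same version without adding a direct dependency. The comment above it gives the reason, which is good; the ivy exclusion under gremlin-groovy says only "security bugs" and would be easier to audit as `<!-- Exclude org.apache.ivy:ivy 2.3.0 - see advisory <ADVISORY-ID>; Grape/@Grab is not used here -->`, assuming that last part holds, since ivy is what Groovy's Grape resolver relies on. If the module has no dependencyManagement block yet, the pin would look like the following.
```xml
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>net.minidev</groupId>
      <artifactId>json-smart</artifactId>
      <version>${json-smart.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>
<!-- … unchanged: dependencies block … -->
```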
package org.opengroup.osdu.entitlements.v2.azure.spi.gremlin.listmember; package org.opengroup.osdu.entitlements.v2.azure.spi.gremlin.listmember;
import org.apache.tinkerpop.gremlin.process.traversal.dsl.graph.GraphTraversalSource; import org.apache.tinkerpop.gremlin.process.traversal.dsl.graph.GraphTraversalSource;
import org.apache.tinkerpop.gremlin.structure.Vertex; import org.junit.After;
import org.junit.Assert; import org.junit.Assert;
import org.junit.Test; import org.junit.Test;
import org.junit.runner.RunWith; import org.junit.runner.RunWith;
import org.opengroup.osdu.entitlements.v2.azure.config.CacheConfig; import org.opengroup.osdu.entitlements.v2.azure.config.CacheConfig;
import org.opengroup.osdu.entitlements.v2.azure.spi.gremlin.addmember.AddMemberRepoGremlin; import org.opengroup.osdu.entitlements.v2.azure.spi.gremlin.addmember.AddMemberRepoGremlin;
import org.opengroup.osdu.entitlements.v2.azure.spi.gremlin.connection.GremlinConnector; import org.opengroup.osdu.entitlements.v2.azure.spi.gremlin.connection.GremlinConnector;
import org.opengroup.osdu.entitlements.v2.azure.spi.gremlin.constant.EdgePropertyNames;
import org.opengroup.osdu.entitlements.v2.azure.spi.gremlin.constant.VertexPropertyNames; import org.opengroup.osdu.entitlements.v2.azure.spi.gremlin.constant.VertexPropertyNames;
import org.opengroup.osdu.entitlements.v2.logging.AuditLogger; import org.opengroup.osdu.entitlements.v2.logging.AuditLogger;
import org.opengroup.osdu.entitlements.v2.model.ChildrenReference; import org.opengroup.osdu.entitlements.v2.model.ChildrenReference;
...@@ -44,6 +43,13 @@ public class ListMemberRepoGremlinTest { ...@@ -44,6 +43,13 @@ public class ListMemberRepoGremlinTest {
@MockBean @MockBean
private CacheConfig cacheConfig; private CacheConfig cacheConfig;
@After
public void cleanup() {
GraphTraversalSource graphTraversalSource = gremlinConnector.getGraphTraversalSource();
graphTraversalSource.V().drop().iterate();
graphTraversalSource.E().drop().iterate();
}
@Test @Test
public void shouldLoadDirectChildrenSuccessfully() { public void shouldLoadDirectChildrenSuccessfully() {
GraphTraversalSource graphTraversalSource = gremlinConnector.getGraphTraversalSource(); GraphTraversalSource graphTraversalSource = gremlinConnector.getGraphTraversalSource();
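Review bot: The new cleanup() drops every vertex and every edge from whatever graph gremlinConnector returns, with nothing scoping it to data the test created, so it is only safe while the test context wires gremlinConnector to an isolated graph; that precondition should be stated on the method. Dropping a vertex in TinkerPop also removes its incident edges, so the `graphTraversalSource.E().drop().iterate();` line should be redundant after `V().drop()` — harmless, but worth a word so nobody reads it as needed. Suggested comment above the annotation: `// Wipes the whole graph behind gremlinConnector after each test so tests stay independent; must only run against the test-scoped graph`. The enclosing class ListMemberRepoGremlinTest starts outside the hunk.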
...@@ -8,7 +8,6 @@ ...@@ -8,7 +8,6 @@
<maven.compiler.source>${java.version}</maven.compiler.source> <maven.compiler.source>${java.version}</maven.compiler.source>
<redisson.version>3.13.2</redisson.version> <redisson.version>3.13.2</redisson.version>
<protobuf-java.version>3.12.4</protobuf-java.version> <protobuf-java.version>3.12.4</protobuf-java.version>
<org.springframework.boot.version>2.4.4</org.springframework.boot.version>
<io.undertow.version>2.2.0.Final</io.undertow.version> <io.undertow.version>2.2.0.Final</io.undertow.version>
<commons-codec.version>1.15</commons-codec.version> <commons-codec.version>1.15</commons-codec.version>
</properties> </properties>
...@@ -109,7 +108,6 @@ ...@@ -109,7 +108,6 @@
<dependency> <dependency>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId> <artifactId>spring-boot-starter-web</artifactId>
<version>${org.springframework.boot.version}</version>
<exclusions> <exclusions>
<exclusion> <exclusion>
<artifactId>tomcat-embed-el</artifactId> <artifactId>tomcat-embed-el</artifactId>
...@@ -128,7 +126,6 @@ ...@@ -128,7 +126,6 @@
<dependency> <dependency>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-undertow</artifactId> <artifactId>spring-boot-starter-undertow</artifactId>
<version>${org.springframework.boot.version}</version>
<exclusions> <exclusions>
<exclusion> <exclusion>
<groupId>io.undertow</groupId> <groupId>io.undertow</groupId>
...@@ -162,12 +159,10 @@ ...@@ -162,12 +159,10 @@
<dependency> <dependency>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-validation</artifactId> <artifactId>spring-boot-starter-validation</artifactId>
<version>${org.springframework.boot.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-security</artifactId> <artifactId>spring-boot-starter-security</artifactId>
<version>${org.springframework.boot.version}</version>
</dependency> </dependency>
<dependency> <dependency>
<groupId>com.dslplatform</groupId> <groupId>com.dslplatform</groupId>
...@@ -215,7 +210,6 @@ ...@@ -215,7 +210,6 @@
<groupId>org.springframework.boot</groupId> <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId> <artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope> <scope>test</scope>
<version>${org.springframework.boot.version}</version>
<exclusions> <exclusions>
<exclusion> <exclusion>
<groupId>org.junit.vintage</groupId> <groupId>org.junit.vintage</groupId>