From c12778896f75e86e2a1442c6df00921adab39112 Mon Sep 17 00:00:00 2001
From: Manish Jangid <msjangid@amazon.com>
Date: Fri, 20 Jan 2023 14:55:39 +0000
Subject: [PATCH] Fix spring vulnerabilities

---
 NOTICE                                        | 16 +++++++-------
 notification-core/pom.xml                     | 16 ++++----------
 pom.xml                                       |  2 +-
 provider/notification-aws/pom.xml             | 22 ++-----------------
 .../AwsPubsubRequestBodyExtractorTest.java    |  6 ++---
 5 files changed, 18 insertions(+), 44 deletions(-)

diff --git a/NOTICE b/NOTICE
index b3825be31..ccb4241fa 100644
--- a/NOTICE
+++ b/NOTICE
@@ -39,6 +39,7 @@ Apache-2.0
 ========================================================================
 The following software have components provided under the terms of this license:
 
+- AHC/Client (from https://repo1.maven.org/maven2/org/asynchttpclient/async-http-client)
 - AMQP 1.0 JMS Spring Boot AutoConfiguration (from https://repo1.maven.org/maven2/org/amqphub/spring/amqp-10-jms-spring-boot-autoconfigure)
 - AMQP 1.0 JMS Spring Boot Starter (from https://repo1.maven.org/maven2/org/amqphub/spring/amqp-10-jms-spring-boot-starter)
 - ASM based accessors helper used by json-smart (from https://urielch.github.io/)
@@ -77,10 +78,10 @@ The following software have components provided under the terms of this license:
 - Apache Log4j SLF4J Binding (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-slf4j-impl)
 - Apache Log4j to SLF4J Adapter (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-to-slf4j)
 - AssertJ Core (from ${project.organization.url}#${project.artifactId})
-- Asynchronous Http Client (from https://repo1.maven.org/maven2/org/asynchttpclient/async-http-client)
 - Asynchronous Http Client Netty Utils (from https://repo1.maven.org/maven2/org/asynchttpclient/async-http-client-netty-utils)
 - AutoValue Annotations (from https://github.com/google/auto/tree/master/value, https://repo1.maven.org/maven2/com/google/auto/value/auto-value-annotations)
 - BSON (from http://bsonspec.org, https://bsonspec.org)
+- BSON Record Codec (from https://www.mongodb.com/)
 - Bean Validation API (from http://beanvalidation.org)
 - Brave (from https://repo1.maven.org/maven2/io/zipkin/brave/brave)
 - Brave Instrumentation: Http Adapters (from https://repo1.maven.org/maven2/io/zipkin/brave/brave-instrumentation-http)
@@ -386,7 +387,7 @@ The following software have components provided under the terms of this license:
 - Hamcrest Core (from http://hamcrest.org/, http://hamcrest.org/JavaHamcrest/, https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core)
 - JBoss Jakarta Annotations API (from https://github.com/jboss/jboss-jakarta-annotations-api_spec)
 - Jackson module: Afterburner (from http://wiki.fasterxml.com/JacksonHome, https://github.com/FasterXML/jackson-modules-base)
-- Jakarta Activation API (from https://github.com/eclipse-ee4j/jaf, https://repo1.maven.org/maven2/jakarta/activation/jakarta.activation-api)
+- Jakarta Activation API (from https://github.com/eclipse-ee4j/jaf, https://github.com/jakartaee/jaf-api, https://repo1.maven.org/maven2/jakarta/activation/jakarta.activation-api)
 - Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
 - Jakarta WebSocket - Server API (from https://projects.eclipse.org/projects/ee4j.websocket, https://repo1.maven.org/maven2/org/jboss/spec/javax/websocket/jboss-websocket-api_1.1_spec)
 - Jakarta XML Binding API (from https://repo1.maven.org/maven2/jakarta/xml/bind/jakarta.xml.bind-api, https://repo1.maven.org/maven2/org/jboss/spec/javax/xml/bind/jboss-jaxb-api_2.3_spec)
@@ -462,7 +463,7 @@ The following software have components provided under the terms of this license:
 
 - Apache Log4j Core (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core)
 - Expression Language 3.0 (from http://el-spec.java.net, http://uel.java.net, https://projects.eclipse.org/projects/ee4j.el)
-- Jakarta Activation API (from https://github.com/eclipse-ee4j/jaf, https://repo1.maven.org/maven2/jakarta/activation/jakarta.activation-api)
+- Jakarta Activation API (from https://github.com/eclipse-ee4j/jaf, https://github.com/jakartaee/jaf-api, https://repo1.maven.org/maven2/jakarta/activation/jakarta.activation-api)
 - Java Architecture for XML Binding (from http://jaxb.java.net/, https://repo1.maven.org/maven2/javax/xml/bind/jaxb-api)
 - JavaBeans Activation Framework (from https://repo1.maven.org/maven2/com/sun/activation/javax.activation)
 - JavaBeans(TM) Activation Framework (from http://java.sun.com/javase/technologies/desktop/javabeans/jaf/index.jsp)
@@ -504,7 +505,7 @@ The following software have components provided under the terms of this license:
 - JUnit Jupiter Params (from http://junit.org/junit5/, https://junit.org/junit5/)
 - JUnit Platform Commons (from http://junit.org/junit5/, https://junit.org/junit5/)
 - JUnit Platform Engine API (from http://junit.org/junit5/, https://junit.org/junit5/)
-- Jakarta Activation API (from https://github.com/eclipse-ee4j/jaf, https://repo1.maven.org/maven2/jakarta/activation/jakarta.activation-api)
+- Jakarta Activation API (from https://github.com/eclipse-ee4j/jaf, https://github.com/jakartaee/jaf-api, https://repo1.maven.org/maven2/jakarta/activation/jakarta.activation-api)
 - Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
 - Jakarta Bean Validation API (from https://beanvalidation.org)
 - Jakarta Servlet (from https://javaee.github.io/servlet-spec/, https://projects.eclipse.org/projects/ee4j.servlet)
@@ -535,7 +536,7 @@ The following software have components provided under the terms of this license:
 - JUnit Jupiter Params (from http://junit.org/junit5/, https://junit.org/junit5/)
 - JUnit Platform Commons (from http://junit.org/junit5/, https://junit.org/junit5/)
 - JUnit Platform Engine API (from http://junit.org/junit5/, https://junit.org/junit5/)
-- Jakarta Activation API (from https://github.com/eclipse-ee4j/jaf, https://repo1.maven.org/maven2/jakarta/activation/jakarta.activation-api)
+- Jakarta Activation API (from https://github.com/eclipse-ee4j/jaf, https://github.com/jakartaee/jaf-api, https://repo1.maven.org/maven2/jakarta/activation/jakarta.activation-api)
 - Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
 - Jakarta Bean Validation API (from https://beanvalidation.org)
 - Jakarta Servlet (from https://javaee.github.io/servlet-spec/, https://projects.eclipse.org/projects/ee4j.servlet)
@@ -573,7 +574,7 @@ The following software have components provided under the terms of this license:
 - Checker Qual (from https://checkerframework.org)
 - Expression Language 3.0 (from http://el-spec.java.net, http://uel.java.net, https://projects.eclipse.org/projects/ee4j.el)
 - JBoss Jakarta Annotations API (from https://github.com/jboss/jboss-jakarta-annotations-api_spec)
-- Jakarta Activation API (from https://github.com/eclipse-ee4j/jaf, https://repo1.maven.org/maven2/jakarta/activation/jakarta.activation-api)
+- Jakarta Activation API (from https://github.com/eclipse-ee4j/jaf, https://github.com/jakartaee/jaf-api, https://repo1.maven.org/maven2/jakarta/activation/jakarta.activation-api)
 - Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
 - Jakarta Bean Validation API (from https://beanvalidation.org)
 - Jakarta Servlet (from https://javaee.github.io/servlet-spec/, https://projects.eclipse.org/projects/ee4j.servlet)
@@ -765,7 +766,6 @@ X11
 The following software have components provided under the terms of this license:
 
 - Guava: Google Core Libraries for Java (from http://code.google.com/p/guava-libraries, https://github.com/google/guava, https://repo1.maven.org/maven2/com/google/guava/guava)
-- MongoDB Java Driver (from http://mongodb.org/, http://www.mongodb.org, https://www.mongodb.com/)
 
 ========================================================================
 cc-pd
@@ -798,4 +798,4 @@ unknown
 The following software have components provided under the terms of this license:
 
 - JUnit Jupiter (Aggregator) (from https://junit.org/junit5/)
-- Jakarta Activation API (from https://github.com/eclipse-ee4j/jaf, https://repo1.maven.org/maven2/jakarta/activation/jakarta.activation-api)
+- Jakarta Activation API (from https://github.com/eclipse-ee4j/jaf, https://github.com/jakartaee/jaf-api, https://repo1.maven.org/maven2/jakarta/activation/jakarta.activation-api)
diff --git a/notification-core/pom.xml b/notification-core/pom.xml
index d26a447f9..d187b0547 100644
--- a/notification-core/pom.xml
+++ b/notification-core/pom.xml
@@ -40,7 +40,7 @@
         <undertow.version>2.2.19.Final</undertow.version>
         <woodstox-core.version>5.3.0</woodstox-core.version>
         <log4j.version>2.17.1</log4j.version>
-        <os-core-common.version>0.18.0</os-core-common.version>
+        <os-core-common.version>0.19.0-rc5</os-core-common.version>
         <google-oauth-client.version>1.33.3</google-oauth-client.version>
         <google-api-client.version>1.33.2</google-api-client.version>
     </properties>
@@ -154,7 +154,6 @@
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-config</artifactId>
-            <version>5.1.6.RELEASE</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.security</groupId>
@@ -169,31 +168,24 @@
         <dependency>
             <groupId>org.mockito</groupId>
             <artifactId>mockito-core</artifactId>
-            <version>2.10.0</version>
+            <version>3.12.0</version>
             <scope>test</scope>
         </dependency>
          <dependency>
             <groupId>org.powermock</groupId>
             <artifactId>powermock-api-mockito2</artifactId>
-            <version>2.0.2</version>
+            <version>2.0.9</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.powermock</groupId>
             <artifactId>powermock-module-junit4</artifactId>
-            <version>2.0.2</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.mockito</groupId>
-            <artifactId>mockito-all</artifactId>
-            <version>2.0.2-beta</version>
+            <version>2.0.9</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>
-            <version>4.12</version>
             <scope>test</scope>
         </dependency>
         <dependency>
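Review bot: mockito-core is pinned to 3.12.0 while powermock-api-mockito2 and powermock-module-junit4 move to 2.0.9; powermock-api-mockito2 declares its own mockito-core dependency, so unless 2.0.9 is documented as compatible with Mockito 3.12 the two can disagree at test runtime, which should be confirmed against the PowerMock release notes rather than assumed. The junit entry also loses its 4.12 pin, so its version now has to come from dependency management that is not visible in this diff; if the parent does not manage junit:junit the module will not resolve. A one-line comment on the mockito-core entry, `<!-- keep within the Mockito range supported by powermock 2.0.9 -->`, would keep future bumps in step.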
diff --git a/pom.xml b/pom.xml
index dd8564556..54bd926b5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -25,7 +25,7 @@
 		<java.version>8</java.version>
 		<maven.compiler.target>${java.version}</maven.compiler.target>
 		<maven.compiler.source>${java.version}</maven.compiler.source>
-		<os-core-common.version>0.14.0</os-core-common.version>
+		<os-core-common.version>0.19.0-rc5</os-core-common.version>
 		<log4j2.version>2.17.1</log4j2.version>
 		<springfox.version>3.0.0</springfox.version>
 		<json-smart.version>2.4.7</json-smart.version>
diff --git a/provider/notification-aws/pom.xml b/provider/notification-aws/pom.xml
index 0a1b4ae2a..55463653e 100644
--- a/provider/notification-aws/pom.xml
+++ b/provider/notification-aws/pom.xml
@@ -37,10 +37,8 @@
         <maven.compiler.source>${java.version}</maven.compiler.source>
         <aws.version>1.11.1018</aws.version>
         <log4j2.version>2.17.1</log4j2.version>
-        <os-core-common.version>0.14.0</os-core-common.version>
         <jackson-databind.version>2.13.2.2</jackson-databind.version>
         <jackson.version>2.13.2</jackson.version>
-        <spring-webmvc.version>5.3.22</spring-webmvc.version>
         <spring-boot-maven-plugin.version>2.7.6</spring-boot-maven-plugin.version>
     </properties>
 
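Review bot: Removing os-core-common.version here means this module now inherits the root POM's 0.19.0-rc5 (set in the pom.xml hunk of this patch), while os-core-lib-aws in the later hunk of this file is pinned to 0.19.0-rc3, so two different release candidates of the same 0.19.0 line are mixed in one module. Whether os-core-lib-aws 0.19.0-rc3 transitively expects the same rc of os-core-common is not visible here, but for a commit whose purpose is fixing vulnerable transitive versions the two should be aligned, e.g. `<version>0.19.0-rc5</version>` on os-core-lib-aws or one shared property for both. Pinning release candidates at all deserves a follow-up: an rc can be superseded, so the final 0.19.0 should replace these once it is published.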
@@ -70,7 +68,6 @@
             <dependency>
                 <groupId>org.springframework.data</groupId>
                 <artifactId>spring-data-mongodb</artifactId>
-                <version>3.4.2</version>
             </dependency>
         </dependencies>
     </dependencyManagement>
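Review bot: The managed spring-data-mongodb entry is left with no `<version>`, which only works if the version is supplied by a parent POM's dependencyManagement; if it was meant to come from an imported BOM, a versionless entry in this POM can take precedence over the BOM's entry for the same key and leave the artifact effectively unmanaged. If this POM no longer needs to override anything, the cleaner change is to delete the whole `<dependency>` block rather than keep a version-less placeholder; otherwise add a comment such as `<!-- version inherited from the parent dependencyManagement -->` stating where it comes from.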
@@ -79,7 +76,7 @@
         <dependency>
             <groupId>org.opengroup.osdu.core.aws</groupId>
             <artifactId>os-core-lib-aws</artifactId>
-            <version>0.14.0</version>
+            <version>0.19.0-rc3</version>
         </dependency>
 
         <!-- https://mvnrepository.com/artifact/com.amazonaws/aws-java-sdk-secretsmanager -->
@@ -103,32 +100,17 @@
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-webmvc</artifactId>
-            <version>${spring-webmvc.version}</version>
         </dependency>
 
         <!-- unit test dependencies -->
-        <dependency>
-            <groupId>org.powermock</groupId>
-            <artifactId>powermock-api-mockito2</artifactId>
-            <version>2.0.2</version>
-            <scope>test</scope>
-        </dependency>
-        <dependency>
-            <groupId>org.powermock</groupId>
-            <artifactId>powermock-module-junit4</artifactId>
-            <version>2.0.2</version>
-            <scope>test</scope>
-        </dependency>
         <dependency>
             <groupId>org.mockito</groupId>
-            <artifactId>mockito-all</artifactId>
-            <version>2.0.2-beta</version>
+            <artifactId>mockito-core</artifactId>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>
-            <version>4.12</version>
             <scope>test</scope>
         </dependency>
 
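Review bot: mockito-core is added here without a `<version>`, whereas notification-core pins the same artifact to 3.12.0 in its own POM in this same patch, so the two modules take different routes to a Mockito version and may end up on different ones. Either pin it here consistently or drop the pin in notification-core so both inherit the managed version. The two powermock dependencies are removed from this module, so any test in it still using `@RunWith(PowerMockRunner.class)` or `@PrepareForTest` would no longer compile; the diff cannot show that, so a full test build of this module is worth running before merge.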
diff --git a/provider/notification-aws/src/test/java/org/opengroup/osdu/notification/provider/aws/AwsPubsubRequestBodyExtractorTest.java b/provider/notification-aws/src/test/java/org/opengroup/osdu/notification/provider/aws/AwsPubsubRequestBodyExtractorTest.java
index d3bfe13ff..021cc17d2 100644
--- a/provider/notification-aws/src/test/java/org/opengroup/osdu/notification/provider/aws/AwsPubsubRequestBodyExtractorTest.java
+++ b/provider/notification-aws/src/test/java/org/opengroup/osdu/notification/provider/aws/AwsPubsubRequestBodyExtractorTest.java
@@ -21,7 +21,7 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.Mock;
 import org.mockito.Mockito;
-import org.mockito.runners.MockitoJUnitRunner;
+import org.mockito.junit.MockitoJUnitRunner;
 
 
 import org.opengroup.osdu.core.common.logging.JaxRsDpsLog;
@@ -145,8 +145,8 @@ public class AwsPubsubRequestBodyExtractorTest {
         Map<String, String> receivedAttributes = service.extractAttributesFromRequestBody();
 
         // Asset
-        Assert.assertEquals(receivedAttributes.get("correlation-id"),"39137f49-123-456");
-        Assert.assertEquals(receivedAttributes.get("data-partition-id"),"opendes");
+        Assert.assertEquals("39137f49-123-456", receivedAttributes.get("correlation-id"));
+        Assert.assertEquals("opendes", receivedAttributes.get("data-partition-id"));
 
 
 
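Review bot: The arguments are now in JUnit's (expected, actual) order, which makes the failure message read correctly, but the comment directly above the assertions still says `// Asset` and should be `// Assert`. The test method continues past the end of the hunk, so any further assertions in it are not visible here.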
-- 
GitLab