Vulnerability Fixes and Workload Identity Enablement

ef0bd52b · Daniel Scholl (MS] · 1024861a · ef0bd52b · ef0bd52b · ef0bd52b
Commit ef0bd52b authored 3 months ago by Daniel Scholl (MS]
--- a/NOTICE
+++ b/NOTICE
@@ -41,12 +41,10 @@ The following software have components provided under the terms of this license:
 - AWS SDK for Java - Core (from https://aws.amazon.com/sdkforjava)
 - Adapter: RxJava (from https://github.com/square/retrofit)
 - Animal Sniffer Annotations (from https://repo1.maven.org/maven2/org/codehaus/mojo/animal-sniffer-annotations)
- Apache Commons BeanUtils (from http://commons.apache.org/proper/commons-beanutils/, https://commons.apache.org/proper/commons-beanutils/, https://repo1.maven.org/maven2/commons-beanutils/commons-beanutils)
 - Apache Commons Codec (from http://commons.apache.org/proper/commons-codec/, https://commons.apache.org/proper/commons-codec/)
 - Apache Commons IO (from http://commons.apache.org/io/, https://commons.apache.org/proper/commons-io/, https://repo1.maven.org/maven2/commons-io/commons-io)
 - Apache Commons Lang (from https://commons.apache.org/proper/commons-lang/)
 - Apache Commons Logging (from http://commons.apache.org/logging/, http://commons.apache.org/proper/commons-logging/, https://commons.apache.org/proper/commons-logging/)
- Apache Commons Validator (from http://commons.apache.org/proper/commons-validator/, http://jakarta.apache.org/commons/${pom.artifactId.substring(8)}/, https://repo1.maven.org/maven2/commons-validator/commons-validator)
 - Apache HTTP transport v2 for the Google HTTP Client Library for Java. (from https://repo1.maven.org/maven2/com/google/http-client/google-http-client-apache-v2)
 - Apache HttpClient (from http://hc.apache.org/httpcomponents-client, http://hc.apache.org/httpcomponents-client-ga)
 - Apache HttpClient Cache (from http://hc.apache.org/httpcomponents-client, http://hc.apache.org/httpcomponents-client-ga)
@@ -54,6 +52,7 @@ The following software have components provided under the terms of this license:
 - Apache Log4j API (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api)
 - Apache Log4j Core (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core)
 - Apache Log4j JUL Handler (from https://logging.apache.org/log4j/3.x/)
+- Apache Log4j SLF4J 2.0 Binding (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-slf4j2-impl)
 - Apache Log4j SLF4J Binding (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-slf4j-impl)
 - Apache Log4j to SLF4J Adapter (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-to-slf4j)
 - AssertJ Core (from https://assertj.github.io/doc/#assertj-core)
@@ -67,8 +66,6 @@ The following software have components provided under the terms of this license:
 - Byte Buddy (without dependencies) (from https://repo1.maven.org/maven2/net/bytebuddy/byte-buddy)
 - Byte Buddy Java agent (from https://repo1.maven.org/maven2/net/bytebuddy/byte-buddy-agent)
 - ClassMate (from http://github.com/cowtowncoder/java-classmate)
- Collections (from https://repo1.maven.org/maven2/commons-collections/commons-collections)
- Commons Digester (from http://commons.apache.org/digester/)
 - Converter: Jackson (from https://github.com/square/retrofit, https://repo1.maven.org/maven2/com/squareup/retrofit2/converter-jackson)
 - Core functionality for the Reactor Netty library (from https://github.com/reactor/reactor-netty)
 - FindBugs-jsr305 (from http://findbugs.sourceforge.net/)
@@ -105,15 +102,14 @@ The following software have components provided under the terms of this license:
 - JSON library from Android SDK (from http://developer.android.com/sdk)
 - JSONassert (from http://github.com/skyscreamer/yoga, https://github.com/skyscreamer/JSONassert)
 - JSR107 API and SPI (from https://github.com/jsr107/jsr107spec)
+- JSpecify annotations (from http://jspecify.org/)
 - Jackson 2 extensions to the Google HTTP Client Library for Java. (from https://repo1.maven.org/maven2/com/google/http-client/google-http-client-jackson2)
 - Jackson dataformat: CBOR (from http://github.com/FasterXML/jackson-dataformats-binary)
 - Jackson datatype: JSR310 (from http://wiki.fasterxml.com/JacksonModuleJSR310, https://repo1.maven.org/maven2/com/fasterxml/jackson/datatype/jackson-datatype-jsr310)
 - Jackson datatype: Joda (from http://wiki.fasterxml.com/JacksonModuleJoda, https://github.com/FasterXML/jackson-datatype-joda)
 - Jackson datatype: jdk8 (from https://repo1.maven.org/maven2/com/fasterxml/jackson/datatype/jackson-datatype-jdk8)
- Jackson module: Afterburner (from http://wiki.fasterxml.com/JacksonHome, https://github.com/FasterXML/jackson-modules-base)
 - Jackson-annotations (from http://github.com/FasterXML/jackson, http://wiki.fasterxml.com/JacksonHome, https://github.com/FasterXML/jackson)
 - Jackson-core (from http://wiki.fasterxml.com/JacksonHome, https://github.com/FasterXML/jackson-core)
- Jackson-dataformat-XML (from http://wiki.fasterxml.com/JacksonExtensionXmlDataBinding, https://github.com/FasterXML/jackson-dataformat-xml)
 - Jackson-dataformat-YAML (from https://github.com/FasterXML/jackson, https://github.com/FasterXML/jackson-dataformats-text)
 - Jackson-module-parameter-names (from https://repo1.maven.org/maven2/com/fasterxml/jackson/module/jackson-module-parameter-names)
 - Jakarta Dependency Injection (from https://github.com/eclipse-ee4j/injection-api)
@@ -134,7 +130,6 @@ The following software have components provided under the terms of this license:
 - Microsoft Azure Java Core Library (from https://github.com/Azure/azure-sdk-for-java)
 - Microsoft Azure Netty HTTP Client Library (from https://github.com/Azure/azure-sdk-for-java)
 - Microsoft Azure SDK for SQL API of Azure Cosmos DB Service (from https://github.com/Azure/azure-sdk-for-java)
- Microsoft Azure client library for Identity (from https://github.com/Azure/azure-sdk-for-java)
 - Mockito (from http://mockito.org, https://github.com/mockito/mockito)
 - MongoDB Driver (from https://www.mongodb.com/)
 - MongoDB Java Driver (from http://mongodb.org/, http://www.mongodb.org, https://www.mongodb.com/)
@@ -169,7 +164,6 @@ The following software have components provided under the terms of this license:
 - Okio (from https://github.com/square/okio/, https://repo1.maven.org/maven2/com/squareup/okio/okio)
 - OpenCensus (from https://github.com/census-instrumentation/opencensus-java, https://github.com/census-instrumentation/opencensus-proto)
 - OpenTelemetry Java (from https://github.com/open-telemetry/opentelemetry-java)
- OpenTelemetry Semantic Conventions Java (from https://github.com/open-telemetry/semantic-conventions-java)
 - Plexus Common Utilities (from http://plexus.codehaus.org/plexus-utils, https://codehaus-plexus.github.io/plexus-utils/, https://repo1.maven.org/maven2/org/codehaus/plexus/plexus-utils)
 - Protocol Buffer extensions to the Google HTTP Client Library for Java. (from https://repo1.maven.org/maven2/com/google/http-client/google-http-client-protobuf)
 - Proton-J (from https://repo1.maven.org/maven2/org/apache/qpid/proton-j)
@@ -214,7 +208,6 @@ The following software have components provided under the terms of this license:
 - Spring Web MVC (from https://github.com/spring-projects/spring-framework, https://repo1.maven.org/maven2/org/springframework/spring-webmvc)
 - Standard Uri Template (from https://std-uritemplate.github.io/)
 - Swagger UI (from <http://webjars.org>, http://webjars.org, https://www.webjars.org)
- Woodstox (from https://github.com/FasterXML/woodstox)
 - aws-encryption-sdk-java (from https://github.com/aws/aws-encryption-sdk-java)
 - datastore-v1-proto-client (from https://repo1.maven.org/maven2/com/google/cloud/datastore/datastore-v1-proto-client)
 - error-prone annotations (from https://repo1.maven.org/maven2/com/google/errorprone/error_prone_annotations)
@@ -275,6 +268,7 @@ The following software have components provided under the terms of this license:
 - tomcat-embed-core (from http://tomcat.apache.org/)
 - tomcat-embed-el (from http://tomcat.apache.org/, https://tomcat.apache.org/)
 - tomcat-embed-websocket (from http://tomcat.apache.org/, https://tomcat.apache.org/)
+- webjars-locator-lite (from https://webjars.org)

 ========================================================================
 BSD-2-Clause
@@ -289,7 +283,6 @@ The following software have components provided under the terms of this license:
 - MinLog (from https://github.com/EsotericSoftware/minlog)
 - Plexus Common Utilities (from http://plexus.codehaus.org/plexus-utils, https://codehaus-plexus.github.io/plexus-utils/, https://repo1.maven.org/maven2/org/codehaus/plexus/plexus-utils)
 - ReflectASM (from https://github.com/EsotericSoftware/reflectasm)
- Stax2 API (from http://github.com/FasterXML/stax2-api)

 ========================================================================
 BSD-3-Clause
@@ -310,7 +303,6 @@ The following software have components provided under the terms of this license:
 - Google OAuth Client Library for Java (from https://repo1.maven.org/maven2/com/google/oauth-client/google-oauth-client)
 - Hamcrest (from http://hamcrest.org/JavaHamcrest/)
 - Hamcrest Core (from http://hamcrest.org/, http://hamcrest.org/JavaHamcrest/, https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core)
- Jackson module: Afterburner (from http://wiki.fasterxml.com/JacksonHome, https://github.com/FasterXML/jackson-modules-base)
 - Jakarta Activation API (from https://github.com/eclipse-ee4j/jaf, https://github.com/jakartaee/jaf-api, https://repo1.maven.org/maven2/jakarta/activation/jakarta.activation-api)
 - Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
 - Jakarta Messaging API (from https://projects.eclipse.org/projects/ee4j.jms)
@@ -334,7 +326,6 @@ BouncyCastle
 The following software have components provided under the terms of this license:

 - Bouncy Castle Provider (from http://www.bouncycastle.org/java.html, https://www.bouncycastle.org/java.html)
- Microsoft Azure client library for Identity (from https://github.com/Azure/azure-sdk-for-java)

 ========================================================================
 CC-BY-2.5
@@ -459,7 +450,6 @@ LGPL-2.1-only
 ========================================================================
 The following software have components provided under the terms of this license:

- Java Native Access Platform (from https://github.com/java-native-access/jna)
 - Javassist (from http://www.javassist.org/, https://www.javassist.org/)
 - Logback Classic Module (from http://logback.qos.ch, https://repo1.maven.org/maven2/ch/qos/logback/logback-classic)
 - Logback Contrib :: JSON :: Classic (from https://repo1.maven.org/maven2/ch/qos/logback/contrib/logback-json-classic)
@@ -493,9 +483,11 @@ The following software have components provided under the terms of this license:
 - Java Client Runtime for AutoRest (from https://github.com/Azure/autorest-clientruntime-for-java)
 - Java JWT (from http://www.jwt.io, https://github.com/auth0/java-jwt)
 - Microsoft Application Insights Java Agent (from https://github.com/Microsoft/ApplicationInsights-Java)
+- Microsoft Azure Identity Brokered Authentication Library (from https://github.com/Azure/azure-sdk-for-java)
 - Microsoft Azure Java Core AMQP Library (from https://github.com/Azure/azure-sdk-for-java)
 - Microsoft Azure Java Core Library (from https://github.com/Azure/azure-sdk-for-java)
 - Microsoft Azure Java JSON Library (from https://github.com/Azure/azure-sdk-for-java)
+- Microsoft Azure Java XML Library (from https://github.com/Azure/azure-sdk-for-java)
 - Microsoft Azure Management Java Core Library (from https://github.com/Azure/azure-sdk-for-java)
 - Microsoft Azure Netty HTTP Client Library (from https://github.com/Azure/azure-sdk-for-java)
 - Microsoft Azure SDK annotations (from https://github.com/Microsoft/java-api-annotations)
@@ -533,12 +525,15 @@ The following software have components provided under the terms of this license:
 - Spring Data for Azure Cosmos DB SQL API (from https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/cosmos/azure-spring-data-cosmos, https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/spring/azure-spring-data-cosmos)
 - System Stubs Core (from https://repo1.maven.org/maven2/uk/org/webcompere/system-stubs-core)
 - adal4j (from https://github.com/AzureAD/azure-activedirectory-library-for-java)
+- javamsalruntime (from https://github.com/AzureAD/microsoft-authentication-library-for-cpp)
 - micrometer-commons (from https://github.com/micrometer-metrics/micrometer)
 - micrometer-core (from https://github.com/micrometer-metrics/micrometer)
 - mockito-inline (from http://mockito.org, https://github.com/mockito/mockito)
 - mockito-junit-jupiter (from https://github.com/mockito/mockito)
 - msal4j (from https://github.com/AzureAD/microsoft-authentication-library-for-java)
+- msal4j-brokers (from https://github.com/AzureAD/microsoft-authentication-library-for-java)
 - msal4j-persistence-extension (from https://github.com/AzureAD/microsoft-authentication-extensions-for-java, https://github.com/AzureAD/microsoft-authentication-library-for-java)
+- webjars-locator-lite (from https://webjars.org)

 ========================================================================
 SAX-PD

--- a/pom.xml
+++ b/pom.xml
@@ -26,7 +26,7 @@
    <maven.compiler.target>17</maven.compiler.target>
    <maven.compiler.source>17</maven.compiler.source>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-    <os-core-common.version>3.2.0</os-core-common.version>
+    <os-core-common.version>3.3.0</os-core-common.version>
    <spring-boot.version>3.3.5</spring-boot.version>
    <spring-security.version>6.3.4</spring-security.version>
    <spring-framework.version>6.1.13</spring-framework.version>

--- a/provider/partition-azure/pom.xml
+++ b/provider/partition-azure/pom.xml
 <?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright © Microsoft Corporation
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->

 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>partition-azure</artifactId>
+  <description>Partition service on Azure</description>
+  <packaging>jar</packaging>
+
  <parent>
    <artifactId>partition</artifactId>
    <groupId>org.opengroup.osdu</groupId>
@@ -8,30 +29,16 @@
    <relativePath>../../pom.xml</relativePath>
  </parent>

-  <modelVersion>4.0.0</modelVersion>
-  <artifactId>partition-azure</artifactId>
-  <description>Partition service on Azure</description>
-  <packaging>jar</packaging>
-
  <properties>
-    <core-lib-azure.version>1.2.0</core-lib-azure.version>
-    <junit.version>4.13.2</junit.version>
-    <reactor-core.version>3.6.4</reactor-core.version>
-    <reactor-netty.version>1.1.17</reactor-netty.version>
-    <nimbus-jose-jwt.version>9.30.2</nimbus-jose-jwt.version>
-    <okhttp.version>4.12.0</okhttp.version>
+    <core-lib-azure.version>2.0.0</core-lib-azure.version>
+    <!-- Plugin Versions -->
+    <surefire-plugin.version>2.22.2</surefire-plugin.version>
+    <jacoco-plugin.version>0.8.12</jacoco-plugin.version>
  </properties>

  <dependencyManagement>
    <dependencies>
-      <dependency>
-	    <groupId>org.springframework.boot</groupId>
-	    <artifactId>spring-boot-dependencies</artifactId>
-	    <version>${spring-boot.version}</version>
-	    <type>pom</type>
-	    <scope>import</scope>
-	  </dependency>
-      <!-- Inherit managed dependencies from core-lib-azure -->
+      <!-- Core Azure Library -->
      <dependency>
        <groupId>org.opengroup.osdu</groupId>
        <artifactId>core-lib-azure</artifactId>
@@ -39,55 +46,28 @@
        <type>pom</type>
        <scope>import</scope>
      </dependency>
-      <dependency>
-          <groupId>org.apache.logging.log4j</groupId>
-          <artifactId>log4j-slf4j-impl</artifactId>
-          <version>${log4j.version}</version>
-      </dependency>
-      <dependency>
-          <groupId>org.apache.logging.log4j</groupId>
-          <artifactId>log4j-to-slf4j</artifactId>
-          <version>${log4j.version}</version>
-      </dependency>
-      <dependency>
-          <groupId>org.apache.logging.log4j</groupId>
-          <artifactId>log4j-api</artifactId>
-          <version>${log4j.version}</version>
-      </dependency>
-      <dependency>
-          <groupId>org.apache.logging.log4j</groupId>
-          <artifactId>log4j-core</artifactId>
-          <version>${log4j.version}</version>
-      </dependency>
-      <dependency>
-          <groupId>org.apache.logging.log4j</groupId>
-          <artifactId>log4j-jul</artifactId>
-          <version>${log4j.version}</version>
-      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
-    <!-- OSDU dependencies -->
+    <!-- OSDU Dependencies -->
    <dependency>
      <groupId>org.opengroup.osdu</groupId>
      <artifactId>partition-core</artifactId>
-      <version>0.28.0-SNAPSHOT</version>
+      <version>${project.version}</version>
    </dependency>
    <dependency>
      <groupId>org.opengroup.osdu</groupId>
      <artifactId>core-lib-azure</artifactId>
      <version>${core-lib-azure.version}</version>
-      <exclusions>
-        <exclusion>
-          <artifactId>redisson</artifactId>
-          <groupId>org.redisson</groupId>
-        </exclusion>
-      </exclusions>
    </dependency>
+
+    <!-- Spring Dependencies -->
+    <!-- Versions managed by parent pom or os-core-lib-azure pom-->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-security</artifactId>
+      <version>${spring-boot.version}</version>
      <exclusions>
        <exclusion>
          <groupId>ch.qos.logback</groupId>
@@ -100,79 +80,35 @@
      </exclusions>
    </dependency>
    <dependency>
-      <groupId>org.springframework.security</groupId>
-      <artifactId>spring-security-oauth2-client</artifactId>
-      <exclusions>
-        <exclusion>
-          <artifactId>oauth2-oidc-sdk</artifactId>
-          <groupId>com.nimbusds</groupId>
-        </exclusion>
-      </exclusions>
+      <groupId>org.springdoc</groupId>
+      <artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
    </dependency>
+
+    <!-- Azure Dependencies -->
+    <!-- Versions managed by azure core library -->
    <dependency>
-      <groupId>org.springframework.security</groupId>
-      <artifactId>spring-security-oauth2-jose</artifactId>
+      <groupId>com.azure</groupId>
+      <artifactId>azure-core</artifactId>
    </dependency>
-    <!-- Azure dependencies -->
-    <!-- https://mvnrepository.com/artifact/com.azure/azure-storage-blob -->
    <dependency>
      <groupId>com.azure</groupId>
      <artifactId>azure-data-tables</artifactId>
-      <version>12.3.20</version>
    </dependency>
-    <!-- https://mvnrepository.com/artifact/com.azure/azure-core -->
    <dependency>
      <groupId>com.azure</groupId>
-      <artifactId>azure-core</artifactId>
+      <artifactId>azure-spring-data-cosmos</artifactId>
    </dependency>
-
    <dependency>
      <groupId>com.azure.spring</groupId>
      <artifactId>spring-cloud-azure-starter-active-directory</artifactId>
-      <version>5.13.0</version>
-    </dependency>
-    <!-- Other dependencies -->
-    <dependency>
-      <groupId>org.projectlombok</groupId>
-      <artifactId>lombok</artifactId>
-      <version>1.18.26</version>
-    </dependency>
-    <dependency>
-      <groupId>com.nimbusds</groupId>
-      <artifactId>nimbus-jose-jwt</artifactId>
-      <version>${nimbus-jose-jwt.version}</version>
-    </dependency>
-    <dependency>
-      <groupId>com.squareup.okhttp3</groupId>
-      <artifactId>okhttp</artifactId>
-      <version>${okhttp.version}</version>
-    </dependency>
-    <dependency>
-      <groupId>org.redisson</groupId>
-      <artifactId>redisson</artifactId>
-      <version>3.33.0</version>
-    </dependency>
-    <!-- Test dependencies -->
-    <dependency>
-      <groupId>junit</groupId>
-      <artifactId>junit</artifactId>
-      <version>${junit.version}</version>
-      <scope>test</scope>
    </dependency>
+
+    <!-- Test Scoped Dependencies -->
+    <!-- Versions managed by parent pom unless otherwise specified -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-test</artifactId>
      <scope>test</scope>
-      <exclusions>
-        <exclusion>
-          <groupId>org.mockito</groupId>
-          <artifactId>mockito-all</artifactId>
-        </exclusion>
-        <exclusion>
-          <groupId>org.junit.vintage</groupId>
-          <artifactId>junit-vintage-engine</artifactId>
-        </exclusion>
-      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.springframework.security</groupId>
@@ -180,19 +116,16 @@
      <scope>test</scope>
    </dependency>
    <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-api</artifactId>
-      <version>1.7.36</version>
-    </dependency>
-    <dependency>
-      <groupId>org.redisson</groupId>
-      <artifactId>redisson</artifactId>
-      <version>3.34.1</version>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <scope>test</scope>
    </dependency>
  </dependencies>

+  <!-- Build Configuration -->
  <build>
    <plugins>
+      <!-- Spring Boot Maven Plugin -->
      <plugin>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-maven-plugin</artifactId>
@@ -208,18 +141,22 @@
          </execution>
        </executions>
      </plugin>
+
+      <!-- Surefire Plugin -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-surefire-plugin</artifactId>
-        <version>2.22.2</version>
+        <version>${surefire-plugin.version}</version>
        <configuration>
-          <argLine>@{argLine} --add-opens java.base/java.lang=ALL_UNNAMED</argLine>
+          <argLine>@{argLine} --add-opens java.base/java.lang=ALL-UNNAMED</argLine>
        </configuration>
      </plugin>
+
+      <!-- JaCoCo Plugin -->
      <plugin>
        <groupId>org.jacoco</groupId>
        <artifactId>jacoco-maven-plugin</artifactId>
-        <version>0.8.8</version>
+        <version>${jacoco-plugin.version}</version>
        <configuration>
          <excludes>
            <exclude>org/opengroup/osdu/partition/provider/azure/PartitionApplication.class</exclude>
@@ -229,18 +166,18 @@
          </excludes>
        </configuration>
        <executions>
-        <execution>
+          <execution>
            <goals>
-            <goal>prepare-agent</goal>
+              <goal>prepare-agent</goal>
            </goals>
-        </execution>
-        <execution>
+          </execution>
+          <execution>
            <id>report</id>
            <phase>prepare-package</phase>
            <goals>
-            <goal>report</goal>
+              <goal>report</goal>
            </goals>
-        </execution>
+          </execution>
        </executions>
      </plugin>
    </plugins>