Search merge requests
https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests
2024-01-09T13:28:24Z

https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/565
Vulnerability fixes for jackson-databind
2024-01-09T13:28:24Z, Jayesh Bagul
* upgrade `jackson-databind` to `2.14.0`
## Type of change
- [ ] Bug Fix
- [ ] Feature
**Please provide link to gitlab issue or ADR(Architecture Decision Record)**
## Does this introduce a change in the core logic?
- [YES/NO]
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [ ] AWS
- [ ] Azure
- [ ] Google Cloud
- [ ] IBM
## Does this introduce a breaking change?
- [YES/NO]
## What is the current behavior?
## What is the new/expected behavior?
## Have you added/updated Unit Tests and Integration Tests?
## Any other useful information
Milestone: M21 - Release 0.24
VidyaDharani Lokam, VidyaDharani Lokam

https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/611
[MSCOSDU-1894] fix json-smart vulnerability
2024-01-03T07:24:23Z, VidyaDharani Lokam
* upgraded `json-smart` to `2.5.0` to remediate vulnerability.
* upgraded `reactor-netty` to `1.1.14`.
Milestone: M23 - Release 0.26
VidyaDharani Lokam, VidyaDharani Lokam

https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/600
[MSCOSDU-1866] fix io.netty, reactor-netty-http vulnerabilities
2024-01-01T07:24:06Z, VidyaDharani Lokam
# Change details
* upgraded `core-lib-azure` to `0.25.0-rc2`
* upgrade `io.netty:netty-bom` version to `4.1.101.Final`
* upgrade `reactor-netty-http` version to `1.1.13`
# Changes in:
* [ ] GCP
* [x] Azure
* [ ] AWS
* [ ] IBM
Milestone: M22 - Release 0.25
VidyaDharani Lokam, VidyaDharani Lokam

https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/587
Pull latest os-core-common and update dependency versions
2023-12-04T18:56:59Z, Solomon Ayalew
## Type of change
- [ ] Bug Fix
- [ ] Feature
**Please provide link to gitlab issue or ADR(Architecture Decision Record)**
## Does this introduce a change in the core logic?
- [NO]
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [ ] AWS
- [ ] Azure
- [ ] Google Cloud
- [ ] IBM
## Does this introduce a breaking change?
- [NO]
## What is the current behavior?
## What is the new/expected behavior?
same as old
## Have you added/updated Unit Tests and Integration Tests?
## Any other useful information
Milestone: M22 - Release 0.25

https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/562
Full Upgrade of First Party Library Dependencies
2023-10-19T11:21:13Z, Chad Leong
This generated MR upgrades the first party libraries (other OSDU libraries) to utilize the latest release.
The intent is to keep all dependent libraries up to date.
This upgrade can be merged immediately without further approval if the CI pipeline reports success.
If this MR has failed, we need to work with the maintainers and affected provider teams to find a solution.
### Dependency Information Before the Upgrade
```
Branch: master
SHA: d9ae2c1e397b62c2e9d9047349083b0f626c111b
Maven: 0.24.0-SNAPSHOT
```
| Maven Dependencies | _Root_ | testing/integration-tests/ |
| ----------------------------------------------------- | ---------- | -------------------------- |
| core-lib-azure | 0.20.0-rc5 | 0.13.0-rc6 |
| core-lib-gc | 0.21.0 | |
| os-core-lib-aws | 0.21.0 | 0.21.0 |
| os-core-common | 0.23.1 | 0.23.1 |
| os-core-lib-ibm | 0.16.0-rc1 | 0.15.2 |
| (3rd Party) org.apache.logging.log4j.log4j-api | 2.17.1 | 2.11.1, 2.13.3 |
| (3rd Party) org.apache.logging.log4j.log4j-core | 2.17.1 | 2.13.3 |
| (3rd Party) org.apache.logging.log4j.log4j-jul | 2.17.1 | 2.13.3 |
| (3rd Party) org.apache.logging.log4j.log4j-slf4j-impl | 2.17.1 | 2.13.3 |
| (3rd Party) org.apache.logging.log4j.log4j-to-slf4j | 2.17.1 | 2.11.2 |
| (3rd Party) org.yaml.snakeyaml | 2.0 | 1.26 |
### Dependency Information After the Upgrade
```
Branch: dependency-upgrade-2
SHA: 0b22dc076fb8cf40aefd0f375d8c22f8c5edbefa
Maven: 0.24.0-SNAPSHOT
```
| Maven Dependencies | _Root_ | testing/integration-tests/ |
| --------------------------------------------------- | ------ | -------------------------- |
| core-lib-azure | 0.23.2 | 0.23.2 |
| core-lib-gc | 0.23.1 | |
| os-core-lib-aws | 0.23.0 | 0.23.0 |
| os-core-common | 0.23.3 | 0.23.3 |
| os-core-lib-ibm | 0.23.0 | 0.23.0 |
| (3rd Party) org.apache.logging.log4j.log4j-api | 2.17.1 | 2.11.1, 2.13.3 |
| (3rd Party) org.apache.logging.log4j.log4j-core | 2.17.1 | 2.13.3 |
| (3rd Party) org.apache.logging.log4j.log4j-to-slf4j | 2.17.1 | 2.11.2 |
| (3rd Party) org.yaml.snakeyaml | 2.0 | 1.26, 1.27, 2.0 |

Milestone: M21 - Release 0.24
Chad Leong, Chad Leong

https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/560
fix azure jackson-databind vulnerability
2023-10-04T06:19:53Z, VidyaDharani Lokam
# Change details
* upgrade `jackson-databind` to `2.15.2`
# Changes in:
* [ ] GCP
* [x] Azure
* [ ] AWS
* [ ] IBM
Milestone: M21 - Release 0.24
VidyaDharani Lokam, VidyaDharani Lokam

https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/559
azure vulnerability fixes
2023-09-27T14:30:29Z, VidyaDharani Lokam
# Change details
* upgrade `woodstox-core` to `6.4.0`
* excluded unused dependency `documentdb-bulkexecutor`
* upgrade `guava` version to `32.1.2-jre`
* upgrade `io.netty:netty-bom` version to `4.1.98.Final`
# Changes in:
* [ ] GCP
* [x] Azure
* [ ] AWS
* [ ] IBM
Milestone: M21 - Release 0.24
VidyaDharani Lokam, VidyaDharani Lokam

https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/28
fix whitesource vulnerabilities
2023-08-18T22:16:06Z, Aliaksei Darafeyeu
```
CORE:
| jackson-databind-2.9.9.jar
| hibernate-validator-6.0.17.Final.jar
| spring-web-5.1.9.RELEASE.jar
| elasticsearch-6.6.2.jar
| snakeyaml-1.23.jar
| commons-codec-1.11.jar
| tomcat-embed-core-9.0.21.jar
| netty-codec-4.1.38.Final.jar
| resteasy-jaxrs-3.6.2.Final.jar
| spring-security-core-5.1.6.RELEASE.jar
AZURE:
| jackson-databind-2.9.9.jar
| netty-codec-http-4.1.38.Final.jar
| reactor-netty-0.8.10.RELEASE.jar
| netty-codec-http2-4.1.38.Final.jar
| hibernate-validator-6.0.12.Final.jar
| elasticsearch-6.4.3.jar
| spring-web-5.1.9.RELEASE.jar
| snakeyaml-1.23.jar
| commons-codec-1.11.jar
| tomcat-embed-core-9.0.22.jar
| netty-codec-4.1.38.Final.jar
| log4j-core-2.11.2.jar
| resteasy-jaxrs-3.6.2.Final.jar
```
Note: elasticsearch v6.8.1 due to infra limitation
Milestone: M1 - Release 0.1
ethiraj krishnamanaidu, Neelesh Thakur, Sherman Yang, Pavel Bachyla, Yauheni Lesnikau, ethiraj krishnamanaidu

https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/33
upgrade springboot to fix whitesource vulnerabilities
2023-08-18T22:16:00Z, Aliaksei Darafeyeu
Milestone: M1 - Release 0.1
ethiraj krishnamanaidu, Nitin-slb, Neelesh Thakur, Sherman Yang, ethiraj krishnamanaidu

https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/55
Fix whitesource
2023-08-18T22:13:48Z, Pavel Bachyla
## Type of change
- [x] Bug Fix
- [ ] Feature
**Please provide link to gitlab issue or ADR(Architecture Decision Record)**
## Does this introduce a change in the core logic?
- No
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [ ] AWS
- [ ] Azure
- [ ] GCP
- [ ] IBM
## Does this introduce a breaking change?
- No
## What is the current behavior?
N/A
## What is the new/expected behavior?
N/A
## Have you added/updated Unit Tests and Integration Tests?
N/A
## Any other useful information
Fix Major/Critical/Blocker WhiteSource vulnerabilities except those related to ElasticSearch version limitations and log4j due to incompatibilities with other libraries
Milestone: M1 - Release 0.1
ethiraj krishnamanaidu, Neelesh Thakur, Sherman Yang, ethiraj krishnamanaidu

https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/81
(GONRG-1759) Fix Security response headers issue
2023-08-18T22:07:42Z, Igor Filippov (EPAM)
**Issue**
Testing team reported "VULN-05 HSTS and CSP not implemented properly".
The report is attached to the GONRG-1637: [^API security testing report _Trajectory.pdf].
They say "The HSTS and CSP headers are not implemented. A man-in-the-middle attacker attempts to intercept traffic from a victim user using an invalid certificate and hopes the user will accept the bad certificate".
Reported contexts: STORAGE, DELIVERY
**Replay and analysis**
Debugged Search service API:
```
curl --location --request POST 'https://os-search-attcrcktoa-uc.a.run.app/api/search/v2/query' \
--header 'Authorization: Bearer <token>' \
--header 'data-partition-id: osdu' \
--header 'Content-Type: application/json' \
--data-raw '{
"kind": "osdu:osdu:*:0.2.0",
"query": "BIR*"
}'
```
- Noticed security headers (Strict-Transport-Security, Content-Security-Policy etc.) absence in responses
- Analyzed Search service Java code
  - not found any "active" code for setting security headers on Responses
  - found the inactivated class "org.opengroup.osdu.search.middleware.CorrelationIDRequestFilter" designed to set needed headers
  - the class is inactivated by the commented "@Component" annotation
- CorrelationIDRequestFilter component should be reviewed, actualized and reactivated
  - see the similar functionality code we have in Storage service: GONRG-1756
## Type of change
- [X] Bug Fix
- [ ] Feature
## Does this introduce a change in the core logic?
- [YES]
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [x] AWS
- [x] Azure
- [x] GCP
- [x] IBM
## Does this introduce a breaking change?
- [NO]
## Have you added/updated Unit Tests and Integration Tests?
- [NO]
Milestone: M5 - Release 0.8
Dmitriy Rudko, Rostislav Dublin (EPAM), Dmitriy Rudko

https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/101
Update libraries to fix CVE security vulnerabilities
2023-08-18T22:07:15Z, Alok Joshi
Please refer to [this MR](https://community.opengroup.org/osdu/platform/system/lib/core/os-core-common/-/merge_requests/75) for more details
Milestone: M5 - Release 0.8
Alok Joshi, Alok Joshi

https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/187
fix dependencies issues
2023-08-18T22:05:43Z, Yauheni Lesnikau
Issue: https://community.opengroup.org/osdu/platform/system/search-service/-/issues/79
Milestone: M11 - Release 0.14
Yauheni Lesnikau, Yauheni Lesnikau

https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/194
Vuln fix lucene
2023-08-18T22:05:40Z, Gokul Nagare
Milestone: M10 - Release 0.13
Anuj Gupta, Shrikant Garg, Anuj Gupta

https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/195
log4j-vuln-fix by upgrading to log4j 2.16.0 version
2023-08-18T22:05:38Z, Ashwani Pandey
| module pom changes | Ref Issue
| ------ | ------
| IBM | osdu/platform/system/lib/cloud/ibm/os-core-lib-ibm#2
| core | osdu/platform/system/lib/core/os-core-common#54
Part of the #74 series
Milestone: M10 - Release 0.13
David Diederich, d.diederich@opengroup.org, Shrikant Garg, David Diederich, d.diederich@opengroup.org

https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/278
jackson library version update
2023-08-18T22:04:38Z, Morris Estepa
commit da35cd9d
Author: Morris Estepa <estepamo@amazon.com>
Date: Fri May 27 2022 15:29:56 GMT-0500 (Central Daylight Time)
jackson-databind fix
Milestone: M13 - Release 0.16
Morris Estepa, Morris Estepa

https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/310
fixing tomcat vulnerability
2023-08-18T22:04:25Z, Ashwani Pandey
fixing tomcat vulnerability
Milestone: M13 - Release 0.16
Ashwani Pandey, Ashwani Pandey

https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/530
spring-security-core upgrade
2023-07-13T09:13:54Z, sagar thapa
# Issue links: -
https://community.opengroup.org/osdu/platform/system/search-service/-/security/vulnerabilities/28318 - AWS
https://community.opengroup.org/osdu/platform/system/search-service/-/security/vulnerabilities/28316 - IBM
https://community.opengroup.org/osdu/platform/system/search-service/-/security/vulnerabilities/28317 - search-core
## spring-security-core upgrade affects the following cloud providers.
- [x] AWS
- [ ] Azure
- [ ] Google Cloud
- [x] IBM
# Additional information
common core **spring-security-core** is also upgraded as per the vulnerability scan report.
Milestone: M19 - Release 0.22
sagar thapa, sagar thapa

https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/492
AWS Integration merge
2023-07-04T11:19:24Z, Yash Dholakia
## Type of change
- [X] Bug Fix
- [ ] Feature
**Please provide link to gitlab issue or ADR(Architecture Decision Record)**
## Does this introduce a change in the core logic?
- [NO]
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [X] AWS
- [ ] Azure
- [ ] Google Cloud
- [ ] IBM
## Does this introduce a breaking change?
- [NO]
## What is the current behavior?
## What is the new/expected behavior?
## Have you added/updated Unit Tests and Integration Tests?
## Any other useful information
Milestone: M18 - Release 0.21
Yash Dholakia, Yash Dholakia

https://community.opengroup.org/osdu/platform/system/search-service/-/merge_requests/521
Component governance build failure vulnerabilities fixed
2023-07-04T10:40:13Z, Harshika Dhoot
## Type of change
- [X] Bug Fix
- [ ] Feature
**Please provide link to gitlab issue or ADR(Architecture Decision Record)**
## Does this introduce a change in the core logic?
- [YES/NO] NO
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [ ] AWS
- [X] Azure
- [ ] Google Cloud
- [ ] IBM
## Does this introduce a breaking change?
- [YES/NO]
## What is the current behavior?
## What is the new/expected behavior?
## Have you added/updated Unit Tests and Integration Tests?
## Any other useful information
https://dev.azure.com/OpenEnergyPlatform/Open%20Energy%20Platform/_componentGovernance/oep-deployment-resources/alert/7921145?typeId=13890738&pipelinesTrackingFilter=0
Milestone: M19 - Release 0.22
Harshika Dhoot, Harshika Dhoot