From 56f39b8f0f8862774f04e9eac025e056ccac9073 Mon Sep 17 00:00:00 2001 From: Pavel Bachyla Date: Mon, 9 Nov 2020 19:52:45 +0300 Subject: [PATCH 1/7] Fix WhiteSource alerts --- pom.xml | 64 +++++++++++++++---- provider/search-azure/pom.xml | 4 -- provider/search-byoc/pom.xml | 6 -- provider/search-gcp/pom.xml | 7 -- provider/search-ibm/pom.xml | 20 +++++- search-core/pom.xml | 6 -- .../integration-tests/search-test-aws/pom.xml | 2 +- .../search-test-azure/pom.xml | 2 +- .../search-test-core/pom.xml | 2 +- .../integration-tests/search-test-gcp/pom.xml | 2 +- .../integration-tests/search-test-ibm/pom.xml | 2 +- 11 files changed, 74 insertions(+), 43 deletions(-) diff --git a/pom.xml b/pom.xml index acb6d746..50ce789d 100644 --- a/pom.xml +++ b/pom.xml @@ -26,7 +26,7 @@ org.springframework.boot spring-boot-starter-parent - 2.1.16.RELEASE + 2.1.17.RELEASE @@ -39,6 +39,13 @@ 1.26 1.14 6.1.5.Final + 9.1.2 + 4.5.13 + 5.3.0 + 2020.0.0 + 2.11.1 + 1.31.0 + 1.20 @@ -57,13 +64,12 @@ provider/search-azure provider/search-ibm - org.springframework.boot spring-boot-dependencies - 2.1.16.RELEASE + 2.1.17.RELEASE pom import @@ -149,7 +155,7 @@ org.locationtech.spatial4j spatial4j - 0.6 + 0.7 com.vividsolutions @@ -201,7 +207,7 @@ org.apache.logging.log4j log4j-to-slf4j - 2.13.2 + ${log4j-core.version} org.slf4j 
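Review bot: In the root pom.xml, the `@@ -201,7 +207,7 @@` hunk replaces the pinned log4j-to-slf4j 2.13.2 with `${log4j-core.version}`, and the value added for that property in the `@@ -39,6 +39,13 @@` hunk appears to be 2.11.1, so a commit meant to clear scanner alerts lowers the version of the logging bridge. The element names are not visible in this rendering, so the mapping of 2.11.1 to that property is inferred from the order of the managed dependencies added later in the same file. The integration-test poms in this patch pin 2.13.3; setting `<log4j-core.version>2.13.3</log4j-core.version>` would keep every module on one release. A comment beside the property saying that it also drives log4j-api and log4j-to-slf4j would help, because the name suggests it covers log4j-core only.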
@@ -262,17 +268,51 @@ hibernate-validator ${hibernate-validator.version} + + com.nimbusds + nimbus-jose-jwt + ${nimbus-jose-jwt.version} + + + org.apache.httpcomponents + httpclient + ${httpclient.version} + + + com.fasterxml.woodstox + woodstox-core + ${woodstox-core.version} + + + io.projectreactor + reactor-bom + ${reactor-bom.version} + pom + + + org.apache.logging.log4j + log4j-core + ${log4j-core.version} + + + com.google.oauth-client + google-oauth-client + ${google-oauth-client.version} + + + org.apache.commons + commons-compress + ${commons-compress.version} + + + org.apache.logging.log4j + log4j-api + ${log4j-core.version} + - - org.springframework.boot - spring-boot-dependencies - 2.1.7.RELEASE - pom - import - org.projectlombok lombok diff --git a/provider/search-azure/pom.xml b/provider/search-azure/pom.xml index adacd9e2..143d6220 100644 --- a/provider/search-azure/pom.xml +++ b/provider/search-azure/pom.xml @@ -73,12 +73,10 @@ io.projectreactor.netty reactor-netty - 0.9.5.RELEASE io.projectreactor reactor-core - 3.3.0.RELEASE org.powermock @@ -122,11 +120,9 @@ spring-security-test test - org.locationtech.spatial4j spatial4j - 0.7 org.locationtech.jts.io diff --git a/provider/search-byoc/pom.xml b/provider/search-byoc/pom.xml index 9a452184..be46c35a 100644 --- a/provider/search-byoc/pom.xml +++ b/provider/search-byoc/pom.xml @@ -17,7 +17,6 @@ 4.0.0 - org.opengroup.osdu search-byoc 0.0.5-SNAPSHOT In memory implementation of Search service APIs @@ -46,11 +45,6 @@ search-core 0.0.5-SNAPSHOT - - org.opengroup.osdu - os-core-common - 0.0.18 - org.powermock diff --git a/provider/search-gcp/pom.xml b/provider/search-gcp/pom.xml index 56faa1bd..e69ffac8 100644 --- a/provider/search-gcp/pom.xml +++ b/provider/search-gcp/pom.xml @@ -17,7 +17,6 @@ 4.0.0 - org.opengroup.osdu search-gcp 0.0.5-SNAPSHOT Google cloud implementation of Search service APIs 
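Review bot: The reactor-bom entry added to dependencyManagement in the root pom.xml hunk `@@ -262,17 +268,51 @@` shows type `pom` but no `import` scope, unlike the spring-boot-dependencies entry earlier in the same file. Without `<scope>import</scope>` Maven manages only the BOM artifact itself, so the reactor-netty and reactor-core versions dropped in provider/search-azure/pom.xml (0.9.5.RELEASE and 3.3.0.RELEASE) may resolve from some other source than the 2020.0.0 release this entry names. The XML markup is stripped in this view, so the missing scope is read from the visible text only. If the intent is to pin the Reactor release train, add the import scope, and confirm the resolved versions in search-azure with `mvn dependency:tree` before merging.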
@@ -52,12 +51,6 @@ core-lib-gcp 0.1.21 - - org.opengroup.osdu - os-core-common - 0.0.18 - - com.google.cloud google-cloud-datastore diff --git a/provider/search-ibm/pom.xml b/provider/search-ibm/pom.xml index dc9565d9..bc2359c3 100644 --- a/provider/search-ibm/pom.xml +++ b/provider/search-ibm/pom.xml @@ -27,8 +27,19 @@ 0.0.18 org.opengroup.osdu.search.provider.ibm.app.SearchIBMApplication + 1.64 + + + + org.bouncycastle + bcprov-jdk15on + ${bcprov-jdk15on.version} + + + + @@ -54,6 +65,12 @@ org.springframework.security.oauth spring-security-oauth2 2.3.6.RELEASE + + + org.codehaus.jackson + jackson-mapper-asl + + @@ -89,7 +106,6 @@ org.locationtech.spatial4j spatial4j - 0.7 org.locationtech.jts.io @@ -141,8 +157,6 @@ org.mockito mockito-core - 3.0.0 - test diff --git a/search-core/pom.xml b/search-core/pom.xml index c23a35c8..487184f5 100644 --- a/search-core/pom.xml +++ b/search-core/pom.xml @@ -41,12 +41,6 @@ - - org.opengroup.osdu - os-core-common - 0.0.18 - - javax.el javax.el-api diff --git a/testing/integration-tests/search-test-aws/pom.xml b/testing/integration-tests/search-test-aws/pom.xml index aeb7bb14..9e9c90d6 100644 --- a/testing/integration-tests/search-test-aws/pom.xml +++ b/testing/integration-tests/search-test-aws/pom.xml @@ -108,7 +108,7 @@ org.apache.logging.log4j log4j-to-slf4j - 2.11.2 + 2.13.3 diff --git a/testing/integration-tests/search-test-azure/pom.xml b/testing/integration-tests/search-test-azure/pom.xml index 1359ad01..ce3832a8 100644 --- a/testing/integration-tests/search-test-azure/pom.xml +++ b/testing/integration-tests/search-test-azure/pom.xml @@ -132,7 +132,7 @@ org.apache.logging.log4j log4j-core - 2.13.2 + 2.13.3 diff --git a/testing/integration-tests/search-test-core/pom.xml b/testing/integration-tests/search-test-core/pom.xml index 41b61256..d5620fba 100644 --- a/testing/integration-tests/search-test-core/pom.xml +++ b/testing/integration-tests/search-test-core/pom.xml 
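Review bot: In provider/search-ibm/pom.xml the `@@ -141,8 +157,6 @@` hunk removes both the 3.0.0 version and the `test` scope from mockito-core. Unless a parent pom manages the scope, the dependency falls back to compile scope and the mocking library lands on the runtime classpath of the IBM provider artifact. Dropping only the version and keeping `<scope>test</scope>` avoids that. The dependencies block continues outside the hunk and no mockito entry is visible in the root pom hunks, so parent-side management could not be checked here.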
@@ -116,7 +116,7 @@ org.apache.logging.log4j log4j-to-slf4j - 2.11.2 + 2.13.3 org.slf4j diff --git a/testing/integration-tests/search-test-gcp/pom.xml b/testing/integration-tests/search-test-gcp/pom.xml index fff43998..e529d386 100644 --- a/testing/integration-tests/search-test-gcp/pom.xml +++ b/testing/integration-tests/search-test-gcp/pom.xml @@ -115,7 +115,7 @@ org.apache.logging.log4j log4j-to-slf4j - 2.11.2 + 2.13.3 org.slf4j diff --git a/testing/integration-tests/search-test-ibm/pom.xml b/testing/integration-tests/search-test-ibm/pom.xml index 10abb3b9..ba48c563 100644 --- a/testing/integration-tests/search-test-ibm/pom.xml +++ b/testing/integration-tests/search-test-ibm/pom.xml @@ -110,7 +110,7 @@ org.apache.logging.log4j log4j-to-slf4j - 2.11.2 + 2.13.3 org.slf4j -- GitLab From daef2c9b417769bc8c121c685aa6b4df92b4546d Mon Sep 17 00:00:00 2001 From: Pavel Bachyla Date: Tue, 10 Nov 2020 13:36:32 +0300 Subject: [PATCH 2/7] Revert "Fix WhiteSource alerts" This reverts commit 3bd6e85b --- provider/search-byoc/pom.xml | 6 ++++++ provider/search-gcp/pom.xml | 7 +++++++ provider/search-ibm/pom.xml | 20 +++---------------- .../integration-tests/search-test-aws/pom.xml | 2 +- .../search-test-core/pom.xml | 2 +- .../integration-tests/search-test-gcp/pom.xml | 2 +- .../integration-tests/search-test-ibm/pom.xml | 2 +- 7 files changed, 20 insertions(+), 21 deletions(-) diff --git a/provider/search-byoc/pom.xml b/provider/search-byoc/pom.xml index be46c35a..9a452184 100644 --- a/provider/search-byoc/pom.xml +++ b/provider/search-byoc/pom.xml @@ -17,6 +17,7 @@ 4.0.0 + org.opengroup.osdu search-byoc 0.0.5-SNAPSHOT In memory implementation of Search service APIs @@ -45,6 +46,11 @@ search-core 0.0.5-SNAPSHOT + + org.opengroup.osdu + os-core-common + 0.0.18 + org.powermock diff --git a/provider/search-gcp/pom.xml b/provider/search-gcp/pom.xml index e69ffac8..56faa1bd 100644 --- a/provider/search-gcp/pom.xml +++ b/provider/search-gcp/pom.xml 
@@ -17,6 +17,7 @@ 4.0.0 + org.opengroup.osdu search-gcp 0.0.5-SNAPSHOT Google cloud implementation of Search service APIs @@ -51,6 +52,12 @@ core-lib-gcp 0.1.21 + + org.opengroup.osdu + os-core-common + 0.0.18 + + com.google.cloud google-cloud-datastore diff --git a/provider/search-ibm/pom.xml b/provider/search-ibm/pom.xml index bc2359c3..dc9565d9 100644 --- a/provider/search-ibm/pom.xml +++ b/provider/search-ibm/pom.xml @@ -27,19 +27,8 @@ 0.0.18 org.opengroup.osdu.search.provider.ibm.app.SearchIBMApplication - 1.64 - - - - org.bouncycastle - bcprov-jdk15on - ${bcprov-jdk15on.version} - - - - @@ -65,12 +54,6 @@ org.springframework.security.oauth spring-security-oauth2 2.3.6.RELEASE - - - org.codehaus.jackson - jackson-mapper-asl - - @@ -106,6 +89,7 @@ org.locationtech.spatial4j spatial4j + 0.7 org.locationtech.jts.io @@ -157,6 +141,8 @@ org.mockito mockito-core + 3.0.0 + test diff --git a/testing/integration-tests/search-test-aws/pom.xml b/testing/integration-tests/search-test-aws/pom.xml index 9e9c90d6..aeb7bb14 100644 --- a/testing/integration-tests/search-test-aws/pom.xml +++ b/testing/integration-tests/search-test-aws/pom.xml @@ -108,7 +108,7 @@ org.apache.logging.log4j log4j-to-slf4j - 2.13.3 + 2.11.2 diff --git a/testing/integration-tests/search-test-core/pom.xml b/testing/integration-tests/search-test-core/pom.xml index d5620fba..41b61256 100644 --- a/testing/integration-tests/search-test-core/pom.xml +++ b/testing/integration-tests/search-test-core/pom.xml @@ -116,7 +116,7 @@ org.apache.logging.log4j log4j-to-slf4j - 2.13.3 + 2.11.2 org.slf4j diff --git a/testing/integration-tests/search-test-gcp/pom.xml b/testing/integration-tests/search-test-gcp/pom.xml index e529d386..fff43998 100644 --- a/testing/integration-tests/search-test-gcp/pom.xml +++ b/testing/integration-tests/search-test-gcp/pom.xml @@ -115,7 +115,7 @@ org.apache.logging.log4j log4j-to-slf4j - 2.13.3 + 2.11.2 org.slf4j 
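Review bot: The provider/search-ibm/pom.xml hunk `@@ -65,12 +54,6 @@` drops the jackson-mapper-asl exclusion on spring-security-oauth2 2.3.6.RELEASE, which puts the org.codehaus.jackson 1.x mapper back on the IBM provider's classpath. That library line is no longer maintained and was presumably among the alerts the first patch addressed. The commit message gives no reason for undoing it. If the exclusion broke something at runtime, a comment beside the dependency such as `<!-- jackson-mapper-asl retained because REASON -->` (placeholder) would record that; otherwise the exclusion could stay while the rest is reverted.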
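Review bot: The integration-test hunks starting at search-test-aws `@@ -108,7 +108,7 @@` (and the search-test-core, search-test-gcp and search-test-ibm hunks after it) set log4j-to-slf4j back to 2.11.2, while search-test-azure and the root pom.xml are left as the first patch changed them. After this revert the repository carries 2.11.2, the 2.13.3 still pinned in search-test-azure, and the root property value side by side, which makes scanner findings hard to reason about. Referencing one shared property from all test poms would remove the drift. The commit message should also state which parts of the original change are kept on purpose, since the diffstat shows only a partial revert.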
diff --git a/testing/integration-tests/search-test-ibm/pom.xml b/testing/integration-tests/search-test-ibm/pom.xml index ba48c563..10abb3b9 100644 --- a/testing/integration-tests/search-test-ibm/pom.xml +++ b/testing/integration-tests/search-test-ibm/pom.xml @@ -110,7 +110,7 @@ org.apache.logging.log4j log4j-to-slf4j - 2.13.3 + 2.11.2 org.slf4j -- GitLab From 9b632e34b665dae0afc3459deda90ace86a0b843 Mon Sep 17 00:00:00 2001 From: Pavel Bachyla Date: Tue, 10 Nov 2020 19:10:52 +0300 Subject: [PATCH 3/7] Upgrade log4j and spring boot parent version --- pom.xml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pom.xml b/pom.xml index 50ce789d..df5eafcf 100644 --- a/pom.xml +++ b/pom.xml @@ -26,7 +26,7 @@ org.springframework.boot spring-boot-starter-parent - 2.1.17.RELEASE + 2.1.18.RELEASE @@ -43,7 +43,7 @@ 4.5.13 5.3.0 2020.0.0 - 2.11.1 + 2.13.2 1.31.0 1.20 @@ -69,7 +69,7 @@ org.springframework.boot spring-boot-dependencies - 2.1.17.RELEASE + 2.1.18.RELEASE pom import -- GitLab From 33fd18ec4392b591140f97a14ed4a06747416c60 Mon Sep 17 00:00:00 2001 From: Alok Joshi Date: Tue, 24 Nov 2020 16:52:35 -0600 Subject: [PATCH 4/7] update to fossa maven --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 883b4f64..7f418417 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -43,7 +43,7 @@ include: file: "build/maven.yml" - project: "osdu/platform/ci-cd-pipelines" - file: "scanners/fossa.yml" + file: "scanners/fossa-maven.yml" - project: "osdu/platform/ci-cd-pipelines" file: "scanners/gitlab-ultimate.yml" -- GitLab From 0eac032d061ad8a15539cac77d5751d15ad0caa5 Mon Sep 17 00:00:00 2001 From: Alok Joshi Date: Sun, 13 Dec 2020 23:52:43 -0600 Subject: [PATCH 5/7] update notice file --- NOTICE | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/NOTICE b/NOTICE index 71c41dc0..fb2ab854 100644 --- a/NOTICE +++ b/NOTICE 
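Review bot: The changed include in .gitlab-ci.yml (`@@ -43,7 +43,7 @@`) pulls `scanners/fossa-maven.yml` from osdu/platform/ci-cd-pipelines with no `ref:` shown on the entry, so the scanner job definition follows whatever is on that project's default branch at pipeline time. Pinning it, for example `ref: PINNED_TAG_OR_SHA` (placeholder) under the `project:` key, turns any change to the shared template into an explicit, reviewable update in this repository. The neighbouring `build/maven.yml` and `scanners/gitlab-ultimate.yml` entries look the same in the context lines and would benefit from the same pin. The include list starts and ends outside the hunk.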
@@ -180,27 +180,34 @@ The following software have components provided under the terms of this license: - Microsoft Application Insights Log4j 2 Appender (from https://github.com/Microsoft/ApplicationInsights-Java) - Microsoft Azure Netty HTTP Client Library (from https://github.com/Azure/azure-sdk-for-java) - Microsoft Azure SDK for SQL API of Azure Cosmos DB Service (from https://github.com/Azure/azure-sdk-for-java) -- Mockito (from http://www.mockito.org) -- Mockito (from http://www.mockito.org) - Mockito (from http://mockito.org) - Mockito (from http://mockito.org) +- Mockito (from http://www.mockito.org) +- Mockito (from http://www.mockito.org) - Msg Simple (from https://github.com/fge/msg-simple) - Netty Reactive Streams Implementation (from ) - Netty/Buffer (from http://netty.io/) +- Netty/Buffer (from http://netty.io/) +- Netty/Codec (from ) - Netty/Codec (from ) - Netty/Codec/HTTP (from ) +- Netty/Codec/HTTP (from ) - Netty/Codec/HTTP2 (from ) - Netty/Codec/Socks (from ) - Netty/Common (from ) +- Netty/Common (from ) +- Netty/Handler (from ) - Netty/Handler (from ) - Netty/Handler/Proxy (from ) - Netty/Resolver (from ) +- Netty/Resolver (from ) - Netty/TomcatNative [BoringSSL - Static] (from ) - Netty/Transport (from http://netty.io/) +- Netty/Transport (from http://netty.io/) +- Netty/Transport/Native/Unix/Common (from ) - Netty/Transport/Native/Unix/Common (from ) - Nimbus Content Type (from https://bitbucket.org/connect2id/nimbus-content-type) - Nimbus JOSE+JWT (from https://bitbucket.org/connect2id/nimbus-jose-jwt) -- Nimbus JOSE+JWT (from https://bitbucket.org/connect2id/nimbus-jose-jwt) - Nimbus LangTag (from https://bitbucket.org/connect2id/nimbus-language-tags) - Nimbus LangTag (from https://bitbucket.org/connect2id/nimbus-language-tags) - Non-Blocking Reactive Foundation for the JVM (from https://github.com/reactor/reactor) 
@@ -231,7 +238,6 @@ The following software have components provided under the terms of this license: - Simple XML (from http://simple.sourceforge.net) - SnakeYAML (from http://www.snakeyaml.org) - Spatial4J (from http://www.locationtech.org/projects/locationtech.spatial4j) -- Spatial4J (from http://www.locationtech.org/projects/locationtech.spatial4j) - Spring AOP (from https://github.com/spring-projects/spring-framework) - Spring Beans (from https://github.com/spring-projects/spring-framework) - Spring Boot (from http://projects.spring.io/spring-boot/) @@ -370,6 +376,7 @@ The following software have components provided under the terms of this license: - swagger-models (from ) - tomcat-annotations-api (from http://tomcat.apache.org/) - tomcat-embed-core (from http://tomcat.apache.org/) +- tomcat-embed-core (from http://tomcat.apache.org/) - tomcat-embed-el (from http://tomcat.apache.org/) - tomcat-embed-websocket (from http://tomcat.apache.org/) - x-content (from https://github.com/elastic/elasticsearch) @@ -426,6 +433,7 @@ The following software have components provided under the terms of this license: - Mockito (from http://www.mockito.org) - NanoHttpd-Core (from ) - Netty/Codec/HTTP (from ) +- Netty/Codec/HTTP (from ) - Protocol Buffer Java API (from https://developers.google.com/protocol-buffers/) - Protocol Buffers [Util] (from ) - Reflections (from http://github.com/ronmamo/reflections) @@ -520,6 +528,7 @@ The following software have components provided under the terms of this license: - jersey-ext-bean-validation (from ) - jersey-spring4 (from ) - tomcat-embed-core (from http://tomcat.apache.org/) +- tomcat-embed-core (from http://tomcat.apache.org/) ======================================================================== CPL-1.0 
@@ -597,6 +606,7 @@ The following software have components provided under the terms of this license: - jersey-media-json-jackson (from git://java.net/jersey~code/project/jersey-media-json-jackson) - jersey-spring4 (from ) - tomcat-embed-core (from http://tomcat.apache.org/) +- tomcat-embed-core (from http://tomcat.apache.org/) ======================================================================== GPL-2.0-or-later @@ -641,6 +651,7 @@ The following software have components provided under the terms of this license: - jersey-media-json-jackson (from git://java.net/jersey~code/project/jersey-media-json-jackson) - jersey-spring4 (from ) - tomcat-embed-core (from http://tomcat.apache.org/) +- tomcat-embed-core (from http://tomcat.apache.org/) ======================================================================== GPL-3.0-only @@ -739,11 +750,13 @@ The following software have components provided under the terms of this license: - Microsoft Azure client library for KeyVault Secrets (from https://github.com/Azure/azure-sdk-for-java) - Microsoft Azure common module for Storage (from https://github.com/Azure/azure-sdk-for-java) - Microsoft Azure internal Avro module for Storage (from https://github.com/Azure/azure-sdk-for-java) -- Mockito (from http://www.mockito.org) - Mockito (from http://mockito.org) - Mockito (from http://www.mockito.org) +- Mockito (from http://www.mockito.org) - Mockito (from http://mockito.org) - Netty/Codec/HTTP (from ) +- Netty/Codec/HTTP (from ) +- Netty/Common (from ) - Netty/Common (from ) - Project Lombok (from https://projectlombok.org) - SLF4J API Module (from http://www.slf4j.org) -- GitLab From 073be5e99706d81805b7f9cee3eb4760008f6827 Mon Sep 17 00:00:00 2001 From: Alok Joshi Date: Wed, 16 Dec 2020 11:20:40 -0600 Subject: [PATCH 6/7] exclude nimbus-jose-jwt from ibm module --- pom.xml | 6 ------ provider/search-ibm/pom.xml | 6 ++++++ search-core/pom.xml | 6 ++++++ 3 files changed, 12 insertions(+), 6 deletions(-) 
diff --git a/pom.xml b/pom.xml index d74141c6..d27511f9 100644 --- a/pom.xml +++ b/pom.xml @@ -39,7 +39,6 @@ 1.26 1.14 6.1.5.Final - 9.1.2 4.5.13 5.3.0 2020.0.0 @@ -268,11 +267,6 @@ hibernate-validator ${hibernate-validator.version} - - com.nimbusds - nimbus-jose-jwt - ${nimbus-jose-jwt.version} - org.apache.httpcomponents httpclient diff --git a/provider/search-ibm/pom.xml b/provider/search-ibm/pom.xml index 7079057c..2e3efdc6 100644 --- a/provider/search-ibm/pom.xml +++ b/provider/search-ibm/pom.xml @@ -38,6 +38,12 @@ org.opengroup.osdu search-core 0.0.5-SNAPSHOT + + + com.nimbusds + nimbus-jose-jwt + + diff --git a/search-core/pom.xml b/search-core/pom.xml index 487184f5..43cab49d 100644 --- a/search-core/pom.xml +++ b/search-core/pom.xml @@ -38,6 +38,7 @@ false ${project.basedir} 9.0.37 + 9.1.2 @@ -73,6 +74,11 @@ + + com.nimbusds + nimbus-jose-jwt + ${nimbus-jose-jwt.version} + com.fasterxml.jackson.core jackson-databind -- GitLab From 24d65738b7c194c4e89f989d13c2992e99cebf48 Mon Sep 17 00:00:00 2001 From: Alok Joshi Date: Wed, 16 Dec 2020 12:15:16 -0600 Subject: [PATCH 7/7] update NOTICE --- NOTICE | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/NOTICE b/NOTICE index fb2ab854..394b6476 100644 --- a/NOTICE +++ b/NOTICE 
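Review bot: The exclusion added in provider/search-ibm/pom.xml (`@@ -38,6 +38,12 @@`) removes nimbus-jose-jwt from the search-core dependency, so the IBM provider no longer receives the 9.1.2 version that search-core now declares and instead resolves whichever version its other dependencies bring in, if any. Together with the removal of the managed version from the root pom.xml, nothing in the visible hunks pins the JWT library for that module. Because this library parses and validates tokens, the reason and the resulting version should be recorded beside the exclusion, e.g. `<!-- excluded because REASON; IBM module resolves nimbus-jose-jwt VERSION -->` (placeholders). Confirming the outcome with `mvn dependency:tree -Dincludes=com.nimbusds` in search-ibm would show whether an older release is now in use.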
@@ -180,10 +180,10 @@ The following software have components provided under the terms of this license: - Microsoft Application Insights Log4j 2 Appender (from https://github.com/Microsoft/ApplicationInsights-Java) - Microsoft Azure Netty HTTP Client Library (from https://github.com/Azure/azure-sdk-for-java) - Microsoft Azure SDK for SQL API of Azure Cosmos DB Service (from https://github.com/Azure/azure-sdk-for-java) +- Mockito (from http://www.mockito.org) - Mockito (from http://mockito.org) - Mockito (from http://mockito.org) - Mockito (from http://www.mockito.org) -- Mockito (from http://www.mockito.org) - Msg Simple (from https://github.com/fge/msg-simple) - Netty Reactive Streams Implementation (from ) - Netty/Buffer (from http://netty.io/) @@ -208,6 +208,8 @@ The following software have components provided under the terms of this license: - Netty/Transport/Native/Unix/Common (from ) - Nimbus Content Type (from https://bitbucket.org/connect2id/nimbus-content-type) - Nimbus JOSE+JWT (from https://bitbucket.org/connect2id/nimbus-jose-jwt) +- Nimbus JOSE+JWT (from https://bitbucket.org/connect2id/nimbus-jose-jwt) +- Nimbus JOSE+JWT (from https://bitbucket.org/connect2id/nimbus-jose-jwt) - Nimbus LangTag (from https://bitbucket.org/connect2id/nimbus-language-tags) - Nimbus LangTag (from https://bitbucket.org/connect2id/nimbus-language-tags) - Non-Blocking Reactive Foundation for the JVM (from https://github.com/reactor/reactor) -- GitLab