Fix vulnerabilities (#44)

* Migrate to properties files to exclude snakeyaml and resolve further vulnerabilities
* Migrate tests to JUnit5

Signed-off-by: Sebastian Becker <[email protected]>

amphora-common/3RD-PARTY-LICENSES/com.fasterxml.jackson.core_jackson-annotations/NOTICE

@@ -0,0 +1,17 @@
+# Jackson JSON processor
+
+Jackson is a high-performance, Free/Open Source JSON processing library.
+It was originally written by Tatu Saloranta ([email protected]), and has
+been in development since 2007.
+It is currently developed by a community of developers.
+
+## Licensing
+
+Jackson 2.x core and extension components are licensed under Apache License 2.0
+To find the details that apply to this artifact see the accompanying LICENSE file.
+
+## Credits
+
+A list of contributors may be found from CREDITS(-2.x) file, which is included
+in some artifacts (usually source distributions); but is always available
+from the source code management (SCM) system project uses.

amphora-common/3RD-PARTY-LICENSES/org.apache.httpcomponents_httpclient/NOTICE → amphora-common/3RD-PARTY-LICENSES/org.apache.httpcomponents.client5_httpclient5/NOTICE

@@ -1,6 +1,6 @@
 
 Apache HttpClient
-Copyright 1999-2022 The Apache Software Foundation
+Copyright 1999-2021 The Apache Software Foundation
 
 This product includes software developed at
 The Apache Software Foundation (http://www.apache.org/).

amphora-common/3RD-PARTY-LICENSES/commons-logging_commons-logging/NOTICE.txt → amphora-common/3RD-PARTY-LICENSES/org.apache.httpcomponents.core5_httpcore5-h2/NOTICE

@@ -1,6 +1,6 @@
-Apache Commons Logging
-Copyright 2003-2016 The Apache Software Foundation
+
+Apache HttpComponents Core HTTP/2
+Copyright 2005-2021 The Apache Software Foundation
 
 This product includes software developed at
 The Apache Software Foundation (http://www.apache.org/).
-

amphora-common/3RD-PARTY-LICENSES/org.apache.httpcomponents.core5_httpcore5/NOTICE

@@ -0,0 +1,6 @@
+
+Apache HttpComponents Core HTTP/1.1
+Copyright 2005-2021 The Apache Software Foundation
+
+This product includes software developed at
+The Apache Software Foundation (http://www.apache.org/).

amphora-common/3RD-PARTY-LICENSES/org.slf4j_slf4j-api/LICENSE.txt

@@ -0,0 +1,21 @@
+Copyright (c) 2004-2022 QOS.ch Sarl (Switzerland)
+All rights reserved.
+
+Permission is hereby granted, free  of charge, to any person obtaining
+a  copy  of this  software  and  associated  documentation files  (the
+"Software"), to  deal in  the Software without  restriction, including
+without limitation  the rights to  use, copy, modify,  merge, publish,
+distribute,  sublicense, and/or sell  copies of  the Software,  and to
+permit persons to whom the Software  is furnished to do so, subject to
+the following conditions:
+
+The  above  copyright  notice  and  this permission  notice  shall  be
+included in all copies or substantial portions of the Software.
+
+THE  SOFTWARE IS  PROVIDED  "AS  IS", WITHOUT  WARRANTY  OF ANY  KIND,
+EXPRESS OR  IMPLIED, INCLUDING  BUT NOT LIMITED  TO THE  WARRANTIES OF
+MERCHANTABILITY,    FITNESS    FOR    A   PARTICULAR    PURPOSE    AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE,  ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

amphora-common/3RD-PARTY-LICENSES/sbom.xml

@@ -1,11 +1,11 @@
 <attributionReport>
    <dependencies>
       <dependency>
-         <name>Apache Commons Codec</name>
-         <groupId>commons-codec</groupId>
-         <artifactId>commons-codec</artifactId>
-         <version>1.11</version>
-         <projectUrl>http://commons.apache.org/proper/commons-codec/</projectUrl>
+         <name>Apache HttpClient</name>
+         <groupId>org.apache.httpcomponents.client5</groupId>
+         <artifactId>httpclient5</artifactId>
+         <version>5.2.1</version>
+         <projectUrl>https://hc.apache.org/httpcomponents-client-5.0.x/5.2.1/httpclient5/</projectUrl>
          <licenses>
             <license>
                <name>Apache License, Version 2.0</name>
@@ -14,41 +14,28 @@
          </licenses>
       </dependency>
       <dependency>
-         <name>Apache Commons Logging</name>
-         <groupId>commons-logging</groupId>
-         <artifactId>commons-logging</artifactId>
-         <version>1.2</version>
-         <projectUrl>http://commons.apache.org/proper/commons-logging/</projectUrl>
-         <licenses>
-            <license>
-               <name>The Apache Software License, Version 2.0</name>
-               <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
-            </license>
-         </licenses>
-      </dependency>
-      <dependency>
-         <name>Apache HttpClient</name>
-         <groupId>org.apache.httpcomponents</groupId>
-         <artifactId>httpclient</artifactId>
-         <version>4.5.14</version>
-         <projectUrl>http://hc.apache.org/httpcomponents-client-ga</projectUrl>
+         <name>Apache HttpComponents Core HTTP/1.1</name>
+         <groupId>org.apache.httpcomponents.core5</groupId>
+         <artifactId>httpcore5</artifactId>
+         <version>5.2</version>
+         <projectUrl>https://hc.apache.org/httpcomponents-core-5.2.x/5.2/httpcore5/</projectUrl>
          <licenses>
             <license>
                <name>Apache License, Version 2.0</name>
-               <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+               <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
             </license>
          </licenses>
       </dependency>
       <dependency>
-         <name>Apache HttpCore</name>
-         <groupId>org.apache.httpcomponents</groupId>
-         <artifactId>httpcore</artifactId>
-         <version>4.4.16</version>
-         <projectUrl>http://hc.apache.org/httpcomponents-core-ga</projectUrl>
+         <name>Apache HttpComponents Core HTTP/2</name>
+         <groupId>org.apache.httpcomponents.core5</groupId>
+         <artifactId>httpcore5-h2</artifactId>
+         <version>5.2</version>
+         <projectUrl>https://hc.apache.org/httpcomponents-core-5.2.x/5.2/httpcore5-h2/</projectUrl>
          <licenses>
             <license>
                <name>Apache License, Version 2.0</name>
-               <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+               <url>https://www.apache.org/licenses/LICENSE-2.0.txt</url>
             </license>
          </licenses>
       </dependency>
@@ -68,7 +55,7 @@
          <name>Jackson-annotations</name>
          <groupId>com.fasterxml.jackson.core</groupId>
          <artifactId>jackson-annotations</artifactId>
-         <version>2.14.1</version>
+         <version>2.14.2</version>
          <projectUrl>https://github.com/FasterXML/jackson</projectUrl>
          <licenses>
             <license>
@@ -81,7 +68,7 @@
          <name>Jackson-core</name>
          <groupId>com.fasterxml.jackson.core</groupId>
          <artifactId>jackson-core</artifactId>
-         <version>2.14.1</version>
+         <version>2.14.2</version>
          <projectUrl>https://github.com/FasterXML/jackson-core</projectUrl>
          <licenses>
             <license>
@@ -94,7 +81,7 @@
          <name>jackson-databind</name>
          <groupId>com.fasterxml.jackson.core</groupId>
          <artifactId>jackson-databind</artifactId>
-         <version>2.14.1</version>
+         <version>2.14.2</version>
          <projectUrl>https://github.com/FasterXML/jackson</projectUrl>
          <licenses>
             <license>
@@ -116,6 +103,19 @@
             </license>
          </licenses>
       </dependency>
+      <dependency>
+         <name>SLF4J API Module</name>
+         <groupId>org.slf4j</groupId>
+         <artifactId>slf4j-api</artifactId>
+         <version>2.0.6</version>
+         <projectUrl>http://www.slf4j.org</projectUrl>
+         <licenses>
+            <license>
+               <name>MIT License</name>
+               <url>http://www.opensource.org/licenses/mit-license.php</url>
+            </license>
+         </licenses>
+      </dependency>
       <dependency>
          <name>Vavr</name>
          <groupId>io.vavr</groupId>

amphora-common/pom.xml

@@ -18,21 +18,14 @@
     </parent>
     <properties>
         <!-- external dependencies -->
-        <jackson.version>2.14.1</jackson.version>
-        <httpclient.version>4.5.14</httpclient.version>
+        <httpclient.version>5.2.1</httpclient.version>
     </properties>
     <dependencies>
         <!-- internal dependencies -->
         <dependency>
             <groupId>io.carbynestack</groupId>
             <artifactId>mp-spdz-integration</artifactId>
         </dependency>
-        <!-- external dependencies -->
-        <dependency>
-            <groupId>com.fasterxml.jackson.core</groupId>
-            <artifactId>jackson-annotations</artifactId>
-            <version>${jackson.version}</version>
-        </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
@@ -43,8 +36,8 @@
             <artifactId>vavr</artifactId>
         </dependency>
         <dependency>
-            <groupId>org.apache.httpcomponents</groupId>
-            <artifactId>httpclient</artifactId>
+            <groupId>org.apache.httpcomponents.client5</groupId>
+            <artifactId>httpclient5</artifactId>
             <version>${httpclient.version}</version>
         </dependency>
         <dependency>
@@ -55,9 +48,14 @@
 
         <!-- Test dependencies -->
         <dependency>
-            <groupId>junit</groupId>
-            <artifactId>junit</artifactId>
-            <version>${junit.version}</version>
+            <groupId>org.assertj</groupId>
+            <artifactId>assertj-core</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter</artifactId>
+            <version>${junit-jupiter.version}</version>
             <scope>test</scope>
         </dependency>
     </dependencies>

amphora-common/src/main/java/io/carbynestack/amphora/common/AmphoraServiceUri.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2021 - for information on the respective copyright owner
+ * Copyright (c) 2023 - for information on the respective copyright owner
  * see the NOTICE file and/or the repository https://github.com/carbynestack/amphora.
  *
  * SPDX-License-Identifier: Apache-2.0
@@ -15,7 +15,7 @@
 import lombok.AccessLevel;
 import lombok.Data;
 import lombok.Setter;
-import org.apache.http.client.utils.URIBuilder;
+import org.apache.hc.core5.net.URIBuilder;
 
 /**
  * A class, that manages an Amphora Service's URI and provides correct paths for all endpoints. Uses
@@ -131,8 +131,8 @@ URI attachPathParameter(URI uri, String param) {
     path =
         String.format(
             "%s%s%s",
-            path == null || path.length() == 0 ? "" : path,
-            path != null && path.length() > 0 && path.lastIndexOf('/') == path.length() ? "" : "/",
+            path == null || path.isEmpty() ? "" : path,
+            path != null && path.endsWith("/") ? "" : "/",
             param);
     uriBuilder.setPath(path);
     return Try.of(uriBuilder::build)