From 9de95d01f12c37e19d0eaa3106c8be3169b1c7ed Mon Sep 17 00:00:00 2001
From: amvanbaren
Date: Thu, 11 Apr 2024 10:22:41 +0300
Subject: [PATCH] Fix server vulnerabilities

- Remove Google guava
- Remove SPDX tools
- Update bouncycastle to fix CVE-2023-33201
- Update Google cloud to fix CVE-2023-2976
- Add constraint on Eclipse parsson to fix CVE-2023-4043
---
 server/build.gradle | 20 +++++++++----------
 .../openvsx/security/TokenService.java | 18 ++++++++---------
 .../openvsx/storage/StorageMigration.java | 6 ++++--
 3 files changed, 21 insertions(+), 23 deletions(-)

diff --git a/server/build.gradle b/server/build.gradle
index e079c2faf..bc4eb047a 100644
--- a/server/build.gradle
+++ b/server/build.gradle
@@ -22,10 +22,8 @@ def versions = [
 java: '17',
 flyway: '9.19.1',
 springdoc: '2.1.0',
- spdx: '2.2.8',
- gcloud: '2.22.3',
+ gcloud: '2.36.1',
 azure: '12.23.0',
- guava: '30.0-jre',
 junit: '5.7.1',
 testcontainers: '1.15.2',
 jackson: '2.15.2',
@@ -34,7 +32,7 @@ def versions = [
 bucket4j: '0.9.0',
 ehcache: '3.10.8',
 tika: '2.6.0',
- bouncycastle: '1.69',
+ bouncycastle: '1.77',
 commons_lang3: '3.12.0',
 httpclient5: '5.2.1',
 jaxb_api: '2.3.1',
@@ -81,7 +79,7 @@ dependencies {
 implementation "org.springframework.security:spring-security-oauth2-jose"
 implementation "org.springframework.session:spring-session-jdbc"
 implementation "org.springframework.retry:spring-retry"
- implementation "org.bouncycastle:bcpkix-jdk15on:${versions.bouncycastle}"
+ implementation "org.bouncycastle:bcpkix-jdk18on:${versions.bouncycastle}"
 implementation "org.ehcache:ehcache:${versions.ehcache}"
 implementation "com.giffing.bucket4j.spring.boot.starter:bucket4j-spring-boot-starter:${versions.bucket4j}"
 implementation "org.jobrunr:jobrunr-spring-boot-3-starter:${versions.jobrunr}"
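Review bot: Changing the coordinate from `bcpkix-jdk15on` to `bcpkix-jdk18on` in the @@ -81 hunk does not evict the old artifacts if any transitive dependency still requests an `org.bouncycastle:*-jdk15on` module; Gradle treats the two artifact ids as unrelated, so both jars (same packages, different versions) can land on the runtime classpath and the pre-1.77 classes remain loadable. Whether that happens here cannot be seen from the build file alone, so it is worth checking with `./gradlew dependencyInsight --dependency bcprov-jdk15on` (and the same for `bcpkix-jdk15on`). If a stray `jdk15on` module shows up, a module replacement rule makes the resolution explicit: `dependencies.modules { module('org.bouncycastle:bcprov-jdk15on') { replacedBy('org.bouncycastle:bcprov-jdk18on') } }`.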
@@ -89,7 +87,6 @@ dependencies {
 implementation "com.google.cloud:google-cloud-storage:${versions.gcloud}"
 implementation "com.azure:azure-storage-blob:${versions.azure}"
 implementation "org.springdoc:springdoc-openapi-starter-webmvc-ui:${versions.springdoc}"
- implementation "com.google.guava:guava:${versions.guava}"
 implementation "com.fasterxml.jackson.core:jackson-core:${versions.jackson}"
 implementation "com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}"
 implementation "com.fasterxml.jackson.core:jackson-databind:${versions.jackson}"
@@ -101,11 +98,6 @@ dependencies {
 implementation "org.apache.commons:commons-lang3:${versions.commons_lang3}"
 implementation "org.apache.httpcomponents.client5:httpclient5:${versions.httpclient5}"
 implementation "org.apache.tika:tika-core:${versions.tika}"
- implementation("org.spdx:spdx-tools:${versions.spdx}") {
- exclude group: 'net.sf.saxon'
- exclude group: 'org.antlr', module: 'antlr'
- exclude group: 'org.apache.logging.log4j', module: 'log4j-slf4j-impl'
- }
 implementation "com.github.loki4j:loki-logback-appender:${versions.loki4j}"
 implementation "io.micrometer:micrometer-tracing"
 implementation "io.micrometer:micrometer-tracing-bridge-otel"
@@ -127,6 +119,12 @@ dependencies {
 gatling "io.gatling:gatling-core:${versions.gatling}"
 gatling "io.gatling:gatling-app:${versions.gatling}"
 
+
+ constraints {
+ implementation('org.eclipse.parsson:parsson:1.0.5') {
+ because 'version 1.0.0 pulled from elasticsearch-java has CVE-2023-4043'
+ }
+ }
 }
 
 jooq {
diff --git a/server/src/main/java/org/eclipse/openvsx/security/TokenService.java b/server/src/main/java/org/eclipse/openvsx/security/TokenService.java
index aa6976824..94eb6f352 100644
--- a/server/src/main/java/org/eclipse/openvsx/security/TokenService.java
+++ b/server/src/main/java/org/eclipse/openvsx/security/TokenService.java
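Review bot: Dropping the direct `guava` dependency in the @@ -89 hunk does not take Guava off the runtime classpath while `google-cloud-storage` still pulls it in transitively, so whether CVE-2023-2976 is actually closed depends on the Guava version that `gcloud: '2.36.1'` happens to resolve to, and nothing in the build pins that. The `constraints` block added in the @@ -127 hunk is the natural place to make it explicit, mirroring the parsson entry: `implementation('com.google.guava:guava:<first fixed version>') { because 'CVE-2023-2976' }`. The parsson `because` text also ties the constraint to a specific transitive version ("1.0.0 pulled from elasticsearch-java"), which will silently go stale the next time elasticsearch-java is bumped; a short comment above the block stating when the constraint can be removed (once the transitive request is itself at or above the fixed version) would help the next maintainer.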
@@ -19,7 +19,6 @@ import org.eclipse.openvsx.entities.AuthToken; import org.eclipse.openvsx.entities.UserData; -import org.json.simple.JsonObject; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import org.springframework.beans.factory.annotation.Autowired; @@ -166,16 +165,16 @@ protected Pair refreshEclipseToken(AuthTo headers.setContentType(MediaType.APPLICATION_JSON); headers.setAccept(Arrays.asList(MediaType.APPLICATION_JSON)); - var data = new JsonObject(); - data.put("grant_type", "refresh_token"); - data.put("client_id", reg.getClientId()); - data.put("client_secret", reg.getClientSecret()); - data.put("refresh_token", token.refreshToken != null ? token.refreshToken : token.accessToken); - - var request = new HttpEntity(data.toJson(), headers); - var restTemplate = new RestTemplate(); var objectMapper = new ObjectMapper(); + var data = objectMapper.createObjectNode() + .put("grant_type", "refresh_token") + .put("client_id", reg.getClientId()) + .put("client_secret", reg.getClientSecret()) + .put("refresh_token", token.refreshToken != null ? token.refreshToken : token.accessToken); + try { + var request = new HttpEntity<>(objectMapper.writeValueAsString(data), headers); + var restTemplate = new RestTemplate(); var response = restTemplate.postForObject(tokenUri, request, String.class); var root = objectMapper.readTree(response); var newTokenValue = root.get("access_token").asText(); @@ -188,7 +187,6 @@ protected Pair refreshEclipseToken(AuthTo var newToken = new OAuth2AccessToken(TokenType.BEARER, newTokenValue, issuedAt, expiresAt); var newRefreshToken = new OAuth2RefreshToken(newRefreshTokenValue, issuedAt); return Pair.of(newToken, newRefreshToken); - } catch (RestClientException exc) { logger.error("Post request failed with URL: " + tokenUri, exc); } catch (JsonProcessingException exc) { 
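Review bot: The `new RestTemplate()` that the @@ -166 hunk moves into the try block is built with the default request factory, which configures no connect or read timeout, so a token endpoint that stops responding blocks the refresh and its calling thread indefinitely; the commit relocates the line but does not address this. The file already imports `Autowired`, so injecting a `RestTemplate` configured with timeouts (for example via `RestTemplateBuilder` with `setConnectTimeout`/`setReadTimeout`) would be preferable to constructing one per call, and the same applies to the per-call `new ObjectMapper()`, which is costly to create and safe to share once configured. In the same try block, `root.get("access_token").asText()` throws a NullPointerException on a 2xx body that lacks the field, which neither `catch` below handles; `root.path("access_token")` with an `isMissingNode()` check fails cleanly instead. `refreshEclipseToken` begins and ends outside the hunk.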
diff --git a/server/src/main/java/org/eclipse/openvsx/storage/StorageMigration.java b/server/src/main/java/org/eclipse/openvsx/storage/StorageMigration.java index 1d8fb397a..884046a5b 100644 --- a/server/src/main/java/org/eclipse/openvsx/storage/StorageMigration.java +++ b/server/src/main/java/org/eclipse/openvsx/storage/StorageMigration.java @@ -9,7 +9,6 @@ ********************************************************************************/ package org.eclipse.openvsx.storage; -import org.apache.jena.ext.com.google.common.collect.Lists; import org.eclipse.openvsx.entities.FileResource; import org.eclipse.openvsx.repositories.RepositoryService; import org.slf4j.Logger; @@ -25,6 +24,9 @@ import org.springframework.web.client.RestTemplate; import jakarta.persistence.EntityManager; + +import java.util.ArrayList; +import java.util.List; import java.util.Map; import java.util.concurrent.ConcurrentLinkedQueue; import java.util.concurrent.ScheduledFuture; @@ -69,7 +71,7 @@ public void findResources(ApplicationStartedEvent event) { return; } - var migrations = Lists.newArrayList(STORAGE_DB, STORAGE_GOOGLE, STORAGE_AZURE); + var migrations = new ArrayList<>(List.of(STORAGE_DB, STORAGE_GOOGLE, STORAGE_AZURE)); migrations.remove(storageType); var migrationCount = new int[migrations.size()]; for (var i = 0; i < migrations.size(); i++) {
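Review bot: `List.of(...)` in the @@ -69 hunk rejects null elements, whereas the removed `Lists.newArrayList(...)` accepted them, so if any of `STORAGE_DB`, `STORAGE_GOOGLE` or `STORAGE_AZURE` could be null the `ApplicationStartedEvent` listener now fails with a NullPointerException rather than proceeding. Their declarations are outside the hunk; if they are compile-time constants (likely, given the names) the replacement is behaviour-preserving, and a one-line comment such as `// List.of rejects nulls; all three storage names are constants` would record that the difference was considered. `findResources` begins and ends outside the hunk.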