Merge pull request #54 from virtualidentityag/VIC-1851-fix-critical-cves

chore: upgrade library versions and fix CVEs

pom.xml

@@ -16,7 +16,7 @@
   <parent>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-parent</artifactId>
-    <version>2.3.5.RELEASE</version>
+    <version>2.7.5</version>
     <relativePath/> <!-- lookup parent from repository -->
   </parent>
 
@@ -27,6 +27,18 @@
     <keycloak.version>17.0.0</keycloak.version>
     <!-- force at least version 2.16 due to https://logging.apache.org/log4j/2.x/security.html -->
     <log4j.version>2.17.1</log4j.version>
+    <openapi.generator.maven.version>6.2.0</openapi.generator.maven.version>
+    <hibernate-search-orm.version>5.11.10.Final</hibernate-search-orm.version>
+    <jackson-databind-nullable.version>0.2.3</jackson-databind-nullable.version>
+    <springfox-swagger2.version>3.0.0</springfox-swagger2.version>
+    <javax.ws.rs-api.version>2.1.1</javax.ws.rs-api.version>
+    <commons-lang3.version>3.11</commons-lang3.version>
+    <liquibase-maven-plugin.version>4.1.1</liquibase-maven-plugin.version>
+    <h2.version>1.4.200</h2.version>
+    <powermock-module-junit4.version>2.0.2</powermock-module-junit4.version>
+    <ehcache.version>2.10.6</ehcache.version>
+    <easy-random-core.version>5.0.0</easy-random-core.version>
+    <spring-boot-autoconfigure.version>2.7.5</spring-boot-autoconfigure.version>
   </properties>
 
   <dependencies>
@@ -52,45 +64,44 @@
       <artifactId>spring-boot-starter-hateoas</artifactId>
     </dependency>
     <dependency>
-      <groupId>org.hibernate.validator</groupId>
-      <artifactId>hibernate-validator</artifactId>
-      <version>6.1.6.Final</version>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-validation</artifactId>
     </dependency>
 
     <!-- Search dependencies -->
     <dependency>
       <groupId>org.hibernate</groupId>
       <artifactId>hibernate-search-orm</artifactId>
-      <version>5.11.5.Final</version>
+      <version>${hibernate-search-orm.version}</version>
     </dependency>
 
     <!-- OpenApi/Swagger dependencies -->
     <dependency>
       <groupId>org.openapitools</groupId>
       <artifactId>openapi-generator-maven-plugin</artifactId>
-      <version>5.1.1</version>
+      <version>${openapi.generator.maven.version}</version>
       <scope>provided</scope>
     </dependency>
     <dependency>
       <groupId>org.openapitools</groupId>
       <artifactId>jackson-databind-nullable</artifactId>
-      <version>0.2.1</version>
+      <version>${jackson-databind-nullable.version}</version>
     </dependency>
     <!-- SpringFox: generate YAML file from POJOs and generate documentation -->
     <dependency>
       <groupId>io.springfox</groupId>
       <artifactId>springfox-swagger2</artifactId>
-      <version>2.9.2</version>
+      <version>${springfox-swagger2.version}</version>
     </dependency>
     <dependency>
       <groupId>io.springfox</groupId>
       <artifactId>springfox-bean-validators</artifactId>
-      <version>2.9.2</version>
+      <version>${springfox-swagger2.version}</version>
     </dependency>
     <dependency>
       <groupId>io.springfox</groupId>
       <artifactId>springfox-swagger-ui</artifactId>
-      <version>2.9.2</version>
+      <version>${springfox-swagger2.version}</version>
     </dependency>
 
     <!-- Keycloak dependencies -->
@@ -112,7 +123,7 @@
     <dependency>
       <groupId>javax.ws.rs</groupId>
       <artifactId>javax.ws.rs-api</artifactId>
-      <version>2.1.1</version>
+      <version>${javax.ws.rs-api.version}</version>
     </dependency>
 
     <!-- Lombok dependencies -->
@@ -126,21 +137,22 @@
     <dependency>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>
-      <version>3.11</version>
+      <version>${commons-lang3.version}</version>
     </dependency>
 
     <!-- Liquibase -->
     <dependency>
       <groupId>org.liquibase</groupId>
       <artifactId>liquibase-maven-plugin</artifactId>
-      <version>4.1.1</version>
+      <version>${liquibase-maven-plugin.version}</version>
     </dependency>
 
     <!-- Test scope dependencies -->
     <dependency>
       <groupId>com.h2database</groupId>
       <artifactId>h2</artifactId>
       <scope>test</scope>
+      <version>${h2.version}</version>
     </dependency>
     <dependency>
       <groupId>org.springframework.boot</groupId>
@@ -159,18 +171,18 @@
       <artifactId>powermock-module-junit4</artifactId>
       <groupId>org.powermock</groupId>
       <scope>test</scope>
-      <version>2.0.2</version>
+      <version>${powermock-module-junit4.version}</version>
     </dependency>
     <dependency>
       <artifactId>powermock-api-mockito2</artifactId>
       <groupId>org.powermock</groupId>
       <scope>test</scope>
-      <version>2.0.2</version>
+      <version>${powermock-module-junit4.version}</version>
     </dependency>
     <dependency>
       <groupId>net.sf.ehcache</groupId>
       <artifactId>ehcache</artifactId>
-      <version>2.10.6</version>
+      <version>${ehcache.version}</version>
     </dependency>
 
     <!-- https://mvnrepository.com/artifact/org.mariadb.jdbc/mariadb-java-client -->
@@ -199,13 +211,13 @@
     <dependency>
       <groupId>org.jeasy</groupId>
       <artifactId>easy-random-core</artifactId>
-      <version>4.3.0</version>
+      <version>${easy-random-core.version}</version>
       <scope>test</scope>
     </dependency>
     <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-autoconfigure</artifactId>
-      <version>2.3.5.RELEASE</version>
+      <version>${spring-boot-autoconfigure.version}</version>
     </dependency>
   </dependencies>
 
@@ -227,7 +239,7 @@
       <plugin>
         <groupId>org.openapitools</groupId>
         <artifactId>openapi-generator-maven-plugin</artifactId>
-        <version>5.1.1</version>
+        <version>${openapi.generator.maven.version}</version>
         <executions>
           <execution>
             <id>agency-service</id>
@@ -442,7 +454,7 @@
       <plugin>
         <groupId>org.liquibase</groupId>
         <artifactId>liquibase-maven-plugin</artifactId>
-        <version>4.1.1</version>
+        <version>${liquibase-maven-plugin.version}</version>
         <configuration>
           <propertyFile>src/main/resources/liquibase.properties</propertyFile>
         </configuration>

run-trivy.sh

@@ -0,0 +1,2 @@
+rm report*.sarif
+trivy fs --security-checks=config,vuln --severity=CRITICAL --format=sarif --output report.sarif .

src/main/java/de/caritas/cob/agencyservice/api/tenant/MultitenancyWithSingleDomainTenantResolver.java

@@ -1,6 +1,7 @@
 package de.caritas.cob.agencyservice.api.tenant;
 
 import de.caritas.cob.agencyservice.applicationsettingsservice.generated.web.model.ApplicationSettingsDTO;
+import de.caritas.cob.agencyservice.applicationsettingsservice.generated.web.model.ApplicationSettingsDTOMainTenantSubdomainForSingleDomainMultitenancy;
 import de.caritas.cob.agencyservice.applicationsettingsservice.generated.web.model.SettingDTO;
 import de.caritas.cob.agencyservice.config.apiclient.ApplicationSettingsApiControllerFactory;
 import de.caritas.cob.agencyservice.config.apiclient.TenantServiceApiControllerFactory;
@@ -61,7 +62,7 @@ private Optional<Long> resolveFromTenantServiceBasedOnMainTenantSubdomain(String
 
   private Optional<String> getMainTenantSubdomainFromApplicationSettings() {
     ApplicationSettingsDTO applicationSettings = applicationSettingsApiControllerFactory.createControllerApi().getApplicationSettings();
-    SettingDTO mainTenantSubdomainForSingleDomainMultitenancy = applicationSettings.getMainTenantSubdomainForSingleDomainMultitenancy();
+    ApplicationSettingsDTOMainTenantSubdomainForSingleDomainMultitenancy mainTenantSubdomainForSingleDomainMultitenancy = applicationSettings.getMainTenantSubdomainForSingleDomainMultitenancy();
     if (mainTenantSubdomainForSingleDomainMultitenancy == null) {
       return Optional.empty();
     }

src/main/java/de/caritas/cob/agencyservice/config/KeycloakConfiguration.java

@@ -0,0 +1,14 @@
+package de.caritas.cob.agencyservice.config;
+
+import org.keycloak.adapters.KeycloakConfigResolver;
+import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class KeycloakConfiguration {
+  @Bean
+  public KeycloakConfigResolver keyCloakConfigResolver() {
+    return new KeycloakSpringBootConfigResolver();
+  }
+}

src/main/java/de/caritas/cob/agencyservice/config/SecurityConfig.java

@@ -6,8 +6,6 @@
 import de.caritas.cob.agencyservice.filter.HttpTenantFilter;
 import de.caritas.cob.agencyservice.filter.StatelessCsrfFilter;
 import javax.annotation.Nullable;
-import org.keycloak.adapters.KeycloakConfigResolver;
-import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
 import org.keycloak.adapters.springsecurity.KeycloakConfiguration;
 import org.keycloak.adapters.springsecurity.client.KeycloakClientRequestFactory;
 import org.keycloak.adapters.springsecurity.config.KeycloakWebSecurityConfigurerAdapter;
@@ -90,15 +88,6 @@ protected void configure(HttpSecurity http) throws Exception {
         .anyRequest().denyAll();
   }
 
-  /**
-   * Use the KeycloakSpringBootConfigResolver to be able to save the Keycloak settings in the spring
-   * application properties.
-   */
-  @Bean
-  public KeycloakConfigResolver keyCloakConfigResolver() {
-    return new KeycloakSpringBootConfigResolver();
-  }
-
   /**
    * Change springs authentication strategy to be stateless (no session is being created).
    */

src/main/java/de/caritas/cob/agencyservice/config/SpringFoxConfig.java

@@ -34,7 +34,6 @@
  *
  */
 @Configuration
-@EnableSwagger2
 @Import(BeanValidatorPluginsConfiguration.class)
 public class SpringFoxConfig {
 
@@ -76,7 +75,7 @@ private List<SecurityReference> securityReferences() {
         SecurityReference.builder().reference("token").scopes(new AuthorizationScope[0]).build());
   }
 
-  private List<? extends SecurityScheme> securitySchemes() {
+  private List<SecurityScheme> securitySchemes() {
     return singletonList(new ApiKey("Bearer", "Authorization", "header"));
   }
 

src/main/resources/application-testing.properties

@@ -28,9 +28,9 @@ rocket.chat.login.logout.technical.user.automatically=false
 spring.liquibase.enabled=false
 spring.datasource.driver-class-name=org.h2.Driver
 spring.datasource.url=jdbc:h2:mem:db;DB_CLOSE_DELAY=-1
-spring.datasource.schema=classpath*:database/AgencyDatabase.sql
+spring.sql.init.schema-locations=classpath*:database/AgencyDatabase.sql
 spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.H2Dialect
-spring.datasource.sql-script-encoding=UTF-8
+spring.sql.init.encoding=UTF-8
 spring.jpa.open-in-view=false
 
 # CSRF

src/test/java/de/caritas/cob/agencyservice/api/admin/hallink/AgencyLinksBuilderTest.java

@@ -28,19 +28,19 @@ void buildAgencyLinks_Should_returnAgencyLinks_When_AgencyIsSet() {
     assertThat(agencyLinks.getSelf(), notNullValue());
     assertThat(agencyLinks.getSelf().getMethod(), is(MethodEnum.GET));
     assertThat(agencyLinks.getSelf().getHref(),
-        is(String.format("/agencyadmin/agencies/%s", agency.getId())));
+        is(String.format("/${openapi.willBeReplaced.base-path}/agencyadmin/agencies/%s", agency.getId())));
     assertThat(agencyLinks.getDelete(), notNullValue());
     assertThat(agencyLinks.getDelete().getMethod(), is(MethodEnum.DELETE));
     assertThat(agencyLinks.getDelete().getHref(),
-        is(String.format("/agencyadmin/agencies/%s", agency.getId())));
+        is(String.format("/${openapi.willBeReplaced.base-path}/agencyadmin/agencies/%s", agency.getId())));
     assertThat(agencyLinks.getUpdate(), notNullValue());
     assertThat(agencyLinks.getUpdate().getMethod(), is(MethodEnum.PUT));
     assertThat(agencyLinks.getUpdate().getHref(),
-        is(String.format("/agencyadmin/agencies/%s", agency.getId())));
+        is(String.format("/${openapi.willBeReplaced.base-path}/agencyadmin/agencies/%s", agency.getId())));
     assertThat(agencyLinks.getPostcodeRanges(), notNullValue());
     assertThat(agencyLinks.getPostcodeRanges().getMethod(), is(MethodEnum.GET));
     assertThat(agencyLinks.getPostcodeRanges().getHref(),
-        is(String.format("/agencyadmin/postcoderanges/%s", agency.getId())));
+        is(String.format("/${openapi.willBeReplaced.base-path}/agencyadmin/postcoderanges/%s", agency.getId())));
   }
 
   @Test

src/test/java/de/caritas/cob/agencyservice/api/admin/hallink/DiocesePaginationLinkBuilderTest.java

@@ -26,15 +26,15 @@ void buildPaginationLinks_Should_returnPaginationLinks_When_allParametersAreSet(
     assertThat(paginationLinks.getSelf(), notNullValue());
     assertThat(paginationLinks.getSelf().getMethod(), is(MethodEnum.GET));
     assertThat(paginationLinks.getSelf().getHref(),
-        is("/agencyadmin/dioceses?page=2&perPage=20"));
+        is("/${openapi.willBeReplaced.base-path}/agencyadmin/dioceses?page=2&perPage=20"));
     assertThat(paginationLinks.getPrevious(), notNullValue());
     assertThat(paginationLinks.getPrevious().getMethod(), is(MethodEnum.GET));
     assertThat(paginationLinks.getPrevious().getHref(),
-        is("/agencyadmin/dioceses?page=1&perPage=20"));
+        is("/${openapi.willBeReplaced.base-path}/agencyadmin/dioceses?page=1&perPage=20"));
     assertThat(paginationLinks.getNext(), notNullValue());
     assertThat(paginationLinks.getNext().getMethod(), is(MethodEnum.GET));
     assertThat(paginationLinks.getNext().getHref(),
-        is("/agencyadmin/dioceses?page=3&perPage=20"));
+        is("/${openapi.willBeReplaced.base-path}/agencyadmin/dioceses?page=3&perPage=20"));
   }
 
   @Test
@@ -47,7 +47,7 @@ void buildPaginationLinks_Should_havePreviousLink_When_currentPageIsNotTheFirst(
 
     assertThat(paginationLinks.getPrevious(), notNullValue());
     assertThat(paginationLinks.getPrevious().getHref(),
-        endsWith("/agencyadmin/dioceses?page=1&perPage=20"));
+        endsWith("/${openapi.willBeReplaced.base-path}/agencyadmin/dioceses?page=1&perPage=20"));
   }
 
   @Test
@@ -71,7 +71,7 @@ void buildPaginationLinks_Should_haveNextLink_When_currentPageIsNotTheLast() {
 
     assertThat(paginationLinks.getNext(), notNullValue());
     assertThat(paginationLinks.getNext().getHref(),
-        endsWith("/agencyadmin/dioceses?page=3&perPage=20"));
+        endsWith("/${openapi.willBeReplaced.base-path}/agencyadmin/dioceses?page=3&perPage=20"));
   }
 
   @Test
@@ -94,7 +94,7 @@ void buildPaginationLinks_Should_returnSelfLink() {
 
     assertThat(paginationLinks, notNullValue());
     assertThat(paginationLinks.getSelf().getHref(),
-        is("/agencyadmin/dioceses?page=1&perPage=20"));
+        is("/${openapi.willBeReplaced.base-path}/agencyadmin/dioceses?page=1&perPage=20"));
   }
 
   @Test
@@ -104,6 +104,6 @@ void buildPaginationLinks_Should_returnDefaultPaginationValues_When_noParameters
 
     assertThat(paginationLinks, notNullValue());
     assertThat(paginationLinks.getSelf().getHref(),
-        is("/agencyadmin/dioceses?page=1&perPage=20"));
+        is("/${openapi.willBeReplaced.base-path}/agencyadmin/dioceses?page=1&perPage=20"));
   }
 }