- fix 4 Vulnerabilities reported by sonar

.gitignore

@@ -28,4 +28,5 @@ addons/cipa-sml-migration/target/test-classes/global-truststore.jks
 addons/cipa-sml-migration/target/classes/
 addons/cipa-sml-migration/target/
 addons/cipa-sml-migration/.idea/
-.idea/
\ No newline at end of file
+.idea/
+code-coverage
\ No newline at end of file

smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/conversion/ServiceMetadataConverter.java

@@ -22,6 +22,7 @@ import org.w3c.dom.Document;
 import org.w3c.dom.Node;
 import org.xml.sax.SAXException;
 
+import javax.xml.XMLConstants;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBException;
 import javax.xml.bind.Unmarshaller;
@@ -29,6 +30,7 @@ import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
@@ -106,14 +108,14 @@ public class ServiceMetadataConverter {
     }
 
     public static String toString(Document doc) throws TransformerException, UnsupportedEncodingException {
-        Transformer transformer = TransformerFactory.newInstance().newTransformer();
+        Transformer transformer = createNewSecureTransformer();
         StringWriter writer = new StringWriter();
         transformer.transform(new DOMSource(doc), new StreamResult(writer));
         return writer.toString();
     }
 
     public static byte[] toByteArray(Document doc) throws TransformerException, UnsupportedEncodingException {
-        Transformer transformer = TransformerFactory.newInstance().newTransformer();
+        Transformer transformer = createNewSecureTransformer();
         ByteArrayOutputStream stream = new ByteArrayOutputStream();
         transformer.transform(new DOMSource(doc), new StreamResult(stream));
         return stream.toByteArray();
@@ -126,6 +128,13 @@ public class ServiceMetadataConverter {
         return dbf.newDocumentBuilder();
     }
 
+    private static Transformer createNewSecureTransformer() throws TransformerConfigurationException {
+        TransformerFactory factory = TransformerFactory.newInstance();
+        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+
+        return factory.newTransformer();
+    }
+
 
 
 

smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/data/dao/utils/SMPSchemaGenerator.java

 package eu.europa.ec.edelivery.smp.data.dao.utils;
 
+import eu.europa.ec.edelivery.smp.logging.SMPLogger;
+import eu.europa.ec.edelivery.smp.logging.SMPLoggerFactory;
+import org.apache.commons.lang3.StringUtils;
 import org.hibernate.boot.MetadataSources;
 import org.hibernate.boot.registry.StandardServiceRegistryBuilder;
 import org.hibernate.boot.spi.MetadataImplementor;
@@ -8,8 +11,10 @@ import org.hibernate.tool.schema.TargetType;
 
 import java.io.File;
 import java.io.IOException;
-import java.nio.file.Path;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.EnumSet;
+import java.util.List;
 
 /**
  * Class generates DDL script for SMP. Purpose of script is to manually run SQL script to create database. And to
@@ -21,18 +26,19 @@ import java.util.*;
 public class SMPSchemaGenerator {
     private static String filenameTemplate = "%s-%s.ddl";
     private static String smpEntityPackageName = "eu.europa.ec.edelivery.smp.data.model";
+    private static final SMPLogger LOG = SMPLoggerFactory.getLogger(SMPSchemaGenerator.class);
 
     public static void main(String[] args) throws IOException, ClassNotFoundException {
 
 
-        String strDialects  = args[0] ; // comma separated dialects
-        String strVersion   = args.length>1?args[1]:"";  // version
-        String exportFolder = args.length>2?args[2]:""; // export folder
+        String strDialects = args[0]; // comma separated dialects
+        String strVersion = args.length > 1 ? args[1] : "";  // version
+        String exportFolder = args.length > 2 ? args[2] : ""; // export folder
         SMPSchemaGenerator sg = new SMPSchemaGenerator();
 
         String[] dialects = strDialects.split(",");
         // execute
-        for (String dialect: dialects) {
+        for (String dialect : dialects) {
             sg.createDDLScript(exportFolder, dialect.trim(), Arrays.asList(smpEntityPackageName.split(",")), strVersion);
         }
 
@@ -51,10 +57,10 @@ public class SMPSchemaGenerator {
         // create export file
         String sqlVer = version;
         int idx = version.indexOf("-SNAPSHOT");
-        if (idx >0) {
+        if (idx > 0) {
             sqlVer = version.substring(0, idx);
         }
-        String filename = createFileName(hibernateDialect,sqlVer );
+        String filename = createFileName(hibernateDialect, sqlVer);
 
         String dialect = getDialect(hibernateDialect);
 
@@ -79,7 +85,9 @@ public class SMPSchemaGenerator {
         // create schema exporter
         SchemaExport export = new SchemaExport();
         File file = new File(exportFolder, filename);
-        file.delete(); // delete if exists
+        if (file.delete()) { // delete if exists
+            LOG.info("File {} deleted!", file.getAbsolutePath());
+        } ;
         export.setOutputFile(file.getAbsolutePath());
         export.setFormat(true);
         export.setDelimiter(";");
@@ -93,27 +101,28 @@ public class SMPSchemaGenerator {
 
     /**
      * Method creates filename based on dialect and version
+     *
      * @param dialect
      * @param version
      * @return file name.
      */
-    public String createFileName(String dialect, String version){
-        String dbName = dialect.substring(dialect.lastIndexOf('.') + 1,dialect.lastIndexOf("Dialect") ).toLowerCase();
+    public String createFileName(String dialect, String version) {
+        String dbName = dialect.substring(dialect.lastIndexOf('.') + 1, dialect.lastIndexOf("Dialect")).toLowerCase();
         return String.format(filenameTemplate, dbName, version);
     }
 
     /**
      * Some dialect are customized in order to generate better SQL DDL script. Method check the dialect and returns
      * the upgrated dialect
+     *
      * @param dialect - original hibernate dialect
      * @return return the customized dialect or the dialects itself if not costumization
      */
-    public String getDialect(String dialect){
-        switch (dialect) {
-            case "org.hibernate.dialect.MySQL5InnoDBDialect":
-                return "eu.europa.ec.edelivery.smp.data.dao.utils.SMPMySQL5InnoDBDialect";
-            default:
-                return dialect;
+    public String getDialect(String dialect) {
+        if (!StringUtils.isBlank(dialect) && dialect.equalsIgnoreCase("org.hibernate.dialect.MySQL5InnoDBDialect")) {
+            return "eu.europa.ec.edelivery.smp.data.dao.utils.SMPMySQL5InnoDBDialect";
+        } else {
+            return dialect;
         }
     }
 
@@ -124,28 +133,27 @@ public class SMPSchemaGenerator {
      */
     public List<Class> getAllEntityClasses(String pckgname) throws ClassNotFoundException {
         ArrayList classes = new ArrayList();
- {
-
-            // Get a File object for the package
-            File directory = null;
-            try {
-                directory = new File(Thread.currentThread().getContextClassLoader().getResource(pckgname.replace('.', '/')).getFile());
-            } catch (NullPointerException x) {
-                throw new ClassNotFoundException(pckgname + " does not appear to be a valid package");
-            }
-            if (directory.exists()) {
-                // Get the list of the files contained in the package
-                String[] files = directory.list();
-                for (int i = 0; i < files.length; i++) {
-                    if (files[i].endsWith(".class")) {
-                        // removes the .class extension
-                        classes.add(Class.forName(pckgname + '.' + files[i].substring(0, files[i].length() - 6)));
-                    }
+
+        // Get a File object for the package
+        File directory = null;
+        try {
+            directory = new File(Thread.currentThread().getContextClassLoader().getResource(pckgname.replace('.', '/')).getFile());
+        } catch (NullPointerException x) {
+            throw new ClassNotFoundException(pckgname + " does not appear to be a valid package");
+        }
+        if (directory.exists()) {
+            // Get the list of the files contained in the package
+            String[] files = directory.list();
+            for (int i = 0; i < files.length; i++) {
+                if (files[i].endsWith(".class")) {
+                    // removes the .class extension
+                    classes.add(Class.forName(pckgname + '.' + files[i].substring(0, files[i].length() - 6)));
                 }
-            } else { ;
-                throw new ClassNotFoundException("Package: "+pckgname + " does not eixsts!");
             }
+        } else {
+            throw new ClassNotFoundException("Package: " + pckgname + " does not eixsts!");
         }
+
         return classes;
     }
 

smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/services/ui/UIServiceGroupService.java

@@ -24,6 +24,7 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
+import javax.xml.XMLConstants;
 import javax.xml.transform.*;
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
@@ -608,8 +609,11 @@ public class UIServiceGroupService extends UIServiceBase<DBServiceGroup, Service
                 Source xmlInput = new StreamSource(new StringReader(sgExtension.getExtension()));
                 StringWriter stringWriter = new StringWriter();
                 StreamResult xmlOutput = new StreamResult(stringWriter);
+
                 TransformerFactory transformerFactory = TransformerFactory.newInstance();
+                transformerFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
                 transformerFactory.setAttribute("indent-number", 4);
+
                 Transformer transformer = transformerFactory.newTransformer();
                 transformer.setOutputProperty(OutputKeys.INDENT, "yes");
                 transformer.transform(xmlInput, xmlOutput);

smp-server-library/src/main/java/eu/europa/ec/edelivery/smp/sml/SmlClientFactory.java

@@ -159,7 +159,7 @@ public class SmlClientFactory {
             return;
         }
 
-        log.info("Configuring proxy for BDMSL integration client: {}:{}@{}:{}", proxyUser, "########", proxyServer, proxyPort.get());
+        log.info("Configuring proxy for BDMSL integration client: {}:{}@{}:{}", proxyUser, "########", proxyServer,proxyPort.isPresent()? proxyPort.get():"");
         httpConduit.getClient().setProxyServerType(ProxyServerType.HTTP);
         httpConduit.getClient().setProxyServer(proxyServer);
         if (proxyPort.isPresent()) {