[EDELIVERY-12636] upgrade plugins/libraries

dd457f25 · Joze RIHTARSIC · 21bdfe3c · dd457f25 · dd457f25 · dd457f25
Commit dd457f25 authored 1 year ago by Joze RIHTARSIC
--- a/owasp-false-positive-warnings.xml
+++ b/owasp-false-positive-warnings.xml
@@ -3,7 +3,7 @@
              xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"
              xsi:schemaLocation="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd
              https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <!--suppress>
+    <suppress>
        <notes><![CDATA[
   file name: spring-security-crypto-5.8.*.jar
   The data serialized by the application is trusted
@@ -37,16 +37,7 @@
   ]]></notes>
        <cve>CVE-2018-1258</cve>
    </suppress>
-    <suppress>
-        <notes><![CDATA[
-   file name: guava-30.1-jre.jar
-   CVE-2020-8908 -  we don't use com.google.common.io.Files.createTempDir()
-   CVE-2023-2976 - we don't use FileBackedOutputStream
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
-        <cve>CVE-2020-8908</cve>
-        <cve>CVE-2023-2976</cve>
-    </suppress>
+
    <suppress>
        <notes><![CDATA[
        CVE-2020-8908 -  we don't use com.google.common.io.Files.createTempDir()
@@ -91,20 +82,4 @@
        <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat\-embed\-websocket@.*$</packageUrl>
        <cve>CVE-2023-41080</cve>
    </suppress>
-    <suppress>
-        <notes><![CDATA[
-   file name: dom4j-2.1.3/4.jar
-    Used internally by hibernate-envers not exposed to external users/attackers
-   ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.dom4j/dom4j@.*$</packageUrl>
-        <cve>CVE-2023-45960</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-   file name: bdmsl-webapp.war: dom4j-2.1.3.jar
-      Used internally by hibernate-envers not exposed to external users/attackers
-   ]]></notes>
-        <sha1>a75914155a9f5808963170ec20653668a2ffd2fd</sha1>
-        <cve>CVE-2023-45960</cve>
-    </suppress -->
 </suppressions>
--- a/pom.xml
+++ b/pom.xml
@@ -40,8 +40,12 @@ See the Licence for the specific language governing permissions and limitations
    </modules>

    <properties>
+        <prerequisites.maven_min_version>3.5</prerequisites.maven_min_version>
+        <jacocoRemotePort />
+        <jacocoRemoteAddress />
        <!-- the root/main folder of the project used by aggregation plugins (license).
        Alternative ${session.executionRootDirectory} -->
+
        <project.root.baseUri>${maven.multiModuleProjectDirectory}</project.root.baseUri>
        <maven.compiler.target>1.8</maven.compiler.target>
        <maven.compiler.source>1.8</maven.compiler.source>
@@ -50,6 +54,7 @@ See the Licence for the specific language governing permissions and limitations
        <edelivery.dynamic-discovery-client.version>2.1.1-SNAPSHOT</edelivery.dynamic-discovery-client.version>
        <bdmsl-api.version>4.3</bdmsl-api.version>
        <!-- plugin versions -->
+        <maven-enforcer-plugin.version>3.4.1</maven-enforcer-plugin.version>
        <plugin.dependency-check-maven.version>9.0.3</plugin.dependency-check-maven.version>
        <plugin.jacoco-maven-plugin.version>0.8.11</plugin.jacoco-maven-plugin.version>
        <plugin.license-maven-plugin.version>2.3.0</plugin.license-maven-plugin.version>
@@ -65,10 +70,10 @@ See the Licence for the specific language governing permissions and limitations
        <plugin.maven-surefire-plugin.version>3.2.2</plugin.maven-surefire-plugin.version>
        <plugin.maven-war-plugin.version>3.4.0</plugin.maven-war-plugin.version>

-        <aspectj.version>1.9.20.1</aspectj.version>
+        <aspectj.version>1.9.21</aspectj.version>
        <commons-beanutils.version>1.9.4</commons-beanutils.version>
        <commons-collections.version>3.2.2</commons-collections.version>
-        <commons-io.version>2.15.0</commons-io.version>
+        <commons-io.version>2.15.1</commons-io.version>
        <commons-lang3.version>3.14.0</commons-lang3.version>
        <commons-fileupload.version>1.5</commons-fileupload.version>
        <commons-net.version>3.10.0</commons-net.version>
@@ -84,8 +89,7 @@ See the Licence for the specific language governing permissions and limitations
        <hibernate.validator.version>7.0.5.Final</hibernate.validator.version>
        <hibernate.version>5.6.15.Final</hibernate.version>
        <httpclient.version>4.5.14</httpclient.version>
-        <jackson-databind.version>2.15.3</jackson-databind.version>
-        <jackson.version>2.15.3</jackson.version>
+        <jackson.version>2.16.0</jackson.version>
        <javaee-api.version>7.0</javaee-api.version>
        <javax.annotation.version>1.3.2</javax.annotation.version>
        <javax.mail.version>1.6.2</javax.mail.version>
@@ -103,11 +107,11 @@ See the Licence for the specific language governing permissions and limitations
        <mysql.jdbc.version>8.2.0</mysql.jdbc.version>
        <metro.version>2.2.1-1</metro.version>
        <mockito.version>4.11.0</mockito.version>
-        <servlet-api.version>3.0.1</servlet-api.version>
+        <jakarta.servlet-api.version>4.0.2</jakarta.servlet-api.version>

        <spring-modules-jakarta-commons.version>0.8</spring-modules-jakarta-commons.version>
        <spring-boot.version>2.7.18</spring-boot.version>
-        <spring-boot.tomcat.version>9.0.83</spring-boot.tomcat.version>
+        <spring-boot.tomcat.version>9.0.84</spring-boot.tomcat.version>
        <spring.security.version>5.8.8</spring.security.version>
        <spring.version>5.3.31</spring.version>
        <xmlunit.version>2.9.1</xmlunit.version>
@@ -121,7 +125,8 @@ See the Licence for the specific language governing permissions and limitations
        <sonar.language>java</sonar.language>
        <jacoco.append>true</jacoco.append>
        <sonar.binaries>target/classes</sonar.binaries>
-        <sonar.coverage.jacoco.xmlReportPaths>${project.basedir}/target/site/jacoco/jacoco.xml</sonar.coverage.jacoco.xmlReportPaths>
+        <sonar.coverage.jacoco.xmlReportPaths>${project.basedir}/target/site/jacoco/jacoco.xml
+        </sonar.coverage.jacoco.xmlReportPaths>
        <sonar.jacoco.itReportPath>${project.basedir}/../target/jacoco-it.exec</sonar.jacoco.itReportPath>

        <sonar.exclusions>
@@ -145,9 +150,7 @@ See the Licence for the specific language governing permissions and limitations
        </release.arguments>
        <project.scm.id>edelivery-scm</project.scm.id>
    </properties>
-    <prerequisites>
-        <maven>3.6.0</maven>
-    </prerequisites>
+

    <scm>
        <developerConnection>scm:git:https://ec.europa.eu/digital-building-blocks/code/scm/edelivery/smp.git
@@ -486,32 +489,7 @@ See the Licence for the specific language governing permissions and limitations
            <dependency>
                <groupId>com.fasterxml.jackson.core</groupId>
                <artifactId>jackson-databind</artifactId>
-                <version>${jackson-databind.version}</version>
-                <!-- exclude them and then manually include the same version! fix for the springboot
-                 (current springboot uses 2.13.4! and maven upgrade just direct dependencies and not transit
-                  dependencies with latest version!! ) >
-                <exclusions>
-                    <exclusion>
-                        <groupId>com.fasterxml.jackson.core</groupId>
-                        <artifactId>jackson-core</artifactId>
-                    </exclusion>
-                    <exclusion>
-                        <groupId>com.fasterxml.jackson.core</groupId>
-                        <artifactId>jackson-annotations</artifactId>
-                    </exclusion>
-                    <exclusion>
-                        <groupId>com.fasterxml.jackson.datatype</groupId>
-                        <artifactId>jackson-datatype-jsr310</artifactId>
-                    </exclusion>
-                    <exclusion>
-                        <groupId>com.fasterxml.jackson.datatype</groupId>
-                        <artifactId>jackson-datatype-jdk8</artifactId>
-                    </exclusion>
-                    <exclusion>
-                        <groupId>com.fasterxml.jackson.module</groupId>
-                        <artifactId>jackson-module-parameter-names</artifactId>
-                    </exclusion>
-                </exclusions-->
+                <version>${jackson.version}</version>
            </dependency>
            <dependency>
                <groupId>com.fasterxml.jackson.core</groupId>
@@ -592,9 +570,9 @@ See the Licence for the specific language governing permissions and limitations
                <scope>test</scope>
            </dependency>
            <dependency>
-                <groupId>javax.servlet</groupId>
-                <artifactId>javax.servlet-api</artifactId>
-                <version>${servlet-api.version}</version>
+                <groupId>jakarta.servlet</groupId>
+                <artifactId>jakarta.servlet-api</artifactId>
+                <version>${jakarta.servlet-api.version}</version>
                <scope>provided</scope>
            </dependency>
            <dependency>
@@ -680,6 +658,11 @@ See the Licence for the specific language governing permissions and limitations
    <build>
        <pluginManagement>
            <plugins>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-enforcer-plugin</artifactId>
+                    <version>${maven-enforcer-plugin.version}</version>
+                </plugin>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-surefire-plugin</artifactId>
@@ -759,6 +742,25 @@ See the Licence for the specific language governing permissions and limitations
            </plugins>
        </pluginManagement>
        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-enforcer-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>enforce-maven</id>
+                        <goals>
+                            <goal>enforce</goal>
+                        </goals>
+                        <configuration>
+                            <rules>
+                                <requireMavenVersion>
+                                    <version>${prerequisites.maven_min_version}</version>
+                                </requireMavenVersion>
+                            </rules>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>

--- a/smp-resource-extensions/oasis-smp-spi/src/main/java/eu/europa/ec/smp/spi/converter/DomUtils.java
+++ b/smp-resource-extensions/oasis-smp-spi/src/main/java/eu/europa/ec/smp/spi/converter/DomUtils.java
@@ -8,9 +8,9 @@
 * versions of the EUPL (the "Licence");
 * You may not use this work except in compliance with the Licence.
 * You may obtain a copy of the Licence at:
- * 
+ *
 * [PROJECT_HOME]\license\eupl-1.2\license.txt or https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
- * 
+ *
 * Unless required by applicable law or agreed to in writing, software distributed under the Licence is
 * distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the Licence for the specific language governing permissions and limitations under the Licence.
@@ -45,7 +45,7 @@ import static eu.europa.ec.smp.spi.exceptions.ResourceException.ErrorCode.INVALI
 * @author gutowpa
 * @since 3.0.0
 */
-public class DomUtils {
+final public class DomUtils {

    /**
     * Class has only static members. Is not meant to create instances  - also SONAR warning.
@@ -66,6 +66,7 @@ public class DomUtils {
     * @return w3d dom element
     */
    public static Document toSignedServiceMetadata10Document(byte[] serviceMetadataXml) throws ResourceException {
+        LOG.debug("toSignedServiceMetadata10Document");
        try {
            Document docServiceMetadata = parse(serviceMetadataXml);
            Document root = parse(DOC_SIGNED_SERVICE_METADATA_EMPTY.getBytes());
@@ -79,6 +80,11 @@ public class DomUtils {


    public static Document parse(byte[] serviceMetadataXml) throws SAXException, IOException, ParserConfigurationException {
+        if (serviceMetadataXml == null) {
+            LOG.warn("ServiceMetadataXml bytearray is null!");
+            return null;
+        }
+        LOG.debug("Parse document with size [{}]", serviceMetadataXml.length);
        InputStream inputStream = new ByteArrayInputStream(serviceMetadataXml);
        return getDocumentBuilder().parse(inputStream);
    }
@@ -91,6 +97,7 @@ public class DomUtils {
    }

    public static byte[] toByteArray(Document doc) throws TransformerException {
+        LOG.debug("Convert document to byte array");
        Transformer transformer = createNewSecureTransformer();
        ByteArrayOutputStream stream = new ByteArrayOutputStream();
        transformer.transform(new DOMSource(doc), new StreamResult(stream));

--- a/smp-resource-extensions/oasis-smp-spi/src/test/java/eu/europa/ec/smp/spi/converter/ServiceMetadataConverterTest.java
+++ b/smp-resource-extensions/oasis-smp-spi/src/test/java/eu/europa/ec/smp/spi/converter/ServiceMetadataConverterTest.java
@@ -42,7 +42,7 @@ import static org.junit.jupiter.api.Assertions.*;
 /**
 * Created by gutowpa on 05/01/2017.
 */
-public class ServiceMetadataConverterTest {
+class ServiceMetadataConverterTest {

    private static final String NS = "http://docs.oasis-open.org/bdxr/ns/SMP/2016/05";
    private static final String RES_PATH = "/examples/oasis-smp-1.0/";

--- a/smp-resource-extensions/oasis-smp-spi/src/test/java/eu/europa/ec/smp/spi/testutils/XmlTestUtils.java
+++ b/smp-resource-extensions/oasis-smp-spi/src/test/java/eu/europa/ec/smp/spi/testutils/XmlTestUtils.java
@@ -8,9 +8,9 @@
 * versions of the EUPL (the "Licence");
 * You may not use this work except in compliance with the Licence.
 * You may obtain a copy of the Licence at:
- * 
+ *
 * [PROJECT_HOME]\license\eupl-1.2\license.txt or https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
- * 
+ *
 * Unless required by applicable law or agreed to in writing, software distributed under the Licence is
 * distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the Licence for the specific language governing permissions and limitations under the Licence.
@@ -20,26 +20,9 @@
 package eu.europa.ec.smp.spi.testutils;

 import eu.europa.ec.dynamicdiscovery.core.validator.OasisSmpSchemaValidator;
-import gen.eu.europa.ec.ddc.api.smp10.ServiceGroup;
-import gen.eu.europa.ec.ddc.api.smp10.ServiceMetadata;
-import org.w3c.dom.Document;
-import org.w3c.dom.Node;
-import org.xml.sax.SAXException;

-import javax.xml.bind.JAXBContext;
-import javax.xml.bind.JAXBException;
-import javax.xml.bind.Marshaller;
-import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.transform.Transformer;
-import javax.xml.transform.TransformerException;
-import javax.xml.transform.TransformerFactory;
-import javax.xml.transform.dom.DOMSource;
-import javax.xml.transform.stream.StreamResult;
-import java.io.*;
+import java.io.IOException;
 import java.net.URISyntaxException;
-import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Paths;

@@ -48,67 +31,10 @@ import java.nio.file.Paths;
 */
 public class XmlTestUtils {

-    private static final String UTF_8 = "UTF-8";
-
    public static byte[] loadDocumentAsByteArray(String docResourcePath) throws IOException, URISyntaxException {
        return readAllBytesFromResource(docResourcePath);
    }

-    public static String loadDocumentAsString(String docResourcePath) throws IOException, URISyntaxException {
-        byte[] value = loadDocumentAsByteArray(docResourcePath);
-        return new String(value, StandardCharsets.UTF_8);
-    }
-
-    public static Document loadDocument(String docResourcePath) throws ParserConfigurationException, SAXException, IOException {
-        InputStream inputStream = XmlTestUtils.class.getResourceAsStream(docResourcePath);
-        return getDocumentBuilder().parse(inputStream);
-    }
-
-    public static DocumentBuilder getDocumentBuilder() throws ParserConfigurationException {
-        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
-        dbf.setNamespaceAware(true);
-        return dbf.newDocumentBuilder();
-    }
-
-    public static String marshal(Node doc) throws TransformerException, UnsupportedEncodingException {
-        TransformerFactory tf = TransformerFactory.newInstance();
-        Transformer trans = tf.newTransformer();
-        ByteArrayOutputStream stream = new ByteArrayOutputStream();
-        trans.transform(new DOMSource(doc), new StreamResult(stream));
-        return stream.toString(UTF_8);
-    }
-    public static  byte[] marshallToByteArray(Node doc) throws TransformerException, UnsupportedEncodingException {
-        TransformerFactory tf = TransformerFactory.newInstance();
-        Transformer trans = tf.newTransformer();
-        ByteArrayOutputStream stream = new ByteArrayOutputStream();
-        trans.transform(new DOMSource(doc), new StreamResult(stream));
-        return stream.toByteArray();
-    }
-
-    public static byte[] marshallToByteArray(ServiceMetadata serviceMetadata) throws JAXBException {
-        ByteArrayOutputStream stream = new ByteArrayOutputStream();
-        JAXBContext jaxbContext = JAXBContext.newInstance(ServiceMetadata.class);
-        Marshaller jaxbMarshaller = jaxbContext.createMarshaller();
-        jaxbMarshaller.marshal(serviceMetadata, stream);
-        return stream.toByteArray();
-    }
-
-    public static String marshall(ServiceMetadata serviceMetadata) throws JAXBException {
-        StringWriter sw = new StringWriter();
-        JAXBContext jaxbContext = JAXBContext.newInstance(ServiceMetadata.class);
-        Marshaller jaxbMarshaller = jaxbContext.createMarshaller();
-        jaxbMarshaller.marshal(serviceMetadata, sw);
-        return sw.toString();
-    }
-
-    public static String marshall(ServiceGroup serviceGroup) throws JAXBException {
-        StringWriter sw = new StringWriter();
-        JAXBContext jaxbContext = JAXBContext.newInstance(ServiceGroup.class);
-        Marshaller jaxbMarshaller = jaxbContext.createMarshaller();
-        jaxbMarshaller.marshal(serviceGroup, sw);
-        return sw.toString();
-    }
-
    private static byte[] readAllBytesFromResource(String resourcePath) throws URISyntaxException, IOException {
        return Files.readAllBytes(Paths.get(OasisSmpSchemaValidator.class.getResource(resourcePath).toURI()));
    }

--- a/smp-webapp/pom.xml
+++ b/smp-webapp/pom.xml
@@ -62,8 +62,8 @@
            <artifactId>spring-web</artifactId>
        </dependency>
        <dependency>
-            <groupId>javax.servlet</groupId>
-            <artifactId>javax.servlet-api</artifactId>
+            <groupId>jakarta.servlet</groupId>
+            <artifactId>jakarta.servlet-api</artifactId>
        </dependency>
        <dependency>
            <groupId>eu.europa.ec.edelivery</groupId>