diff --git a/owasp-false-positive-warnings.xml b/owasp-false-positive-warnings.xml index e3801b29e8cd446a0f3a51d019723ec8df1604fe..dd0a4a408e0f284012c40e17f04c025ecf9b0aa5 100644 --- a/owasp-false-positive-warnings.xml +++ b/owasp-false-positive-warnings.xml @@ -3,7 +3,7 @@ xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd" xsi:schemaLocation="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> - <!--suppress> + <suppress> <notes><![CDATA[ file name: spring-security-crypto-5.8.*.jar The data serialized by the application is trusted @@ -37,16 +37,7 @@ ]]></notes> <cve>CVE-2018-1258</cve> </suppress> - <suppress> - <notes><![CDATA[ - file name: guava-30.1-jre.jar - CVE-2020-8908 - we don't use com.google.common.io.Files.createTempDir() - CVE-2023-2976 - we don't use FileBackedOutputStream - ]]></notes> - <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl> - <cve>CVE-2020-8908</cve> - <cve>CVE-2023-2976</cve> - </suppress> + <suppress> <notes><![CDATA[ CVE-2020-8908 - we don't use com.google.common.io.Files.createTempDir() @@ -91,20 +82,4 @@ <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat\.embed/tomcat\-embed\-websocket@.*$</packageUrl> <cve>CVE-2023-41080</cve> </suppress> - <suppress> - <notes><![CDATA[ - file name: dom4j-2.1.3/4.jar - Used internally by hibernate-envers not exposed to external users/attackers - ]]></notes> - <packageUrl regex="true">^pkg:maven/org\.dom4j/dom4j@.*$</packageUrl> - <cve>CVE-2023-45960</cve> - </suppress> - <suppress> - <notes><![CDATA[ - file name: bdmsl-webapp.war: dom4j-2.1.3.jar - Used internally by hibernate-envers not exposed to external users/attackers - ]]></notes> - <sha1>a75914155a9f5808963170ec20653668a2ffd2fd</sha1> - <cve>CVE-2023-45960</cve> - </suppress --> </suppressions> 
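Review bot: Re-enabling the whole suppressions block in one step activates every entry open-ended, so the spring-security-crypto suppression justified only by `The data serialized by the application is trusted` (its `<cve>` sits outside the first hunk) will keep silencing that finding for every future 5.8.x release without anyone re-checking that no caller-controlled bytes reach that code path. Dependency-Check's `until` attribute makes a suppression lapse and forces a re-review, e.g. `<suppress until="2024-06-30Z">`; consider it on every entry here. The guava entry that survives in the second hunk is cut off after its notes, so it is worth confirming it still carries a `<packageUrl>`/`<sha1>` selector — a `<suppress>` with only `<cve>` children hides the CVE for every artifact in the build. Removing both dom4j CVE-2023-45960 suppressions will make that finding reappear unless dom4j was dropped or upgraded elsewhere, which this diff does not show.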
diff --git a/pom.xml b/pom.xml index cca72402fe64428c8004fd50348a8916dc7215de..defb1d94db57d6a5df3e4fb1afbcc85baf54c1e5 100644 --- a/pom.xml +++ b/pom.xml @@ -40,8 +40,12 @@ See the Licence for the specific language governing permissions and limitations </modules> <properties> + <prerequisites.maven_min_version>3.5</prerequisites.maven_min_version> + <jacocoRemotePort /> + <jacocoRemoteAddress /> <!-- the root/main folder of the project used by aggregation plugins (license). Alternative ${session.executionRootDirectory} --> + <project.root.baseUri>${maven.multiModuleProjectDirectory}</project.root.baseUri> <maven.compiler.target>1.8</maven.compiler.target> <maven.compiler.source>1.8</maven.compiler.source> @@ -50,6 +54,7 @@ See the Licence for the specific language governing permissions and limitations <edelivery.dynamic-discovery-client.version>2.1.1-SNAPSHOT</edelivery.dynamic-discovery-client.version> <bdmsl-api.version>4.3</bdmsl-api.version> <!-- plugin versions --> + <maven-enforcer-plugin.version>3.4.1</maven-enforcer-plugin.version> <plugin.dependency-check-maven.version>9.0.3</plugin.dependency-check-maven.version> <plugin.jacoco-maven-plugin.version>0.8.11</plugin.jacoco-maven-plugin.version> <plugin.license-maven-plugin.version>2.3.0</plugin.license-maven-plugin.version> 
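Review bot: `prerequisites.maven_min_version` is set to `3.5`, but the `<prerequisites>` block this commit deletes later in the same file required Maven `3.6.0`, so moving the check into the enforcer has quietly lowered the floor; unless the downgrade is intended use `<prerequisites.maven_min_version>3.6.0</prerequisites.maven_min_version>` (the enforcer treats a bare version as a minimum, equivalent to `[3.6.0,)`). The new empty `<jacocoRemotePort />` and `<jacocoRemoteAddress />` properties have no consumer visible in this diff; a short comment such as `<!-- empty by default; set via -DjacocoRemotePort=... to dump coverage from a remote JaCoCo agent -->` would tell the next reader where they are used, and is inferred here from the names only.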
@@ -65,10 +70,10 @@ See the Licence for the specific language governing permissions and limitations <plugin.maven-surefire-plugin.version>3.2.2</plugin.maven-surefire-plugin.version> <plugin.maven-war-plugin.version>3.4.0</plugin.maven-war-plugin.version> - <aspectj.version>1.9.20.1</aspectj.version> + <aspectj.version>1.9.21</aspectj.version> <commons-beanutils.version>1.9.4</commons-beanutils.version> <commons-collections.version>3.2.2</commons-collections.version> - <commons-io.version>2.15.0</commons-io.version> + <commons-io.version>2.15.1</commons-io.version> <commons-lang3.version>3.14.0</commons-lang3.version> <commons-fileupload.version>1.5</commons-fileupload.version> <commons-net.version>3.10.0</commons-net.version> @@ -84,8 +89,7 @@ See the Licence for the specific language governing permissions and limitations <hibernate.validator.version>7.0.5.Final</hibernate.validator.version> <hibernate.version>5.6.15.Final</hibernate.version> <httpclient.version>4.5.14</httpclient.version> - <jackson-databind.version>2.15.3</jackson-databind.version> - <jackson.version>2.15.3</jackson.version> + <jackson.version>2.16.0</jackson.version> <javaee-api.version>7.0</javaee-api.version> <javax.annotation.version>1.3.2</javax.annotation.version> <javax.mail.version>1.6.2</javax.mail.version> 
@@ -103,11 +107,11 @@ See the Licence for the specific language governing permissions and limitations <mysql.jdbc.version>8.2.0</mysql.jdbc.version> <metro.version>2.2.1-1</metro.version> <mockito.version>4.11.0</mockito.version> - <servlet-api.version>3.0.1</servlet-api.version> + <jakarta.servlet-api.version>4.0.2</jakarta.servlet-api.version> <spring-modules-jakarta-commons.version>0.8</spring-modules-jakarta-commons.version> <spring-boot.version>2.7.18</spring-boot.version> - <spring-boot.tomcat.version>9.0.83</spring-boot.tomcat.version> + <spring-boot.tomcat.version>9.0.84</spring-boot.tomcat.version> <spring.security.version>5.8.8</spring.security.version> <spring.version>5.3.31</spring.version> <xmlunit.version>2.9.1</xmlunit.version> @@ -121,7 +125,8 @@ See the Licence for the specific language governing permissions and limitations <sonar.language>java</sonar.language> <jacoco.append>true</jacoco.append> <sonar.binaries>target/classes</sonar.binaries> - <sonar.coverage.jacoco.xmlReportPaths>${project.basedir}/target/site/jacoco/jacoco.xml</sonar.coverage.jacoco.xmlReportPaths> + <sonar.coverage.jacoco.xmlReportPaths>${project.basedir}/target/site/jacoco/jacoco.xml + </sonar.coverage.jacoco.xmlReportPaths> <sonar.jacoco.itReportPath>${project.basedir}/../target/jacoco-it.exec</sonar.jacoco.itReportPath> <sonar.exclusions> @@ -145,9 +150,7 @@ See the Licence for the specific language governing permissions and limitations </release.arguments> <project.scm.id>edelivery-scm</project.scm.id> </properties> - <prerequisites> - <maven>3.6.0</maven> - </prerequisites> + <scm> <developerConnection>scm:git:https://ec.europa.eu/digital-building-blocks/code/scm/edelivery/smp.git 
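Review bot: The property rename to `jakarta.servlet-api.version` is misleading without a note, because `jakarta.servlet:jakarta.servlet-api:4.0.2` still ships the `javax.servlet.*` packages — that is the only reason this swap compiles against the `spring.version` 5.3.31 and embedded Tomcat 9.0.84 pinned in the same hunk. A later "upgrade" of this property to 5.x or 6.x would move to the `jakarta.servlet.*` namespace and break every servlet import until Spring 6 / Tomcat 10 land. Add a comment on the property line: `<!-- 4.0.x keeps the javax.servlet namespace; 5.x+ is jakarta.servlet and requires Spring 6 / Tomcat 10 -->`.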
@@ -486,32 +489,7 @@ See the Licence for the specific language governing permissions and limitations <dependency> <groupId>com.fasterxml.jackson.core</groupId> <artifactId>jackson-databind</artifactId> - <version>${jackson-databind.version}</version> - <!-- exclude them and then manually include the same version! fix for the springboot - (current springboot uses 2.13.4! and maven upgrade just direct dependencies and not transit - dependencies with latest version!! ) > - <exclusions> - <exclusion> - <groupId>com.fasterxml.jackson.core</groupId> - <artifactId>jackson-core</artifactId> - </exclusion> - <exclusion> - <groupId>com.fasterxml.jackson.core</groupId> - <artifactId>jackson-annotations</artifactId> - </exclusion> - <exclusion> - <groupId>com.fasterxml.jackson.datatype</groupId> - <artifactId>jackson-datatype-jsr310</artifactId> - </exclusion> - <exclusion> - <groupId>com.fasterxml.jackson.datatype</groupId> - <artifactId>jackson-datatype-jdk8</artifactId> - </exclusion> - <exclusion> - <groupId>com.fasterxml.jackson.module</groupId> - <artifactId>jackson-module-parameter-names</artifactId> - </exclusion> - </exclusions--> + <version>${jackson.version}</version> </dependency> <dependency> <groupId>com.fasterxml.jackson.core</groupId> @@ -592,9 +570,9 @@ See the Licence for the specific language governing permissions and limitations <scope>test</scope> </dependency> <dependency> - <groupId>javax.servlet</groupId> - <artifactId>javax.servlet-api</artifactId> - <version>${servlet-api.version}</version> + <groupId>jakarta.servlet</groupId> + <artifactId>jakarta.servlet-api</artifactId> + <version>${jakarta.servlet-api.version}</version> <scope>provided</scope> </dependency> <dependency> 
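Review bot: Dropping the commented-out exclusions also drops the only explanation of why Jackson was pinned here — the deleted comment says Spring Boot's managed Jackson is older and transitive modules do not follow a direct bump — and the new `<version>${jackson.version}</version>` line pins only the artifacts that this `<dependencyManagement>` lists. If the Spring Boot 2.7.18 BOM is imported in this pom (not visible in the hunk), the property it honours for the whole Jackson family is `jackson-bom.version`, so `<jackson-bom.version>${jackson.version}</jackson-bom.version>` next to `jackson.version` would keep jackson-core, jackson-annotations and the datatype/module artifacts at 2.16.0 together. Mismatched jackson-core/jackson-databind versions can fail at runtime, so run `mvn dependency:tree -Dincludes=com.fasterxml.jackson` once to confirm nothing is left on the BOM's version; submodules that still reference the removed `${jackson-databind.version}` property would also stop resolving.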
@@ -680,6 +658,11 @@ See the Licence for the specific language governing permissions and limitations <build> <pluginManagement> <plugins> + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-enforcer-plugin</artifactId> + <version>${maven-enforcer-plugin.version}</version> + </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-surefire-plugin</artifactId> @@ -759,6 +742,25 @@ See the Licence for the specific language governing permissions and limitations </plugins> </pluginManagement> <plugins> + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-enforcer-plugin</artifactId> + <executions> + <execution> + <id>enforce-maven</id> + <goals> + <goal>enforce</goal> + </goals> + <configuration> + <rules> + <requireMavenVersion> + <version>${prerequisites.maven_min_version}</version> + </requireMavenVersion> + </rules> + </configuration> + </execution> + </executions> + </plugin> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-surefire-plugin</artifactId> diff --git a/smp-resource-extensions/oasis-smp-spi/src/main/java/eu/europa/ec/smp/spi/converter/DomUtils.java b/smp-resource-extensions/oasis-smp-spi/src/main/java/eu/europa/ec/smp/spi/converter/DomUtils.java index 1ab3c8149ef9818022a0469031fdf06a720111d2..72bc03f8a4e1b231bac5b9dd6b1ce69857e45ada 100644 --- a/smp-resource-extensions/oasis-smp-spi/src/main/java/eu/europa/ec/smp/spi/converter/DomUtils.java +++ b/smp-resource-extensions/oasis-smp-spi/src/main/java/eu/europa/ec/smp/spi/converter/DomUtils.java 
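Review bot: The enforcer execution only carries `requireMavenVersion`, so the plugin is wired in but the cheap build-hygiene rules it exists for are still missing; the same `<rules>` element can take `<requireJavaVersion><version>[1.8,)</version></requireJavaVersion>` to match the `maven.compiler.source` of 1.8 set earlier in this file, and `<banDuplicatePomDependencyVersions/>` to catch an artifact declared twice in `<dependencyManagement>`. With `enforce` bound by default to `validate`, these fail the build before any plugin downloads, which is the point of the gate.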
@@ -8,9 +8,9 @@
 * versions of the EUPL (the "Licence");
 * You may not use this work except in compliance with the Licence.
 * You may obtain a copy of the Licence at:
- *
+ *
 * [PROJECT_HOME]\license\eupl-1.2\license.txt or https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12
- *
+ *
 * Unless required by applicable law or agreed to in writing, software distributed under the Licence is
 * distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the Licence for the specific language governing permissions and limitations under the Licence.
@@ -45,7 +45,7 @@ import static eu.europa.ec.smp.spi.exceptions.ResourceException.ErrorCode.INVALI
 * @author gutowpa
 * @since 3.0.0
 */
-public class DomUtils {
+final public class DomUtils {
 
 /**
 * Class has only static members. Is not meant to create instances - also SONAR warning.
@@ -66,6 +66,7 @@ public class DomUtils {
 * @return w3d dom element
 */
 public static Document toSignedServiceMetadata10Document(byte[] serviceMetadataXml) throws ResourceException {
+ LOG.debug("toSignedServiceMetadata10Document");
 try {
 Document docServiceMetadata = parse(serviceMetadataXml);
 Document root = parse(DOC_SIGNED_SERVICE_METADATA_EMPTY.getBytes());
@@ -79,6 +80,11 @@ public class DomUtils {
 }
 
 public static Document parse(byte[] serviceMetadataXml) throws SAXException, IOException, ParserConfigurationException {
+ if (serviceMetadataXml == null) {
+ LOG.warn("ServiceMetadataXml bytearray is null!");
+ return null;
+ }
+ LOG.debug("Parse document with size [{}]", serviceMetadataXml.length);
 InputStream inputStream = new ByteArrayInputStream(serviceMetadataXml);
 return getDocumentBuilder().parse(inputStream);
 }
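Review bot: `final public class DomUtils` puts the modifiers in an unconventional order; the JLS-recommended and Checkstyle-enforced order is `public final class DomUtils {`. Making the class final is fine given the private-constructor comment that follows, but the swapped keywords will trip any ModifierOrder rule the project runs.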
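Review bot: Returning `null` from `parse` on a null input does not remove the failure, it moves it — `toSignedServiceMetadata10Document` in the previous hunk passes the result of `parse(serviceMetadataXml)` straight on (its body continues outside the hunk), so the caller now gets a `NullPointerException` from whichever DOM call first touches the document instead of a clear error at the boundary. A parse method that cannot parse should fail loudly: replace the warn-and-return with `throw new IllegalArgumentException("serviceMetadataXml must not be null");` (or `Objects.requireNonNull(serviceMetadataXml, "serviceMetadataXml")`), and add `@throws IllegalArgumentException if serviceMetadataXml is null` to the method's Javadoc. Since `parse` turns caller-supplied bytes into a `Document`, it is also worth confirming that `getDocumentBuilder()` (outside this hunk) disables DTDs and external entities the way `createNewSecureTransformer` suggests the transformer side already is; that cannot be verified from the diff.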
@@ -91,6 +97,7 @@ public class DomUtils { } public static byte[] toByteArray(Document doc) throws TransformerException { + LOG.debug("Convert document to byte array"); Transformer transformer = createNewSecureTransformer(); ByteArrayOutputStream stream = new ByteArrayOutputStream(); transformer.transform(new DOMSource(doc), new StreamResult(stream)); diff --git a/smp-resource-extensions/oasis-smp-spi/src/test/java/eu/europa/ec/smp/spi/converter/ServiceMetadataConverterTest.java b/smp-resource-extensions/oasis-smp-spi/src/test/java/eu/europa/ec/smp/spi/converter/ServiceMetadataConverterTest.java index 411bbc25b3acb951bb381e7fbd441679edb63400..8917b58b167d24a8721862d741560d19a173f54f 100644 --- a/smp-resource-extensions/oasis-smp-spi/src/test/java/eu/europa/ec/smp/spi/converter/ServiceMetadataConverterTest.java +++ b/smp-resource-extensions/oasis-smp-spi/src/test/java/eu/europa/ec/smp/spi/converter/ServiceMetadataConverterTest.java @@ -42,7 +42,7 @@ import static org.junit.jupiter.api.Assertions.*; /** * Created by gutowpa on 05/01/2017. */ -public class ServiceMetadataConverterTest { +class ServiceMetadataConverterTest { private static final String NS = "http://docs.oasis-open.org/bdxr/ns/SMP/2016/05"; private static final String RES_PATH = "/examples/oasis-smp-1.0/"; diff --git a/smp-resource-extensions/oasis-smp-spi/src/test/java/eu/europa/ec/smp/spi/testutils/XmlTestUtils.java b/smp-resource-extensions/oasis-smp-spi/src/test/java/eu/europa/ec/smp/spi/testutils/XmlTestUtils.java index 486c3aea05af92dbd33f462255b12596c73c10a1..99d91c8135395b0346525d95571eff965e596d51 100644 --- a/smp-resource-extensions/oasis-smp-spi/src/test/java/eu/europa/ec/smp/spi/testutils/XmlTestUtils.java +++ b/smp-resource-extensions/oasis-smp-spi/src/test/java/eu/europa/ec/smp/spi/testutils/XmlTestUtils.java 
@@ -8,9 +8,9 @@ * versions of the EUPL (the "Licence"); * You may not use this work except in compliance with the Licence. * You may obtain a copy of the Licence at: - * + * * [PROJECT_HOME]\license\eupl-1.2\license.txt or https://joinup.ec.europa.eu/collection/eupl/eupl-text-eupl-12 - * + * * Unless required by applicable law or agreed to in writing, software distributed under the Licence is * distributed on an "AS IS" basis, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the Licence for the specific language governing permissions and limitations under the Licence. @@ -20,26 +20,9 @@ package eu.europa.ec.smp.spi.testutils; import eu.europa.ec.dynamicdiscovery.core.validator.OasisSmpSchemaValidator; -import gen.eu.europa.ec.ddc.api.smp10.ServiceGroup; -import gen.eu.europa.ec.ddc.api.smp10.ServiceMetadata; -import org.w3c.dom.Document; -import org.w3c.dom.Node; -import org.xml.sax.SAXException; -import javax.xml.bind.JAXBContext; -import javax.xml.bind.JAXBException; -import javax.xml.bind.Marshaller; -import javax.xml.parsers.DocumentBuilder; -import javax.xml.parsers.DocumentBuilderFactory; -import javax.xml.parsers.ParserConfigurationException; -import javax.xml.transform.Transformer; -import javax.xml.transform.TransformerException; -import javax.xml.transform.TransformerFactory; -import javax.xml.transform.dom.DOMSource; -import javax.xml.transform.stream.StreamResult; -import java.io.*; +import java.io.IOException; import java.net.URISyntaxException; -import java.nio.charset.StandardCharsets; import java.nio.file.Files; import java.nio.file.Paths; 
@@ -48,67 +31,10 @@ import java.nio.file.Paths; */ public class XmlTestUtils { - private static final String UTF_8 = "UTF-8"; - public static byte[] loadDocumentAsByteArray(String docResourcePath) throws IOException, URISyntaxException { return readAllBytesFromResource(docResourcePath); } - public static String loadDocumentAsString(String docResourcePath) throws IOException, URISyntaxException { - byte[] value = loadDocumentAsByteArray(docResourcePath); - return new String(value, StandardCharsets.UTF_8); - } - - public static Document loadDocument(String docResourcePath) throws ParserConfigurationException, SAXException, IOException { - InputStream inputStream = XmlTestUtils.class.getResourceAsStream(docResourcePath); - return getDocumentBuilder().parse(inputStream); - } - - public static DocumentBuilder getDocumentBuilder() throws ParserConfigurationException { - DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); - dbf.setNamespaceAware(true); - return dbf.newDocumentBuilder(); - } - - public static String marshal(Node doc) throws TransformerException, UnsupportedEncodingException { - TransformerFactory tf = TransformerFactory.newInstance(); - Transformer trans = tf.newTransformer(); - ByteArrayOutputStream stream = new ByteArrayOutputStream(); - trans.transform(new DOMSource(doc), new StreamResult(stream)); - return stream.toString(UTF_8); - } - public static byte[] marshallToByteArray(Node doc) throws TransformerException, UnsupportedEncodingException { - TransformerFactory tf = TransformerFactory.newInstance(); - Transformer trans = tf.newTransformer(); - ByteArrayOutputStream stream = new ByteArrayOutputStream(); - trans.transform(new DOMSource(doc), new StreamResult(stream)); - return stream.toByteArray(); - } - - public static byte[] marshallToByteArray(ServiceMetadata serviceMetadata) throws JAXBException { - ByteArrayOutputStream stream = new ByteArrayOutputStream(); - JAXBContext jaxbContext = 
JAXBContext.newInstance(ServiceMetadata.class); - Marshaller jaxbMarshaller = jaxbContext.createMarshaller(); - jaxbMarshaller.marshal(serviceMetadata, stream); - return stream.toByteArray(); - } - - public static String marshall(ServiceMetadata serviceMetadata) throws JAXBException { - StringWriter sw = new StringWriter(); - JAXBContext jaxbContext = JAXBContext.newInstance(ServiceMetadata.class); - Marshaller jaxbMarshaller = jaxbContext.createMarshaller(); - jaxbMarshaller.marshal(serviceMetadata, sw); - return sw.toString(); - } - - public static String marshall(ServiceGroup serviceGroup) throws JAXBException { - StringWriter sw = new StringWriter(); - JAXBContext jaxbContext = JAXBContext.newInstance(ServiceGroup.class); - Marshaller jaxbMarshaller = jaxbContext.createMarshaller(); - jaxbMarshaller.marshal(serviceGroup, sw); - return sw.toString(); - } - private static byte[] readAllBytesFromResource(String resourcePath) throws URISyntaxException, IOException { return Files.readAllBytes(Paths.get(OasisSmpSchemaValidator.class.getResource(resourcePath).toURI())); } diff --git a/smp-webapp/pom.xml b/smp-webapp/pom.xml index 64ec89eea90a82e41f6fc5f35370e413f74d3032..976fefb1773120e1626ee721d259a17440eb46d9 100644 --- a/smp-webapp/pom.xml +++ b/smp-webapp/pom.xml @@ -62,8 +62,8 @@ <artifactId>spring-web</artifactId> </dependency> <dependency> - <groupId>javax.servlet</groupId> - <artifactId>javax.servlet-api</artifactId> + <groupId>jakarta.servlet</groupId> + <artifactId>jakarta.servlet-api</artifactId> </dependency> <dependency> <groupId>eu.europa.ec.edelivery</groupId>