(chores): fix security vulnerabilities

Signed-off-by: Abdul Kapti <[email protected]>

README.md

@@ -53,7 +53,7 @@ In addition, the Liferay instance must provide the following dependecies via OSG
 * Apache Commons Logging 1.2
 * Apache Commons Compress 1.20
 * Google Gson 2.8.5
-* Google Guava 21.0
+* Google Guava 31.0.1-jre
 * Jackson Annotations 2.9.8
 * Jackson Core 2.9.8
 * Jackson Databind 2.9.8

backend/src/src-licenseinfo/src/main/java/org/eclipse/sw360/licenseinfo/outputGenerators/OutputGenerator.java

@@ -183,8 +183,8 @@ protected static List<LicenseNameWithText> getSortedLicenseNameWithTexts(Collect
                 .filter(Objects::nonNull)
                 .map(LicenseInfo::getLicenseNamesWithTexts)
                 .filter(Objects::nonNull)
-                .reduce(Sets::union)
-                .orElse(Collections.emptySet());
+                .flatMap(Set::stream)
+                .collect(Collectors.toSet());
 
         return licenseNamesWithText.stream()
                 .filter(licenseNameWithText -> !LicenseNameWithTextUtils.isEmpty(licenseNameWithText))

frontend/sw360-portlet/pom.xml

@@ -259,7 +259,7 @@
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-core</artifactId>
-            <version>5.3.8.RELEASE</version>
+            <version>5.6.2</version>
             <scope>compile</scope>
         </dependency>
 

libraries/lib-datahandler/bnd.bnd

@@ -22,7 +22,10 @@ Export-Package: \
 	org.eclipse.sw360.datahandler.*, \
 	org.ektorp.*, \
 	com.cloudant.*, \
-	com.google.gson.*
+	com.google.gson.*, \
+	com.google.common.*, \
+	com.google.common.util.concurrent.*
+
 
 Import-Package: \
 	com.fasterxml.jackson.*, \
@@ -43,5 +46,10 @@ Conditional-Package: \
 	com.cloudant.*, \
 	com.google.gson.*
 
+# The following resources are not available as OSGI bundles and therefore will be directly included
+Include-Resource: \
+    META-INF/lib/com.google.guava.failureaccess.jar=failureaccess-[0-9]*.jar;lib:=true
+
 Bundle-Classpath: \
-	.
+    ., \
+    META-INF/lib/com.google.guava.failureaccess.jar,

libraries/lib-datahandler/pom.xml

@@ -195,7 +195,10 @@
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
         </dependency>
-
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>failureaccess</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.hamcrest</groupId>
             <artifactId>hamcrest-all</artifactId>

pom.xml

@@ -55,12 +55,12 @@
         <java.version>11</java.version>
         <ektorp.version>1.5.0</ektorp.version>
         <thrift.version>0.14.0</thrift.version>
-        <guava.version>21.0</guava.version>
-        <spring.version>5.2.9.RELEASE</spring.version>
-        <spring-boot.version>2.1.17.RELEASE</spring-boot.version>
-        <spring-restdocs.version>2.0.5.RELEASE</spring-restdocs.version>
-        <spring-security-oauth2.version>2.3.8.RELEASE</spring-security-oauth2.version>
-        <spring-security-jwt.version>1.0.11.RELEASE</spring-security-jwt.version>
+        <guava.version>31.0.1-jre</guava.version>
+        <spring.version>5.3.19</spring.version>
+        <spring-boot.version>2.6.6</spring-boot.version>
+        <spring-restdocs.version>2.0.6.RELEASE</spring-restdocs.version>
+        <spring-security-oauth2.version>2.5.1.RELEASE</spring-security-oauth2.version>
+        <spring-security-jwt.version>1.1.1.RELEASE</spring-security-jwt.version>
 
         <slf4j.version>1.7.30</slf4j.version>
         <log4j2.version>2.17.1</log4j2.version>
@@ -70,7 +70,7 @@
         <junit-dataprovider.version>1.12.0</junit-dataprovider.version>
         <poi.version>4.1.2</poi.version>
 
-        <junit.version>4.13.1</junit.version>
+        <junit.version>4.13.2</junit.version>
         <jgiven.version>0.17.0</jgiven.version>
         <hamcrest.version>1.3</hamcrest.version>
         <mockito.version>1.10.19</mockito.version>
@@ -181,6 +181,11 @@
                 <artifactId>commons-lang3</artifactId>
                 <version>3.8.1</version>
             </dependency>
+            <dependency>
+                <groupId>com.google.guava</groupId>
+                <artifactId>failureaccess</artifactId>
+                <version>1.0.1</version>
+            </dependency>
             <dependency>
                 <groupId>commons-cli</groupId>
                 <artifactId>commons-cli</artifactId>
@@ -212,7 +217,7 @@
             <dependency>
                 <groupId>commons-codec</groupId>
                 <artifactId>commons-codec</artifactId>
-                <version>1.10</version>
+                <version>1.12</version>
             </dependency>
             <dependency>
                 <groupId>com.github.ldriscoll</groupId>

rest/authorization-server/pom.xml

@@ -102,7 +102,37 @@
             <artifactId>spring-boot-starter-test</artifactId>
             <version>${spring-boot.version}</version>
             <scope>test</scope>
+            <exclusions>
+                <exclusion>
+                    <artifactId>commons-logging</artifactId>
+                    <groupId>commons-logging</groupId>
+                </exclusion>
+            <exclusion>
+                <groupId>org.junit.jupiter</groupId>
+                <artifactId>junit-jupiter</artifactId>
+            </exclusion>
+            <exclusion>
+                <groupId>org.junit.vintage</groupId>
+                <artifactId>junit-vintage-engine</artifactId>
+            </exclusion>
+            <exclusion>
+                <groupId>org.mockito</groupId>
+                <artifactId>mockito-junit-jupiter</artifactId>
+            </exclusion>
+            </exclusions>
         </dependency>
+            <dependency>
+                <groupId>junit</groupId>
+                <artifactId>junit</artifactId>
+                <version>${junit.version}</version>
+                <scope>test</scope>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.hamcrest</groupId>
+                        <artifactId>hamcrest-core</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-test</artifactId>

rest/authorization-server/src/main/java/org/eclipse/sw360/rest/authserver/Sw360AuthorizationServer.java

@@ -12,8 +12,6 @@
 
 import java.util.Properties;
 
-import org.apache.logging.log4j.LogManager;
-import org.apache.logging.log4j.Logger;
 import org.eclipse.sw360.datahandler.common.CommonUtils;
 import org.eclipse.sw360.datahandler.thrift.users.UserGroup;
 import org.eclipse.sw360.rest.common.PropertyUtils;
@@ -27,8 +25,6 @@
 @Import(Sw360CORSFilter.class)
 public class Sw360AuthorizationServer extends SpringBootServletInitializer {
 
-    private static final Logger log = LogManager.getLogger(Sw360AuthorizationServer.class);
-
     private static final String SW360_PROPERTIES_FILE_PATH = "/sw360.properties";
     private static final String DEFAULT_WRITE_ACCESS_USERGROUP = UserGroup.SW360_ADMIN.name();
     private static final String DEFAULT_ADMIN_ACCESS_USERGROUP = UserGroup.SW360_ADMIN.name();

rest/authorization-server/src/main/java/org/eclipse/sw360/rest/authserver/security/basicauth/Sw360LiferayAuthenticationProvider.java

@@ -121,7 +121,7 @@ private boolean liferayAuthCheckRequest(String route, String userParam, String u
             return false;
         }
 
-        RestTemplate restTemplate = restTemplateBuilder.basicAuthorization(user, encodedPassword).build();
+        RestTemplate restTemplate = restTemplateBuilder.basicAuthentication(user, encodedPassword).build();
         ResponseEntity<String> response;
         try {
             response = restTemplate.postForEntity(url, null, String.class);

rest/authorization-server/src/main/java/org/eclipse/sw360/rest/authserver/security/customheaderauth/Sw360CustomHeaderAuthenticationProvider.java

@@ -9,11 +9,8 @@
  */
 package org.eclipse.sw360.rest.authserver.security.customheaderauth;
 
-import org.eclipse.sw360.datahandler.permissions.PermissionUtils;
 import org.eclipse.sw360.datahandler.thrift.users.User;
 import org.eclipse.sw360.rest.authserver.StringTransformer;
-import org.eclipse.sw360.rest.authserver.Sw360AuthorizationServer;
-import org.eclipse.sw360.rest.authserver.security.Sw360GrantedAuthority;
 import org.eclipse.sw360.rest.authserver.security.Sw360GrantedAuthoritiesCalculator;
 import org.eclipse.sw360.rest.authserver.security.Sw360UserDetailsProvider;
 
@@ -27,7 +24,6 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.common.util.OAuth2Utils;
 import org.springframework.security.oauth2.provider.ClientDetails;
 import org.springframework.security.oauth2.provider.ClientDetailsService;

rest/authorization-server/src/test/java/org/eclipse/sw360/rest/authserver/GrantTypeClientCredentialsTestBase.java

@@ -17,7 +17,7 @@
 
 import static org.eclipse.sw360.rest.authserver.security.Sw360GrantedAuthority.BASIC;
 import static org.hamcrest.CoreMatchers.is;
-import static org.junit.Assert.assertThat;
+import static org.hamcrest.MatcherAssert.assertThat;
 
 public abstract class GrantTypeClientCredentialsTestBase extends IntegrationTestBase {
 

rest/authorization-server/src/test/java/org/eclipse/sw360/rest/authserver/GrantTypePasswordTestBase.java

@@ -19,7 +19,7 @@
 
 import static org.eclipse.sw360.rest.authserver.security.Sw360GrantedAuthority.READ;
 import static org.hamcrest.CoreMatchers.is;
-import static org.junit.Assert.assertThat;
+import static org.hamcrest.MatcherAssert.assertThat;
 
 public abstract class GrantTypePasswordTestBase extends IntegrationTestBase {
 

rest/authorization-server/src/test/java/org/eclipse/sw360/rest/authserver/IntegrationTestBase.java

@@ -26,7 +26,6 @@
 import org.junit.Before;
 import org.junit.runner.RunWith;
 import org.mockito.InjectMocks;
-import org.mockito.Mock;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.test.context.SpringBootTest;
@@ -35,6 +34,7 @@
 import org.springframework.boot.web.client.RestTemplateBuilder;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.jwt.Jwt;
 import org.springframework.security.jwt.JwtHelper;
 import org.springframework.security.oauth2.provider.ClientDetails;
@@ -49,11 +49,11 @@
 import java.util.List;
 
 import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.containsInAnyOrder;
-import static org.junit.Assert.assertThat;
-import static org.mockito.Matchers.anyObject;
-import static org.mockito.Matchers.anyString;
-import static org.mockito.Matchers.eq;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
@@ -146,24 +146,24 @@ private void setupLiferayMocks() {
         when(mockedResponseEntity.getBody()).thenReturn("4711");
 
         RestTemplate mockedRestTemplate = mock(RestTemplate.class);
-        when(mockedRestTemplate.postForEntity(anyString(), anyObject(), eq(String.class)))
+        when(mockedRestTemplate.postForEntity(anyString(), any(), eq(String.class)))
                 .thenReturn(mockedResponseEntity);
 
         RestTemplateBuilder mockedRTB = mock(RestTemplateBuilder.class);
-        when(restTemplateBuilder.basicAuthorization(eq(adminTestUser.email), anyString())).thenReturn(mockedRTB);
-        when(restTemplateBuilder.basicAuthorization(eq(normalTestUser.email), anyString())).thenReturn(mockedRTB);
+        when(restTemplateBuilder.basicAuthentication(adminTestUser.email, "password-not-checked-in-test-without-liferay")).thenReturn(mockedRTB);
+        when(restTemplateBuilder.basicAuthentication(normalTestUser.email, "password-not-checked-in-test-without-liferay")).thenReturn(mockedRTB);
         when(mockedRTB.build()).thenReturn(mockedRestTemplate);
 
         // preparation for bad case
         ResponseEntity<String> mockedResponseEntityFail = mock(ResponseEntity.class);
         when(mockedResponseEntityFail.getBody()).thenReturn("Some auth exception");
 
         RestTemplate mockedRestTemplateFail = mock(RestTemplate.class);
-        when(mockedRestTemplateFail.postForEntity(anyString(), anyObject(), eq(String.class)))
+        when(mockedRestTemplateFail.postForEntity(anyString(), any(), eq(String.class)))
                 .thenReturn(mockedResponseEntityFail);
 
         RestTemplateBuilder mockedRTBFail = mock(RestTemplateBuilder.class);
-        when(restTemplateBuilder.basicAuthorization(eq("my-unknown-user"), anyString())).thenReturn(mockedRTBFail);
+        when(restTemplateBuilder.basicAuthentication("my-unknown-user", "pwd")).thenReturn(mockedRTBFail);
         when(mockedRTBFail.build()).thenReturn(mockedRestTemplateFail);
     }
 

rest/authorization-server/src/test/java/org/eclipse/sw360/rest/authserver/client/persistence/OAuthClientRepositoryTest.java

@@ -17,8 +17,8 @@
 
 import java.util.List;
 
+import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.is;
-import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
 
 /**

rest/authorization-server/src/test/java/org/eclipse/sw360/rest/authserver/client/rest/OAuthClientControllerTest.java

@@ -22,8 +22,8 @@
 import java.net.URI;
 import java.net.URISyntaxException;
 
+import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.is;
-import static org.junit.Assert.assertThat;
 import static org.mockito.Mockito.when;
 
 public class OAuthClientControllerTest extends IntegrationTestBase {

rest/resource-server/pom.xml

@@ -140,7 +140,7 @@
         </dependency>
         <dependency>
             <groupId>org.springframework.data</groupId>
-            <artifactId>spring-data-rest-hal-browser</artifactId>
+            <artifactId>spring-data-rest-hal-explorer</artifactId>
             <scope>compile</scope>
             <exclusions>
                 <exclusion>
@@ -183,8 +183,32 @@
                     <artifactId>commons-logging</artifactId>
                     <groupId>commons-logging</groupId>
                 </exclusion>
+            <exclusion>
+                <groupId>org.junit.jupiter</groupId>
+                <artifactId>junit-jupiter</artifactId>
+            </exclusion>
+            <exclusion>
+                <groupId>org.junit.vintage</groupId>
+                <artifactId>junit-vintage-engine</artifactId>
+            </exclusion>
+            <exclusion>
+                <groupId>org.mockito</groupId>
+                <artifactId>mockito-junit-jupiter</artifactId>
+            </exclusion>
             </exclusions>
         </dependency>
+            <dependency>
+                <groupId>junit</groupId>
+                <artifactId>junit</artifactId>
+                <version>${junit.version}</version>
+                <scope>test</scope>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.hamcrest</groupId>
+                        <artifactId>hamcrest-core</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-test</artifactId>
@@ -238,7 +262,7 @@
         <dependency>
            <groupId>org.springframework.security.oauth.boot</groupId>
            <artifactId>spring-security-oauth2-autoconfigure</artifactId>
-           <version>2.1.17.RELEASE</version>
+           <version>2.6.6</version>
         </dependency>
     </dependencies>
     <dependencyManagement>

rest/resource-server/src/main/java/org/eclipse/sw360/rest/resourceserver/Sw360ResourceServer.java

@@ -27,11 +27,11 @@
 import org.springframework.context.annotation.Import;
 import org.springframework.data.rest.core.config.RepositoryRestConfiguration;
 import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurer;
-import org.springframework.data.rest.webmvc.config.RepositoryRestConfigurerAdapter;
 import org.springframework.hateoas.UriTemplate;
-import org.springframework.hateoas.hal.CurieProvider;
-import org.springframework.hateoas.hal.DefaultCurieProvider;
+import org.springframework.hateoas.mediatype.hal.CurieProvider;
+import org.springframework.hateoas.mediatype.hal.DefaultCurieProvider;
 import org.springframework.web.filter.ForwardedHeaderFilter;
+import org.springframework.web.servlet.config.annotation.CorsRegistry;
 
 @SpringBootApplication
 @Import(Sw360CORSFilter.class)
@@ -64,7 +64,7 @@ public class Sw360ResourceServer extends SpringBootServletInitializer {
 
     @Bean
     public CurieProvider curieProvider() {
-        return new DefaultCurieProvider(CURIE_NAMESPACE, new UriTemplate("/docs/{rel}.html"));
+        return new DefaultCurieProvider(CURIE_NAMESPACE, UriTemplate.of("/docs/{rel}.html"));
     }
 
     @Bean
@@ -74,9 +74,9 @@ public ApiTokenAuthenticationFilter authFilterBean() {
 
     @Bean
     public RepositoryRestConfigurer repositoryRestConfigurer() {
-        return new RepositoryRestConfigurerAdapter() {
+        return new RepositoryRestConfigurer() {
             @Override
-            public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config) {
+            public void configureRepositoryRestConfiguration(RepositoryRestConfiguration config,  CorsRegistry cors) {
                 config.setLimitParamName(RestControllerHelper.PAGINATION_PARAM_PAGE_ENTRIES);
                 config.setBasePath(REST_BASE_PATH);
             }