(chores): fix security vulnerabilities

Signed-off-by: Abdul Kapti <[email protected]>
eclipse-sw360 · Apr 11, 2022 · 5904aa3 · 5904aa3
1 parent 05f3130
commit 5904aa3
Show file tree

Hide file tree

Showing 7 changed files with 25 additions and 9 deletions.
diff --git a/README.md b/README.md
@@ -53,7 +53,7 @@ In addition, the Liferay instance must provide the following dependecies via OSG
 * Apache Commons Logging 1.2
 * Apache Commons Compress 1.20
 * Google Gson 2.8.5
-* Google Guava 21.0
+* Google Guava 30.1.1-jre
 * Jackson Annotations 2.9.8
 * Jackson Core 2.9.8
 * Jackson Databind 2.9.8

diff --git a/...nseinfo/src/main/java/org/eclipse/sw360/licenseinfo/outputGenerators/OutputGenerator.java b/...nseinfo/src/main/java/org/eclipse/sw360/licenseinfo/outputGenerators/OutputGenerator.java
@@ -183,8 +183,8 @@ protected static List<LicenseNameWithText> getSortedLicenseNameWithTexts(Collect
                 .filter(Objects::nonNull)
                 .map(LicenseInfo::getLicenseNamesWithTexts)
                 .filter(Objects::nonNull)
-                .reduce(Sets::union)
-                .orElse(Collections.emptySet());
+                .flatMap(Set::stream)
+                .collect(Collectors.toSet());
 
         return licenseNamesWithText.stream()
                 .filter(licenseNameWithText -> !LicenseNameWithTextUtils.isEmpty(licenseNameWithText))

diff --git a/frontend/sw360-portlet/pom.xml b/frontend/sw360-portlet/pom.xml
@@ -259,7 +259,7 @@
         <dependency>
             <groupId>org.springframework.security</groupId>
             <artifactId>spring-security-core</artifactId>
-            <version>5.3.8.RELEASE</version>
+            <version>5.3.13.RELEASE</version>
             <scope>compile</scope>
         </dependency>
 

diff --git a/libraries/lib-datahandler/bnd.bnd b/libraries/lib-datahandler/bnd.bnd
@@ -22,7 +22,10 @@ Export-Package: \
 	org.eclipse.sw360.datahandler.*, \
 	org.ektorp.*, \
 	com.cloudant.*, \
-	com.google.gson.*
+	com.google.gson.*, \
+	com.google.common.*, \
+	com.google.common.util.concurrent.*
+
 
 Import-Package: \
 	com.fasterxml.jackson.*, \
@@ -43,5 +46,10 @@ Conditional-Package: \
 	com.cloudant.*, \
 	com.google.gson.*
 
+# The following resources are not available as OSGI bundles and therefore will be directly included
+Include-Resource: \
+    META-INF/lib/com.google.guava.failureaccess.jar=failureaccess-[0-9]*.jar;lib:=true
+
 Bundle-Classpath: \
-	.
+    ., \
+    META-INF/lib/com.google.guava.failureaccess.jar,
diff --git a/libraries/lib-datahandler/pom.xml b/libraries/lib-datahandler/pom.xml
@@ -195,7 +195,10 @@
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
         </dependency>
-
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>failureaccess</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.hamcrest</groupId>
             <artifactId>hamcrest-all</artifactId>

diff --git a/pom.xml b/pom.xml
@@ -55,7 +55,7 @@
         <java.version>11</java.version>
         <ektorp.version>1.5.0</ektorp.version>
         <thrift.version>0.14.0</thrift.version>
-        <guava.version>21.0</guava.version>
+        <guava.version>30.1.1-jre</guava.version>
         <spring.version>5.2.9.RELEASE</spring.version>
         <spring-boot.version>2.1.17.RELEASE</spring-boot.version>
         <spring-restdocs.version>2.0.5.RELEASE</spring-restdocs.version>
@@ -181,6 +181,11 @@
                 <artifactId>commons-lang3</artifactId>
                 <version>3.8.1</version>
             </dependency>
+            <dependency>
+                <groupId>com.google.guava</groupId>
+                <artifactId>failureaccess</artifactId>
+                <version>1.0.1</version>
+            </dependency>
             <dependency>
                 <groupId>commons-cli</groupId>
                 <artifactId>commons-cli</artifactId>

diff --git a/scripts/docker-config/download_dependencies.sh b/scripts/docker-config/download_dependencies.sh
@@ -23,7 +23,7 @@ jar_dependencies=(
   https://search.maven.org/remotecontent?filepath=commons-lang/commons-lang/2.4/commons-lang-2.4.jar
   https://search.maven.org/remotecontent?filepath=commons-logging/commons-logging/1.2/commons-logging-1.2.jar
   https://search.maven.org/remotecontent?filepath=com/google/code/gson/gson/2.8.5/gson-2.8.5.jar
-  https://search.maven.org/remotecontent?filepath=com/google/guava/guava/21.0/guava-21.0.jar
+  https://search.maven.org/remotecontent?filepath=com/google/guava/guava/30.1.1-jre/guava-30.1.1-jre.jar
   https://search.maven.org/remotecontent?filepath=com/fasterxml/jackson/core/jackson-annotations/2.11.3/jackson-annotations-2.11.3.jar
   https://search.maven.org/remotecontent?filepath=com/fasterxml/jackson/core/jackson-core/2.11.3/jackson-core-2.11.3.jar
   https://search.maven.org/remotecontent?filepath=com/fasterxml/jackson/core/jackson-databind/2.11.3/jackson-databind-2.11.3.jar