
(chores): fix security vulnerabilities #1482

Merged

Conversation

@akapti (Contributor) commented Mar 9, 2022

Please provide a summary of your changes here.
This PR fixes the security vulnerabilities reported by bot.

Issue: #1481

Suggest Reviewer

Current Issue:

I have fixed all the test cases, but Liferay fails during deployment. We need to fix the Liferay deployment issues.

How To Test?

Please test that all the functionalities in the UI and REST API are working fine.

Checklist

Must:

  • All related issues are referenced in commit messages and in PR
    Signed-off-by: Abdul Kapti [email protected]

@akapti akapti added dependencies Pull requests that update a dependency file do not merge - нет! labels Mar 9, 2022
@akapti (Contributor, Author) commented Mar 9, 2022

Tomcat deployment fails due to the following error:

2022-03-09 11:56:07.047 INFO  [fileinstall-/home/akapti/Downloads/liferay-7.3.3/osgi/war][BaseAutoDeployListener:50] Themes for /home/akapti/Downloads/liferay-7.3.3/tomcat-9.0.33/temp/20220309115604244ZMZOZSRL/org.eclipse.sw360.liferay-theme.war copied successfully
09-Mar-2022 11:56:09.365 WARNING [main] com.cloudant.client.api.Database.createIndex Index already exists : '{"name":"byEmailUser","type":"json","index":{"fields":[{"email":"desc"}]}}'
09-Mar-2022 11:56:09.378 WARNING [main] com.cloudant.client.api.Database.createIndex Index already exists : '{"name":"byDepartment","type":"json","index":{"fields":[{"department":"desc"}]}}'
09-Mar-2022 11:56:09.399 WARNING [main] com.cloudant.client.api.Database.createIndex Index already exists : '{"name":"byFirstName","type":"json","index":{"fields":[{"givenname":"desc"}]}}'
09-Mar-2022 11:56:09.444 WARNING [main] com.cloudant.client.api.Database.createIndex Index already exists : '{"name":"byLastName","type":"json","index":{"fields":[{"lastname":"desc"}]}}'
09-Mar-2022 11:56:09.487 WARNING [main] com.cloudant.client.api.Database.createIndex Index already exists : '{"name":"byUserGroup","type":"json","index":{"fields":[{"userGroup":"desc"}]}}'
09-Mar-2022 11:56:09.509 WARNING [main] com.cloudant.client.api.Database.createIndex Index already exists : '{"name":"bySecondaryDepartmentsAndRoles","type":"json","index":{"fields":[{"secondaryDepartmentsAndRoles":"desc"}]}}'
2022-03-09 11:56:18 INFO  ThriftClients:99 - The following configuration will be used for connections to the backend:
	URL                      : http://127.0.0.1:8080
	Proxy                    : null
	Timeout Connecting (ms)  : 5000
	Timeout Read (ms)        : 600000

2022-03-09 11:56:25.501 ERROR [fileinstall-/home/akapti/Downloads/liferay-7.3.3/osgi/modules][LogService:93] Error while starting bundle: file:/home/akapti/Downloads/liferay-7.3.3/osgi/modules/org.eclipse.sw360.common-io-15.1.0-SNAPSHOT.jar 
org.osgi.framework.BundleException: Could not resolve module: sw360-common-io [2286]
  Unresolved requirement: Import-Package: com.google.common.collect; version="[30.1.0,31.0.0)"
    -> Export-Package: com.google.common.collect; bundle-symbolic-name="com.google.guava"; bundle-version="30.1.1.jre"; version="30.1.1"; uses:="com.google.common.base"
       com.google.guava [2285]
         Unresolved requirement: Import-Package: com.google.common.util.concurrent.internal; version="[1.0.0,2.0.0)"
  Unresolved requirement: Import-Package: com.google.common.base; version="[30.1.0,31.0.0)"
    -> Export-Package: com.google.common.base; bundle-symbolic-name="com.google.guava"; bundle-version="30.1.1.jre"; version="30.1.1"
  [Sanitized]
	at org.eclipse.osgi.container.Module.start(Module.java:444)
	at org.eclipse.osgi.internal.framework.EquinoxBundle.start(EquinoxBundle.java:428)
	at org.apache.felix.fileinstall.internal.DirectoryWatcher.startBundle(DirectoryWatcher.java:1297)
	at org.apache.felix.fileinstall.internal.DirectoryWatcher.startBundles(DirectoryWatcher.java:1270)
	at org.apache.felix.fileinstall.internal.DirectoryWatcher.startAllBundles(DirectoryWatcher.java:1259)
	at org.apache.felix.fileinstall.internal.DirectoryWatcher.doProcess(DirectoryWatcher.java:519)
	at org.apache.felix.fileinstall.internal.DirectoryWatcher.process(DirectoryWatcher.java:369)
	at org.apache.felix.fileinstall.internal.DirectoryWatcher.run(DirectoryWatcher.java:320)
2022-03-09 11:56:25.506 ERROR [fileinstall-/home/akapti/Downloads/liferay-7.3.3/osgi/modules][LogService:93] Error while starting bundle: file:/home/akapti/Downloads/liferay-7.3.3/osgi/modules/org.eclipse.sw360.exporters-15.1.0-SNAPSHOT.jar 

I tried adding the new guava-30.1.1 jar file inside the liferay/deploy/ folder, but it was still throwing a similar error.

Attached the file with complete error log while deploying the application in tomcat:
Deploy_Output_Logs.txt

Modified the bnd.bnd files by adding an import for the Guava library, but that didn't fix the deployment issue.
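The BundleException above reports two levels of failure: sw360-common-io cannot wire its com.google.common.collect and com.google.common.base imports because the only exporter, com.google.guava 30.1.1, is itself unresolved, having no provider for its own import of com.google.common.util.concurrent.internal (in Guava's own build that package ships in the separate failureaccess artifact). Dropping the Guava jar into deploy/ therefore cannot help on its own. The following is an added example, not Equinox, Liferay or SW360 code: a minimal model of OSGi package wiring that reproduces the cascade from the bundle data in the log and shows it clearing once a bundle exporting the missing package is present. The bundle and package data are constructed from the log lines; the "failureaccess" bundle and its version are assumptions.

```python
"""Minimal model of OSGi Import-Package / Export-Package resolution.

Added example, not Equinox, Liferay or SW360 code. A bundle resolves only
when every package it imports is exported, within the requested version
range, by a bundle that has itself resolved; one unresolved import deep in
a dependency (here Guava's own) therefore cascades upward. Cycles between
bundles are not handled (real OSGi resolves them together).
"""
import re

# Package data constructed from the BundleException in this PR's log.
BUNDLES = {
    "sw360-common-io": {
        "imports": 'com.google.common.collect;version="[30.1.0,31.0.0)",'
                   'com.google.common.base;version="[30.1.0,31.0.0)"',
        "exports": "",
    },
    "com.google.guava": {
        "imports": 'com.google.common.util.concurrent.internal;version="[1.0.0,2.0.0)"',
        "exports": 'com.google.common.collect;version="30.1.1";uses:="com.google.common.base",'
                   'com.google.common.base;version="30.1.1"',
    },
}
# Assumed provider of the package Guava imports (hypothetical bundle data).
FAILUREACCESS = {
    "imports": "",
    "exports": 'com.google.common.util.concurrent.internal;version="1.0.1"',
}

_RANGE_RE = re.compile(r"^([\[(])\s*([^,]+?)\s*,\s*([^\])]+?)\s*([\])])$")
_CLAUSE_RE = re.compile(r'[^,"]+(?:"[^"]*"[^,"]*)*')


def parse_version(text):
    """OSGi version 'major.minor.micro.qualifier' -> comparable tuple."""
    parts = text.strip().split(".", 3)
    numbers = [int(p) for p in parts[:3]] + [0] * (3 - min(3, len(parts)))
    qualifier = parts[3] if len(parts) > 3 else ""
    return (*numbers, qualifier)


def in_range(version, spec):
    """True if `version` satisfies an OSGi range such as '[30.1.0,31.0.0)'.

    No spec means any version; a bare version means that version or newer."""
    if not spec:
        return True
    m = _RANGE_RE.match(spec)
    v = parse_version(version)
    if not m:
        return v >= parse_version(spec)
    lo, hi = parse_version(m.group(2)), parse_version(m.group(3))
    above = v >= lo if m.group(1) == "[" else v > lo
    below = v <= hi if m.group(4) == "]" else v < hi
    return above and below


def parse_header(header):
    """Import-/Export-Package header -> list of (package, version attribute).

    Clauses are comma separated, but commas inside quoted attribute values
    (version ranges, uses:= lists) must not split a clause."""
    result = []
    for clause in _CLAUSE_RE.findall(header):
        parts = [p.strip() for p in clause.split(";") if p.strip()]
        packages = [p for p in parts if "=" not in p]
        attrs = dict(p.split("=", 1) for p in parts if "=" in p)
        version = attrs.get("version", "").strip('"') or None
        result.extend((pkg, version) for pkg in packages)
    return result


def _unmet(imports, exports_by_bundle, resolved):
    """Imports of one bundle that no *resolved* bundle currently exports."""
    unmet = []
    for pkg, spec in imports:
        satisfied = any(
            epkg == pkg and in_range(ever or "0.0.0", spec)
            for name in resolved
            for epkg, ever in exports_by_bundle[name]
        )
        if not satisfied:
            unmet.append((pkg, spec))
    return unmet


def resolve(bundles):
    """Return (resolved bundle names, {unresolved bundle: [unmet imports]}).

    Runs to a fixpoint: a bundle's exports become usable only after it
    resolves, so providers are picked up in later passes."""
    imports = {n: parse_header(b.get("imports", "")) for n, b in bundles.items()}
    exports = {n: parse_header(b.get("exports", "")) for n, b in bundles.items()}
    resolved, progress = set(), True
    while progress:
        progress = False
        for name in bundles:
            if name not in resolved and not _unmet(imports[name], exports, resolved):
                resolved.add(name)
                progress = True
    unresolved = {n: _unmet(imports[n], exports, resolved) for n in bundles if n not in resolved}
    return resolved, unresolved


if __name__ == "__main__":
    for label, bundle_set in (("guava only", BUNDLES),
                              ("guava + failureaccess", {**BUNDLES, "failureaccess": FAILUREACCESS})):
        resolved, unresolved = resolve(bundle_set)
        print(f"{label}: resolved={sorted(resolved)}")
        for name, missing in unresolved.items():
            for pkg, spec in missing:
                print(f"  {name}: unresolved Import-Package {pkg}; version={spec}")
```

Run as a script, the first set reports both bundles unresolved with Guava's missing package as the root cause, which matches the log; the second set resolves all three. The same check can be pointed at real manifests by reading the Import-Package and Export-Package headers out of each jar's META-INF/MANIFEST.MF.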

@akapti akapti added this to the Backlog milestone Mar 9, 2022
@akapti akapti linked an issue Mar 10, 2022 that may be closed by this pull request
@akapti akapti force-pushed the chores/fixSecurityVulnerabilities branch 3 times, most recently from 8c8a5da to 5904aa3 Compare April 11, 2022 14:40
@akapti akapti added needs code review needs general test This is general testing, meaning that there is no org specific issue to check for needs special test Opposed to general testing, this requires dedicated check at some party's deployment and removed do not merge - нет! needs general test This is general testing, meaning that there is no org specific issue to check for labels Apr 11, 2022
@akapti (Contributor, Author) commented Apr 11, 2022

2022-03-09 11:56:25.501 ERROR [fileinstall-/home/akapti/Downloads/liferay-7.3.3/osgi/modules][LogService:93] Error while starting bundle: file:/home/akapti/Downloads/liferay-7.3.3/osgi/modules/org.eclipse.sw360.common-io-15.1.0-SNAPSHOT.jar
org.osgi.framework.BundleException: Could not resolve module: sw360-common-io [2286]
  Unresolved requirement: Import-Package: com.google.common.collect; version="[30.1.0,31.0.0)"
    -> Export-Package: com.google.common.collect; bundle-symbolic-name="com.google.guava"; bundle-version="30.1.1.jre"; version="30.1.1"; uses:="com.google.common.base"
       com.google.guava [2285]
         Unresolved requirement: Import-Package: com.google.common.util.concurrent.internal; version="[1.0.0,2.0.0)"
  Unresolved requirement: Import-Package: com.google.common.base; version="[30.1.0,31.0.0)"
    -> Export-Package: com.google.common.base; bundle-symbolic-name="com.google.guava"; bundle-version="30.1.1.jre"; version="30.1.1"
  [Sanitized]

The above issue has been fixed.

But I can see the following error in the deployment logs, whereas the sw360 application is working fine and I don't see any more issues with the Tomcat deployment of the web application.
It would be great if a couple more users could try testing it in their machine/environment.

2022-04-12 07:45:24,660 Start Level: Equinox Container: 7166ce92-f7f2-4551-b993-9187fce07299 WARN Ignoring TypeConverter [org.apache.logging.log4j.core.config.plugins.convert.EnumConverter@64918cdf] for type [class org.apache.logging.log4j.core.appender.ConsoleAppender$Target] that conflicts with [org.apache.logging.log4j.core.config.plugins.convert.EnumConverter@55a5b1c2], since they are not comparable.
2022-04-12 07:45:24,682 SCR Component Actor ERROR Could not register mbeans javax.management.InstanceAlreadyExistsException: org.apache.logging.log4j2:type=6914d5e6
	at java.management/com.sun.jmx.mbeanserver.Repository.addMBean(Repository.java:436)
	at java.management/com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerWithRepository(DefaultMBeanServerInterceptor.java:1855)
	at java.management/com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerDynamicMBean(DefaultMBeanServerInterceptor.java:955)
	at java.management/com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerObject(DefaultMBeanServerInterceptor.java:890)
	at java.management/com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.registerMBean(DefaultMBeanServerInterceptor.java:320)
	at java.management/com.sun.jmx.mbeanserver.JmxMBeanServer.registerMBean(JmxMBeanServer.java:522)
	at org.apache.logging.log4j.core.jmx.Server.register(Server.java:400)
	at org.apache.logging.log4j.core.jmx.Server.reregisterMBeansAfterReconfigure(Server.java:168)
	at org.apache.logging.log4j.core.jmx.Server.reregisterMBeansAfterReconfigure(Server.java:141)
	at org.apache.logging.log4j.core.LoggerContext.setConfiguration(LoggerContext.java:637)
	at org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:699)
	at org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:716)
	at org.apache.logging.log4j.core.LoggerContext.start(LoggerContext.java:270)
	at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:155)
	at org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:47)
	at org.apache.logging.log4j.LogManager.getContext(LogManager.java:196)
	at org.apache.logging.log4j.LogManager.getLogger(LogManager.java:599)
	at org.eclipse.sw360.portal.components.FossologyCheckConnectionOnStartupHook.<init>(FossologyCheckConnectionOnStartupHook.java:38)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:490)
	at org.apache.felix.scr.impl.inject.ComponentConstructor.newInstance(ComponentConstructor.java:308)
	at org.apache.felix.scr.impl.manager.SingleComponentManager.createImplementationObject(SingleComponentManager.java:278)
	at org.apache.felix.scr.impl.manager.SingleComponentManager.createComponent(SingleComponentManager.java:114)
	at org.apache.felix.scr.impl.manager.SingleComponentManager.getService(SingleComponentManager.java:983)
	at org.apache.felix.scr.impl.manager.SingleComponentManager.getServiceInternal(SingleComponentManager.java:956)
	at org.apache.felix.scr.impl.manager.AbstractComponentManager.activateInternal(AbstractComponentManager.java:756)
	at org.apache.felix.scr.impl.manager.AbstractComponentManager.enableInternal(AbstractComponentManager.java:666)
	at org.apache.felix.scr.impl.manager.AbstractComponentManager$1.run(AbstractComponentManager.java:456)
	at org.apache.felix.scr.impl.ComponentActorThread.run(ComponentActorThread.java:113)
	at java.base/java.lang.Thread.run(Thread.java:829)

@akapti akapti force-pushed the chores/fixSecurityVulnerabilities branch 3 times, most recently from 7659cfe to fbbf933 Compare April 16, 2022 18:27
@akapti (Contributor, Author) commented Apr 16, 2022

This PR includes the following changes:

  • Bumped apache-guava version from 21.0 to 31.0.1-jre.
  • Bumped spring-security version from 5.3.8.RELEASE to 5.6.2.
  • Bumped spring-security-oauth2 version from 2.3.8.RELEASE to 2.5.1.RELEASE.
  • Bumped spring-security-jwt version from 1.0.11.RELEASE to 1.1.1.RELEASE.
  • Bumped spring-boot version from 2.1.17.RELEASE to 2.6.6.
  • Bumped spring-core version from 5.2.9.RELEASE to 5.3.19.
  • Bumped spring-restdocs version from 2.0.5.RELEASE to 2.0.6.RELEASE.
  • Bumped junit version from 4.13.1 to 4.13.2.
  • Fixed all the test case failures due to the upgrade of Spring dependencies.
  • Removed unused imports.

Task to be done in future:

  • Need to migrate the spring-boot OAuth2 library to the latest version.
  • Upgrade the OSGi-dependent modules (commons-lang and couchdb-lucene) to remove the vulnerable log4j dependency.

TESTING

For testing the PR, you have to place the Guava 31.0.1-jre jar file in the liferay/osgi/modules folder.
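A reviewer of a dependency-bump PR like this one wants a mechanical check that the declared versions really are at or above the targets in the change list, and Maven's version ordering has a few traps (a ".RELEASE" qualifier means the same as no qualifier, "-SNAPSHOT" sorts below the release, "-jre" sorts above it). The following is an added example, not SW360 build tooling: it reads a pom.xml, resolves ${property} placeholders and compares each declared version with the minimum from the list above. The pom fragment, its property names and the groupId:artifactId coordinates are my assumptions.

```python
"""Check a pom.xml against the dependency versions this PR targets.

Added example, not SW360 build tooling. The pom fragment, its property
names and the groupId:artifactId coordinates are my assumptions. Version
ordering follows Maven's rules in simplified form: numeric segments
compare numerically, RELEASE/GA/FINAL equal no qualifier, and any other
qualifier (jre, SNAPSHOT, ...) ranks as Maven ranks it.
"""
import re
import xml.etree.ElementTree as ET

MINIMUM_VERSIONS = {  # from the change list above; coordinates assumed
    "com.google.guava:guava": "31.0.1-jre",
    "org.springframework.security:spring-security-core": "5.6.2",
    "org.springframework.security.oauth:spring-security-oauth2": "2.5.1.RELEASE",
    "org.springframework.security:spring-security-jwt": "1.1.1.RELEASE",
    "org.springframework.boot:spring-boot": "2.6.6",
    "org.springframework:spring-core": "5.3.19",
    "org.springframework.restdocs:spring-restdocs-core": "2.0.6.RELEASE",
    "junit:junit": "4.13.2",
}
# Maven's qualifier order; unknown qualifiers ("jre") sort after all of these.
_QUALIFIERS = ["alpha", "beta", "milestone", "rc", "snapshot", "", "sp"]
_ALIASES = {"release": "", "ga": "", "final": "", "cr": "rc"}
_PROP_RE = re.compile(r"\$\{([^}]+)\}")

SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <guava.version>31.0.1-jre</guava.version>
    <spring.version>5.3.19</spring.version>
    <spring-security.version>5.3.8.RELEASE</spring-security.version>
  </properties>
  <dependencies>
    <dependency><groupId>com.google.guava</groupId><artifactId>guava</artifactId>
      <version>${guava.version}</version></dependency>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-core</artifactId>
      <version>${spring.version}</version></dependency>
    <dependency><groupId>org.springframework.security</groupId><artifactId>spring-security-core</artifactId>
      <version>${spring-security.version}</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><scope>test</scope></dependency>
  </dependencies>
</project>"""  # constructed sample, not SW360's pom


def parse_maven_version(version):
    """'5.3.8.RELEASE' -> ([5, 3, 8], (rank, qualifier)); numbers stop at the first non-digit."""
    numbers, qualifier = [], []
    for tok in re.split(r"[.-]", version.strip()):
        if tok.isdigit() and not qualifier:
            numbers.append(int(tok))
        else:
            qualifier.append(tok.lower())
    qual = "-".join(qualifier)
    qual = _ALIASES.get(qual, qual)
    rank = _QUALIFIERS.index(qual) if qual in _QUALIFIERS else len(_QUALIFIERS)
    return numbers, (rank, qual)


def compare_versions(a, b):
    """-1, 0 or 1; trailing zero segments are insignificant (5.6.2 == 5.6.2.0)."""
    na, qa = parse_maven_version(a)
    nb, qb = parse_maven_version(b)
    width = max(len(na), len(nb))
    ka = (na + [0] * (width - len(na)), qa)
    kb = (nb + [0] * (width - len(nb)), qb)
    return (ka > kb) - (ka < kb)


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the POM namespace


def _child_text(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), None)


def check_pom(pom_xml, minimums):
    """{coordinate: ('ok' | 'outdated' | 'managed', declared version)} for the deps present.

    'managed' means the pom states no version (it comes from a parent or BOM),
    so the check must be repeated on the effective pom."""
    root = ET.fromstring(pom_xml)
    props = {_local(p.tag): (p.text or "").strip()
             for e in root.iter() if _local(e.tag) == "properties" for p in e}
    declared = {}
    for dep in (e for e in root.iter() if _local(e.tag) == "dependency"):
        coord = f"{_child_text(dep, 'groupId')}:{_child_text(dep, 'artifactId')}"
        version = _child_text(dep, "version")
        if version:
            version = _PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), version)
        if version or coord not in declared:  # keep a managed version over a blank one
            declared[coord] = version
    report = {}
    for coord, minimum in minimums.items():
        if coord not in declared:
            continue
        version = declared[coord]
        if not version:
            report[coord] = ("managed", None)
        else:
            report[coord] = ("ok" if compare_versions(version, minimum) >= 0 else "outdated", version)
    return report


if __name__ == "__main__":
    for coord, (state, version) in check_pom(SAMPLE_POM, MINIMUM_VERSIONS).items():
        print(f"{state:9} {coord} {version or ''}")
```

On the constructed pom the script flags spring-security-core as outdated (5.3.8.RELEASE is below 5.6.2) and junit as managed, which is the case to watch in a multi-module build: a version inherited from a parent or BOM is only visible in the effective pom, so a clean result on one module's pom is not proof that the vulnerable artifact is gone.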

@akapti akapti force-pushed the chores/fixSecurityVulnerabilities branch from fbbf933 to 7fd6302 Compare April 16, 2022 18:36
@JaideepPalit (Contributor) left a comment

Reviewed the PR.

There seems to be some issue with

  1. Health api Response structure
  2. Hal Browser
    • URL changed
    • Asking for Password in stage

@akapti akapti force-pushed the chores/fixSecurityVulnerabilities branch from 7fd6302 to c9be58e Compare April 25, 2022 04:38
@akapti (Contributor, Author) commented Apr 25, 2022

Reviewed the PR.

There seems to be some issue with

  1. Health api Response structure

The Health API (/health) response is not controlled by us; it is provided by Spring Boot.
There has been a change in response structure in spring-boot version 2.2 onwards.
URL for reference: https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-2.2-Release-Notes#health-endpoint-json
Github Code: https://github.com/spring-projects/spring-boot/blob/v2.6.6/spring-boot-project/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/system/DiskSpaceHealthIndicator.java

  2. Hal Browser

    • Url changed
    • Asking for Password in stage

The HAL browser URL is not something managed by us, and the URL change is due to the change in spring-boot version: from version 2.2 onwards spring-data-rest-hal-browser has been deprecated and replaced with spring-data-rest-hal-explorer in the latest version of spring-boot. We need to make the changes in the SW360 wiki accordingly. One can use the following URL as well: https://localhost:8080/resource/api

I need to look into password issue. Thanks.
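The health endpoint change referenced above is a rename of the top-level key: Spring Boot 2.1 nested the individual indicators under "details", while 2.2 and later put them under "components" (composite indicators nest further "components") and reserve "details" for an indicator's own free-form data. Any monitoring script or test that walks the old shape breaks on the upgrade. The following is an added example, not SW360 or Spring code, of a consumer that reads both shapes; both sample payloads are constructed for the example, not captured from an SW360 deployment.

```python
"""Read Spring Boot actuator /health JSON in both the 2.1 and 2.2+ shapes.

Added example, not SW360 or Spring code. Spring Boot 2.1 nested the
individual indicators under "details"; from 2.2 on they sit under
"components" (composites nest further "components"), while "details"
holds only one indicator's own data. Both payloads below are constructed.
"""
import json

LEGACY_2_1 = json.loads("""{
  "status": "UP",
  "details": {
    "db": {"status": "UP", "details": {"database": "H2", "validationQuery": "isValid()"}},
    "diskSpace": {"status": "UP",
                  "details": {"total": 500000000000, "free": 250000000000, "threshold": 10485760}}
  }
}""")

NEW_2_2 = json.loads("""{
  "status": "DOWN",
  "components": {
    "db": {
      "status": "DOWN",
      "components": {
        "primary": {"status": "UP"},
        "replica": {"status": "DOWN", "details": {"error": "connection refused"}}
      }
    },
    "diskSpace": {"status": "UP",
                  "details": {"total": 500000000000, "free": 250000000000, "threshold": 10485760}}
  }
}""")


def _children(node):
    """Sub-indicators of a health node, whichever key the Boot version used.

    A mapping counts as a set of indicators only if every value is itself a
    node carrying "status"; a leaf's "details" (numbers, strings) therefore
    never gets mistaken for indicators, even in the 2.1 shape."""
    for key in ("components", "details"):
        sub = node.get(key)
        if isinstance(sub, dict) and sub and all(
            isinstance(v, dict) and "status" in v for v in sub.values()
        ):
            return sub
    return {}


def component_statuses(payload, prefix=""):
    """Flatten a health payload to {"db": "DOWN", "db.replica": "DOWN", ...}."""
    statuses = {}
    for name, node in _children(payload).items():
        path = prefix + name
        statuses[path] = node.get("status", "UNKNOWN")
        statuses.update(component_statuses(node, path + "."))
    return statuses


def is_up(payload):
    """Overall status as reported by the endpoint itself."""
    return payload.get("status") == "UP"


def unhealthy_components(payload):
    """Names of indicators not reporting UP, in document order."""
    return [name for name, status in component_statuses(payload).items() if status != "UP"]


def detail(payload, component, key):
    """One detail value (e.g. diskSpace free bytes) independent of the shape."""
    node = payload
    for part in component.split("."):
        node = _children(node).get(part, {})
    return node.get("details", {}).get(key)


if __name__ == "__main__":
    for label, payload in (("2.1 shape", LEGACY_2_1), ("2.2+ shape", NEW_2_2)):
        print(label, "UP" if is_up(payload) else "NOT UP", component_statuses(payload))
        print("  unhealthy:", unhealthy_components(payload))
        print("  diskSpace free bytes:", detail(payload, "diskSpace", "free"))
```

Note that the overall "status" is still authoritative for an up/down decision; the flattened component map is what a monitoring rule or a REST docs test should compare against, so that the same check passes before and after the spring-boot bump.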

@akapti akapti force-pushed the chores/fixSecurityVulnerabilities branch from c9be58e to 01710be Compare April 25, 2022 07:37
@akapti (Contributor, Author) commented Apr 25, 2022

  2. Hal Browser
    • Asking for Password in stage

Issue has been fixed.

@akapti akapti force-pushed the chores/fixSecurityVulnerabilities branch from 01710be to e4ea1e5 Compare April 25, 2022 09:42
@akapti akapti force-pushed the chores/fixSecurityVulnerabilities branch from e4ea1e5 to 2502b58 Compare April 27, 2022 18:07
@ag4ums ag4ums removed needs code review needs general test This is general testing, meaning that there is no org specific issue to check for needs special test Opposed to general testing, this requires dedicated check at some party's deployment dependencies Pull requests that update a dependency file labels Apr 28, 2022
@ag4ums ag4ums merged commit 941683f into eclipse-sw360:master Apr 28, 2022
Successfully merging this pull request may close these issues.

potential security vulnerabilities in your dependencies.