Merge pull request #1958 from nordic-institute/XRDDEV-2597

fix: SonarCloud and Dependabot fixes
nordic-institute · Feb 23, 2024 · 6b0ea5d · 6b0ea5d
2 parents 61f3964 + a846ed7
commit 6b0ea5d
Show file tree

Hide file tree

Showing 30 changed files with 186 additions and 185 deletions.
diff --git a/src/addons/messagelog/messagelog-addon/build.gradle b/src/addons/messagelog/messagelog-addon/build.gradle
@@ -13,7 +13,7 @@ dependencies {
     testImplementation project(':common:common-test')
     testImplementation project(':addons:messagelog:messagelog-archiver')
     testImplementation "org.hsqldb:hsqldb:$hsqldbVersion"
-    testImplementation "org.bouncycastle:bcpg-jdk15on:${bouncyCastleVersion}"
+    testImplementation "org.bouncycastle:bcpg-jdk18on:${bouncyCastleVersion}"
 }
 
 jar {

diff --git a/src/addons/messagelog/messagelog-db/build.gradle b/src/addons/messagelog/messagelog-db/build.gradle
@@ -1,7 +1,7 @@
 dependencies {
     implementation(project(':common:common-db'))
     implementation(project(':common:common-messagelog'))
-    implementation "org.bouncycastle:bcpkix-jdk15on:${bouncyCastleVersion}"
+    implementation "org.bouncycastle:bcpkix-jdk18on:${bouncyCastleVersion}"
     implementation "org.slf4j:slf4j-api:${slf4jVersion}"
 }
 
diff --git a/...ns/metaservice/src/main/java/ee/ria/xroad/proxy/clientproxy/InternalSslSocketFactory.java b/...ns/metaservice/src/main/java/ee/ria/xroad/proxy/clientproxy/InternalSslSocketFactory.java
diff --git a/src/asic-util/src/main/java/ee/ria/xroad/common/asic/AsicContainerVerifier.java b/src/asic-util/src/main/java/ee/ria/xroad/common/asic/AsicContainerVerifier.java
@@ -52,7 +52,7 @@
 import org.apache.xml.security.utils.resolver.ResourceResolverContext;
 import org.apache.xml.security.utils.resolver.ResourceResolverException;
 import org.apache.xml.security.utils.resolver.ResourceResolverSpi;
-import org.bouncycastle.asn1.ASN1Sequence;
+import org.bouncycastle.asn1.ASN1Primitive;
 import org.bouncycastle.asn1.cms.ContentInfo;
 import org.bouncycastle.cert.ocsp.BasicOCSPResp;
 import org.bouncycastle.cert.ocsp.OCSPResp;
@@ -238,8 +238,7 @@ private byte[] getTimestampedData() throws Exception {
     private TimeStampToken getTimeStampToken() throws Exception {
         String timestampDerBase64 = asic.getEntryAsString(ENTRY_TIMESTAMP);
         byte[] tsDerDecoded = decodeBase64(timestampDerBase64);
-        return new TimeStampToken(new ContentInfo(
-                (ASN1Sequence) ASN1Sequence.fromByteArray(tsDerDecoded)));
+        return new TimeStampToken(ContentInfo.getInstance(ASN1Primitive.fromByteArray(tsDerDecoded)));
     }
 
     private static ClientId getSigner(String messageXml) {

diff --git a/src/asic-util/src/main/java/ee/ria/xroad/common/asic/AsicUtils.java b/src/asic-util/src/main/java/ee/ria/xroad/common/asic/AsicUtils.java
@@ -49,7 +49,7 @@ private AsicUtils() {
     @SneakyThrows
     public static String escapeString(String str) {
         String urlEncoded =
-                URLEncoder.encode(str, StandardCharsets.UTF_8.name());
+                URLEncoder.encode(str, StandardCharsets.UTF_8);
         return urlEncoded.replace("/", "%2F");
     }
 

diff --git a/src/asicverifier/src/main/java/ee/ria/xroad/asicverifier/AsicVerifierMain.java b/src/asicverifier/src/main/java/ee/ria/xroad/asicverifier/AsicVerifierMain.java
@@ -35,10 +35,12 @@
 
 import org.apache.commons.io.IOUtils;
 
+import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.file.Files;
+import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.util.Scanner;
 import java.util.zip.ZipEntry;
@@ -49,6 +51,8 @@
  */
 public final class AsicVerifierMain {
 
+    private static final Path CURRENT_DIR = Paths.get("").toAbsolutePath();
+
     private AsicVerifierMain() {
     }
 
@@ -137,10 +141,13 @@ private static void extractMessage(String fileName) {
 
     @SuppressWarnings("javasecurity:S2083")
     private static void writeToFile(String fileName, InputStream contents) throws IOException {
-        try (FileOutputStream file = new FileOutputStream(fileName)) {
-            IOUtils.copy(contents, file);
+        final var targetFile = new File(fileName);
+        if (targetFile.getCanonicalFile().toPath().startsWith(CURRENT_DIR)) {
+            try (FileOutputStream file = new FileOutputStream(targetFile)) {
+                IOUtils.copy(contents, file);
+            }
+            System.out.println("Created file " + fileName);
         }
-        System.out.println("Created file " + fileName);
     }
 
     private static void showUsage() {

diff --git a/src/build.gradle b/src/build.gradle
@@ -133,34 +133,28 @@ configure(subprojects.findAll { !["shared-ui", "ui"].contains(it.name) }) {
     dependencies {
         //With require constraints we define lowest compliant dependency version (transitive dependencies are incl.)
         constraints {
-            add('implementation', 'com.fasterxml.jackson.core:jackson-databind') {
-                because("Vulnerability fix regarding CVE-2022-42003")
+            add('implementation', 'io.micrometer:micrometer-tracing-bridge-brave') {
+                because("Vulnerability fix regarding CVE-2022-47932")
                 version {
-                    require("$jacksonBomVersion")
+                    require("1.23.0")
                 }
             }
-            add('implementation', 'org.yaml:snakeyaml') {
-                because("Vulnerability fix regarding CVE-2022-25857")
+            add('implementation', 'org.springframework.security:spring-security-core') {
+                because("Vulnerability fix regarding CVE-2024-22234")
                 version {
-                    require("$snakeyamlVersion")
+                    require("$springSecurityVersion")
                 }
             }
-            add('implementation', 'org.apache.commons:commons-text') {
-                because("Vulnerability fix regarding CVE-2022-42889")
+            add('implementation', 'com.jayway.jsonpath:json-path') {
+                because("Vulnerability fix regarding CVE-2023-51074")
                 version {
-                    require("$commonsTextVersion")
-                }
-            }
-            add('implementation', 'com.fasterxml.woodstox:woodstox-core') {
-                because("Vulnerability fix regarding CVE-2022-40152")
-                version {
-                    require("$woodstoxVersion")
+                    require("$jsonPathVersion")
                 }
             }
         }
 
-        testImplementation("org.junit.jupiter:junit-jupiter-engine:$junitVersion")
-        testImplementation("org.junit.vintage:junit-vintage-engine:$junitVersion")
+        testImplementation("org.junit.jupiter:junit-jupiter-engine:$junitJupiterVersion")
+        testImplementation("org.junit.vintage:junit-vintage-engine:$junitJupiterVersion")
 
         compileOnly "org.projectlombok:lombok:${lombokVersion}"
         annotationProcessor "org.projectlombok:lombok:${lombokVersion}"

diff --git a/src/central-server/admin-service/ui-system-test/build.gradle b/src/central-server/admin-service/ui-system-test/build.gradle
@@ -8,7 +8,7 @@ dependencies {
     intTestImplementation("com.nortal.test:test-automation-allure:${testAutomationFrameworkVersion}")
     intTestImplementation("com.nortal.test:test-automation-containers:${testAutomationFrameworkVersion}")
     intTestImplementation("com.nortal.test:test-automation-feign:$testAutomationFrameworkVersion")
-    intTestImplementation("org.bouncycastle:bcpkix-jdk15on:${bouncyCastleVersion}")
+    intTestImplementation("org.bouncycastle:bcpkix-jdk18on:${bouncyCastleVersion}")
     intTestImplementation("org.awaitility:awaitility:${awaitilityVersion}")
 }
 

diff --git a/src/common/common-core/build.gradle b/src/common/common-core/build.gradle
@@ -17,7 +17,7 @@ dependencies {
     api("org.apache.santuario:xmlsec:$xmlsecVersion")
     api("org.apache.commons:commons-lang3:$commonsLang3Version")
     api("org.apache.commons:commons-text:$commonsTextVersion")
-    api("org.bouncycastle:bcpkix-jdk15on:$bouncyCastleVersion")
+    api("org.bouncycastle:bcpkix-jdk18on:$bouncyCastleVersion")
     api("com.google.guava:guava:$guavaVersion")
     api("com.fasterxml.jackson.core:jackson-annotations:$jacksonBomVersion")
     api("commons-io:commons-io:$commonsIOVersion")

diff --git a/src/common/common-core/src/main/java/ee/ria/xroad/common/util/LogUtils.java b/src/common/common-core/src/main/java/ee/ria/xroad/common/util/LogUtils.java
@@ -0,0 +1,44 @@
+/*
+ * The MIT License
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ * <p>
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ * <p>
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ * <p>
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package ee.ria.xroad.common.util;
+
+import org.apache.commons.lang3.StringUtils;
+
+public final class LogUtils {
+
+    private static final String REGEX_TO_ESCAPE = "[\t\n\r]";
+    private static final String REPLACEMENT = "_";
+
+    public static String sanitize(final String text) {
+        if (StringUtils.isEmpty(text)) {
+            return text;
+        }
+
+        return text.replaceAll(REGEX_TO_ESCAPE, REPLACEMENT);
+    }
+
+    private LogUtils() {
+    }
+}
diff --git a/src/common/common-core/src/test/java/ee/ria/xroad/common/util/LogUtilsTest.java b/src/common/common-core/src/test/java/ee/ria/xroad/common/util/LogUtilsTest.java
@@ -0,0 +1,56 @@
+/*
+ * The MIT License
+ * Copyright (c) 2018 Estonian Information System Authority (RIA),
+ * Nordic Institute for Interoperability Solutions (NIIS), Population Register Centre (VRK)
+ * Copyright (c) 2015-2017 Estonian Information System Authority (RIA), Population Register Centre (VRK)
+ * <p>
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ * <p>
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ * <p>
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+ * THE SOFTWARE.
+ */
+package ee.ria.xroad.common.util;
+
+import org.junit.jupiter.api.Test;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+class LogUtilsTest {
+
+    @Test
+    void sanitize() {
+        var normalLogEntry = "2024-02-15T12:21:06.997+02:00  "
+                + "INFO ee.ria.xroad.common.util.LogUtilsTest : System is ready";
+        var fakeLogEntry = "2024-02-15T12:21:06.997+02:00  "
+                + "INFO ee.ria.xroad.common.util.LogUtilsTest : Payment of $1000 was made";
+
+        var fakeLogData = "to receive $1000";
+
+        assertThat(LogUtils.sanitize(normalLogEntry)).isEqualTo(normalLogEntry);
+
+        assertThat(LogUtils.sanitize(normalLogEntry + "\n" + fakeLogEntry))
+                .isEqualTo(normalLogEntry + "_" + fakeLogEntry);
+
+        assertThat(LogUtils.sanitize(normalLogEntry + "\n\r" + fakeLogEntry))
+                .isEqualTo(normalLogEntry + "__" + fakeLogEntry);
+
+        assertThat(LogUtils.sanitize(normalLogEntry + "\r" + fakeLogEntry))
+                .isEqualTo(normalLogEntry + "_" + fakeLogEntry);
+
+        assertThat(LogUtils.sanitize(normalLogEntry + "\t" + fakeLogData))
+                .isEqualTo(normalLogEntry + "_" + fakeLogData);
+    }
+}
diff --git a/src/common/common-int-test/build.gradle b/src/common/common-int-test/build.gradle
@@ -15,7 +15,7 @@ dependencies {
     api("com.nortal.test:test-automation-selenide:${testAutomationFrameworkVersion}") {
         exclude group: "org.slf4j", module: "*"
     }
-    api("org.bouncycastle:bcpkix-jdk15on:${bouncyCastleVersion}")
+    api("org.bouncycastle:bcpkix-jdk18on:${bouncyCastleVersion}")
     api("org.awaitility:awaitility:${awaitilityVersion}")
 }