AAP-4 Aktualisierung der Bibliotheken
diff --git a/pom.xml b/pom.xml
index f71f2af..9c27fd5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -11,21 +11,66 @@
<properties>
<skip.asciidoc>false</skip.asciidoc>
- <httpclient.version>4.5.3</httpclient.version>
+ <httpclient.version>4.5.13</httpclient.version>
<gson.version>2.8.0</gson.version>
<log4j.version>1.2.17</log4j.version>
<commons-io.version>2.5</commons-io.version>
<junit.version>4.12</junit.version>
<easymock.version>3.4</easymock.version>
- <powermock-api-easymock.version>1.6.6</powermock-api-easymock.version>
+ <powermock-api-easymock.version>2.0.9</powermock-api-easymock.version>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<servlet-api>2.5</servlet-api>
<maven.test.skip>false</maven.test.skip>
- <jacoco-maven-plugin.version>0.7.9</jacoco-maven-plugin.version>
+ <jacoco-maven-plugin.version>0.8.6</jacoco-maven-plugin.version>
<sonar-maven-plugin.version>3.0.2</sonar-maven-plugin.version>
+ <dependency-check-maven.version>6.1.5</dependency-check-maven.version>
+ <keycloak.version>12.0.4</keycloak.version>
</properties>
+
+ <profiles>
+ <profile>
+ <id>local-fast-build</id>
+ <properties>
+ <skip.asciidoc>true</skip.asciidoc>
+ <maven.test.skip>false</maven.test.skip>
+ </properties>
+ </profile>
+ <profile>
+ <id>securitycheck</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>${dependency-check-maven.version}</version>
+ <configuration>
+ <skipProvidedScope>true</skipProvidedScope>
+ <skipRuntimeScope>true</skipRuntimeScope>
+ <failBuildOnCVSS>7</failBuildOnCVSS>
+ <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
+ <suppressionFiles>${basedir}/securitycheck/suppressed.xml</suppressionFiles>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+ </profiles>
+
<dependencies>
<dependency>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>${dependency-check-maven.version}</version>
+ <type>maven-plugin</type>
+ </dependency>
+ <dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>${httpclient.version}</version>
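Review bot: `skipProvidedScope` and `skipRuntimeScope` (L45–L46) exclude from the OWASP scan precisely the scopes whose jars end up in the WAR or are supplied by the container, so a vulnerable runtime-scoped transitive dependency would never trip `failBuildOnCVSS`; unless there is a documented reason, drop both lines (as far as I recall the plugin scans those scopes by default and only skips test scope) so the profile actually covers what is deployed. The second addition, `dependency-check-maven` declared as a project `<dependency>` of `<type>maven-plugin</type>` (L66–L70) with default compile scope, is not needed for the profile to work and pulls the scanner and its transitive libraries onto the application's build classpath — the plugin declaration inside the `securitycheck` profile is sufficient, so delete the dependency entry. `<keycloak.version>12.0.4</keycloak.version>` (L25) is added but nothing in this diff references it once the keycloak dependencies are removed, so it is a dangling property. `<log4j.version>1.2.17</log4j.version>` stays on the end-of-life log4j 1.x line, which is what forces the new suppression file; the library update is the natural place to move to log4j2 or SLF4J instead.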
@@ -40,52 +85,11 @@
<artifactId>javax.servlet-api</artifactId>
<version>3.0.1</version>
</dependency>
- <dependency>
+ <!--<dependency>
<groupId>com.auth0</groupId>
<artifactId>java-jwt</artifactId>
- <version>3.2.0</version>
- </dependency>
- <dependency>
- <groupId>org.keycloak</groupId>
- <artifactId>keycloak-core</artifactId>
- <version>3.2.0.Final</version>
- </dependency>
- <dependency>
- <groupId>org.keycloak</groupId>
- <artifactId>keycloak-adapter-core</artifactId>
- <version>3.2.0.Final</version>
- </dependency>
- <dependency>
- <groupId>org.keycloak</groupId>
- <artifactId>keycloak-adapter-spi</artifactId>
- <version>3.2.0.Final</version>
- </dependency>
- <dependency>
- <groupId>org.keycloak</groupId>
- <artifactId>keycloak-servlet-adapter-spi</artifactId>
- <version>3.2.0.Final</version>
- </dependency>
- <dependency>
- <groupId>org.keycloak</groupId>
- <artifactId>keycloak-servlet-filter-adapter</artifactId>
- <version>3.2.0.Final</version>
- </dependency>
- <dependency>
- <groupId>org.keycloak</groupId>
- <artifactId>keycloak-common</artifactId>
- <version>3.2.0.Final</version>
- </dependency>
- <dependency>
- <groupId>org.keycloak</groupId>
- <artifactId>keycloak-model-jpa</artifactId>
- <version>3.2.0.Final</version>
- </dependency>
- <dependency>
- <groupId>org.keycloak</groupId>
- <artifactId>keycloak-services</artifactId>
- <version>3.2.0.Final</version>
- </dependency>
-
+ <version>3.15.0</version>
+ </dependency>-->
<dependency>
<groupId>com.google.code.gson</groupId>
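Review bot: The java-jwt dependency at L80–L127 is commented out rather than removed; commented-out build configuration goes stale, is still picked up by readers auditing versions, and version control already keeps the history, so delete the block outright. With keycloak-core and the keycloak adapter artifacts gone, the only JWT handling visible in this diff is JwtHelper's own payload decoding; if the servlet filter adapter was what verified token signatures, that verification now has to live elsewhere, which is worth confirming before this is merged.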
@@ -119,16 +123,6 @@
<version>${commons-io.version}</version>
</dependency>
<dependency>
- <groupId>org.eclipse.persistence</groupId>
- <artifactId>eclipselink</artifactId>
- <version>2.6.4</version>
- </dependency>
- <dependency>
- <groupId>postgresql</groupId>
- <artifactId>postgresql</artifactId>
- <version>9.1-901-1.jdbc4</version>
- </dependency>
- <dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>${junit.version}</version>
@@ -155,11 +149,10 @@
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
<version>${jacoco-maven-plugin.version}</version>
+ <scope>test</scope>
</dependency>
-
</dependencies>
-
<build>
<finalName>${project.artifactId}</finalName>
<plugins>
@@ -172,6 +165,7 @@
<target>1.8</target>
</configuration>
</plugin>
+
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-jar-plugin</artifactId>
@@ -185,9 +179,10 @@
</archive>
</configuration>
</plugin>
+
<plugin>
<artifactId>maven-war-plugin</artifactId>
- <version>2.1</version>
+ <version>3.3.1</version>
<configuration>
<archive>
<manifest>
@@ -197,16 +192,19 @@
</archive>
</configuration>
</plugin>
+
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-project-info-reports-plugin</artifactId>
<version>2.7</version>
</plugin>
+
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>sonar-maven-plugin</artifactId>
<version>${sonar-maven-plugin.version}</version>
</plugin>
+
<plugin>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
@@ -237,6 +235,7 @@
</execution>
</executions>
</plugin>
+
<plugin>
<groupId>org.asciidoctor</groupId>
<artifactId>asciidoctor-maven-plugin</artifactId>
@@ -274,7 +273,6 @@
</attributes>
</configuration>
<executions>
-
<execution>
<id>output-html</id>
<phase>generate-resources</phase>
diff --git a/securitycheck/suppressed.xml b/securitycheck/suppressed.xml
new file mode 100644
index 0000000..7ddc0b5
--- /dev/null
+++ b/securitycheck/suppressed.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+
+ <!-- log4j wird bei uns nur lokal genutzt ohne Netzwerkkommunikation. -->
+ <suppress>
+ <notes><![CDATA[
+ file name: log4j-1.2.16.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/log4j/log4j@.*$</packageUrl>
+ <vulnerabilityName>CVE-2019-17571</vulnerabilityName>
+ </suppress>
+
+ <!-- log4j wird bei uns nur lokal genutzt ohne Netzwerkkommunikation. -->
+ <suppress>
+ <notes><![CDATA[
+ file name: log4j-1.2.16.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/log4j/log4j@.*$</packageUrl>
+ <vulnerabilityName>CVE-2020-9488</vulnerabilityName>
+ </suppress>
+</suppressions>
\ No newline at end of file
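Review bot: Both suppressions match `^pkg:maven/log4j/log4j@.*$`, i.e. every log4j version ever, with no expiry, so they will silently outlive the condition they rest on; add an expiry such as `<suppress until="2022-06-30">` and narrow the regex to the pinned version (`@1\.2\.17$`) so a future bump re-triggers review. The `notes` say `log4j-1.2.16.jar` while the pom pins 1.2.17 (L12), so the note does not describe the artifact actually being suppressed. The justification "only used locally without network communication" does not match the CVEs: CVE-2019-17571 is deserialization of untrusted data in log4j's `SocketServer` and CVE-2020-9488 is missing hostname verification in `SMTPAppender`, so the note should state that neither `SocketServer` nor `SMTPAppender` is configured and point at the log4j configuration that shows it. Since log4j 1.2 is end-of-life and will keep accruing findings, this suppression is a stopgap; migrating off log4j 1.x removes the need for it.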
diff --git a/src/main/java/org/eclipse/openk/portal/auth2/util/JwtHelper.java b/src/main/java/org/eclipse/openk/portal/auth2/util/JwtHelper.java
index 0830a09..3d3ce96 100644
--- a/src/main/java/org/eclipse/openk/portal/auth2/util/JwtHelper.java
+++ b/src/main/java/org/eclipse/openk/portal/auth2/util/JwtHelper.java
@@ -29,6 +29,7 @@
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList;
+import java.util.Base64;
import java.util.List;
import java.util.Map;
@@ -36,7 +37,6 @@
import org.eclipse.openk.portal.common.BackendConfig;
import org.eclipse.openk.portal.common.JsonGeneratorBase;
import org.eclipse.openk.portal.exceptions.PortalInternalServerError;
-import org.keycloak.common.util.Base64Url;
import static org.eclipse.openk.portal.common.JsonGeneratorBase.getGson;
@@ -138,7 +138,8 @@
//parts[2] is the jwtVerifySignature
// decode
- byte[] decoded = Base64Url.decode(jwtPayload);
+ Base64.Decoder decoder = Base64.getDecoder();
+ byte[] decoded = decoder.decode(jwtPayload);
jwtPayload = new String(decoded, StandardCharsets.UTF_8);
logger.debug(jwtPayload);
return getJwtPayloadFromJson(jwtPayload);
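Review bot: `Base64.getDecoder()` at L264 is the wrong decoder for a JWT segment: JWS segments are base64url-encoded (RFC 7515: alphabet with `-` and `_`, no padding), so the drop-in replacement for Keycloak's `Base64Url.decode` is the URL-safe decoder — with the basic decoder any payload whose encoding contains `-` or `_` throws `IllegalArgumentException` instead of being parsed, so this should read `byte[] decoded = Base64.getUrlDecoder().decode(jwtPayload);`. The comment at L261 notes that `parts[2]` is the signature, but nothing in this hunk verifies it before the decoded claims are handed to `getJwtPayloadFromJson`; with the keycloak adapter dependencies removed in this same commit, confirm that signature verification still happens on the caller side. `logger.debug(jwtPayload)` at L267 writes the full decoded claim set to the log, which typically carries user identifiers and e-mail addresses, so consider logging only a claim name or nothing at all. The enclosing method starts outside this hunk.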
diff --git a/src/test/java/org/eclipse/openk/portal/exceptions/PortalExceptionMapperTest.java b/src/test/java/org/eclipse/openk/portal/exceptions/PortalExceptionMapperTest.java
index f62c483..f9506e9 100644
--- a/src/test/java/org/eclipse/openk/portal/exceptions/PortalExceptionMapperTest.java
+++ b/src/test/java/org/eclipse/openk/portal/exceptions/PortalExceptionMapperTest.java
@@ -13,7 +13,6 @@
import static junit.framework.Assert.assertEquals;
-import static junit.framework.Assert.assertTrue;
import org.eclipse.openk.portal.common.JsonGeneratorBase;
import org.eclipse.openk.portal.common.util.ResourceLoaderBase;
@@ -27,7 +26,7 @@
ErrorReturn er = JsonGeneratorBase.getGson().fromJson(json, ErrorReturn.class);
assertEquals(er.getErrorCode(), 404);
- assertTrue(er.getErrorText().equals("lalilu"));
+ assertEquals("lalilu", er.getErrorText());
}
@Test
@@ -41,13 +40,13 @@
@Test
public void testGeneralOKJson() {
String ok = PortalExceptionMapper.getGeneralOKJson();
- assertTrue("{\"ret\":\"OK\"}".equals(ok));
+ assertEquals("{\"ret\":\"OK\"}", ok);
}
@Test
public void testGeneralErrorJson() {
String nok = PortalExceptionMapper.getGeneralErrorJson();
- assertTrue("{\"ret\":\"NOK\"}".equals(nok));
+ assertEquals("{\"ret\":\"NOK\"}", nok);
}