KON-709 Aktualisierung der Bibliotheken
diff --git a/pom.xml b/pom.xml
index f617fe3..f4113f3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
- <version>2.2.1.RELEASE</version>
+ <version>2.3.9.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>org.eclipse.openk</groupId>
@@ -41,23 +41,63 @@
<flyway.locations>filesystem:src/main/resources/db/migration/</flyway.locations>
<java.version>1.8</java.version>
- <spring-cloud.version>Hoxton.RELEASE</spring-cloud.version>
- <springfox.version>2.9.2</springfox.version>
- <spring-security-test.version>5.2.1.RELEASE</spring-security-test.version>
+ <!--<spring-cloud.version>Hoxton.RELEASE</spring-cloud.version>-->
+ <spring-cloud.version>Hoxton.SR10</spring-cloud.version>
+ <!--<spring-cloud.version>2020.0.0</spring-cloud.version>-->
+ <springfox.version>3.0.0</springfox.version>
+ <spring-security-test.version>5.4.6</spring-security-test.version>
<powerMockReflect.version>2.0.0</powerMockReflect.version>
<sonar-maven-plugin.version>3.2</sonar-maven-plugin.version>
- <jacoco-maven-plugin.version>0.7.9</jacoco-maven-plugin.version>
+ <jacoco-maven-plugin.version>0.8.6</jacoco-maven-plugin.version>
<jruby-complete-version>9.0.0.0</jruby-complete-version>
- <mapstruct.version>1.2.0.Final</mapstruct.version>
+ <mapstruct.version>1.4.2.Final</mapstruct.version>
<flyway-core.version>6.0.8</flyway-core.version>
<postgresql.version>42.2.8</postgresql.version>
<lombock.version>1.18.10</lombock.version>
<h2.version>1.4.200</h2.version>
<jsonwebtoken.version>0.9.1</jsonwebtoken.version>
- <openfeign.version>2.2.0.RELEASE</openfeign.version>
- <keycloak-core.version>3.4.2.Final</keycloak-core.version>
+ <openfeign.version>2.2.7.RELEASE</openfeign.version>
+ <keycloak-core.version>12.0.4</keycloak-core.version>
+ <dependency-check-maven.version>6.1.5</dependency-check-maven.version>
+ <hibernate-core.version>5.4.30.Final</hibernate-core.version>
</properties>
+ <profiles>
+ <profile>
+ <id>local-fast-build</id>
+ <properties>
+ <skip.asciidoc>true</skip.asciidoc>
+ <maven.test.skip>false</maven.test.skip>
+ </properties>
+ </profile>
+ <profile>
+ <id>securitycheck</id>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.owasp</groupId>
+ <artifactId>dependency-check-maven</artifactId>
+ <version>${dependency-check-maven.version}</version>
+ <configuration>
+ <skipProvidedScope>true</skipProvidedScope>
+ <skipRuntimeScope>true</skipRuntimeScope>
+ <failBuildOnCVSS>7</failBuildOnCVSS>
+ <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled>
+ <suppressionFiles>${basedir}/securitycheck/suppressed.xml</suppressionFiles>
+ </configuration>
+ <executions>
+ <execution>
+ <goals>
+ <goal>check</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
+ </profile>
+ </profiles>
+
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
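Review bot: The dependency-check configuration in the new `securitycheck` profile sets `skipRuntimeScope` to `true`, which leaves runtime-scope dependencies (the ones packaged into the deployed application, e.g. a JDBC driver if it is declared with runtime scope) out of the scan; unless there is a specific reason, drop `<skipRuntimeScope>true</skipRuntimeScope>` or set it to `false`, keeping only `skipProvidedScope` for container-provided artifacts. With `failBuildOnCVSS` at 7, findings below that score do not fail the build and only appear in the report, so the report itself needs to be part of the review, not just the build status. Since the profile is opt-in, a short comment stating how it is meant to be run, `<!-- run with: mvn -Psecuritycheck verify; suppressions live in securitycheck/suppressed.xml -->`, would help. The commented-out `spring-cloud.version` alternatives next to the active one are history the VCS already keeps and can be removed.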
@@ -65,6 +105,10 @@
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
+ <artifactId>spring-boot-starter-validation</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-ldap</artifactId>
</dependency>
<dependency>
@@ -87,12 +131,10 @@
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-openfeign</artifactId>
- <version>${openfeign.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-netflix-ribbon</artifactId>
- <version>${openfeign.version}</version>
</dependency>
<dependency>
<groupId>org.keycloak</groupId>
@@ -118,7 +160,7 @@
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-core</artifactId>
- <version>5.4.2.Final</version>
+ <version>${hibernate-core.version}</version>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
@@ -128,9 +170,8 @@
</dependency>
<dependency>
<groupId>org.mapstruct</groupId>
- <artifactId>mapstruct-processor</artifactId>
- <version>${mapstruct.version}</version>
- <scope>provided</scope>
+ <artifactId>mapstruct</artifactId>
+ <version>1.4.2.Final</version>
</dependency>
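Review bot: The `mapstruct` dependency pins `<version>1.4.2.Final</version>` literally, although this same commit introduces the `mapstruct.version` property with that value and uses it for the processor path in the compiler plugin; change it to `<version>${mapstruct.version}</version>` so the runtime library and the annotation processor cannot drift apart on the next bump. Moving the processor out of this dependency into `annotationProcessorPaths` makes the removal of the `provided` scope consistent.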
<dependency>
<groupId>io.jsonwebtoken</groupId>
@@ -141,6 +182,12 @@
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger2</artifactId>
<version>${springfox.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>org.mapstruct</groupId>
+ <artifactId>mapstruct</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<dependency>
<groupId>io.springfox</groupId>
@@ -195,7 +242,37 @@
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
+ <configuration>
+ <excludes>
+ <exclude>
+ <groupId>org.projectlombok</groupId>
+ <artifactId>lombok</artifactId>
+ </exclude>
+ </excludes>
+ </configuration>
</plugin>
+
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <configuration>
+ <source>${java.version}</source> <!-- or higher, depending on your project -->
+ <target>${java.version}</target> <!-- or higher, depending on your project -->
+ <annotationProcessorPaths>
+ <path>
+ <groupId>org.projectlombok</groupId>
+ <artifactId>lombok</artifactId>
+ <version>${lombok.version}</version>
+ </path>
+ <path>
+ <groupId>org.mapstruct</groupId>
+ <artifactId>mapstruct-processor</artifactId>
+ <version>${mapstruct.version}</version>
+ </path>
+ </annotationProcessorPaths>
+ </configuration>
+ </plugin>
+
<plugin>
<groupId>org.jacoco</groupId>
<artifactId>jacoco-maven-plugin</artifactId>
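Review bot: The lombok annotation processor path references `${lombok.version}`, but the property this pom declares is `lombock.version` (1.18.10); `${lombok.version}` only resolves if the Spring Boot parent defines it, so the processor version and the project's own lombok dependency version can diverge. Either use `<version>${lombock.version}</version>` here or rename the property to `lombok.version` and update the lombok dependency accordingly (that dependency is outside this hunk). The `<!-- or higher, depending on your project -->` comments on `source` and `target` are template leftovers and should be dropped.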
@@ -224,6 +301,7 @@
</execution>
</executions>
</plugin>
+
<plugin>
<groupId>org.sonarsource.scanner.maven</groupId>
<artifactId>sonar-maven-plugin</artifactId>
diff --git a/securitycheck/suppressed.xml b/securitycheck/suppressed.xml
new file mode 100644
index 0000000..7cefd0c
--- /dev/null
+++ b/securitycheck/suppressed.xml
@@ -0,0 +1,98 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+
+ <!-- Schwachstelle wird bei Keycloak im Code nicht benutzt -->
+ <suppress>
+ <notes><![CDATA[
+ file name: bcprov-jdk15on-1.65.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcprov\-jdk15on@.*$</packageUrl>
+ <cve>CVE-2020-28052</cve>
+ </suppress>
+
+ <!-- Gatekeeper wird bei uns nicht benutzt -->
+ <suppress>
+ <notes><![CDATA[
+ file name: keycloak-core-12.0.4.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-core@.*$</packageUrl>
+ <cve>CVE-2020-14359</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: keycloak-common-12.0.4.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-common@.*$</packageUrl>
+ <cve>CVE-2020-14359</cve>
+ </suppress>
+
+ <!-- Wir benutzen keinen “external identity provider“ -->
+ <suppress>
+ <notes><![CDATA[
+ file name: keycloak-core-12.0.4.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-core@.*$</packageUrl>
+ <cve>CVE-2020-14302</cve>
+ </suppress>
+
+ <!-- CVEs don't have the correct fix versions, fixed in 12.0.2 [1]. -->
+ <suppress>
+ <notes><![CDATA[
+ file name: keycloak-core-12.0.4.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-core@.*$</packageUrl>
+ <cve>CVE-2020-10770</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: keycloak-core-12.0.4.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-core@.*$</packageUrl>
+ <cve>CVE-2020-14302</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: keycloak-core-12.0.4.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-core@.*$</packageUrl>
+ <cve>CVE-2020-1725</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: keycloak-core-12.0.4.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-core@.*$</packageUrl>
+ <cve>CVE-2020-27838</cve>
+ </suppress>
+
+ <!-- CVEs don't have the correct fix versions, fixed in 12.0.2 [1]. -->
+ <suppress>
+ <notes><![CDATA[
+ file name: keycloak-common-12.0.4.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-common@.*$</packageUrl>
+ <cve>CVE-2020-10770</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: keycloak-common-12.0.4.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-common@.*$</packageUrl>
+ <cve>CVE-2020-14302</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: keycloak-common-12.0.4.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-common@.*$</packageUrl>
+ <cve>CVE-2020-1725</cve>
+ </suppress>
+ <suppress>
+ <notes><![CDATA[
+ file name: keycloak-common-12.0.4.jar
+ ]]></notes>
+ <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-common@.*$</packageUrl>
+ <cve>CVE-2020-27838</cve>
+ </suppress>
+
+</suppressions>
\ No newline at end of file
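Review bot: CVE-2020-14302 is suppressed twice for keycloak-core, once under the "external identity provider" comment and again under the "fix versions" comment; delete one of them and keep a single rationale per CVE and artifact. The justification for every suppression lives in XML comments, which dependency-check does not carry into its report, while the `<notes>` CDATA only holds the file name; put the reasoning into `<notes>` instead (e.g. "keycloak-core-12.0.4.jar: Gatekeeper is not used by this application"). The "[1]" in the fix-version comments has no target, so add the advisory or issue URL it refers to. Suppressions justified by "fix data not yet correct" should carry an expiry such as `<suppress until="YYYY-MM-DD">` (placeholder date), which the suppression schema supports, so they are revisited rather than silently kept after the next upgrade.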
diff --git a/src/main/java/org/eclipse/openk/contactbasedata/config/auth/JwtAuthenticationTokenFilter.java b/src/main/java/org/eclipse/openk/contactbasedata/config/auth/JwtAuthenticationTokenFilter.java
index 5138830..588af4b 100644
--- a/src/main/java/org/eclipse/openk/contactbasedata/config/auth/JwtAuthenticationTokenFilter.java
+++ b/src/main/java/org/eclipse/openk/contactbasedata/config/auth/JwtAuthenticationTokenFilter.java
@@ -15,8 +15,7 @@
package org.eclipse.openk.contactbasedata.config.auth;
-import org.eclipse.openk.contactbasedata.exceptions.UnauthorizedException;
-import org.keycloak.RSATokenVerifier;
+import org.keycloak.TokenVerifier;
import org.keycloak.representations.AccessToken;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
@@ -71,7 +70,7 @@
private void createToken(SecurityContext context, String bearerTkn) throws ServletException {
try {
List<String> allRoles = new ArrayList<>();
- AccessToken token = RSATokenVerifier.create(bearerTkn).getToken();
+ AccessToken token = TokenVerifier.create(bearerTkn, AccessToken.class).getToken();
//Clientroles
token.getResourceAccess().forEach((client, access) -> allRoles.addAll(access.getRoles()));
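Review bot: `TokenVerifier.create(bearerTkn, AccessToken.class).getToken()` parses and returns the token without checking its signature; as far as I recall, signature, expiry and issuer checks only run when `verify()` is called with a key supplied via `publicKey(...)`, and the previous `RSATokenVerifier.create(bearerTkn).getToken()` behaved the same way, so the migration preserves whatever verification the filter did before but does not add any. Please confirm that a `verify()` step (or an equivalent check) exists before the roles extracted on the next line are trusted; `createToken` continues outside the hunk, and the removed `UnauthorizedException` import suggests its error path changed as well. A comment above the line, `// decodes the JWT only; signature verification happens in <location — fill in>`, would make the intent explicit for the next reader.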