KON-709 Aktualisierung der Bibliotheken
diff --git a/pom.xml b/pom.xml
index f617fe3..f4113f3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@ <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> - <version>2.2.1.RELEASE</version> + <version>2.3.9.RELEASE</version> <relativePath/> <!-- lookup parent from repository --> </parent> <groupId>org.eclipse.openk</groupId> 
@@ -41,23 +41,63 @@ <flyway.locations>filesystem:src/main/resources/db/migration/</flyway.locations> <java.version>1.8</java.version> - <spring-cloud.version>Hoxton.RELEASE</spring-cloud.version> - <springfox.version>2.9.2</springfox.version> - <spring-security-test.version>5.2.1.RELEASE</spring-security-test.version> + <!--<spring-cloud.version>Hoxton.RELEASE</spring-cloud.version>--> + <spring-cloud.version>Hoxton.SR10</spring-cloud.version> + <!--<spring-cloud.version>2020.0.0</spring-cloud.version>--> + <springfox.version>3.0.0</springfox.version> + <spring-security-test.version>5.4.6</spring-security-test.version> <powerMockReflect.version>2.0.0</powerMockReflect.version> <sonar-maven-plugin.version>3.2</sonar-maven-plugin.version> - <jacoco-maven-plugin.version>0.7.9</jacoco-maven-plugin.version> + <jacoco-maven-plugin.version>0.8.6</jacoco-maven-plugin.version> <jruby-complete-version>9.0.0.0</jruby-complete-version> - <mapstruct.version>1.2.0.Final</mapstruct.version> + <mapstruct.version>1.4.2.Final</mapstruct.version> <flyway-core.version>6.0.8</flyway-core.version> <postgresql.version>42.2.8</postgresql.version> <lombock.version>1.18.10</lombock.version> <h2.version>1.4.200</h2.version> <jsonwebtoken.version>0.9.1</jsonwebtoken.version> - <openfeign.version>2.2.0.RELEASE</openfeign.version> - <keycloak-core.version>3.4.2.Final</keycloak-core.version> + <openfeign.version>2.2.7.RELEASE</openfeign.version> + <keycloak-core.version>12.0.4</keycloak-core.version> + <dependency-check-maven.version>6.1.5</dependency-check-maven.version> + <hibernate-core.version>5.4.30.Final</hibernate-core.version> </properties> + <profiles> + <profile> + <id>local-fast-build</id> + <properties> + <skip.asciidoc>true</skip.asciidoc> + <maven.test.skip>false</maven.test.skip> + </properties> + </profile> + <profile> + <id>securitycheck</id> + <build> + <plugins> + <plugin> + <groupId>org.owasp</groupId> + <artifactId>dependency-check-maven</artifactId> + 
<version>${dependency-check-maven.version}</version> + <configuration> + <skipProvidedScope>true</skipProvidedScope> + <skipRuntimeScope>true</skipRuntimeScope> + <failBuildOnCVSS>7</failBuildOnCVSS> + <assemblyAnalyzerEnabled>false</assemblyAnalyzerEnabled> + <suppressionFiles>${basedir}/securitycheck/suppressed.xml</suppressionFiles> + </configuration> + <executions> + <execution> + <goals> + <goal>check</goal> + </goals> + </execution> + </executions> + </plugin> + </plugins> + </build> + </profile> + </profiles> + <dependencies> <dependency> <groupId>org.springframework.boot</groupId> @@ -65,6 +105,10 @@ </dependency> <dependency> <groupId>org.springframework.boot</groupId> + <artifactId>spring-boot-starter-validation</artifactId> + </dependency> + <dependency> + <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-data-ldap</artifactId> </dependency> <dependency> @@ -87,12 +131,10 @@ <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-openfeign</artifactId> - <version>${openfeign.version}</version> </dependency> <dependency> <groupId>org.springframework.cloud</groupId> <artifactId>spring-cloud-starter-netflix-ribbon</artifactId> - <version>${openfeign.version}</version> </dependency> <dependency> <groupId>org.keycloak</groupId> @@ -118,7 +160,7 @@ <dependency> <groupId>org.hibernate</groupId> <artifactId>hibernate-core</artifactId> - <version>5.4.2.Final</version> + <version>${hibernate-core.version}</version> </dependency> <dependency> <groupId>org.projectlombok</groupId> @@ -128,9 +170,8 @@ </dependency> <dependency> <groupId>org.mapstruct</groupId> - <artifactId>mapstruct-processor</artifactId> - <version>${mapstruct.version}</version> - <scope>provided</scope> + <artifactId>mapstruct</artifactId> + <version>1.4.2.Final</version> </dependency> <dependency> <groupId>io.jsonwebtoken</groupId> 
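Review bot: The dependency-check configuration sets `<skipRuntimeScope>true</skipRuntimeScope>`, but runtime-scoped artifacts are repackaged into the Spring Boot jar and are exactly what runs in production; if the JDBC driver or H2 is declared with runtime scope it will never be scanned, so change this to `<skipRuntimeScope>false</skipRuntimeScope>` and keep only the provided-scope skip. `<failBuildOnCVSS>7</failBuildOnCVSS>` lets every medium-severity finding pass silently, which is defensible only if the generated report is actually reviewed; record that decision in a comment next to the threshold. The scan runs only when the `securitycheck` profile is activated, so unless CI invokes `mvn -Psecuritycheck verify` the gate is never applied, and a one-line comment above the profile saying so would prevent that surprise. The two commented-out `spring-cloud.version` lines are dead configuration and should be removed rather than kept as alternatives.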
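Review bot: The new `org.mapstruct:mapstruct` dependency hard-codes `<version>1.4.2.Final</version>` even though this same commit introduces `<mapstruct.version>1.4.2.Final</mapstruct.version>` and uses that property for the annotation processor; the two will drift on the next bump, and a runtime/processor version mismatch is a known source of subtle mapping errors. Use `<version>${mapstruct.version}</version>` here so one value governs both. Dropping the provided-scoped `mapstruct-processor` from the dependency list is only correct because the processor is now supplied via `annotationProcessorPaths` in the compiler plugin; a short comment on this dependency pointing to that plugin configuration would save the next maintainer from re-adding it.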
@@ -141,6 +182,12 @@ <groupId>io.springfox</groupId> <artifactId>springfox-swagger2</artifactId> <version>${springfox.version}</version> + <exclusions> + <exclusion> + <groupId>org.mapstruct</groupId> + <artifactId>mapstruct</artifactId> + </exclusion> + </exclusions> </dependency> <dependency> <groupId>io.springfox</groupId> @@ -195,7 +242,37 @@ <plugin> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-maven-plugin</artifactId> + <configuration> + <excludes> + <exclude> + <groupId>org.projectlombok</groupId> + <artifactId>lombok</artifactId> + </exclude> + </excludes> + </configuration> </plugin> + + <plugin> + <groupId>org.apache.maven.plugins</groupId> + <artifactId>maven-compiler-plugin</artifactId> + <configuration> + <source>${java.version}</source> <!-- or higher, depending on your project --> + <target>${java.version}</target> <!-- or higher, depending on your project --> + <annotationProcessorPaths> + <path> + <groupId>org.projectlombok</groupId> + <artifactId>lombok</artifactId> + <version>${lombok.version}</version> + </path> + <path> + <groupId>org.mapstruct</groupId> + <artifactId>mapstruct-processor</artifactId> + <version>${mapstruct.version}</version> + </path> + </annotationProcessorPaths> + </configuration> + </plugin> + <plugin> <groupId>org.jacoco</groupId> <artifactId>jacoco-maven-plugin</artifactId> @@ -224,6 +301,7 @@ </execution> </executions> </plugin> + <plugin> <groupId>org.sonarsource.scanner.maven</groupId> <artifactId>sonar-maven-plugin</artifactId>
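Review bot: The annotation-processor path references `${lombok.version}`, while the property this pom declares is spelled `lombock.version` (1.18.10); `${lombok.version}` therefore resolves, if at all, to the value managed by the Spring Boot parent, so the processor and the project's lombok dependency may end up at different versions. Either rename the property to `lombok.version` or reference `${lombock.version}` here so a single value governs both. The `<!-- or higher, depending on your project -->` remarks are copied from a tutorial and describe nothing about this build; drop them, and since the Boot parent already derives the compiler source/target from `java.version`, the explicit `<source>`/`<target>` elements are redundant as well. The lombok exclusion in the spring-boot-maven-plugin is a good change; `<!-- compile-time only: keep lombok out of the runnable jar -->` above it would explain why.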
diff --git a/securitycheck/suppressed.xml b/securitycheck/suppressed.xml
new file mode 100644
index 0000000..7cefd0c
--- /dev/null
+++ b/securitycheck/suppressed.xml
@@ -0,0 +1,98 @@ +<?xml version="1.0" encoding="UTF-8"?> +<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd"> + + <!-- Schwachstelle wird bei Keycloak im Code nicht benutzt --> + <suppress> + <notes><![CDATA[ + file name: bcprov-jdk15on-1.65.jar + ]]></notes> + <packageUrl regex="true">^pkg:maven/org\.bouncycastle/bcprov\-jdk15on@.*$</packageUrl> + <cve>CVE-2020-28052</cve> + </suppress> + + <!-- Gatekeeper wird bei uns nicht benutzt --> + <suppress> + <notes><![CDATA[ + file name: keycloak-core-12.0.4.jar + ]]></notes> + <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-core@.*$</packageUrl> + <cve>CVE-2020-14359</cve> + </suppress> + <suppress> + <notes><![CDATA[ + file name: keycloak-common-12.0.4.jar + ]]></notes> + <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-common@.*$</packageUrl> + <cve>CVE-2020-14359</cve> + </suppress> + + <!-- Wir benutzen keinen “external identity provider“ --> + <suppress> + <notes><![CDATA[ + file name: keycloak-core-12.0.4.jar + ]]></notes> + <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-core@.*$</packageUrl> + <cve>CVE-2020-14302</cve> + </suppress> + + <!-- CVEs don't have the correct fix versions, fixed in 12.0.2 [1]. 
--> + <suppress> + <notes><![CDATA[ + file name: keycloak-core-12.0.4.jar + ]]></notes> + <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-core@.*$</packageUrl> + <cve>CVE-2020-10770</cve> + </suppress> + <suppress> + <notes><![CDATA[ + file name: keycloak-core-12.0.4.jar + ]]></notes> + <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-core@.*$</packageUrl> + <cve>CVE-2020-14302</cve> + </suppress> + <suppress> + <notes><![CDATA[ + file name: keycloak-core-12.0.4.jar + ]]></notes> + <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-core@.*$</packageUrl> + <cve>CVE-2020-1725</cve> + </suppress> + <suppress> + <notes><![CDATA[ + file name: keycloak-core-12.0.4.jar + ]]></notes> + <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-core@.*$</packageUrl> + <cve>CVE-2020-27838</cve> + </suppress> + + <!-- CVEs don't have the correct fix versions, fixed in 12.0.2 [1]. --> + <suppress> + <notes><![CDATA[ + file name: keycloak-common-12.0.4.jar + ]]></notes> + <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-common@.*$</packageUrl> + <cve>CVE-2020-10770</cve> + </suppress> + <suppress> + <notes><![CDATA[ + file name: keycloak-common-12.0.4.jar + ]]></notes> + <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-common@.*$</packageUrl> + <cve>CVE-2020-14302</cve> + </suppress> + <suppress> + <notes><![CDATA[ + file name: keycloak-common-12.0.4.jar + ]]></notes> + <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-common@.*$</packageUrl> + <cve>CVE-2020-1725</cve> + </suppress> + <suppress> + <notes><![CDATA[ + file name: keycloak-common-12.0.4.jar + ]]></notes> + <packageUrl regex="true">^pkg:maven/org\.keycloak/keycloak\-common@.*$</packageUrl> + <cve>CVE-2020-27838</cve> + </suppress> + +</suppressions> \ No newline at end of file
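Review bot: Every suppression matches all versions of the artifact (`^pkg:maven/org\.keycloak/keycloak\-core@.*$`) and carries no `until` date, so each CVE stays hidden after the next Keycloak or BouncyCastle upgrade even though the stated rationales ("not used in our code", "fixed in 12.0.2") were only assessed for the version audited here. Pin the packageUrl to the audited version, e.g. `^pkg:maven/org\.keycloak/keycloak\-core@12\.0\.4$`, and add an expiry such as `<suppress until="2021-12-31Z">` so the finding resurfaces for re-evaluation. CVE-2020-14302 is suppressed twice for keycloak-core under two different justifications (no external identity provider vs. wrong fix version); keep one entry and state which reason applies. The "[1]" in the fix-version comments refers to nothing in the file; add the URL of the Keycloak issue or advisory it cites so the claim can be checked.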
diff --git a/src/main/java/org/eclipse/openk/contactbasedata/config/auth/JwtAuthenticationTokenFilter.java b/src/main/java/org/eclipse/openk/contactbasedata/config/auth/JwtAuthenticationTokenFilter.java
index 5138830..588af4b 100644
--- a/src/main/java/org/eclipse/openk/contactbasedata/config/auth/JwtAuthenticationTokenFilter.java
+++ b/src/main/java/org/eclipse/openk/contactbasedata/config/auth/JwtAuthenticationTokenFilter.java
@@ -15,8 +15,7 @@ package org.eclipse.openk.contactbasedata.config.auth; -import org.eclipse.openk.contactbasedata.exceptions.UnauthorizedException; -import org.keycloak.RSATokenVerifier; +import org.keycloak.TokenVerifier; import org.keycloak.representations.AccessToken; import org.springframework.beans.factory.annotation.Value; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; @@ -71,7 +70,7 @@ private void createToken(SecurityContext context, String bearerTkn) throws ServletException { try { List<String> allRoles = new ArrayList<>(); - AccessToken token = RSATokenVerifier.create(bearerTkn).getToken(); + AccessToken token = TokenVerifier.create(bearerTkn, AccessToken.class).getToken(); //Clientroles token.getResourceAccess().forEach((client, access) -> allRoles.addAll(access.getRoles()));
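Review bot: `TokenVerifier.create(bearerTkn, AccessToken.class).getToken()` only parses the JWT; in Keycloak's TokenVerifier the signature and any configured checks such as expiry are evaluated by `verify()`, which neither the removed `RSATokenVerifier` line nor the new line calls, so the realm and client roles copied into the security context come from an unverified token unless a component in front of this filter has already validated it. If nothing upstream verifies the bearer token, load the realm public key and verify before reading claims, e.g. `AccessToken token = TokenVerifier.create(bearerTkn, AccessToken.class).withDefaultChecks().publicKey(realmPublicKey).verify().getToken();` with `realmPublicKey` taken from configuration or the realm's JWKS endpoint. If verification is intentionally delegated (for example to an API gateway), state that in a comment above this line so the missing check is not mistaken for an oversight. The body of createToken continues outside the hunk.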