Merge pull request #1397 from Unidata/suppress-spring-cve

upgrade to spring 5

gradle/dependencies.gradle

@@ -87,7 +87,7 @@ libraries["unidata-nexus"] = "edu.ucar.unidata:unidata-nexus-gradle:0.0.1"
 
 ////////////////////////////////////////// Spring //////////////////////////////////////////
 
-versions["spring"] = "4.3.30.RELEASE"
+versions["spring"] = "5.3.20"
 
 libraries["spring-core"] = "org.springframework:spring-core:${versions["spring"]}"
 
@@ -101,7 +101,7 @@ libraries["spring-webmvc"] = "org.springframework:spring-webmvc:${versions["spri
 
 ////////////////////////////////////////// Spring security //////////////////////////////////////////
 
-versions["spring-security"] = "3.2.5.RELEASE"
+versions["spring-security"] = "5.6.5"
 
 libraries["spring-security-config"] = "org.springframework.security:spring-security-config:${versions["spring-security"]}"
 

project-files/owasp-dependency-check/dependency-check-suppression.xml

@@ -67,54 +67,18 @@
   </suppress>
   <suppress>
     <notes><![CDATA[
-      file name: spring-beans-4.3.29.RELEASE.jar
-      reason: only vulnerable for JDK 9+
-     ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.springframework/spring-beans@.*$</packageUrl>
-    <cve>CVE-2022-22965</cve>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-      file name: spring-core-4.3.30.RELEASE.jar
-      reason: (CVE-2016-1000027) this CVE does not point to a vulnerability in the project itself, it is a vulnerability that occurs with improper use of HTTPInvoker, which we do not use.
-      (CVE-2022-22965) only vulnerable for JDK 9+.
-      (CVE-2022-22968) case sensitivity vulnerability in DataBinder disallowedFields, which we do not use
-     ]]></notes>
+      file name: spring-core-5.3.20.jar
+      reason: resolved CVE - only valid if using HTTPInvokerServiceExporter
+      ]]></notes>
     <packageUrl regex="true">^pkg:maven/org\.springframework/spring-core@.*$</packageUrl>
     <cve>CVE-2016-1000027</cve>
-    <cve>CVE-2022-22965</cve>
-    <cve>CVE-2022-22968</cve>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-      file name: spring-context-4.3.30.RELEASE.jar
-      reason: case sensitivity vulnerability in DataBinder disallowedFields, which we do not use
-     ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.springframework/spring-context@.*$</packageUrl>
-    <cve>CVE-2022-22968</cve>
   </suppress>
   <suppress>
-    <notes><![CDATA[
-      file name: spring-expression-4.3.30.RELEASE.jar
-      reason: we do not use SpEL
-     ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.springframework/spring-expression@.*$</packageUrl>
-    <cve>CVE-2022-22950</cve>
-  </suppress>
-  <suppress>
-    <notes><![CDATA[
-      file name: spring-web-4.3.30.RELEASE.jar
+    <notes><![CDATA[(
+      file name: spring-web-5.3.20.jar
       reason: resolved CVE - only valid if using HTTPInvokerServiceExporter
-     ]]></notes>
+      ]]></notes>
     <packageUrl regex="true">^pkg:maven/org\.springframework/spring-web@.*$</packageUrl>
     <cve>CVE-2016-1000027</cve>
   </suppress>
-  <suppress>
-    <notes><![CDATA[
-      file name: spring-webmvc-4.3.30.RELEASE.jar
-      reason: (CVE-2020-5397) vulnerability introduce in 5.2.x
-     ]]></notes>
-    <packageUrl regex="true">^pkg:maven/org\.springframework/spring-webmvc@.*$</packageUrl>
-    <cve>CVE-2020-5397</cve>
-  </suppress>
 </suppressions>

tds/src/main/java/thredds/server/config/TdsContext.java

@@ -41,7 +41,6 @@
 import org.springframework.stereotype.Component;
 import org.springframework.util.StringUtils;
 import org.springframework.web.context.ServletContextAware;
-import org.springframework.web.util.Log4jWebConfigurer;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.NodeList;
@@ -240,7 +239,6 @@ public void destroy() {
     logServerStartup.info("TdsContext: Shutting down collection manager");
     CollectionUpdater.INSTANCE.shutdown();
     logServerStartup.info("TdsContext: shutdownLogging()");
-    Log4jWebConfigurer.shutdownLogging(servletContext);
   }