fix: resolve CVE and log injection (#23)

Co-authored-by: Vitolo-Andrea <[email protected]>

.grype.yaml

@@ -7,4 +7,7 @@ ignore:
   - vulnerability: CVE-2023-3635 # okio-jvm 3.9.0
   - vulnerability: CVE-2023-51074 # json-path 2.9.0
   - vulnerability: CVE-2024-26308 # commons-compress 1.26.2
-  - vulnerability: CVE-2024-25710 # commons-compress 1.26.2
+  - vulnerability: CVE-2024-25710 # commons-compress 1.26.2
+  - vulnerability: CVE-2023-43642 # snappy-java 1.1.10.5
+  - vulnerability: CVE-2023-34455 # snappy-java 1.1.10.5
+  - vulnerability: CVE-2024-22271 # spring-cloud-function-context 4.1.2

pom.xml

@@ -161,6 +161,16 @@
 				<type>pom</type>
 				<scope>import</scope>
 			</dependency>
+			<dependency>
+				<groupId>org.xerial.snappy</groupId>
+				<artifactId>snappy-java</artifactId>
+				<version>1.1.10.5</version>
+			</dependency>
+			<dependency>
+				<groupId>org.springframework.cloud</groupId>
+				<artifactId>spring-cloud-function-context</artifactId>
+				<version>4.1.2</version>
+			</dependency>
 		</dependencies>
 	</dependencyManagement>
 

src/main/java/it/gov/pagopa/common/utils/Utils.java

@@ -29,4 +29,13 @@ public static String createSHA256(String fiscalCode)  {
             throw new EmdEncryptionException("Something went wrong creating SHA256",true,e);
         }
     }
+
+    public static void logInfo(String message){
+        log.info(inputSanify(message));
+    }
+    private static String inputSanify(String message){
+        if (message != null)
+           return message.replaceAll("[\\r\\n]", "");
+       return "[EMD][WARNING] Null log";
+    }
 }

src/main/java/it/gov/pagopa/message/core/event/producer/MessageErrorProducer.java

@@ -1,7 +1,6 @@
 package it.gov.pagopa.message.core.event.producer;
 
 import it.gov.pagopa.message.core.dto.MessageDTO;
-import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.cloud.stream.function.StreamBridge;
 import org.springframework.messaging.Message;
@@ -10,8 +9,9 @@
 import java.util.concurrent.ScheduledExecutorService;
 import java.util.concurrent.TimeUnit;
 
+import static it.gov.pagopa.common.utils.Utils.logInfo;
+
 @Component
-@Slf4j
 public class MessageErrorProducer {
 
   private final String binder;
@@ -27,7 +27,7 @@ public MessageErrorProducer(StreamBridge streamBridge,
   }
 
   public void sendToMessageErrorQueue(Message<MessageDTO> message){
-    log.info("Scheduling message to queue");
+    logInfo("Scheduling message to queue");
       scheduler.schedule(
               () -> streamBridge.send("messageSender-out-0", binder, message),
               5,

src/main/java/it/gov/pagopa/message/core/service/ChannelServiceImpl.java

@@ -8,14 +8,14 @@
 import it.gov.pagopa.message.core.model.Channel;
 import it.gov.pagopa.message.core.model.mapper.ChannelMapperDTOToObject;
 import it.gov.pagopa.message.core.repository.ChannelRepository;
-import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Service;
 
 import java.time.LocalDateTime;
 import java.util.Optional;
 
+import static it.gov.pagopa.common.utils.Utils.logInfo;
+
 @Service
-@Slf4j
 public class ChannelServiceImpl implements ChannelService {
 
     private final ChannelRepository channelRepository;
@@ -31,46 +31,46 @@ public ChannelServiceImpl(ChannelRepository channelRepository, ChannelMapperObje
 
     @Override
     public ChannelDTO createChannel(ChannelDTO channelDTO) {
-        log.info("[EMD][CREATE-CHANNEL] Received message: {}",channelDTO.toString());
+        logInfo("[EMD][CREATE-CHANNEL] Received message: %s".formatted(channelDTO.toString()));
         Channel channel = mapperToObject.channelDTOMapper(channelDTO);
         channel.setCreationDate(LocalDateTime.now());
         channel.setLastUpdateDate(LocalDateTime.now());
         channel  = channelRepository.save(channel);
-        log.info("[EMD][CREATE-CHANNEL] Created");
+        logInfo("[EMD][CREATE-CHANNEL] Created");
         return mapperToDTO.channelMapper(channel);
     }
 
 
     @Override
     public ChannelDTO deleteChannel(String channelId) {
-        log.info("[EMD][DELETE-CHANNEL] Received  channelId {} ", channelId);
+        logInfo("[EMD][DELETE-CHANNEL] Received  channelId %s ".formatted(channelId));
         Optional<Channel> optionalChannel = channelRepository.findById(channelId);
         if (optionalChannel.isPresent()) {
             Channel channel = optionalChannel.get();
             channel.setState(false);
             channel.setLastUpdateDate(LocalDateTime.now());
             channelRepository.save(channel);
-            log.info("[EMD][CREATE-CHANNEL] Deleted");
+            logInfo("[EMD][CREATE-CHANNEL] Deleted");
             return mapperToDTO.channelMapper(channel);
         } else {
-            log.error("[EMD][DELETE-CHANNEL] Tpp not onboarded");
+            logInfo("[EMD][DELETE-CHANNEL] Tpp not onboarded");
             throw new TppNotOnboardedException("Tpp not onboarded", true, null);
         }
     }
 
     @Override
     public ChannelDTO updateChannel(String channelId) {
-        log.info("[EMD][UPDATE-CHANNEL] Received channelId {} ", channelId);
+        logInfo("[EMD][UPDATE-CHANNEL] Received channelId %s ".formatted(channelId));
         Optional<Channel> optionalChannel = channelRepository.findById(channelId);
         if (optionalChannel.isPresent()) {
             Channel channel = optionalChannel.get();
             channel.setState(true);
             channel.setLastUpdateDate(LocalDateTime.now());
             channelRepository.save(channel);
-            log.info("[EMD][CREATE-CHANNEL] Updated");
+            logInfo("[EMD][CREATE-CHANNEL] Updated");
             return mapperToDTO.channelMapper(channel);
         } else {
-            log.error("[EMD][UPDATE-CHANNEL] Tpp not onboarded");
+            logInfo("[EMD][UPDATE-CHANNEL] Tpp not onboarded");
             throw new TppNotOnboardedException("Tpp not onboarded", true, null);
         }
 

src/main/java/it/gov/pagopa/message/core/service/CitizenServiceImpl.java

@@ -8,14 +8,14 @@
 import it.gov.pagopa.message.core.model.CitizenConsent;
 import it.gov.pagopa.message.core.model.mapper.CitizenConsentMapperDTOToObject;
 import it.gov.pagopa.message.core.repository.CitizenRepository;
-import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Service;
 
 import java.time.LocalDateTime;
 
+import static it.gov.pagopa.common.utils.Utils.logInfo;
+
 
 @Service
-@Slf4j
 public class CitizenServiceImpl implements CitizenService{
 
     private final CitizenRepository citizenRepository;
@@ -31,47 +31,47 @@ public CitizenServiceImpl(CitizenRepository citizenRepository, CitizenConsentMap
 
     @Override
     public CitizenConsentDTO createCitizenConsent(CitizenConsentDTO citizenConsentDTO) {
-        log.info("[EMD][CREATE-CITIZEN-CONSENT] Received message: {}",citizenConsentDTO.toString());
+        logInfo("[EMD][CREATE-CITIZEN-CONSENT] Received message: %s".formatted(citizenConsentDTO.toString()));
         CitizenConsent citizenConsent = mapperToObject.citizenConsentDTOMapper(citizenConsentDTO);
         String hashedFiscalCode = Utils.createSHA256(citizenConsent.getHashedFiscalCode());
         citizenConsent.setHashedFiscalCode(hashedFiscalCode);
         citizenConsent.setCreationDate(LocalDateTime.now());
         citizenConsent.setLastUpdateDate(LocalDateTime.now());
         citizenConsent  = citizenRepository.save(citizenConsent);
-        log.info("[EMD][CREATE-CITIZEN-CONSENT] Created");
+        logInfo("[EMD][CREATE-CITIZEN-CONSENT] Created");
         return mapperToDTO.citizenConsentMapper(citizenConsent);
     }
 
 
     @Override
     public CitizenConsentDTO deleteCitizenConsent(String fiscalCode, String channelId) {
-        log.info("[EMD][DELETE-CITIZEN-CONSENT] Received hashedFiscalCode: {} and channelId {} ",fiscalCode, channelId);
+        logInfo("[EMD][DELETE-CITIZEN-CONSENT] Received hashedFiscalCode: %s and channelId %s ".formatted(fiscalCode, channelId));
         String hashedFiscalCode = Utils.createSHA256(fiscalCode);
         CitizenConsent citizenConsent = citizenRepository.findByHashedFiscalCodeAndChannelId(hashedFiscalCode,channelId);
         if(citizenConsent == null) {
-            log.error("[EMD][DELETE-CITIZEN-CONSENT] User not onboarded");
+            logInfo("[EMD][DELETE-CITIZEN-CONSENT] User not onboarded");
             throw new UserNotOnboardedException("User not onboarded", true, null);
         }
         citizenConsent.setChannelState(false);
         citizenConsent.setLastUpdateDate(LocalDateTime.now());
         citizenRepository.save(citizenConsent);
-        log.info("[EMD][DELETE-CITIZEN-CONSENT] Deleted");
+        logInfo("[EMD][DELETE-CITIZEN-CONSENT] Deleted");
         return mapperToDTO.citizenConsentMapper(citizenConsent);
     }
 
     @Override
     public CitizenConsentDTO updateCitizenConsent(String fiscalCode, String channelId) {
-        log.info("[EMD][UPDATE-CITIZEN-CONSENT] Received fiscalCode: {} and channelId {} ",fiscalCode, channelId);
+        logInfo("[EMD][UPDATE-CITIZEN-CONSENT] Received fiscalCode: %s and channelId %s ".formatted(fiscalCode, channelId));
         fiscalCode = Utils.createSHA256(fiscalCode);
         CitizenConsent citizenConsent = citizenRepository.findByHashedFiscalCodeAndChannelId(fiscalCode,channelId);
         if(citizenConsent == null) {
-            log.error("[EMD][UPDATE-CITIZEN-CONSENT] User not onboarded");
+            logInfo("[EMD][UPDATE-CITIZEN-CONSENT] User not onboarded");
             throw new UserNotOnboardedException("User not onboarded", true, null);
         }
         citizenConsent.setChannelState(true);
         citizenConsent.setLastUpdateDate(LocalDateTime.now());
         citizenRepository.save(citizenConsent);
-        log.info("[EMD][UPDATE-CITIZEN-CONSENT] Updated");
+        logInfo("[EMD][UPDATE-CITIZEN-CONSENT] Updated");
         return mapperToDTO.citizenConsentMapper(citizenConsent);
     }
 

src/main/java/it/gov/pagopa/message/core/service/MessageCoreServiceImpl.java

@@ -8,14 +8,14 @@
 import it.gov.pagopa.message.core.model.Channel;
 import it.gov.pagopa.message.core.model.CitizenConsent;
 import it.gov.pagopa.message.core.dto.Outcome;
-import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Service;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
 
+import static it.gov.pagopa.common.utils.Utils.logInfo;
+
 
-@Slf4j
 @Service
 public class MessageCoreServiceImpl implements MessageCoreService {
 
@@ -35,17 +35,17 @@ public MessageCoreServiceImpl(CitizenConnectorImpl citizenService,
     @Override
     public Outcome sendMessage(MessageDTO messageDTO) {
 
-        log.info("[EMD][SEND-MESSAGE] Recived message: {}",messageDTO);
+        logInfo("[EMD][SEND-MESSAGE] Recived message: %s".formatted(messageDTO));
         String hashedFiscalCode = Utils.createSHA256(messageDTO.getRecipientId());
         ArrayList<CitizenConsent> citizenConsentList =
                 citizenService.getCitizenConsentsEnabled(hashedFiscalCode);
 
         if(citizenConsentList.isEmpty()) {
-            log.info("[EMD][SEND-MESSAGE] Citizen consent list is empty");
+            logInfo("[EMD][SEND-MESSAGE] Citizen consent list is empty");
             return new Outcome(OutcomeStatus.NO_CHANNELS_ENABLED);
         }
 
-        log.info("[EMD][SEND-MESSAGE] Citizen consent list: {}",citizenConsentList);
+        logInfo("[EMD][SEND-MESSAGE] Citizen consent list: %s".formatted(citizenConsentList));
         List<Channel> channelList = tppService.getChannelsList(
                                 citizenConsentList
                                 .stream()
@@ -54,17 +54,17 @@ public Outcome sendMessage(MessageDTO messageDTO) {
                         );
 
         if(channelList.isEmpty()) {
-            log.info("[EMD][SEND-MESSAGE] Channel list is empty");
+            logInfo("[EMD][SEND-MESSAGE] Channel list is empty");
             return new Outcome(OutcomeStatus.NO_CHANNELS_ENABLED);
         }
-        log.info("[EMD][SEND-MESSAGE] Channel list: {}",channelList);
+        logInfo("[EMD][SEND-MESSAGE] Channel list: %s".formatted(channelList));
 
         for (CitizenConsent citizenConsent : citizenConsentList) {
             Iterator<Channel> iterator = channelList.iterator();
             while (iterator.hasNext()) {
                 Channel channel = iterator.next();
                 if (channel.getId().equals(citizenConsent.getChannelId())) {
-                    log.info("[EMD][SEND-MESSAGE] Channel: {}",channel.getBusinessName());
+                    logInfo("[EMD][SEND-MESSAGE] Channel: %s".formatted(channel.getBusinessName()));
                     sendMessageServiceImpl.sendMessage(
                             messageDTO,
                             channel.getMessageUrl(),

src/main/java/it/gov/pagopa/message/core/service/MessageErrorConsumerServiceImpl.java

@@ -3,7 +3,6 @@
 import it.gov.pagopa.common.utils.Constants;
 import it.gov.pagopa.message.core.dto.MessageDTO;
 
-import lombok.extern.slf4j.Slf4j;
 
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.messaging.MessageHeaders;
@@ -13,10 +12,10 @@
 
 import static it.gov.pagopa.common.utils.Constants.ERROR_MSG_AUTH_URL;
 import static it.gov.pagopa.common.utils.Constants.ERROR_MSG_MESSAGE_URL;
+import static it.gov.pagopa.common.utils.Utils.logInfo;
 
 
 @Service
-@Slf4j
 public class MessageErrorConsumerServiceImpl implements MessageErrorConsumerService {
 
     private final SendMessageServiceImpl sendMessageServiceImpl;
@@ -30,18 +29,18 @@ public MessageErrorConsumerServiceImpl(SendMessageServiceImpl sendMessageService
 
     @Override
     public void processCommand(Message<MessageDTO> message) {
-        log.info("[EMD-PROCESS-COMMAND] Queue message received: {}",message.getPayload());
+        logInfo("[EMD-PROCESS-COMMAND] Queue message received: %s".formatted(message.getPayload()));
         MessageHeaders headers = message.getHeaders();
         long retry = getNextRetry(headers);
         if(retry!=0) {
-            log.info("[EMD-PROCESS-COMMAND] Try: {}",retry);
+            logInfo("[EMD-PROCESS-COMMAND] Try: %s".formatted(retry));
             MessageDTO messageDTO = message.getPayload();
             String messageUrl = (String) headers.get(ERROR_MSG_MESSAGE_URL);
             String authenticationUrl = (String) headers.get(ERROR_MSG_AUTH_URL);
             sendMessageServiceImpl.sendMessage(messageDTO, messageUrl, authenticationUrl, retry);
         }
         else
-            log.info("[EMD-PROCESS-COMMAND] Not retryable");
+            logInfo("[EMD-PROCESS-COMMAND] Not retryable");
     }
 
     private long getNextRetry(MessageHeaders headers) {