EPMRPP-87594 fix CVEs

build.gradle

@@ -1,6 +1,6 @@
 plugins {
     id 'io.spring.dependency-management' version '1.0.9.RELEASE'
-    id 'org.springframework.boot' version '2.5.14'
+    id 'org.springframework.boot' version '2.5.15'
     id 'java'
     id "org.owasp.dependencycheck" version "5.3.1"
 }
@@ -49,61 +49,63 @@ dependencyManagement {
 
 dependencies {
     if (releaseMode) {
-        compile 'com.epam.reportportal:commons-dao'
-        compile 'com.epam.reportportal:commons-rules'
-        compile 'com.epam.reportportal:commons-model'
+        implementation 'com.epam.reportportal:commons-dao'
+        implementation 'com.epam.reportportal:commons-rules'
+        implementation 'com.epam.reportportal:commons-model'
     } else {
-        compile 'com.github.reportportal:commons-dao:f042158b'
-        compile 'com.github.reportportal:commons-rules:933ff17d'
-        compile 'com.github.reportportal:commons-model:232e69a5'
+        implementation 'com.github.reportportal:commons-dao:f042158b'
+        implementation 'com.github.reportportal:commons-rules:933ff17d'
+        implementation 'com.github.reportportal:commons-model:232e69a5'
     }
 
     //Fix CVE-2021-41079, CVE-2022-23181, CVE-2021-33037, CVE-2021-30640, CVE-2022-42252
-    compile 'org.apache.tomcat.embed:tomcat-embed-core:9.0.68'
-    compile 'org.apache.tomcat.embed:tomcat-embed-el:9.0.68'
-    compile 'org.apache.tomcat.embed:tomcat-embed-websocket:9.0.68'
+    implementation 'org.apache.tomcat.embed:tomcat-embed-core:9.0.82'
+    implementation 'org.apache.tomcat.embed:tomcat-embed-el:9.0.82'
+    implementation 'org.apache.tomcat.embed:tomcat-embed-websocket:9.0.82'
     //Fix CVE-2020-15522
-    compile 'org.bouncycastle:bcprov-jdk15on:1.69'
+    implementation 'org.bouncycastle:bcprov-jdk15on:1.69'
     //Fix CVE-2015-7501, CVE-2015-4852
-    compile 'commons-collections:commons-collections:3.2.2'
+    implementation 'org.apache.commons:commons-collections4:4.4'
     //Fix CVE-2018-10237
-    compile 'com.google.guava:guava:24.1.1-jre'
+    implementation 'com.google.guava:guava:31.1-jre'
     //Fix CVE-2020-13956
-    compile 'org.apache.httpcomponents:httpclient:4.5.13'
+    implementation 'org.apache.httpcomponents:httpclient:4.5.14'
     //Fix CVE-2022-40152
-    compile 'com.fasterxml.woodstox:woodstox-core:5.4.0'
+    implementation 'com.fasterxml.woodstox:woodstox-core:6.5.1'
 
-    compile 'org.springframework.boot:spring-boot-starter-web'
-    compile 'org.springframework.boot:spring-boot-starter-actuator'
-    compile 'org.springframework.boot:spring-boot-starter-security'
-    compile 'org.springframework.boot:spring-boot-starter-amqp'
+    implementation 'org.springframework.boot:spring-boot-starter-web'
+    implementation 'org.springframework.boot:spring-boot-starter-actuator'
+    implementation 'org.springframework.boot:spring-boot-starter-security'
+    implementation 'org.springframework.boot:spring-boot-starter-amqp'
 
     ///// Security
     //https://nvd.nist.gov/vuln/detail/CVE-2020-5407 AND https://nvd.nist.gov/vuln/detail/CVE-2020-5408
-    compile 'org.springframework.security:spring-security-core:5.5.8'
-    compile 'org.springframework.security:spring-security-config:5.5.8'
-    compile 'org.springframework.security:spring-security-web:5.5.8'
+    implementation 'org.springframework.security:spring-security-core:5.8.5'
+    implementation 'org.springframework.security:spring-security-config:5.8.5'
+    implementation 'org.springframework.security:spring-security-web:5.8.5'
     //
 
-    compile 'org.springframework.security:spring-security-oauth2-client'
+    implementation 'org.springframework.security:spring-security-oauth2-client'
     //Fix CVE-2022-22969
-    compile 'org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE'
-    compile 'org.springframework.security:spring-security-jwt:1.0.11.RELEASE'
-    compile 'org.springframework.security:spring-security-ldap'
-    compile 'org.springframework.security.extensions:spring-security-saml2-core:2.0.0.M31'
+    implementation 'org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE'
+    implementation 'org.springframework.security:spring-security-jwt:1.0.11.RELEASE'
+    implementation 'org.springframework.security:spring-security-ldap'
+    // TODO: consider migration to spring-security-saml2-service-provider
+    implementation 'org.springframework.security.extensions:spring-security-saml2-core:2.0.0.M31'
 //  Temporary fix of https://nvd.nist.gov/vuln/detail/CVE-2019-12400
-    compile 'org.apache.santuario:xmlsec:2.1.7'
-
-    compile 'org.apache.tika:tika-core'
-
-    compile 'javax.inject:javax.inject:1'
-    compile 'io.springfox:springfox-swagger2'
-    compile 'org.apache.commons:commons-compress:1.21'
-    compile 'org.cryptacular:cryptacular:1.1.4'
-    compile 'org.yaml:snakeyaml:1.32'
-    compile 'org.hibernate:hibernate-core:5.4.24.Final'
-    compile 'org.springframework:spring-core:5.3.20'
-    compile "com.rabbitmq:http-client:2.1.0.RELEASE"
+    implementation 'org.apache.santuario:xmlsec:3.0.3'
+
+    implementation 'org.apache.tika:tika-core'
+
+    implementation 'javax.inject:javax.inject:1'
+    implementation 'io.springfox:springfox-swagger2'
+    implementation 'org.apache.commons:commons-compress:1.21'
+    implementation 'org.cryptacular:cryptacular:1.1.4'
+    // TODO: snakeyaml 2.0 supported by Spring Boot 3 only
+    implementation 'org.yaml:snakeyaml:1.33'
+    implementation 'org.hibernate:hibernate-core:5.4.24.Final'
+    implementation 'org.springframework:spring-core:5.3.30'
+    implementation "com.rabbitmq:http-client:5.0.0"
 }
 
 processResources {
@@ -122,4 +124,3 @@ jar.archiveClassifier.set('')
 
 publish.dependsOn build
 publish.mustRunAfter build
-

src/main/java/com/epam/reportportal/auth/AdminPasswordInitializer.java

@@ -7,7 +7,7 @@
 import com.epam.ta.reportportal.entity.user.User;
 import java.util.Optional;
 import javax.persistence.EntityNotFoundException;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Value;

src/main/java/com/epam/reportportal/auth/config/saml/SamlServiceProviderConfiguration.java

@@ -25,6 +25,8 @@
 import com.epam.ta.reportportal.entity.integration.IntegrationType;
 import com.google.common.collect.Lists;
 import org.opensaml.saml.saml2.core.NameID;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
@@ -60,7 +62,9 @@
 @Configuration
 public class SamlServiceProviderConfiguration {
 
-	@Value("${rp.auth.saml.base-path}")
+  private static final Logger LOGGER = LoggerFactory.getLogger(SamlServiceProviderConfiguration.class);
+
+  @Value("${rp.auth.saml.base-path}")
 	private String basePath;
 
 	@Value("${rp.auth.saml.entity-id}")
@@ -148,14 +152,14 @@ private List<ExternalIdentityProviderConfiguration> providers() {
 	}
 
 	private RotatingKeys rotatingKeys() {
-		return new RotatingKeys().setActive(activeKey()).setStandBy(standbyKeys());
+		return new RotatingKeys().setActive(getActiveKey()).setStandBy(standbyKeys());
 	}
 
 	private List<SimpleKey> standbyKeys() {
 		return Collections.emptyList();
 	}
 
-	private SimpleKey activeKey() {
+	private SimpleKey getActiveKey() {
 
 		if (signedRequests) {
 			X509Certificate certificate = CertificationUtil.getCertificateByName(keyAlias, keyStore, keyStorePassword);
@@ -167,7 +171,7 @@ private SimpleKey activeKey() {
 						.setPrivateKey(getEncoder().encodeToString(privateKey.getEncoded()))
 						.setName(activeKeyName);
 			} catch (CertificateEncodingException e) {
-				e.printStackTrace();
+        LOGGER.error("Failed to retrieve active key", e);
 			}
 		}
 		return new SimpleKey();
@@ -192,4 +196,4 @@ public String getBasePath() {
 		}
 	}
 
-}
+}

src/main/java/com/epam/reportportal/auth/integration/ldap/LdapUserReplicator.java

@@ -33,7 +33,7 @@
 import com.epam.ta.reportportal.util.PersonalProjectService;
 import java.util.Map;
 import java.util.Optional;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.ldap.core.DirContextOperations;
 import org.springframework.stereotype.Component;

src/main/java/com/epam/reportportal/auth/integration/parameter/SamlParameter.java

@@ -21,7 +21,7 @@
 import com.epam.ta.reportportal.exception.ReportPortalException;
 import com.epam.ta.reportportal.ws.model.ErrorType;
 import com.epam.ta.reportportal.ws.model.integration.auth.UpdateAuthRQ;
-import org.apache.commons.lang.StringUtils;
+import org.apache.commons.lang3.StringUtils;
 
 import java.util.HashMap;
 import java.util.Map;

src/main/java/com/epam/reportportal/auth/util/CertificationUtil.java

@@ -18,10 +18,17 @@
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Paths;
-import java.security.*;
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.UnrecoverableKeyException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 /**
  * Utility class for loading certificates from trusted stores
@@ -30,7 +37,9 @@
  */
 public class CertificationUtil {
 
-	public static X509Certificate getCertificateByName(String certificateAlias, String trustStoreName, String password) {
+  private static final Logger LOGGER = LoggerFactory.getLogger(CertificationUtil.class);
+
+  public static X509Certificate getCertificateByName(String certificateAlias, String trustStoreName, String password) {
 		try {
 			KeyStore keyStore = KeyStore.getInstance("JKS");
 			loadKeyStore(keyStore, trustStoreName, password);
@@ -67,7 +76,13 @@ private static void loadKeyStore(KeyStore keyStore, String jksPath, String jksPa
 		if (jksPath.startsWith("file://")) {
 			keyStore.load(Files.newInputStream(Paths.get(jksPath.replaceFirst("file://", ""))), password);
 		} else {
-			keyStore.load(ClassLoader.getSystemResourceAsStream(jksPath), password);
+      try (var is = ClassLoader.getSystemResourceAsStream(jksPath)) {
+        keyStore.load(is, password);
+      } catch (Exception e) {
+        LOGGER.error("Failed to load key store", e);
+        throw e;
+      }
+
 		}
 	}
 }