Fix DFC vulnerabilities 90/130490/2 1.9.0
authorTomasz Wrobel <tomasz.wrobel@nokia.com>
Thu, 25 Aug 2022 11:48:45 +0000 (13:48 +0200)
committerTomasz Wrobel <tomasz.wrobel@nokia.com>
Mon, 29 Aug 2022 16:41:45 +0000 (18:41 +0200)
- Update DCAE-SDK to version 1.8.10
- Update spring-boot to version 2.7.2
- Update spring to version 5.3.22
- Update tomcat-embed-core to version 9.0.65
- Update classgraph to version 4.8.149
- Update jackson-databind to version 2.13.3
- Update springdoc-openapi-ui to version 1.6.11

Issue-ID: DCAEGEN2-3211
Signed-off-by: Tomasz Wrobel <tomasz.wrobel@nokia.com>
Change-Id: Iab97ade90792708742283cdeec732ca11351ec28

Changelog.md
datafile-app-server/pom.xml
datafile-app-server/src/test/java/org/onap/dcaegen2/collectors/datafile/http/HttpClientResponseHelper.java
pom.xml
version.properties

index ce4f0e0..f673306 100644 (file)
@@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
+## [1.9.0] - 2022/08/26
+### Changed
+- [DCAEGEN2-3211] Fix vulnerabilities
+  - Update DCAE-SDK to version 1.8.10
+  - Update spring-boot to version 2.7.2
+  - Update spring to version 5.3.22
+  - Update tomcat-embed-core to version 9.0.65
+  - Update classgraph to version 4.8.149
+  - Update jackson-databind to version 2.13.3
+  - Update springdoc-openapi-ui to version 1.6.11
+
 ## [1.8.0] - 2022/06/24
 ### Changed
 - [DCAEGEN2-3039] Make certificate dependencies configurable
index 14620ed..decf073 100644 (file)
@@ -27,7 +27,7 @@
     <parent>
         <groupId>org.onap.dcaegen2.collectors</groupId>
         <artifactId>datafile</artifactId>
-        <version>1.8.0-SNAPSHOT</version>
+        <version>${revision}</version>
     </parent>
 
     <groupId>org.onap.dcaegen2.collectors.datafile</groupId>
@@ -37,8 +37,9 @@
     <properties>
         <docker.image.name>onap/${project.groupId}.${project.artifactId}</docker.image.name>
         <maven.build.timestamp.format>yyyyMMdd'T'HHmmss</maven.build.timestamp.format>
-        <docker-client.version>8.7.1</docker-client.version>
-        <tomcat-embed-core.version>9.0.56</tomcat-embed-core.version>
+
+        <!--Skip missing changelog-->
+        <onap-gerrit-review>-changelog-missing</onap-gerrit-review>
     </properties>
 
     <dependencies>
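Review bot: The added `<onap-gerrit-review>-changelog-missing</onap-gerrit-review>` property switches off the missing-changelog check for this module (going by its own comment `<!--Skip missing changelog-->`), even though this commit does update Changelog.md and should not need the exemption. Once merged, the suppression stays in effect for every later change, so future dependency bumps can land without a changelog entry recording them. I would drop both added lines. If the check cannot pass for a structural reason, the comment should state that reason rather than only restating what the property does.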
             <groupId>org.springframework</groupId>
             <artifactId>spring-webmvc</artifactId>
         </dependency>
-        <dependency>
-            <groupId>com.spotify</groupId>
-            <artifactId>docker-client</artifactId>
-            <version>${docker-client.version}</version>
-        </dependency>
         <dependency>
             <groupId>org.apache.tomcat.embed</groupId>
             <artifactId>tomcat-embed-core</artifactId>
-            <version>${tomcat-embed-core.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <groupId>org.apache.httpcomponents.core5</groupId>
             <artifactId>httpcore5</artifactId>
         </dependency>
+        <dependency>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+        </dependency>
 
         <!-- Actuator dependencies -->
         <dependency>
             <groupId>org.springdoc</groupId>
             <artifactId>springdoc-openapi-data-rest</artifactId>
         </dependency>
-        <dependency>
-            <groupId>com.fasterxml.jackson.core</groupId>
-            <artifactId>jackson-databind</artifactId>
-        </dependency>
     </dependencies>
 
     <build>
index 22067d0..c04b1a7 100644 (file)
@@ -1,6 +1,6 @@
 /*-
  * ============LICENSE_START======================================================================
- * Copyright (C) 2020-2021 Nokia. All rights reserved.
+ * Copyright (C) 2020-2022 Nokia. All rights reserved.
  * ===============================================================================================
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
  * in compliance with the License. You may obtain a copy of the License at
@@ -27,6 +27,7 @@ import org.apache.http.ProtocolVersion;
 import org.apache.http.StatusLine;
 import org.apache.http.client.methods.CloseableHttpResponse;
 import org.apache.http.params.HttpParams;
+import reactor.core.publisher.Mono;
 import reactor.netty.http.client.HttpClientResponse;
 import reactor.util.context.Context;
 import reactor.util.context.ContextView;
@@ -122,6 +123,11 @@ public class HttpClientResponseHelper {
         public HttpResponseStatus status() {
             return HttpResponseStatus.OK;
         }
+
+        @Override
+        public Mono<HttpHeaders> trailerHeaders() {
+            return null;
+        }
     };
 
     public static final HttpClientResponse RESPONSE_ANY_NO_OK = new HttpClientResponse() {
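Review bot: The added `trailerHeaders()` override returns `null` from a method typed `Mono<HttpHeaders>`, so any code under test that subscribes to or chains on the result fails with a NullPointerException instead of seeing an empty signal. `return Mono.empty();` keeps the stub inside the reactive contract, and the `Mono` import this commit adds already covers it. The identical override added to `RESPONSE_ANY_NO_OK` in the next hunk needs the same change. The enclosing anonymous class starts above this hunk, so whether its other stubbed methods follow a return-null convention is not visible here.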
@@ -193,6 +199,11 @@ public class HttpClientResponseHelper {
         @Override public HttpResponseStatus status() {
             return HttpResponseStatus.NOT_IMPLEMENTED;
         }
+
+        @Override
+        public Mono<HttpHeaders> trailerHeaders() {
+            return null;
+        }
     };
 
     public static final CloseableHttpResponse APACHE_RESPONSE_OK = new CloseableHttpResponse() {
diff --git a/pom.xml b/pom.xml
index 033764c..1b803e4 100644 (file)
--- a/pom.xml
+++ b/pom.xml
@@ -32,8 +32,7 @@
 
     <groupId>org.onap.dcaegen2.collectors</groupId>
     <artifactId>datafile</artifactId>
-    <version>1.8.0-SNAPSHOT</version>
-
+    <version>${revision}</version>
     <name>dcaegen2-collectors.datafile</name>
     <description>datafile collector</description>
     <packaging>pom</packaging>
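Review bot: `<version>${revision}</version>` here, together with the `${revision}` parent version in datafile-app-server/pom.xml, leaves the literal placeholder in the installed and deployed POMs unless they are flattened during the build. Nothing visible in this diff adds `flatten-maven-plugin`, and the `<build>` section lies outside the hunks, so please confirm it is configured with `<flattenMode>resolveCiFriendliesOnly</flattenMode>`. Without it, anything consuming the published artifacts cannot resolve the parent version, and the released coordinates no longer map to one exact build.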
     </licenses>
 
     <properties>
+        <revision>1.9.0-SNAPSHOT</revision>
         <java.version>11</java.version>
-        <sdk.version>1.8.8</sdk.version>
+        <sdk.version>1.8.10</sdk.version>
         <apache.httpcomponents.version>4.1.4</apache.httpcomponents.version>
         <apache.commons.version>3.6</apache.commons.version>
         <immutable.version>2.7.1</immutable.version>
-        <spring.version>5.3.14</spring.version>
-        <spring-boot.version>2.4.5</spring-boot.version>
+        <spring.version>5.3.22</spring.version>
+        <spring-boot.version>2.7.2</spring-boot.version>
         <commons-io.version>2.8.0</commons-io.version>
         <commons-net.version>3.3</commons-net.version>
         <projectreactor.version>2020.0.2</projectreactor.version>
         <httpcomponents.core5.version>5.0.3</httpcomponents.core5.version>
+        <tomcat-embed-core.version>9.0.65</tomcat-embed-core.version>
+        <io.github.classgraph.version>4.8.149</io.github.classgraph.version>
 
         <!-- LOGGING SETTINGS -->
         <slf4j.version>1.7.25</slf4j.version>
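Review bot: `projectreactor.version` stays at 2020.0.2 in this block while `spring-boot.version` moves from 2.4.5 to 2.7.2 and `sdk.version` to 1.8.10. The test helper in this same commit had to implement `trailerHeaders()`, which suggests a newer reactor-netty is already arriving transitively, so the Reactor artifacts may now resolve to mixed releases. That depends on how the property is used under `dependencyManagement`, which is not visible here. Running `mvn dependency:tree -Dincludes=io.projectreactor.netty` before merging would show the effective version. If the pin is stale, either raise it or remove it so the imported BOM decides.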
@@ -75,7 +77,7 @@
         <jcraft.version>0.1.54</jcraft.version>
         <springfox.version>3.0.0</springfox.version>
         <awaitility.version>3.1.6</awaitility.version>
-        <jackson-databind.version>2.11.4</jackson-databind.version>
+        <jackson-databind.version>2.13.3</jackson-databind.version>
         <powermock.version>2.0.9</powermock.version>
 
         <!-- Plugin versions -->
@@ -86,7 +88,7 @@
         <sonar.coverage.jacoco.xmlReportPaths>
             ${project.reporting.outputDirectory}/jacoco-ut/jacoco.xml
         </sonar.coverage.jacoco.xmlReportPaths>
-        <springdoc-openapi-ui.version>1.5.3</springdoc-openapi-ui.version>
+        <springdoc-openapi-ui.version>1.6.11</springdoc-openapi-ui.version>
     </properties>
 
     <dependencyManagement>
                 <artifactId>gson</artifactId>
                 <version>${immutable.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.apache.tomcat.embed</groupId>
+                <artifactId>tomcat-embed-core</artifactId>
+                <version>${tomcat-embed-core.version}</version>
+            </dependency>
             <dependency>
                 <groupId>org.springframework</groupId>
                 <artifactId>spring-web</artifactId>
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
+            <dependency>
+                <groupId>io.github.classgraph</groupId>
+                <artifactId>classgraph</artifactId>
+                <version>${io.github.classgraph.version}</version>
+            </dependency>
             <dependency>
                 <groupId>commons-io</groupId>
                 <artifactId>commons-io</artifactId>
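Review bot: The `classgraph` entry is added only under `dependencyManagement`, and no module in this diff declares it directly, so it reads as a pin on a transitive dependency with no indication of which artifact pulls it in. Without that, a later maintainer cannot tell when the pin is safe to delete or whether it still overrides anything after the next upgrade. A one-line comment above the entry would cover it, e.g. `<!-- Pin transitive classgraph (via <PARENT-ARTIFACT>) to 4.8.149 for DCAEGEN2-3211; remove once upstream ships it -->`.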
index 3c57200..f9146bd 100644 (file)
@@ -1,5 +1,5 @@
 major=1\r
-minor=8\r
+minor=9\r
 patch=0\r
 base_version=${major}.${minor}.${patch}\r
 release_version=${base_version}\r