Fix vulnerability issue in multivimproxy 42/72742/1 1.2.1 3.0.0-ONAP 3.0.1-ONAP
authorVictor Gao <victor.gao@huawei.com>
Thu, 15 Nov 2018 08:31:25 +0000 (16:31 +0800)
committerVictor Gao <victor.gao@huawei.com>
Thu, 15 Nov 2018 08:31:25 +0000 (16:31 +0800)
upgrade springframework from 3.x to 4.x

CVE-2016-6812
CVE-2018-1270
CVE-2018-11039
SONATYPE-2015-0002
CVE-2014-3578
CVE-2018-1257
CVE-2017-12624
CVE-2018-8039

Change-Id: I671cf3c3fa29a4d935867d5030d77668a785dd88
Issue-ID: VFC-1187
Signed-off-by: Victor Gao <victor.gao@huawei.com>
service/pom.xml
service/src/main/java/org/onap/vfc/nfvo/multivimproxy/service/activator/ROAMultivimProxyServicePostProcessor.java [deleted file]
service/src/main/resources/spring/multivimproxy/services.xml

index 498ff56..da71144 100644 (file)
             <artifactId>com.springsource.org.apache.commons.codec</artifactId>\r
             <version>1.3.0</version>\r
         </dependency>\r
+        <dependency>\r
+            <groupId>commons-collections</groupId>\r
+            <artifactId>commons-collections</artifactId>\r
+            <version>3.2.2</version>\r
+        </dependency>\r
         <dependency>\r
             <groupId>net.sf.json-lib</groupId>\r
             <artifactId>json-lib</artifactId>\r
             <version>2.4</version>\r
             <classifier>jdk15</classifier>\r
+            <exclusions>\r
+                <exclusion>\r
+                    <groupId>commons-collections</groupId>\r
+                    <artifactId>commons-collections</artifactId>\r
+                </exclusion>\r
+            </exclusions>\r
         </dependency>\r
         <!--  dependency>\r
             <groupId>org.eclipse.jetty.orbit</groupId>\r
         <dependency>\r
             <groupId>org.springframework</groupId>\r
             <artifactId>spring-tx</artifactId>\r
-            <version>3.1.0.RELEASE</version>\r
+            <version>3.1.2.RELEASE</version>\r
         </dependency>\r
         <dependency>\r
             <groupId>org.mybatis</groupId>\r
         <dependency>\r
             <groupId>org.springframework</groupId>\r
             <artifactId>spring-core</artifactId>\r
-            <version>3.1.0.RELEASE</version>\r
+            <version>4.3.18.RELEASE</version>\r
         </dependency>\r
         <dependency>\r
             <groupId>org.springframework</groupId>\r
             <artifactId>spring-aop</artifactId>\r
-            <version>3.1.0.RELEASE</version>\r
+            <version>4.3.18.RELEASE</version>\r
         </dependency>\r
         <dependency>\r
             <groupId>org.springframework</groupId>\r
             <artifactId>spring-beans</artifactId>\r
-            <version>3.1.0.RELEASE</version>\r
+            <version>4.3.18.RELEASE</version>\r
         </dependency>\r
         <dependency>\r
             <groupId>org.springframework</groupId>\r
             <artifactId>spring-context</artifactId>\r
-            <version>3.1.0.RELEASE</version>\r
+            <version>4.3.18.RELEASE</version>\r
         </dependency>\r
         <dependency>\r
             <groupId>org.springframework</groupId>\r
             <artifactId>spring-jdbc</artifactId>\r
-            <version>3.1.0.RELEASE</version>\r
+            <version>4.3.18.RELEASE</version>\r
         </dependency>\r
         <dependency>\r
             <groupId>org.springframework</groupId>\r
             <artifactId>spring-web</artifactId>\r
             <version>3.2.14.RELEASE</version>\r
         </dependency>\r
-        <dependency>\r
+        <!--dependency>\r
             <groupId>org.springframework</groupId>\r
             <artifactId>spring-asm</artifactId>\r
-            <version>3.1.0.RELEASE</version>\r
-        </dependency>\r
+            <version>4.3.18.RELEASE</version>\r
+        </dependency-->\r
         <dependency>\r
             <groupId>org.springframework</groupId>\r
             <artifactId>spring-expression</artifactId>\r
-            <version>3.1.0.RELEASE</version>\r
+            <version>4.3.18.RELEASE</version>\r
         </dependency>\r
         <dependency>\r
             <groupId>org.springframework</groupId>\r
             <artifactId>spring-test</artifactId>\r
-            <version>3.1.0.RELEASE</version>\r
+            <version>4.3.18.RELEASE</version>\r
         </dependency>\r
 \r
+        <dependency>\r
+            <groupId>org.apache.cxf</groupId>\r
+            <artifactId>cxf-rt-transports-http</artifactId>\r
+            <version>3.1.17</version>\r
+        </dependency>\r
         <dependency>\r
             <groupId>org.apache.cxf</groupId>\r
             <artifactId>cxf-rt-frontend-jaxrs</artifactId>\r
-            <version>3.1.6</version>\r
+            <version>3.1.17</version>\r
+                       <exclusions>\r
+                <exclusion>\r
+                    <groupId>org.apache.cxf</groupId>\r
+                    <artifactId>cxf-rt-transports-http</artifactId>\r
+                </exclusion>\r
+            </exclusions>\r
         </dependency>\r
         <!-- UT coverage dependency start -->\r
         <dependency>\r
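Review bot: `spring-tx` only moves to `3.1.2.RELEASE` and `spring-web` stays at `3.2.14.RELEASE`, while core, aop, beans, context, jdbc, expression and test all go to `4.3.18.RELEASE`, so the service ends up with three Spring release lines on one classpath. Apart from the risk of linkage errors between 3.x and 4.x modules, CVE-2018-11039 from the commit message concerns the web module as far as I know, so leaving `spring-web` on 3.2.14 probably keeps that finding open. Declare one property, `<spring.version>4.3.18.RELEASE</spring.version>`, and use `<version>${spring.version}</version>` on every `org.springframework` artifact so the modules cannot drift apart again. The commented-out `spring-asm` block is better deleted than kept, since that artifact was folded into `spring-core` and, to my knowledge, has no 4.3.18 release. The `cxf-rt-transports-http` exclusion on `cxf-rt-frontend-jaxrs` also looks redundant, because both are pinned to `3.1.17`.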
diff --git a/service/src/main/java/org/onap/vfc/nfvo/multivimproxy/service/activator/ROAMultivimProxyServicePostProcessor.java b/service/src/main/java/org/onap/vfc/nfvo/multivimproxy/service/activator/ROAMultivimProxyServicePostProcessor.java
deleted file mode 100644 (file)
index fd3f1bc..0000000
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright 2016 Huawei Technologies Co., Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.onap.vfc.nfvo.multivimproxy.service.activator;
-
-import org.onap.vfc.nfvo.multivimproxy.service.adapter.inf.IMultivimProxyAdapterMgrService;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.BeansException;
-import org.springframework.beans.factory.config.DestructionAwareBeanPostProcessor;
-
-/**
- * <br>
- * <p>
- * </p>
- * 
- * @author
- * @version VFC 1.0 Sep 22, 2016
- */
-public class ROAMultivimProxyServicePostProcessor implements DestructionAwareBeanPostProcessor {
-
-    private static final Logger LOG = LoggerFactory.getLogger(ROAMultivimProxyServicePostProcessor.class);
-
-    @Override
-    public Object postProcessAfterInitialization(Object bean, String name) throws BeansException {
-        if(bean instanceof IMultivimProxyAdapterMgrService) {
-            LOG.warn("Register to Microservice BUS!");
-            IMultivimProxyAdapterMgrService proxyAdapterSvc = (IMultivimProxyAdapterMgrService)bean;
-            proxyAdapterSvc.register();
-        }
-
-        return bean;
-    }
-
-    @Override
-    public Object postProcessBeforeInitialization(Object bean, String name) throws BeansException {
-        // TODO Auto-generated method stub
-        return bean;
-    }
-
-    @Override
-    public void postProcessBeforeDestruction(Object bean, String name) throws BeansException {
-        // TODO Auto-generated method stub
-
-    }
-
-}
index 135b1d9..33bdb01 100644 (file)
@@ -35,7 +35,7 @@
     http://cxf.apache.org/transports/http/configuration
     http://cxf.apache.org/schemas/configuration/http-conf.xsd
     http://www.springframework.org/schema/aop
-    http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">
+    http://www.springframework.org/schema/aop/spring-aop.xsd">
 
     <!-- these are included in the dependency jar -->
     <import resource="classpath:META-INF/cxf/cxf.xml" />
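Review bot: This hunk only changes the aop schema location and does not remove a bean definition for `ROAMultivimProxyServicePostProcessor`, which this commit deletes. If services.xml or another context file still declares that class, the application context will fail to load it at startup. The deleted class was also where `proxyAdapterSvc.register()` ran after bean initialization, so the commit should state where registration with the Microservice BUS happens now; a service that silently stops registering is a behaviour change beyond a dependency upgrade. The rest of services.xml is outside this hunk, so this needs checking against the full file.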