Remove CLM issues with commons-collections

We know that we are not configuring an LDAP PIP in our
use of the XACML open source. The LDAP implementation
uses Apache Velocity, which uses a very old version
of commons-collections that has security issues. So
we can exclude commons-collections from the build.

Issue-ID: POLICY-504
Change-Id: I6d90731e601f58c8edaca6fe02df30ee2a090c2f
Signed-off-by: Pamela Dragosh <pdragosh@research.att.com>

diff --git a/controlloop/common/eventmanager/pom.xml b/controlloop/common/eventmanager/pom.xml
index d0ce651..6264e7e 100644 (file)
--- a/controlloop/common/eventmanager/pom.xml
+++ b/controlloop/common/eventmanager/pom.xml
@@ -48,6 +48,15 @@
       <artifactId>xacml</artifactId>
       <version>1.0.1</version>
       <scope>provided</scope>
+      <exclusions>
+        <!-- The LDAP PIP uses velocity which pulls this insecure jar in. We
+        are not using that PIP and can safely exclude this jar to resolve CLM issue.
+         -->
+        <exclusion>
+          <groupId>commons-collections</groupId>
+          <artifactId>commons-collections</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.onap.policy.drools-applications.controlloop.common.actors</groupId>

diff --git a/controlloop/common/guard/pom.xml b/controlloop/common/guard/pom.xml
index 36c7e19..ae3dbde 100644 (file)
--- a/controlloop/common/guard/pom.xml
+++ b/controlloop/common/guard/pom.xml
@@ -20,6 +20,15 @@
       <groupId>com.att.research.xacml</groupId>
       <artifactId>xacml-pdp</artifactId>
       <version>1.0.1</version>
+      <exclusions>
+        <!-- The LDAP PIP uses velocity which pulls this insecure jar in. We
+        are not using that PIP and can safely exclude this jar to resolve CLM issue.
+         -->
+        <exclusion>
+          <groupId>commons-collections</groupId>
+          <artifactId>commons-collections</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>junit</groupId>

diff --git a/controlloop/packages/artifacts/pom.xml b/controlloop/packages/artifacts/pom.xml
index 0965fa0..3b49a75 100644 (file)
--- a/controlloop/packages/artifacts/pom.xml
+++ b/controlloop/packages/artifacts/pom.xml
@@ -190,6 +190,15 @@
       <artifactId>xacml-pdp</artifactId>
       <version>1.0.1</version>
       <type>jar</type>
+      <exclusions>
+        <!-- The LDAP PIP uses velocity which pulls this insecure jar in. We
+        are not using that PIP and can safely exclude this jar to resolve CLM issue.
+         -->
+        <exclusion>
+          <groupId>commons-collections</groupId>
+          <artifactId>commons-collections</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
   </dependencies>
 </project>

diff --git a/controlloop/templates/template.demo/pom.xml b/controlloop/templates/template.demo/pom.xml
index f2700e7..ab69975 100644 (file)
--- a/controlloop/templates/template.demo/pom.xml
+++ b/controlloop/templates/template.demo/pom.xml
@@ -132,6 +132,15 @@
       <artifactId>xacml</artifactId>
       <version>1.0.1</version>
       <scope>test</scope>
+      <exclusions>
+        <!-- The LDAP PIP uses velocity which pulls this insecure jar in. We
+        are not using that PIP and can safely exclude this jar to resolve CLM issue.
+         -->
+        <exclusion>
+          <groupId>commons-collections</groupId>
+          <artifactId>commons-collections</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>com.att.research.xacml</groupId>