Fixed the rest of the Security Issues 05/43305/1
authorwasala <przemyslaw.wasala@nokia.com>
Tue, 17 Apr 2018 10:25:54 +0000 (12:25 +0200)
committerwasala <przemyslaw.wasala@nokia.com>
Tue, 17 Apr 2018 10:25:54 +0000 (12:25 +0200)
* Replace the Jackson library with Gson
* Remove the posix library, which carries strong copyleft licenses

Change-Id: I37ec6a359912481d1546293a8a8aeeedd6c907e2
Issue-ID: DCAEGEN2-426
Signed-off-by: wasala <przemyslaw.wasala@nokia.com>
pom.xml
prh-aai-client/pom.xml
prh-aai-client/src/main/java/org/onap/dcaegen2/services/config/AAIHttpClientConfiguration.java
prh-app-server/pom.xml
prh-app-server/src/main/java/org/onap/dcaegen2/services/prh/MainApp.java
prh-app-server/src/main/java/org/onap/dcaegen2/services/prh/configuration/PrhAppConfig.java
prh-dmaap-client/pom.xml
prh-dmaap-client/src/main/java/org/onap/dcaegen2/services/config/DmaapConsumerConfiguration.java
prh-dmaap-client/src/main/java/org/onap/dcaegen2/services/config/DmaapPublisherConfiguration.java

diff --git a/pom.xml b/pom.xml
index ccaa988..8c652d4 100644 (file)
--- a/pom.xml
+++ b/pom.xml
         <version>${immutable.version}</version>
         <scope>provided</scope>
       </dependency>
+      <dependency>
+        <groupId>org.immutables</groupId>
+        <artifactId>gson</artifactId>
+        <version>${immutable.version}</version>
+      </dependency>
       <dependency>
         <groupId>com.spotify</groupId>
         <artifactId>docker-maven-plugin</artifactId>
         <artifactId>plexus-utils</artifactId>
         <version>3.1.0</version>
       </dependency>
-      <dependency>
-        <groupId>com.github.jnr</groupId>
-        <artifactId>jnr-posix</artifactId>
-        <version>3.0.44</version>
-      </dependency>
       <dependency>
         <groupId>org.apache.httpcomponents</groupId>
         <artifactId>httpclient</artifactId>
         <artifactId>spring-context</artifactId>
         <version>5.0.5.RELEASE</version>
       </dependency>
-      <dependency>
-        <groupId>com.fasterxml.jackson.datatype</groupId>
-        <artifactId>jackson-datatype-jdk8</artifactId>
-        <version>2.9.5</version>
-      </dependency>
       <dependency>
         <groupId>org.apache.tomcat.embed</groupId>
         <artifactId>tomcat-embed-core</artifactId>
index 390e053..49f0dce 100644 (file)
       <groupId>org.immutables</groupId>
       <artifactId>value</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.immutables</groupId>
+      <artifactId>gson</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.apache.httpcomponents</groupId>
       <artifactId>httpclient</artifactId>
       <groupId>org.apache.commons</groupId>
       <artifactId>commons-lang3</artifactId>
     </dependency>
-    <dependency>
-      <groupId>com.fasterxml.jackson.datatype</groupId>
-      <artifactId>jackson-datatype-jdk8</artifactId>
-    </dependency>
 
     <!-- LOGGING DEPENDENCIES-->
     <dependency>
index 4b17b4b..f9cbeb1 100644 (file)
 package org.onap.dcaegen2.services.config;
 
 
-import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
-import org.immutables.value.Value;
 import java.io.Serializable;
+import org.immutables.gson.Gson;
+import org.immutables.value.Value;
 import org.springframework.stereotype.Component;
 
 
 @Component
 @Value.Immutable(prehash = true)
 @Value.Style(builder = "new")
-@JsonDeserialize(builder = ImmutableAAIHttpClientConfiguration.Builder.class)
+@Gson.TypeAdapters
 public abstract class AAIHttpClientConfiguration implements Serializable {
 
     private static final long serialVersionUID = 1L;
index 1b5ed13..e5f2c8c 100644 (file)
     <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-web</artifactId>
+      <exclusions>
+        <exclusion>
+          <artifactId>jackson-databind</artifactId>
+          <groupId>com.fasterxml.jackson.core</groupId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-webflux</artifactId>
+      <exclusions>
+        <exclusion>
+          <artifactId>jackson-databind</artifactId>
+          <groupId>com.fasterxml.jackson.core</groupId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>com.spotify</groupId>
       <groupId>org.codehaus.plexus</groupId>
       <artifactId>plexus-utils</artifactId>
     </dependency>
-    <dependency>
-      <groupId>com.github.jnr</groupId>
-      <artifactId>jnr-posix</artifactId>
-    </dependency>
-    <dependency>
-      <groupId>com.fasterxml.jackson.datatype</groupId>
-      <artifactId>jackson-datatype-jdk8</artifactId>
-    </dependency>
     <dependency>
       <groupId>org.apache.tomcat.embed</groupId>
       <artifactId>tomcat-embed-core</artifactId>
         <version>2.0.1.RELEASE</version>
         <type>pom</type>
         <scope>import</scope>
+        <exclusions>
+          <exclusion>
+            <artifactId>jackson-databind</artifactId>
+            <groupId>com.fasterxml.jackson.core</groupId>
+          </exclusion>
+        </exclusions>
       </dependency>
     </dependencies>
   </dependencyManagement>
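Review bot: The `<exclusions>` block added to the `import`-scoped entry under `<dependencyManagement>` (version 2.0.1.RELEASE, coordinates outside the hunk) most likely has no effect, because Maven 3 does not apply exclusions to an imported BOM. Only the two starter-level exclusions earlier in this file actually remove `jackson-databind`. Those leave the other Jackson artifacts the starters bring in (presumably through `spring-boot-starter-json`) on the classpath without the databind jar they depend on, and any other dependency can still pull it back. I would exclude `spring-boot-starter-json` from both starters instead and add a comment such as `<!-- Jackson removed on purpose (DCAEGEN2-426); Gson is the JSON binding -->`. The result can be confirmed with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core`.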
index 2671669..fd86448 100644 (file)
@@ -20,7 +20,9 @@
 package org.onap.dcaegen2.services.prh;
 
 import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.boot.autoconfigure.jackson.JacksonAutoConfiguration;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.ComponentScan;
 import org.springframework.context.annotation.Configuration;
@@ -35,6 +37,7 @@ import org.springframework.scheduling.concurrent.ConcurrentTaskScheduler;
 @Configuration
 @ComponentScan
 @EnableScheduling
+@EnableAutoConfiguration(exclude = {JacksonAutoConfiguration.class})
 public class MainApp {
 
     public static void main(String[] args) {
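Review bot: The added `@EnableAutoConfiguration(exclude = {JacksonAutoConfiguration.class})` carries no comment saying why Jackson is switched off, and it may duplicate an `@SpringBootApplication` above line 37, which is imported but outside the hunk. If that annotation is present, the usual form is `@SpringBootApplication(exclude = {JacksonAutoConfiguration.class})`, which avoids declaring auto-configuration twice. Either way I would add `// Jackson is removed from the classpath in the pom; keep its auto-configuration off even if a transitive dependency reintroduces it`. The class body continues outside the hunk.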
index 37b17f6..6f077a3 100644 (file)
  */
 package org.onap.dcaegen2.services.prh.configuration;
 
-import com.fasterxml.jackson.core.JsonParseException;
-import com.fasterxml.jackson.databind.JsonMappingException;
-import com.fasterxml.jackson.databind.JsonNode;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.databind.node.NullNode;
-import com.fasterxml.jackson.databind.node.ObjectNode;
-import com.fasterxml.jackson.datatype.jdk8.Jdk8Module;
+import static org.apache.tomcat.util.file.ConfigFileLoader.getInputStream;
+
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParser;
+import com.google.gson.JsonSyntaxException;
+import com.google.gson.TypeAdapterFactory;
 import java.io.BufferedInputStream;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.InputStreamReader;
 import java.time.LocalDateTime;
 import java.time.format.DateTimeFormatter;
-import java.util.Optional;
+import java.util.ServiceLoader;
 import javax.validation.constraints.NotEmpty;
+import javax.validation.constraints.NotNull;
 import org.onap.dcaegen2.services.config.AAIHttpClientConfiguration;
 import org.onap.dcaegen2.services.config.DmaapConsumerConfiguration;
 import org.onap.dcaegen2.services.config.DmaapPublisherConfiguration;
-import org.onap.dcaegen2.services.config.ImmutableAAIHttpClientConfiguration;
-import org.onap.dcaegen2.services.config.ImmutableDmaapConsumerConfiguration;
-import org.onap.dcaegen2.services.config.ImmutableDmaapPublisherConfiguration;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.boot.context.properties.ConfigurationProperties;
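Review bot: The added `import static org.apache.tomcat.util.file.ConfigFileLoader.getInputStream;` is shadowed by the class's own `getInputStream(String)` further down in this file's diff, so it is dead today but would silently take over if that method were renamed or removed. As far as I know the Tomcat loader also accepts a URL as its location, so after such a change `filepath` could resolve to a remote resource instead of a local file. It also ties the configuration loader to a Tomcat-internal class. I would delete the import and keep the local `FileInputStream`-based method as the only resolver.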
@@ -76,49 +77,54 @@ public class PrhAppConfig implements AppConfig {
 
     public void initFileStreamReader() {
 
-        ObjectMapper jsonObjectMapper = new ObjectMapper().registerModule(new Jdk8Module());
-        JsonNode jsonNode;
+        GsonBuilder gsonBuilder = new GsonBuilder();
+        ServiceLoader.load(TypeAdapterFactory.class).forEach(gsonBuilder::registerTypeAdapterFactory);
+        JsonParser parser = new JsonParser();
+        JsonObject jsonObject;
         try (InputStream inputStream = getInputStream(filepath)) {
-            ObjectNode root = (ObjectNode) jsonObjectMapper.readTree(inputStream);
-            jsonNode = Optional.ofNullable(root.get(CONFIG).get(AAI).get(AAI_CONFIG)).orElse(NullNode.getInstance());
-            aaiHttpClientConfiguration = jsonObjectMapper
-                .treeToValue(jsonNode, ImmutableAAIHttpClientConfiguration.class);
-            jsonNode = Optional.ofNullable(root.get(CONFIG).get(DMAAP).get(DMAAP_CONSUMER))
-                .orElse(NullNode.getInstance());
-            dmaapConsumerConfiguration = jsonObjectMapper
-                .treeToValue(jsonNode, ImmutableDmaapConsumerConfiguration.class);
-            jsonNode = Optional.ofNullable(root.get(CONFIG).get(DMAAP).get(DMAAP_PRODUCER))
-                .orElse(NullNode.getInstance());
-            dmaapPublisherConfiguration = jsonObjectMapper
-                .treeToValue(jsonNode, ImmutableDmaapPublisherConfiguration.class);
+            JsonElement rootElement = parser.parse(new InputStreamReader(inputStream));
+            if (rootElement.isJsonObject()) {
+                jsonObject = rootElement.getAsJsonObject();
+                aaiHttpClientConfiguration = deserializeType(gsonBuilder,
+                    jsonObject.getAsJsonObject(CONFIG).getAsJsonObject(AAI).getAsJsonObject(AAI_CONFIG),
+                    AAIHttpClientConfiguration.class);
+
+                dmaapConsumerConfiguration = deserializeType(gsonBuilder,
+                    jsonObject.getAsJsonObject(CONFIG).getAsJsonObject(DMAAP).getAsJsonObject(DMAAP_CONSUMER),
+                    DmaapConsumerConfiguration.class);
+
+                dmaapPublisherConfiguration = deserializeType(gsonBuilder,
+                    jsonObject.getAsJsonObject(CONFIG).getAsJsonObject(DMAAP).getAsJsonObject(DMAAP_PRODUCER),
+                    DmaapPublisherConfiguration.class);
+            }
+
         } catch (FileNotFoundException e) {
             logger
                 .error(
                     "Configuration PrhAppConfig initFileStreamReader()::FileNotFoundException :: Execution Time - {}:{}",
                     dateTimeFormatter.format(
                         LocalDateTime.now()), e);
-        } catch (JsonParseException e) {
-            logger
-                .error(
-                    "Configuration PrhAppConfig initFileStreamReader()::JsonParseException :: Execution Time - {}:{}",
-                    dateTimeFormatter.format(
-                        LocalDateTime.now()), e);
-        } catch (JsonMappingException e) {
+        } catch (IOException e) {
             logger
                 .error(
-                    "Configuration PrhAppConfig initFileStreamReader()::JsonMappingException :: Execution Time - {}:{}",
+                    "Configuration PrhAppConfig initFileStreamReader()::IOException :: Execution Time - {}:{}",
                     dateTimeFormatter.format(
                         LocalDateTime.now()), e);
-        } catch (IOException e) {
+        } catch (JsonSyntaxException e) {
             logger
                 .error(
-                    "Configuration PrhAppConfig initFileStreamReader()::IOException :: Execution Time - {}:{}",
+                    "Configuration PrhAppConfig initFileStreamReader()::JsonSyntaxException :: Execution Time - {}:{}",
                     dateTimeFormatter.format(
                         LocalDateTime.now()), e);
         }
     }
 
-    InputStream getInputStream(String filepath) throws FileNotFoundException {
+    private <T> T deserializeType(@NotNull GsonBuilder gsonBuilder, @NotNull JsonObject jsonObject,
+        @NotNull Class<T> type) {
+        return gsonBuilder.create().fromJson(jsonObject, type);
+    }
+
+    InputStream getInputStream(@NotNull String filepath) throws FileNotFoundException {
         return new BufferedInputStream(new FileInputStream(filepath));
     }
 
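Review bot: In `initFileStreamReader()` a missing `CONFIG`, `AAI` or `DMAAP` object makes the chained `getAsJsonObject(...)` calls throw a NullPointerException that none of the three catch blocks handles, and a root that is not a JSON object is skipped without any log line. Either way the AAI and DMaaP client configurations can stay unset with no diagnostic. I would walk the tree through a null-safe helper, log and return when the `CONFIG` object is absent, build the `Gson` instance once, and read the stream as UTF-8 rather than the platform charset (this needs `java.nio.charset.StandardCharsets`). The `@NotNull` annotations from `javax.validation` on the private `deserializeType` are not enforced by anything visible here, so the explicit checks have to carry that contract. The enclosing class starts outside the hunk.

```java
        Gson gson = gsonBuilder.create();
        try (InputStream inputStream = getInputStream(filepath)) {
            JsonElement rootElement = parser.parse(new InputStreamReader(inputStream, StandardCharsets.UTF_8));
            JsonObject configs = rootElement.isJsonObject() ? child(rootElement.getAsJsonObject(), CONFIG) : null;
            if (configs == null) {
                // Fail loudly: without this section none of the client configurations can be built.
                logger.error("Configuration PrhAppConfig initFileStreamReader()::missing '{}' object in {}",
                    CONFIG, filepath);
                return;
            }
            aaiHttpClientConfiguration = deserializeType(gson, child(child(configs, AAI), AAI_CONFIG),
                AAIHttpClientConfiguration.class);
            // … same pattern for dmaapConsumerConfiguration and dmaapPublisherConfiguration …
        // … unchanged: catch blocks …

    /** Returns the named member when it exists and is a JSON object, otherwise null. */
    private static JsonObject child(JsonObject parent, String key) {
        JsonElement element = parent == null ? null : parent.get(key);
        return element != null && element.isJsonObject() ? element.getAsJsonObject() : null;
    }

    private <T> T deserializeType(Gson gson, JsonObject jsonObject, Class<T> type) {
        // Gson returns null for a null element, so an absent section yields a null configuration.
        return gson.fromJson(jsonObject, type);
    }
```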
index 4d93831..6354374 100644 (file)
@@ -45,8 +45,8 @@
       <artifactId>value</artifactId>
     </dependency>
     <dependency>
-      <groupId>com.fasterxml.jackson.datatype</groupId>
-      <artifactId>jackson-datatype-jdk8</artifactId>
+      <groupId>org.immutables</groupId>
+      <artifactId>gson</artifactId>
     </dependency>
 
     <!-- LOGGING DEPENDENCIES -->
index 9b322c9..de24cae 100644 (file)
@@ -19,7 +19,7 @@
  */
 package org.onap.dcaegen2.services.config;
 
-import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import org.immutables.gson.Gson;
 import org.immutables.value.Value;
 import org.springframework.stereotype.Component;
 
@@ -29,7 +29,7 @@ import org.springframework.stereotype.Component;
 @Component
 @Value.Immutable(prehash = true)
 @Value.Style(builder = "new")
-@JsonDeserialize(builder = ImmutableDmaapConsumerConfiguration.Builder.class)
+@Gson.TypeAdapters
 public abstract class DmaapConsumerConfiguration implements DmaapCustomConfig {
 
     private static final long serialVersionUID = 1L;
index 6607853..50a79dd 100644 (file)
@@ -19,7 +19,7 @@
  */
 package org.onap.dcaegen2.services.config;
 
-import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
+import org.immutables.gson.Gson;
 import org.immutables.value.Value;
 import org.springframework.stereotype.Component;
 
@@ -29,7 +29,7 @@ import org.springframework.stereotype.Component;
 @Component
 @Value.Immutable(prehash = true)
 @Value.Style(builder = "new")
-@JsonDeserialize(builder = ImmutableDmaapPublisherConfiguration.Builder.class)
+@Gson.TypeAdapters
 public abstract class DmaapPublisherConfiguration implements DmaapCustomConfig {
 
     private static final long serialVersionUID = 1L;
@@ -42,6 +42,4 @@ public abstract class DmaapPublisherConfiguration implements DmaapCustomConfig {
     public static DmaapPublisherConfiguration.Builder builder() {
         return ImmutableDmaapPublisherConfiguration.builder();
     }
-
-
 }