From: Michael Arrastia <MArrasti@amdocs.com>
Date: Wed, 6 Jun 2018 12:27:52 +0000 (+0100)
Subject: Fix Fortify scan vulnerabilities
X-Git-Tag: 1.3.0~27
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;ds=sidebyside;h=refs%2Fchanges%2F77%2F50677%2F1;p=aai%2Fchamp.git

Fix Fortify scan vulnerabilities

Change-Id: I9a402ca1bb1755cf5ff9fc04eba781ed7f2b4a1c
Issue-ID: AAI-1193
Signed-off-by: Michael Arrastia <MArrasti@amdocs.com>
---

diff --git a/champ-lib/champ-core/src/main/java/org/onap/aai/champcore/graph/impl/TinkerpopTransaction.java b/champ-lib/champ-core/src/main/java/org/onap/aai/champcore/graph/impl/TinkerpopTransaction.java
index 5db9cba..f78abea 100644
--- a/champ-lib/champ-core/src/main/java/org/onap/aai/champcore/graph/impl/TinkerpopTransaction.java
+++ b/champ-lib/champ-core/src/main/java/org/onap/aai/champcore/graph/impl/TinkerpopTransaction.java
@@ -20,8 +20,7 @@
  */
 package org.onap.aai.champcore.graph.impl;
 
-import java.util.UUID;
-
+import java.security.SecureRandom;
 import org.apache.tinkerpop.gremlin.structure.Graph;
 import org.onap.aai.champcore.ChampTransaction;
 import org.onap.aai.champcore.exceptions.ChampTransactionException;
@@ -31,68 +30,68 @@ import org.slf4j.LoggerFactory;
 public class TinkerpopTransaction extends ChampTransaction {
 
   private static final int COMMIT_RETRY_COUNT = 3;
-  
+
   /** Threaded Tinkerpop transaction. */
   protected Graph threadedTransaction;
 
-  
+
   private static final Logger LOGGER = LoggerFactory.getLogger(TinkerpopTransaction.class);
 
   protected TinkerpopTransaction() { }
-  
-  
+
+
   /**
    * Creates a new transaction instance.
-   * 
+   *
    * @param aGraphInstance - Instance of the graph to request the transaction from.
    */
   public TinkerpopTransaction(Graph aGraphInstance) {
     super();
-    
+
     if(!aGraphInstance.features().graph().supportsTransactions()) {
       throw new UnsupportedOperationException();
     }
-  
+
     // Request a threaded transaction object from the graph.
     this.threadedTransaction = aGraphInstance.tx().createThreadedTx();
-    
+
     LOGGER.info("Open transaction - id: " + id);
   }
-  
+
   @Override
   public String id() {
     return id.toString();
   }
-  
+
   public Graph getGraphInstance() {
     return threadedTransaction;
   }
 
   @Override
   public void commit() throws ChampTransactionException {
-    
-    LOGGER.debug("Commiting transaction - " + id); 
-    
-    final long initialBackoff = (int) (Math.random() * 50);
+
+    LOGGER.debug("Commiting transaction - " + id);
+
+    final long initialBackoff = (int)(new SecureRandom().nextDouble() * 50);
 
     // If something goes wrong, we will retry a couple of times before
     // giving up.
     for (int i = 0; i < COMMIT_RETRY_COUNT; i++) {
-          
+
       try {
-        
+
         // Do the commit.
         threadedTransaction.tx().commit();
         LOGGER.info("Committed transaction - id: " + id);
         return;
-        
+
       } catch (Throwable e) {
-        
+
         LOGGER.debug("Transaction " + id + " failed to commit due to: " + e.getMessage());
-        
+
         // Have we used up all of our retries?
         if (i == COMMIT_RETRY_COUNT - 1) {
-          
+
           LOGGER.error("Maxed out commit attempt retries, client must handle exception and retry", e);
           threadedTransaction.tx().rollback();
           throw new ChampTransactionException(e);
@@ -101,13 +100,13 @@ public class TinkerpopTransaction extends ChampTransaction {
         // Calculate how long we will wait before retrying...
         final long backoff = (long) Math.pow(2, i) * initialBackoff;
         LOGGER.warn("Caught exception while retrying transaction commit, retrying in " + backoff + " ms");
-          
+
         // ...and sleep before trying the commit again.
         try {
           Thread.sleep(backoff);
-          
+
         } catch (InterruptedException ie) {
-          
+
           LOGGER.info("Interrupted while backing off on transaction commit");
           Thread.interrupted();
           return;
@@ -118,41 +117,41 @@ public class TinkerpopTransaction extends ChampTransaction {
 
   @Override
   public void rollback() throws ChampTransactionException {
-      
-    long initialBackoff = (int) (Math.random() * 50);
 
-    
+    long initialBackoff = (int)(new SecureRandom().nextDouble() * 50);
+
+
     // If something goes wrong, we will retry a couple of times before
     // giving up.
     for (int i = 0; i < COMMIT_RETRY_COUNT; i++) {
-            
+
       try {
-      
-        threadedTransaction.tx().rollback(); 
+
+        threadedTransaction.tx().rollback();
         LOGGER.info("Rolled back transaction - id: " + id);
         return;
-        
+
       } catch (Throwable e) {
-        
+
         LOGGER.debug("Transaction " + id + " failed to roll back due to: " + e.getMessage());
-        
+
         // Have we used up all of our retries?
         if (i == COMMIT_RETRY_COUNT - 1) {
-          
+
           LOGGER.error("Maxed out rollback attempt retries, client must handle exception and retry", e);
           throw new ChampTransactionException(e);
         }
-  
+
         // Calculate how long we will wait before retrying...
         final long backoff = (long) Math.pow(2, i) * initialBackoff;
         LOGGER.warn("Caught exception while retrying transaction roll back, retrying in " + backoff + " ms");
-          
+
         // ...and sleep before trying the commit again.
         try {
           Thread.sleep(backoff);
-          
+
         } catch (InterruptedException ie) {
-          
+
           LOGGER.info("Interrupted while backing off on transaction rollback");
           Thread.interrupted();
           return;
diff --git a/champ-lib/champ-core/src/main/java/org/onap/aai/champcore/ie/GraphMLImporterExporter.java b/champ-lib/champ-core/src/main/java/org/onap/aai/champcore/ie/GraphMLImporterExporter.java
index a41f159..9f2f719 100644
--- a/champ-lib/champ-core/src/main/java/org/onap/aai/champcore/ie/GraphMLImporterExporter.java
+++ b/champ-lib/champ-core/src/main/java/org/onap/aai/champcore/ie/GraphMLImporterExporter.java
@@ -97,6 +97,7 @@ public class GraphMLImporterExporter implements Importer, Exporter {
 
 		try {
 			final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+			factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); 
 			final DocumentBuilder builder = factory.newDocumentBuilder();
 			final InputSource inputSource = new InputSource(is);
 		    final Document doc = builder.parse(inputSource);
diff --git a/champ-lib/champ-janus/src/main/java/org/onap/aai/champjanus/graph/impl/JanusChampGraphImpl.java b/champ-lib/champ-janus/src/main/java/org/onap/aai/champjanus/graph/impl/JanusChampGraphImpl.java
index 2ae4ea4..906c767 100644
--- a/champ-lib/champ-janus/src/main/java/org/onap/aai/champjanus/graph/impl/JanusChampGraphImpl.java
+++ b/champ-lib/champ-janus/src/main/java/org/onap/aai/champjanus/graph/impl/JanusChampGraphImpl.java
@@ -41,6 +41,7 @@ import org.onap.aai.champcore.schema.DefaultChampSchemaEnforcer;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.security.SecureRandom;
 import java.time.temporal.ChronoUnit;
 import java.util.*;
 import java.util.concurrent.ExecutionException;
@@ -78,7 +79,7 @@ public final class JanusChampGraphImpl extends AbstractTinkerpopChampGraph {
       janusGraphBuilder.set(janusGraphProperty.getKey(), janusGraphProperty.getValue());
     }
     
-    janusGraphBuilder.set(JANUS_UNIQUE_SUFFIX, ((short) new Random().nextInt(Short.MAX_VALUE)+""));
+    janusGraphBuilder.set(JANUS_UNIQUE_SUFFIX, ((short) new SecureRandom().nextInt(Short.MAX_VALUE)+""));
 
     final Object storageBackend = builder.graphConfiguration.get("storage.backend");
 
diff --git a/champ-lib/champ-titan/src/main/java/org/onap/aai/champtitan/graph/impl/TitanChampGraphImpl.java b/champ-lib/champ-titan/src/main/java/org/onap/aai/champtitan/graph/impl/TitanChampGraphImpl.java
index d72d69d..f3d821c 100644
--- a/champ-lib/champ-titan/src/main/java/org/onap/aai/champtitan/graph/impl/TitanChampGraphImpl.java
+++ b/champ-lib/champ-titan/src/main/java/org/onap/aai/champtitan/graph/impl/TitanChampGraphImpl.java
@@ -20,6 +20,7 @@
  */
 package org.onap.aai.champtitan.graph.impl;
 
+import java.security.SecureRandom;
 import java.time.temporal.ChronoUnit;
 import java.util.*;
 import java.util.Map.Entry;
@@ -31,8 +32,6 @@ import org.apache.tinkerpop.gremlin.process.traversal.dsl.graph.GraphTraversal;
 import org.apache.tinkerpop.gremlin.structure.Edge;
 import org.apache.tinkerpop.gremlin.structure.Vertex;
 import org.onap.aai.champcore.ChampCapabilities;
-import org.onap.aai.champcore.FormatMapper;
-import org.onap.aai.champcore.Formatter;
 import org.onap.aai.champcore.exceptions.ChampIndexNotExistsException;
 import org.onap.aai.champcore.exceptions.ChampSchemaViolationException;
 import org.onap.aai.champcore.graph.impl.AbstractTinkerpopChampGraph;
@@ -96,7 +95,7 @@ public final class TitanChampGraphImpl extends AbstractTinkerpopChampGraph {
       titanGraphBuilder.set(titanGraphProperty.getKey(), titanGraphProperty.getValue());
     }
 
-    titanGraphBuilder.set(TITAN_UNIQUE_SUFFIX, ((short) new Random().nextInt(Short.MAX_VALUE)+""));
+    titanGraphBuilder.set(TITAN_UNIQUE_SUFFIX, ((short) new SecureRandom().nextInt(Short.MAX_VALUE)+""));
     
     final Object storageBackend = builder.graphConfiguration.get("storage.backend");