From: Fiete Ostkamp <Fiete.Ostkamp@telekom.de>
Date: Sun, 1 Jun 2025 09:26:36 +0000 (+0200)
Subject: Update vulnerable dependencies
X-Git-Tag: 2.1.0^0
X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=73dbfc31de1be9747df2b93b6234cfcc2e810a2d;p=aai%2Fsparky-be.git

Update vulnerable dependencies

- update logback (1.2.3 -> 1.2.13)
- update guava (26.0-jre -> 33.4.8-jre)
- update dom4j (2.1.1 -> 2.1.4)
- update gson (2.8.5 -> 2.8.9)
- update camel (2.21.1 -> 2.21.5)
- make junit test scoped

Issue-ID: AAI-4166
Change-Id: Ifee29bd8b92ecec68f1075db63a34f134806a790
Signed-off-by: Fiete Ostkamp <Fiete.Ostkamp@telekom.de>
---

diff --git a/sparkybe-onap-application/pom.xml b/sparkybe-onap-application/pom.xml
index c21e070..079ab42 100644
--- a/sparkybe-onap-application/pom.xml
+++ b/sparkybe-onap-application/pom.xml
@@ -21,12 +21,15 @@
         <serverPort>9517</serverPort>
         <sslport>8000</sslport>
         <nexusproxy>https://nexus.onap.org</nexusproxy>
-        <camel-spring-boot.version>2.21.1</camel-spring-boot.version>
+        <camel-spring-boot.version>2.21.5</camel-spring-boot.version>
         <config-home>${basedir}/</config-home>
         <version.aai-schema>1.12.10</version.aai-schema>
         <sitePath>/content/sites/site/org/onap/aai/sparky-be/${project.artifactId}/${project.version}</sitePath>
         <nexusproxy>https://nexus.onap.org</nexusproxy>
         <spring.boot.version>1.5.21.RELEASE</spring.boot.version>
+        <logback.version>1.2.13</logback.version>
+        <guava.version>33.4.8-jre</guava.version>
+        <gson.version>2.8.9</gson.version>
         <shemaUnpackVersion>onap</shemaUnpackVersion>
         <!-- docker related properties -->
         <docker.image.name>sparky-be</docker.image.name>
@@ -61,7 +64,22 @@
             <dependency>
                 <groupId>ch.qos.logback</groupId>
                 <artifactId>logback-classic</artifactId>
-                <version>1.2.13</version>
+                <version>${logback.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>ch.qos.logback</groupId>
+                <artifactId>logback-core</artifactId>
+                <version>${logback.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.google.guava</groupId>
+                <artifactId>guava</artifactId>
+                <version>${guava.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.google.code.gson</groupId>
+                <artifactId>gson</artifactId>
+                <version>${gson.version}</version>
             </dependency>
 
         </dependencies>
@@ -95,6 +113,18 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-test</artifactId>
+            <exclusions>
+                <exclusion>
+                    <groupId>junit</groupId>
+                    <artifactId>junit</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>
+            <scope>test</scope>
         </dependency>
 
         <dependency>
@@ -189,7 +219,6 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>33.3.1-jre</version>
         </dependency>
 
         <dependency>
@@ -202,7 +231,7 @@
             <groupId>org.dom4j</groupId>
             <artifactId>dom4j</artifactId>
             <scope>provided</scope>
-            <version>2.1.1</version>
+            <version>2.1.4</version>
         </dependency>
 
         <dependency>
diff --git a/sparkybe-onap-application/src/test/java/org/onap/aai/sparky/aggregatevnf/AggregateSummaryProcessorTest.java b/sparkybe-onap-application/src/test/java/org/onap/aai/sparky/aggregatevnf/AggregateSummaryProcessorTest.java
index 7c325b3..6dbe9e8 100644
--- a/sparkybe-onap-application/src/test/java/org/onap/aai/sparky/aggregatevnf/AggregateSummaryProcessorTest.java
+++ b/sparkybe-onap-application/src/test/java/org/onap/aai/sparky/aggregatevnf/AggregateSummaryProcessorTest.java
@@ -72,7 +72,7 @@ public class AggregateSummaryProcessorTest {
   @Value("${schema.ingest.file}") String schemaIngestFileLocation;
 
   @Test
-  public void someTest() throws RestClientException, JsonProcessingException {
+  public void thatAggregateSummaryWorks() throws RestClientException, JsonProcessingException {
     when(searchServiceAdapter.doPost(Mockito.any(), Mockito.any())).thenReturn(operationResult);
     when(operationResult.wasSuccessful()).thenReturn(true);
 
diff --git a/sparkybe-onap-service/pom.xml b/sparkybe-onap-service/pom.xml
index 6e293c4..f4bb53c 100644
--- a/sparkybe-onap-service/pom.xml
+++ b/sparkybe-onap-service/pom.xml
@@ -20,7 +20,7 @@
 		<serverPort>9517</serverPort>
 		<sslport>8000</sslport>
 		<nexusproxy>https://nexus.onap.org</nexusproxy>
-		<camel-spring-boot.version>2.21.1</camel-spring-boot.version>
+		<camel-spring-boot.version>2.21.5</camel-spring-boot.version>
 		<config-home>${basedir}/</config-home>
 		<version.aai.aai-schema-ingest>1.4.1</version.aai.aai-schema-ingest>
 		<version.aai-schema>1.12.10</version.aai-schema>
@@ -28,6 +28,9 @@
 		<onap.nexus.url>https://neexus.onap.org</onap.nexus.url>
 		<jacoco.line.coverage.limit>0.53</jacoco.line.coverage.limit>
 		<spring.boot.version>1.5.22.RELEASE</spring.boot.version>
+		<guava.version>33.4.8-jre</guava.version>
+		<gson.version>2.8.9</gson.version>
+		<logback.version>1.2.13</logback.version>
 	</properties>
 
 	<dependencyManagement>
@@ -51,7 +54,17 @@
 			<dependency>
 				<groupId>ch.qos.logback</groupId>
 				<artifactId>logback-classic</artifactId>
-				<version>1.2.3</version>
+				<version>${logback.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>ch.qos.logback</groupId>
+				<artifactId>logback-core</artifactId>
+				<version>${logback.version}</version>
+			</dependency>
+			<dependency>
+				<groupId>com.google.code.gson</groupId>
+				<artifactId>gson</artifactId>
+				<version>${gson.version}</version>
 			</dependency>
 		</dependencies>
 	</dependencyManagement>
@@ -134,7 +147,6 @@ some of the depedencies should probably have a scope of provided so they don't a
 			<artifactId>commons-io</artifactId>
 			</dependency>
 
-		<!-- https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-util -->
 		<dependency>
 			<groupId>org.eclipse.jetty</groupId>
 			<artifactId>jetty-util</artifactId>
@@ -146,32 +158,16 @@ some of the depedencies should probably have a scope of provided so they don't a
 			<artifactId>camel-servlet-starter</artifactId>
 		</dependency>
 
-		<!-- https://mvnrepository.com/artifact/commons-cli/commons-cli -->
 		<dependency>
 			<groupId>commons-cli</groupId>
 			<artifactId>commons-cli</artifactId>
 			<version>1.2</version>
 		</dependency>
 
-		<!-- <dependency> <groupId>org.apache.tomcat.embed</groupId> <artifactId>tomcat-embed-jasper</artifactId>
-			</dependency> -->
-
-
-		<!-- https://mvnrepository.com/artifact/org.apache.camel/camel-http-common -->
-		<!-- <dependency> <groupId>org.apache.camel</groupId> <artifactId>camel-http</artifactId>
-			<version>2.15.5</version> </dependency> <dependency> <groupId>abc.def</groupId>
-			<artifactId>att-camel-dme2-servlet</artifactId> <version>2.15.5</version>
-			<scope>system</scope> <systemPath>x:/222/att-camel-dme2-servlet-2.15.5.jar</systemPath>
-			</dependency> <dependency> <groupId>abc.def</groupId> <artifactId>att-camel-static-content</artifactId>
-			<version>2.11.2.1</version> <scope>system</scope> <systemPath>x:/222/att-camel-static-content-2.11.2.1.jar</systemPath>
-			</dependency> -->
-
-		<!-- Utility dependencies -->
-
 		<dependency>
 			<groupId>com.google.guava</groupId>
 			<artifactId>guava</artifactId>
-			<version>26.0-jre</version>
+			<version>${guava.version}</version>
 		</dependency>
 
 
@@ -186,7 +182,7 @@ some of the depedencies should probably have a scope of provided so they don't a
 			<groupId>org.dom4j</groupId>
 			<artifactId>dom4j</artifactId>
 			<scope>provided</scope>
-			<version>2.1.1</version>
+			<version>2.1.4</version>
 		</dependency>
 
 		<dependency>
@@ -213,11 +209,11 @@ some of the depedencies should probably have a scope of provided so they don't a
 			<version>${version.aai-schema}</version>
 		</dependency>
 
-    	<dependency>
-		    <groupId>org.onap.aai.aai-common</groupId>
-		    <artifactId>aai-schema-ingest</artifactId>
-		    <version>${version.aai.aai-schema-ingest}</version>
-		    <exclusions>
+		<dependency>
+			<groupId>org.onap.aai.aai-common</groupId>
+			<artifactId>aai-schema-ingest</artifactId>
+			<version>${version.aai.aai-schema-ingest}</version>
+			<exclusions>
 				<exclusion>
 					<groupId>org.slf4j</groupId>
 					<artifactId>slf4j-log4j12</artifactId>
@@ -230,8 +226,8 @@ some of the depedencies should probably have a scope of provided so they don't a
 					<groupId>org.powermock</groupId>
 					<artifactId>powermock-api-mockito</artifactId>
 				</exclusion>
-		    </exclusions>
-	    </dependency>
+			</exclusions>
+		</dependency>
 
 		<dependency>
 			<groupId>org.onap.aai</groupId>
@@ -239,7 +235,6 @@ some of the depedencies should probably have a scope of provided so they don't a
 			<version>1.3.0</version>
 		</dependency>
 
-		<!-- https://mvnrepository.com/artifact/org.restlet.jee/org.restlet.ext.servlet -->
 		<dependency>
 			<groupId>org.restlet.jee</groupId>
 			<artifactId>org.restlet.ext.servlet</artifactId>