From: dhanush.p Date: Fri, 26 Dec 2025 12:15:01 +0000 (+0100) Subject: [SDC]: PSA issue fixes and CVE issue fixes X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=cd73cb8ddd358ed9916b3e7d33d4b1aaf695b972;p=sdc.git [SDC]: PSA issue fixes and CVE issue fixes Issue-ID: SDC-4780 Change-Id: If44267cba2a09d2b8bab36f022c5e0060d8251ce Signed-off-by: dhanush.p
---
diff --git a/asdctool/sdc-cassandra-init/Dockerfile b/asdctool/sdc-cassandra-init/Dockerfile
index 11c3e87bc7..093466de8a 100644
--- a/asdctool/sdc-cassandra-init/Dockerfile
+++ b/asdctool/sdc-cassandra-init/Dockerfile
@@ -1,42 +1,39 @@ +# Base image FROM eclipse-temurin:11-jre-jammy - # Create a new group and user -RUN addgroup sdc && \ - adduser --gecos "sdc sdc,1,1,1" --disabled-password --ingroup sdc --shell /bin/sh sdc - +RUN addgroup --system sdc && \ + adduser --system --ingroup sdc --shell /bin/sh sdc USER sdc - +WORKDIR /home/sdc # Create Cassandra configuration directory and file RUN mkdir -p ~/.cassandra/ && \ echo '[cql]' > ~/.cassandra/cqlshrc && \ - echo 'version=3.4.4' >> ~/.cassandra/cqlshrc - + echo 'version=3.4.4' >> ~/.cassandra/cqlshrc && \ + chmod 600 ~/.cassandra/cqlshrc +# Switch to root to install necessary packages USER root - -# Update package list and install necessary packages RUN apt-get update --allow-releaseinfo-change && \ - apt-get purge python* -y && \ - apt-get install -y python3-pip && \ + apt-get install -y --no-install-recommends \ + python3-pip \ + libffi-dev \ + libxml2-dev \ + curl \ + wget \ + perl \ + ntp \ + apt-transport-https && \ python3 -m pip install --upgrade pip && \ pip3 install --no-cache-dir cqlsh==6.1.0 && \ - mkdir -p ~/.cassandra/ && \ - echo '[cql]' > ~/.cassandra/cqlshrc && \ - echo 'version=3.4.4' >> ~/.cassandra/cqlshrc && \ - apt-get install -y \ - libffi-dev \ - libxml2-dev && \ - apt-get clean - -# Remove bash only if absolutely necessary -RUN apt-get remove bash -y --allow-remove-essential || true - + apt-get purge -y python3-dev python3-apt && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* /root/.cache/pip +# Switch back to system user for runtime USER sdc - +WORKDIR /home/sdc # Copy sdctool tar and startup COPY --chown=sdc:sdc sdctool.tar /home/sdc/sdctool.tar COPY --chown=sdc:sdc scripts /home/sdc/scripts COPY --chown=sdc:sdc startup.sh /home/sdc - # Extract and prepare sdctool RUN tar -xvf /home/sdc/sdctool.tar -C /home/sdc && \ rm /home/sdc/sdctool.tar && \ 
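Review bot: The package list added to the root-stage `apt-get install` (`libffi-dev`, `libxml2-dev`, `curl`, `wget`, `perl`, `ntp`, `apt-transport-https`) is unpinned and never removed, so the runtime image ships compiler headers and an NTP daemon package next to cqlsh, which widens the surface this CVE change is meant to reduce. If the `-dev` headers are only needed while `pip3 install` builds cqlsh's dependencies, purge them in the same layer, `apt-get purge -y --auto-remove libffi-dev libxml2-dev && \` before `apt-get clean`. `wget`, `perl` and `ntp` are used by nothing visible in this Dockerfile and should be dropped unless a script under `scripts/` needs them (those scripts are not in the diff); `python3 -m pip install --upgrade pip` is likewise unpinned. Pin each remaining package as `pkg=version` (hadolint DL3008) so a rebuild of this commit yields the same image. The last `RUN` in the hunk (the `tar -xvf` chain) continues past the hunk's end.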
@@ -50,6 +47,7 @@ RUN tar -xvf /home/sdc/sdctool.tar -C /home/sdc && \ chmod +x /home/sdc/scripts/* && \ cp -r /home/sdc/scripts/janusgraph.properties /home/sdc/sdctool/config && \ cp -r /home/sdc/scripts/configuration.yaml /home/sdc/sdctool/config - -# Define entrypoint -ENTRYPOINT [ "sh", "-c", "/home/sdc/startup.sh" ] +# Ensure all scripts are executable and owned by sdc +RUN find /home/sdc -type f -name "*.sh" -exec chmod 750 {} \; && \ + chown -R sdc:sdc /home/sdc +ENTRYPOINT ["/bin/sh", "/home/sdc/startup.sh"] diff --git a/catalog-be/pom.xml b/catalog-be/pom.xml index 09a9cde875..cd820974a3 100644 --- a/catalog-be/pom.xml +++ b/catalog-be/pom.xml @@ -388,7 +388,7 @@ org.eclipse.jgit org.eclipse.jgit - 3.4.1.201406201815-r + 6.9.0.202403050737-r diff --git a/catalog-be/sdc-backend-init/Dockerfile b/catalog-be/sdc-backend-init/Dockerfile index 90cadfe244..3473a0d763 100644 --- a/catalog-be/sdc-backend-init/Dockerfile +++ b/catalog-be/sdc-backend-init/Dockerfile 
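Review bot: The new `RUN find ... && chown -R sdc:sdc /home/sdc` runs as `sdc` (the last `USER` before it, set in the previous hunk, is `USER sdc`), so the `chown` can only succeed on files sdc already owns and changes nothing, while the recursive attribute touch is likely to copy the whole extracted sdctool tree into a fresh layer. Fold the mode fix into the preceding extraction `RUN` (whose chain starts in the previous hunk), e.g. `&& find /home/sdc -type f -name '*.sh' -exec chmod 750 {} +`, and drop the `chown`, since every `COPY` already uses `--chown=sdc:sdc`. The change to `ENTRYPOINT ["/bin/sh", "/home/sdc/startup.sh"]` is fine, but `startup.sh` still is not PID 1 unless it ends with `exec`; that script is not in the diff.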
@@ -5,35 +5,33 @@ USER root # Needed for pycurl ENV PYCURL_SSL_LIBRARY=openssl -# Install packages only needed for building +RUN apk update && apk upgrade && apk add --no-cache expat apk-tools + +# Install only runtime packages and build dependencies temporarily RUN apk update && \ - apk add binutils jq libpng && \ - apk add --no-cache \ - libcurl && \ - apk add --no-cache --virtual .build-dependencies \ + apk add --no-cache libcurl jq libpng python3 py3-pip && \ + apk add --no-cache --virtual .build-deps \ libressl-dev \ libffi-dev \ libxml2-dev \ build-base \ curl-dev && \ - # needed libcurl to install correctly \ - python -m pip install --upgrade pip && \ - pip install 'pycurl==7.44.1' && \ - apk del .build-dependencies + pip install --no-cache-dir pycurl==7.44.1 && \ + apk del .build-deps ENV ONAP_LOG=/home/onap/logs -RUN mkdir $ONAP_LOG && chown onap:onap $ONAP_LOG +RUN mkdir -p $ONAP_LOG && chown onap:onap $ONAP_LOG # user/group are the same as in integration/docker/onap-python base image ENV user=onap group=onap USER onap -# Copy scripts and install them +# Copy scripts and install them under sdc user COPY --chown=onap:onap scripts /home/onap/scripts RUN chmod -R a+rx /home/onap/scripts && \ - cd /home/onap/scripts && \ + cd /home/onap/scripts && \ pip install --user . # Ensure ALL .local/bin scripts are accessible to any UID 
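Review bot: `RUN apk update && apk upgrade && apk add --no-cache expat apk-tools` makes the image depend on whatever the Alpine repositories hold at build time, so two builds of this commit can differ and the CVE state is not tied to the source; hadolint flags `apk upgrade` (DL3017), and `apk update` is redundant with `--no-cache`. If the intent is the expat/apk-tools fixes, pin them instead, `RUN apk add --no-cache expat=<fixed-version> apk-tools=<fixed-version>`, with the versions taken from the base image release's advisories. The comment `# Copy scripts and install them under sdc user` is wrong for this file, the step runs after `USER onap`; change it to `# Copy scripts and install them as the onap user`. The unpinned `python3` added here is paired in the next hunk with a hard-coded `python3.9` site-packages path in `PYTHONPATH`; if the apk python3 is a different minor version that path silently points nowhere (the base image's Python version is not visible in this diff).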
@@ -41,20 +39,15 @@ RUN chmod -R a+rx /home/onap/.local && \ chmod -R a+rx /home/onap/.local/bin && \ chmod -R a+rx /home/onap -# Make sure PATH includes .local/bin +# Add .local/bin to PATH and Python site-packages to PYTHONPATH ENV PATH=$PATH:/home/onap/.local/bin ENV PYTHONPATH=/home/onap/.local/lib/python3.9/site-packages:$PYTHONPATH # Copy other required files COPY --chown=onap:onap normatives.tar.gz /home/onap/ -COPY --chown=onap:onap custom-scripts/create_consumer_and_user.sh /home/onap/create_consumer_and_user.sh - +COPY --chown=onap:onap custom-scripts/create_consumer_and_user.sh /home/onap/create_consumer_and_user.sh COPY --chown=onap:onap custom-scripts/check_backend.sh /home/onap/check_backend.sh - - COPY --chown=onap:onap custom-scripts/import_normatives.sh /home/onap/import_normatives.sh - - COPY --chown=onap:onap startup.sh /home/onap/startup.sh RUN chmod a+rx /home/onap/*.sh diff --git a/catalog-fe/sdc-frontend/Dockerfile b/catalog-fe/sdc-frontend/Dockerfile index 1c7a0602ad..adf05352f5 100644 --- a/catalog-fe/sdc-frontend/Dockerfile +++ b/catalog-fe/sdc-frontend/Dockerfile @@ -3,11 +3,12 @@ FROM onap/integration-java11:10.0.0 USER root ARG JETTY_FOLDER=/app/jetty -# Install curl for Alpine -RUN apk update && apk add curl jq gettext +RUN apk update && \ + apk add --no-cache curl jq && \ + rm -rf /var/cache/apk/* -# Create the Jetty folder and necessary config directories -RUN mkdir -p $JETTY_FOLDER/ && chown onap:onap $JETTY_FOLDER +# Create Jetty folder and set permissions +RUN mkdir -p $JETTY_FOLDER && chown onap:onap $JETTY_FOLDER ENV JETTY_HOME=$JETTY_FOLDER ENV JETTY_BASE=$JETTY_FOLDER 
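Review bot: The rewritten install line `apk add --no-cache curl jq` in the sdc-frontend hunk drops `gettext`, which the old line installed, and the commit message does not say why; if any of the frontend scripts (`startup.sh`, `set-http-module.sh`, `setup-keystore-truststore.sh`, none in this diff) call `envsubst`, the failure moves from build time to a missing-command error at container start. Either keep it, `apk add --no-cache curl gettext jq`, or confirm no script uses `envsubst` before merging. The `apk update` before `--no-cache` and the trailing `rm -rf /var/cache/apk/*` are both redundant with `--no-cache`, leaving simply `RUN apk add --no-cache curl jq`.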
@@ -15,6 +16,7 @@ ENV JETTY_USER=onap ENV JETTY_GROUP=onap #Download jetty + RUN wget -q https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/${jetty-distribution.version}/jetty-distribution-${jetty-distribution.version}.tar.gz --tries=3 -O $JETTY_FOLDER/jetty.tar.gz && \ tar xz -C $JETTY_FOLDER -f $JETTY_FOLDER/jetty.tar.gz --strip 1 && \ rm -rf $JETTY_FOLDER/jetty.tar.gz 
@@ -47,22 +49,22 @@ COPY --chown=onap:onap artifacts/files/org.onap.sdc.p12 $JETTY_FOLDER/etc/ COPY --chown=onap:onap artifacts/files/org.onap.sdc.trust.jks $JETTY_FOLDER/etc/ # Set permissions -RUN chown -R onap:onap $JETTY_FOLDER/* && \ - chmod 770 $JETTY_FOLDER/startup.sh && \ - chmod 770 $JETTY_FOLDER/set-http-module.sh && $JETTY_FOLDER/set-http-module.sh && \ - chmod 755 $JETTY_FOLDER/setup-keystore-truststore.sh && \ - chmod 755 $JETTY_FOLDER/ready-probe.sh && \ - chmod 755 $JETTY_FOLDER/config/catalog-fe/* && \ - chmod 644 $JETTY_FOLDER/etc/* && \ - chmod 770 /tmp/logback.xml && \ - chmod 755 $JETTY_FOLDER/config/onboarding-fe/* && \ - chmod 755 $JETTY_FOLDER/start.d/* +RUN chown -R onap:onap $JETTY_FOLDER && \ + chmod 770 $JETTY_FOLDER/startup.sh $JETTY_FOLDER/set-http-module.sh && \ + chmod 755 $JETTY_FOLDER/setup-keystore-truststore.sh $JETTY_FOLDER/ready-probe.sh && \ + chmod 755 $JETTY_FOLDER/config/catalog-fe/* $JETTY_FOLDER/config/onboarding-fe/* $JETTY_FOLDER/start.d/* && \ + chmod 644 $JETTY_FOLDER/etc/* && chmod 770 /tmp/logback.xml && \ + # Run HTTP module setup + $JETTY_FOLDER/set-http-module.sh && \ + # Clean apk cache to minimize image size + rm -rf /var/cache/apk/* # Add Jetty rewrite and configuration settings RUN echo "etc/rewrite-root-to-sdc1.xml" >> "$JETTY_FOLDER/start.d/rewrite.ini" && \ -echo "jetty.httpConfig.sendServerVersion=false" >> "$JETTY_FOLDER/start.d/start.ini" + echo "jetty.httpConfig.sendServerVersion=false" >> "$JETTY_FOLDER/start.d/start.ini" + USER onap WORKDIR $JETTY_FOLDER -ENTRYPOINT [ "sh", "-c", "${JETTY_HOME}/startup.sh"] +ENTRYPOINT [ "sh", "-c", "${JETTY_HOME}/startup.sh" ] diff --git a/integration-tests/pom.xml b/integration-tests/pom.xml index 378b1e5915..bf27d04969 100644 --- a/integration-tests/pom.xml +++ b/integration-tests/pom.xml @@ -900,7 +900,7 @@ limitations under the License. sdc-cs-init - + SdcSchemaFileImport successfully completed 
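Review bot: `chmod 644 $JETTY_FOLDER/etc/*` in the rewritten permissions `RUN` leaves `org.onap.sdc.p12` and `org.onap.sdc.trust.jks` (copied into `etc/` in the context lines just above) readable by every user in the image; a PKCS#12 keystore used by the server normally holds its private key, so it should be readable by owner and group only. Follow the blanket chmod with `chmod 640 $JETTY_FOLDER/etc/org.onap.sdc.p12 $JETTY_FOLDER/etc/org.onap.sdc.trust.jks && \`; the runtime user `onap` owns the files after the `chown -R` at the top of the chain. The `rm -rf /var/cache/apk/*` appended to this chain clears nothing this layer wrote, as the apk install is in an earlier layer, and can go. Comment lines placed between `&& \` continuations are stripped by the Dockerfile parser before the shell runs, so they work, but a heredoc `RUN <<EOF` with `set -e` would make that explicit rather than relying on parser behaviour.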
diff --git a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/Dockerfile b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/Dockerfile index 7532413931..4138560038 100644 --- a/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/Dockerfile +++ b/openecomp-be/dist/sdc-onboard-backend-docker/artifacts/Dockerfile @@ -1,33 +1,29 @@ FROM onap/integration-java11:10.0.0 -# Switch to root user for system installations USER root ARG JETTY_FOLDER=/app/jetty # Install necessary packages and dependencies RUN set -ex && \ apk update && \ - apk add --no-cache \ - wget \ - build-base \ - libffi-dev \ - libxml2-dev \ - libressl-dev && \ - apk update + apk add --no-cache --virtual .build-deps \ + build-base libffi-dev libxml2-dev libressl-dev wget ENV JETTY_HOME=$JETTY_FOLDER ENV JETTY_BASE=$JETTY_FOLDER ENV JETTY_USER=onap ENV JETTY_GROUP=onap -RUN mkdir $JETTY_FOLDER && chown onap:onap $JETTY_FOLDER +RUN mkdir -p $JETTY_FOLDER && chown onap:onap $JETTY_FOLDER USER onap -#Download jetty -RUN wget -q https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/${jetty-distribution.version}/jetty-distribution-${jetty-distribution.version}.tar.gz --tries=3 -O $JETTY_FOLDER/jetty.tar.gz && \ - tar xz -C $JETTY_FOLDER -f $JETTY_FOLDER/jetty.tar.gz --strip 1 && \ - rm -rf $JETTY_FOLDER/jetty.tar.gz +# Download jetty +RUN wget -q https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/${jetty-distribution.version}/jetty-distribution-${jetty-distribution.version}.tar.gz \ + --tries=3 -O $JETTY_FOLDER/jetty.tar.gz && \ + tar xz -C $JETTY_FOLDER -f $JETTY_FOLDER/jetty.tar.gz --strip 1 && \ + rm -rf $JETTY_FOLDER/jetty.tar.gz + RUN sed -i 's/"jetty"/"onap"/g' $JETTY_FOLDER/etc/jetty-setuid.xml # Download OpenTelemetry Java Agent 
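Review bot: The `.build-deps` virtual package installed in the first `RUN` (`build-base libffi-dev libxml2-dev libressl-dev wget`) is only deleted by the `apk del .build-deps` in the later hunk `@@ -40,14 +36,22 @@`, so the toolchain stays in every intermediate layer and the delete neither shrinks the image nor removes those packages from its layer history. Nothing between the two points visibly uses `build-base` or the `-dev` headers (no `pip install` or compile step appears in the diff), so install, use and `apk del` should sit in one `RUN`, or the compile step should move to a build stage; `wget` alone is needed for the jetty download and can be added with `--no-cache` on its own. The jetty tarball fetched on the new `wget` line is not integrity-checked beyond TLS; a `sha256sum -c` against a checksum recorded in the repo would pin what actually gets extracted. This same install/delete split applies to the `apk del .build-deps` hunk below and is not repeated there.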
@@ -40,14 +36,22 @@ ADD --chown=onap:onap api-docs.war $JETTY_FOLDER/webapps/ COPY --chown=onap:onap startup.sh $JETTY_FOLDER/ COPY --chown=onap:onap scripts/cleanup_jettydir.sh $JETTY_FOLDER/ COPY --chown=onap:onap scripts/create_jetty_modules.sh $JETTY_FOLDER/ + # Set executable permissions on the startup script -RUN chmod 770 $JETTY_FOLDER/startup.sh -RUN chmod 770 $JETTY_FOLDER/cleanup_jettydir.sh && $JETTY_FOLDER/cleanup_jettydir.sh -RUN chmod +x $JETTY_FOLDER/create_jetty_modules.sh && $JETTY_FOLDER/create_jetty_modules.sh +RUN chmod 770 $JETTY_FOLDER/startup.sh && \ + chmod 770 $JETTY_FOLDER/cleanup_jettydir.sh && $JETTY_FOLDER/cleanup_jettydir.sh && \ + chmod +x $JETTY_FOLDER/create_jetty_modules.sh && $JETTY_FOLDER/create_jetty_modules.sh +#Copy configuration files COPY --chown=onap:onap files/logback.xml $JETTY_FOLDER/config/onboarding-be/ COPY --chown=onap:onap files/org.onap.sdc.p12 $JETTY_FOLDER/etc/ COPY --chown=onap:onap files/org.onap.sdc.trust.jks $JETTY_FOLDER/etc/ COPY --chown=onap:onap files/base_template.yaml $JETTY_BASE/resources/ COPY --chown=onap:onap files/base_template.env $JETTY_BASE/resources/ -ENTRYPOINT [ "sh", "-c", "${JETTY_HOME}/startup.sh"] + + +USER root +RUN apk del .build-deps + +USER onap +ENTRYPOINT ["sh", "-c", "${JETTY_HOME}/startup.sh"] diff --git a/pom.xml b/pom.xml index 6057125345..fa700c6e6f 100644 --- a/pom.xml +++ b/pom.xml @@ -79,9 +79,9 @@ Modifications copyright (c) 2018-2019 Nokia 2.1.6 2.0.1.Final - 9.4.51.v20230217 + 9.4.54.v20240208 ${jetty.version} - 3.6.1 + 3.6.3 2.4.0.0 2.1.3 @@ -109,6 +109,7 @@ Modifications copyright (c) 2018-2019 Nokia 1.2.12 + 7.3 1.7.36 1.15 3.1.9 @@ -279,10 +280,16 @@ Modifications copyright (c) 2018-2019 Nokia swagger-maven-plugin ${swagger-core-mvn-plugin.version} + + net.logstash.logback + logstash-logback-encoder + ${logstash.encoder.version} + + org.jacoco 
@@ -411,7 +418,7 @@ Modifications copyright (c) 2018-2019 Nokia org.springframework.security spring-security-core - 5.6.3 + 5.6.10 org.springframework @@ -437,12 +444,16 @@ Modifications copyright (c) 2018-2019 Nokia spring-core - + org.springframework spring-core ${spring.version} + + net.logstash.logback + logstash-logback-encoder + diff --git a/utils/webseal-simulator/pom.xml b/utils/webseal-simulator/pom.xml index 244f7dea3d..8d85fef479 100644 --- a/utils/webseal-simulator/pom.xml +++ b/utils/webseal-simulator/pom.xml @@ -137,7 +137,7 @@ - + com.typesafe config diff --git a/utils/webseal-simulator/sdc-simulator/Dockerfile b/utils/webseal-simulator/sdc-simulator/Dockerfile index 3fb82bc92b..daa86dd769 100644 --- a/utils/webseal-simulator/sdc-simulator/Dockerfile +++ b/utils/webseal-simulator/sdc-simulator/Dockerfile @@ -48,4 +48,4 @@ COPY --chown=onap:onap startup.sh $JETTY_FOLDER/ RUN chmod 770 $JETTY_FOLDER/startup.sh -ENTRYPOINT [ "sh", "-c", "${JETTY_HOME}/startup.sh"] +ENTRYPOINT [ "sh", "-c", "${JETTY_HOME}/startup.sh"] \ No newline at end of file