From ca685bb55cd192ab58c62663a31f5292697a4182 Mon Sep 17 00:00:00 2001
From: vasraz <vasyl.razinkov@est.tech>
Date: Thu, 11 Jun 2020 17:05:29 +0100
Subject: [PATCH] Fix Critical security vulnerability

com.fasterxml.jackson.core : jackson-databind : 2.9.9

Change-Id: I81af7879cb1fbcd158177a3dc220b704ff2f3388
Signed-off-by: Vasyl Razinkov <vasyl.razinkov@est.tech>
Issue-ID: SDC-3111
---
 asdctool/pom.xml                                   | 44 ++++++++++--
 catalog-be/pom.xml                                 | 79 +++++++++++++++++++---
 catalog-dao/pom.xml                                |  6 ++
 catalog-fe/pom.xml                                 |  7 +-
 catalog-model/pom.xml                              | 25 ++++++-
 common-app-api/pom.xml                             | 12 ++++
 common-be/pom.xml                                  | 25 ++++++-
 .../onap-configuration-management-core/pom.xml     |  6 ++
 common/onap-tosca-datatype/pom.xml                 | 11 +++
 onboarding/pom.xml                                 |  7 +-
 .../backend/openecomp-sdc-security-util/pom.xml    | 13 +++-
 openecomp-be/lib/openecomp-common-lib/pom.xml      |  6 ++
 pom.xml                                            |  4 +-
 test-apis-ci/pom.xml                               |  7 +-
 ui-ci/pom.xml                                      | 26 ++++++-
 utils/DmaapPublisher/pom.xml                       |  5 --
 16 files changed, 252 insertions(+), 31 deletions(-)

diff --git a/asdctool/pom.xml b/asdctool/pom.xml
index b685620bab..76cd7b4840 100644
--- a/asdctool/pom.xml
+++ b/asdctool/pom.xml
@@ -48,19 +48,34 @@
       <version>${project.version}</version>
       <scope>compile</scope>
     </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-core</artifactId>
+      <version>${jackson.version}</version>
+    </dependency>
 
     <dependency>
       <groupId>org.openecomp.sdc.be</groupId>
       <artifactId>catalog-dao</artifactId>
       <version>${project.version}</version>
-      <scope>compile</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
       <groupId>org.openecomp.sdc.be</groupId>
       <artifactId>catalog-model</artifactId>
       <version>${project.version}</version>
-      <scope>compile</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
 
@@ -73,6 +88,10 @@
       <classifier>classes</classifier>
 
       <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
         <exclusion>
           <groupId>org.openecomp.ecompsdkos</groupId>
           <artifactId>epsdk-fw</artifactId>
@@ -296,7 +315,12 @@
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
       <version>${jackson.version}</version>
-      <scope>compile</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <!-- Explicitly specified in order to override older version included by epsdk-fw -->
@@ -390,7 +414,12 @@
       <groupId>com.fasterxml.jackson.dataformat</groupId>
       <artifactId>jackson-dataformat-yaml</artifactId>
       <version>${jackson.version}</version>
-      <scope>compile</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <!-- CASSANDRA -->
@@ -437,7 +466,12 @@
       <groupId>de.ruedigermoeller</groupId>
       <artifactId>fst</artifactId>
       <version>2.47</version>
-      <scope>compile</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <!-- testing -->
diff --git a/catalog-be/pom.xml b/catalog-be/pom.xml
index 7f34e15c56..47650bd8c7 100644
--- a/catalog-be/pom.xml
+++ b/catalog-be/pom.xml
@@ -37,18 +37,33 @@
     </dependency>
 
     <!--JSON and YAML Parsing-->
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-core</artifactId>
+      <version>${jackson.version}</version>
+    </dependency>
     <dependency>
       <groupId>com.fasterxml.jackson.dataformat</groupId>
       <artifactId>jackson-dataformat-yaml</artifactId>
       <version>${jackson.version}</version>
-      <scope>compile</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
       <version>${jackson.version}</version>
-      <scope>compile</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
@@ -63,6 +78,12 @@
       <groupId>io.swagger.core.v3</groupId>
       <artifactId>swagger-jaxrs2</artifactId>
       <version>${swagger.version}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>io.swagger.core.v3</groupId>
@@ -75,7 +96,12 @@
       <groupId>org.openecomp.sdc</groupId>
       <artifactId>common-app-api</artifactId>
       <version>${project.version}</version>
-      <scope>compile</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
@@ -95,14 +121,24 @@
       <groupId>org.openecomp.sdc.be</groupId>
       <artifactId>catalog-dao</artifactId>
       <version>${project.version}</version>
-      <scope>compile</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
       <groupId>org.openecomp.sdc.be</groupId>
       <artifactId>catalog-model</artifactId>
       <version>${project.version}</version>
-      <scope>compile</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
@@ -141,7 +177,12 @@
       <groupId>org.glassfish.jersey.media</groupId>
       <artifactId>jersey-media-json-jackson</artifactId>
       <version>${jersey-bom.version}</version>
-      <scope>compile</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
@@ -510,6 +551,10 @@
           <groupId>com.att.aft</groupId>
           <artifactId>dme2</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
     <dependency>
@@ -672,6 +717,12 @@
       <groupId>org.onap.sdc.common</groupId>
       <artifactId>onap-tosca-datatype</artifactId>
       <version>${project.version}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
@@ -688,11 +739,17 @@
       <artifactId>security-util-lib</artifactId>
       <version>${security.util.lib.version}</version>
     </dependency>
-        <dependency>
-            <groupId>org.openecomp.sdc.core</groupId>
-            <artifactId>openecomp-tosca-lib</artifactId>
-            <version>${project.version}</version>
-        </dependency>
+    <dependency>
+      <groupId>org.openecomp.sdc.core</groupId>
+      <artifactId>openecomp-tosca-lib</artifactId>
+      <version>${project.version}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
   </dependencies>
 
   <build>
diff --git a/catalog-dao/pom.xml b/catalog-dao/pom.xml
index ba2ec97c3b..06cb1e81a0 100644
--- a/catalog-dao/pom.xml
+++ b/catalog-dao/pom.xml
@@ -128,6 +128,12 @@ Modifications copyright (c) 2018 Nokia
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
       <version>${jackson.version}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
diff --git a/catalog-fe/pom.xml b/catalog-fe/pom.xml
index 3781bb59e3..60353a8ec3 100644
--- a/catalog-fe/pom.xml
+++ b/catalog-fe/pom.xml
@@ -135,7 +135,12 @@
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
       <version>${jackson.version}</version>
-      <scope>compile</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
diff --git a/catalog-model/pom.xml b/catalog-model/pom.xml
index 051313602f..98e8c24d26 100644
--- a/catalog-model/pom.xml
+++ b/catalog-model/pom.xml
@@ -28,6 +28,11 @@
       <version>${junitJupiter.version}</version>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-core</artifactId>
+      <version>${jackson.version}</version>
+    </dependency>
 
     <!-- Common of SDC -->
     <dependency>
@@ -35,6 +40,12 @@
       <artifactId>common-app-api</artifactId>
       <version>${project.version}</version>
       <scope>provided</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
@@ -70,6 +81,12 @@
       <artifactId>catalog-dao</artifactId>
       <version>${project.version}</version>
       <scope>provided</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
@@ -315,7 +332,13 @@
 			<groupId>org.openecomp.sdc.core</groupId>
 			<artifactId>openecomp-tosca-lib</artifactId>
 			<version>${project.version}</version>
-		</dependency>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
 
   </dependencies>
   <build>
diff --git a/common-app-api/pom.xml b/common-app-api/pom.xml
index 210a9b25a6..323bcf822b 100644
--- a/common-app-api/pom.xml
+++ b/common-app-api/pom.xml
@@ -113,6 +113,12 @@
       <artifactId>jersey-media-json-jackson</artifactId>
       <version>${jersey-bom.version}</version>
       <scope>provided</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-annotations</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <!-- Aspects -->
@@ -142,6 +148,12 @@
       <artifactId>jackson-databind</artifactId>
       <version>${jackson.version}</version>
       <scope>provided</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
diff --git a/common-be/pom.xml b/common-be/pom.xml
index f08154f707..2005537798 100644
--- a/common-be/pom.xml
+++ b/common-be/pom.xml
@@ -28,12 +28,23 @@
       <scope>test</scope>
     </dependency>
 
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-core</artifactId>
+      <version>${jackson.version}</version>
+    </dependency>
+
     <!-- Common of SD&C -->
     <dependency>
       <groupId>org.openecomp.sdc</groupId>
       <artifactId>common-app-api</artifactId>
       <version>${project.version}</version>
-      <scope>compile</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
@@ -68,6 +79,12 @@
       <artifactId>jackson-databind</artifactId>
       <version>${jackson.version}</version>
       <scope>provided</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
@@ -104,6 +121,12 @@
       <groupId>org.onap.sdc.common</groupId>
       <artifactId>onap-tosca-datatype</artifactId>
       <version>${tosca.datatype.version}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.onap.sdc.sdc-tosca</groupId>
diff --git a/common/onap-common-configuration-management/onap-configuration-management-core/pom.xml b/common/onap-common-configuration-management/onap-configuration-management-core/pom.xml
index eed797829e..1583aa90d0 100755
--- a/common/onap-common-configuration-management/onap-configuration-management-core/pom.xml
+++ b/common/onap-common-configuration-management/onap-configuration-management-core/pom.xml
@@ -48,6 +48,12 @@
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>com.fasterxml.jackson.dataformat</groupId>
diff --git a/common/onap-tosca-datatype/pom.xml b/common/onap-tosca-datatype/pom.xml
index 6292c561c1..91b4202b09 100644
--- a/common/onap-tosca-datatype/pom.xml
+++ b/common/onap-tosca-datatype/pom.xml
@@ -59,10 +59,21 @@
       <artifactId>commons-beanutils</artifactId>
       <version>${commons-beanutils}</version>
     </dependency>
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-core</artifactId>
+      <version>${jackson.version}</version>
+    </dependency>
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
       <version>${jackson.version}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>org.mockito</groupId>
diff --git a/onboarding/pom.xml b/onboarding/pom.xml
index 7d3f967638..c86cca4ef8 100644
--- a/onboarding/pom.xml
+++ b/onboarding/pom.xml
@@ -91,7 +91,6 @@
     <javax.el-api.version>3.0.1-b04</javax.el-api.version>
     <javax.inject.version>1</javax.inject.version>
     <javax.servlet.version>2.5</javax.servlet.version>
-    <jackson.version>2.9.9</jackson.version>
     <jackson.annotations.version>${jackson.version}</jackson.annotations.version>
     <jackson.dataformat.version>${jackson.version}</jackson.dataformat.version>
     <jcommander.version>1.58</jcommander.version>
@@ -236,6 +235,12 @@
         <groupId>com.fasterxml.jackson.core</groupId>
         <artifactId>jackson-databind</artifactId>
         <version>${jackson.version}</version>
+        <exclusions>
+          <exclusion>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-core</artifactId>
+          </exclusion>
+        </exclusions>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.dataformat</groupId>
diff --git a/openecomp-be/backend/openecomp-sdc-security-util/pom.xml b/openecomp-be/backend/openecomp-sdc-security-util/pom.xml
index d9370ac6af..9d0c33ee63 100644
--- a/openecomp-be/backend/openecomp-sdc-security-util/pom.xml
+++ b/openecomp-be/backend/openecomp-sdc-security-util/pom.xml
@@ -37,10 +37,21 @@
       <version>4.7</version>
     </dependency>
 
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-core</artifactId>
+      <version>${jackson.version}</version>
+    </dependency>
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
-      <version>2.9.9</version>
+      <version>${jackson.version}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
diff --git a/openecomp-be/lib/openecomp-common-lib/pom.xml b/openecomp-be/lib/openecomp-common-lib/pom.xml
index 5a4e78698c..647675f840 100644
--- a/openecomp-be/lib/openecomp-common-lib/pom.xml
+++ b/openecomp-be/lib/openecomp-common-lib/pom.xml
@@ -54,6 +54,12 @@
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>com.amdocs.zusammen</groupId>
diff --git a/pom.xml b/pom.xml
index 798ab3aabc..6b04d6f89e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -67,8 +67,8 @@ Modifications copyright (c) 2018-2019 Nokia
     <jetty.version>9.4.18.v20190429</jetty.version>
 
     <!-- JSON and YAML Parsing -->
-    <jackson.version>2.9.9</jackson.version>
-    <jackson-annotations.version>2.9.9</jackson-annotations.version>
+    <jackson.version>2.10.0</jackson.version>
+    <jackson-annotations.version>${jackson.version}</jackson-annotations.version>
     <jackson.mapper.version>1.9.13</jackson.mapper.version>
     <clearspring.version>2.1.1</clearspring.version>
 
diff --git a/test-apis-ci/pom.xml b/test-apis-ci/pom.xml
index 1613c476f6..cfe1ac99ed 100644
--- a/test-apis-ci/pom.xml
+++ b/test-apis-ci/pom.xml
@@ -306,7 +306,12 @@
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
       <version>${jackson.version}</version>
-      <scope>compile</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
diff --git a/ui-ci/pom.xml b/ui-ci/pom.xml
index da09985cca..4c24d2d5d5 100644
--- a/ui-ci/pom.xml
+++ b/ui-ci/pom.xml
@@ -86,11 +86,22 @@
       <scope>compile</scope>
     </dependency>
 
+    <dependency>
+      <groupId>com.fasterxml.jackson.core</groupId>
+      <artifactId>jackson-core</artifactId>
+      <version>${jackson.version}</version>
+    </dependency>
+
     <dependency>
       <groupId>org.openecomp.sdc</groupId>
       <artifactId>test-apis-ci</artifactId>
       <version>${project.version}</version>
-      <scope>compile</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
@@ -175,7 +186,12 @@
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
       <version>${jackson.version}</version>
-      <scope>compile</scope>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
@@ -261,6 +277,12 @@
         to browsermob-core -->
       <artifactId>browsermob-core</artifactId>
       <version>2.1.4</version>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.jackson.core</groupId>
+          <artifactId>jackson-core</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
 
     <dependency>
diff --git a/utils/DmaapPublisher/pom.xml b/utils/DmaapPublisher/pom.xml
index b2b013e2a2..1a8cf652c2 100644
--- a/utils/DmaapPublisher/pom.xml
+++ b/utils/DmaapPublisher/pom.xml
@@ -6,11 +6,6 @@
   <artifactId>dmaap-publisher</artifactId>
   <version>1.0.0</version>
 
-
-  <properties>
-    <fasterxml.jackson.version>2.8.6</fasterxml.jackson.version>
-  </properties>
-
   <dependencies>
     <!--JUnit Jupiter Engine to depend on the JUnit5 engine and JUnit 5 API -->
     <dependency>
-- 
2.16.6