From 911ba91349d7e1701dd813080f2fb866529c9449 Mon Sep 17 00:00:00 2001
From: Fiete Ostkamp
Date: Wed, 19 Feb 2025 13:38:07 +0100
Subject: [PATCH] Fix Security Vulnerabilities

- update logback (1.2.3 -> 1.2.13)
- update gson (2.8.4 -> 2.8.9)
- remove declaration of org.json (it's still a transitive dependency of the sdc-distribution-client), but in a newer version
- exclude mockito-core and powermock compile time deps that are pulled in by eelf-core
- resolve build warning about undeclared plugin version for the versions-maven-plugin

Issue-ID: MULTICLOUD-1507
Change-Id: Ica649d5225804afbc483f12e890f7cb08569d898
Signed-off-by: Fiete Ostkamp
---
 .gitignore | 1 +
 .../k8s/engine/K8sArtifactForwarderTest.java | 72 +++++++++++-----------
 artifactbroker/pom.xml | 32 ++++++----
 3 files changed, 57 insertions(+), 48 deletions(-)

diff --git a/.gitignore b/.gitignore
index 5abd1e9..f53107e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,3 +26,4 @@ multivimbroker/test-reports/
 # Docs related
 docs/html
+*.log
diff --git a/artifactbroker/plugins/forwarding-plugins/src/test/java/org/onap/policy/distribution/forwarding/k8s/engine/K8sArtifactForwarderTest.java b/artifactbroker/plugins/forwarding-plugins/src/test/java/org/onap/policy/distribution/forwarding/k8s/engine/K8sArtifactForwarderTest.java
index 58c9c69..38b7b3d 100644
--- a/artifactbroker/plugins/forwarding-plugins/src/test/java/org/onap/policy/distribution/forwarding/k8s/engine/K8sArtifactForwarderTest.java
+++ b/artifactbroker/plugins/forwarding-plugins/src/test/java/org/onap/policy/distribution/forwarding/k8s/engine/K8sArtifactForwarderTest.java
@@ -5,20 +5,20 @@
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
- *
+ *
  * http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
- *
+ *
  * SPDX-License-Identifier: Apache-2.0
  * ============LICENSE_END=========================================================
  */
-package org.onap.policy.distribution.forwarding.k8.engine;
+package org.onap.policy.distribution.forwarding.k8s.engine;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.fail;
@@ -129,7 +129,7 @@ public class K8sArtifactForwarderTest {
 Type type = new TypeToken>() {}.getType();
 Gson gson = new Gson();
 vfModuleModels = gson.fromJson(data, type);
-
+
 //vfModuleModels= GsonUtil.parseJsonArrayWithGson(data, VfModuleModel.class);
 assertEquals(4, vfModuleModels.size());
 } catch (final Exception e) {
@@ -188,10 +188,10 @@ public class K8sArtifactForwarderTest {
 private List relatedArtifactsInfo;
 ArtifactInfoImpl(){}
-
+
 private ArtifactInfoImpl(IArtifactInfo iArtifactInfo){
 artifactName = iArtifactInfo.getArtifactName();
-artifactType = iArtifactInfo.getArtifactType();
+artifactType = iArtifactInfo.getArtifactType();
 artifactURL = iArtifactInfo.getArtifactURL();
 artifactChecksum = iArtifactInfo.getArtifactChecksum();
 artifactDescription = iArtifactInfo.getArtifactDescription();
@@ -201,10 +201,10 @@ public class K8sArtifactForwarderTest {
 generatedArtifact = iArtifactInfo.getGeneratedArtifact();
 relatedArtifactsInfo = iArtifactInfo.getRelatedArtifacts();
 relatedArtifacts = fillRelatedArtifactsUUID(relatedArtifactsInfo);
-
+
 }
-
-
+
+
 private List fillRelatedArtifactsUUID(List relatedArtifactsInfo) {
 List relatedArtifactsUUID = null;
 if ( relatedArtifactsInfo != null && !relatedArtifactsInfo.isEmpty()) {
@@ -215,55 +215,55 @@ public class K8sArtifactForwarderTest {
 }
 return relatedArtifactsUUID;
 }
-
+
 public String getArtifactName() {
 return artifactName;
 }
-
+
 public void setArtifactName(String artifactName) {
 this.artifactName = artifactName;
 }
-
+
 public String getArtifactType() {
 return artifactType;
 }
-
+
 public void setArtifactType(String artifactType) {
 this.artifactType = artifactType;
 }
-
+
 public String getArtifactURL() {
 return artifactURL;
 }
-
+
 public void setArtifactURL(String artifactURL) {
 this.artifactURL = artifactURL;
 }
-
+
 public String getArtifactChecksum() {
 return artifactChecksum;
 }
-
+
 public void setArtifactChecksum(String artifactChecksum) {
 this.artifactChecksum = artifactChecksum;
 }
-
+
 public String getArtifactDescription() {
 return artifactDescription;
 }
-
+
 public void setArtifactDescription(String artifactDescription) {
 this.artifactDescription = artifactDescription;
 }
-
+
 public Integer getArtifactTimeout() {
 return artifactTimeout;
 }
-
+
 public void setArtifactTimeout(Integer artifactTimeout) {
 this.artifactTimeout = artifactTimeout;
 }
-
+
 @Override
 public String toString() {
 return "BaseArtifactInfoImpl [artifactName=" + artifactName
@@ -274,39 +274,39 @@ public class K8sArtifactForwarderTest {
 + ", artifactUUID=" + artifactUUID
 + ", artifactTimeout=" + artifactTimeout + "]";
 }
-
+
 public String getArtifactVersion() {
 return artifactVersion;
 }
-
+
 public void setArtifactVersion(String artifactVersion) {
 this.artifactVersion = artifactVersion;
 }
-
+
 public String getArtifactUUID() {
 return artifactUUID;
 }
-
+
 public void setArtifactUUID(String artifactUUID) {
 this.artifactUUID = artifactUUID;
 }
-
+
 public String getGeneratedFromUUID() {
 return generatedFromUUID;
 }
-
+
 public void setGeneratedFromUUID(String generatedFromUUID) {
 this.generatedFromUUID = generatedFromUUID;
 }
-
+
 public IArtifactInfo getGeneratedArtifact() {
 return generatedArtifact;
 }
-
+
 public void setGeneratedArtifact(IArtifactInfo generatedArtifact) {
 this.generatedArtifact = generatedArtifact;
 }
-
+
 public List getRelatedArtifacts(){
 List temp = new ArrayList();
 if( relatedArtifactsInfo != null ){
@@ -314,19 +314,19 @@ public class K8sArtifactForwarderTest {
 }
 return temp;
 }
-
+
 public void setRelatedArtifacts(List relatedArtifacts) {
 this.relatedArtifacts = relatedArtifacts;
 }
-
+
 public void setRelatedArtifactsInfo(List relatedArtifactsInfo) {
 this.relatedArtifactsInfo = relatedArtifactsInfo;
 }
-
+
 public List getRelatedArtifactsUUID(){
 return relatedArtifacts;
 }
-
+
 }
diff --git a/artifactbroker/pom.xml b/artifactbroker/pom.xml
index 7cd8c94..1c873fb 100644
--- a/artifactbroker/pom.xml
+++ b/artifactbroker/pom.xml
@@ -25,15 +25,17 @@
 1.9.1-SNAPSHOT
 pom
 multicloud-framework-artifactbroker
-artifact broker
+artifact broker
 UTF-8
 UTF-8
 UTF-8
 https://nexus.onap.org
-1.2.3
 1.3.4
 1.3.5
+1.2.13
+2.12.7
+2.8.9
 java
 ${project.reporting.outputDirectory}/jacoco-ut/jacoco.xml
@@ -78,12 +80,12 @@
 ch.qos.logback
 logback-core
-${version.logback}
+${logback.version}
 ch.qos.logback
 logback-classic
-${version.logback}
+${logback.version}
 org.onap.policy.common
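Review bot: The rename of the property from `version.logback` to `logback.version` in the `@@ -25,15` hunk is only safe if nothing else in the multi-module build still interpolates `${version.logback}`; the two references in this pom are updated in the following hunk, but any sibling module that still uses the old name will resolve it to the literal string instead of failing the build, so grep the whole tree before merging. The new `jackson.version` property pins only the two direct declarations in this pom; a different jackson-databind can still arrive through a transitive path and win by nearest-wins resolution, so consider importing `com.fasterxml.jackson:jackson-bom` at the chosen version in `<dependencyManagement>` so that every Jackson module (databind, core, annotations) is forced to one aligned version. It is also worth checking the upstream release list before settling on the 2.12.7 value, since the databind module received later patch releases on that line — verify which is current.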
@@ -94,6 +96,16 @@
 org.onap.policy.common
 ONAP-Logging
 ${policy.common.version}
+
+
+org.mockito
+mockito-core
+
+
+org.powermock
+powermock-module-junit4
+
+
 org.onap.policy.common
@@ -103,17 +115,12 @@
 com.fasterxml.jackson.core
 jackson-databind
-2.12.3
+${jackson.version}
 com.fasterxml.jackson.core
 jackson-core
-2.12.3
-
-
-org.json
-json
-20160810
+${jackson.version}
 org.onap.policy.common
@@ -143,7 +150,7 @@
 com.google.code.gson
 gson
-2.8.4
+${gson.version}
@@ -239,6 +246,7 @@
 org.codehaus.mojo
 versions-maven-plugin
+2.18.0
 false
-- 
2.16.6
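Review bot: The exclusions added under the ONAP-Logging dependency keep mockito-core and powermock-module-junit4 off the compile classpath only along that one path; the commit message attributes them to eelf-core, so if eelf-core or either artifact is reachable through any other dependency of this pom or of a sibling module, they will still be resolved. A `maven-enforcer-plugin` `bannedDependencies` rule listing `org.mockito:mockito-core` and `org.powermock:*` outside test scope would make the intent enforceable rather than dependent on where the exclusion happens to sit. If tests in this module use Mockito, it presumably reached them transitively before and now needs an explicit `<scope>test</scope>` declaration — verify the test compile.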
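Review bot: Dropping the explicit org.json declaration leaves that library's version unpinned: the commit message says a newer version now arrives transitively via sdc-distribution-client, but under Maven's nearest-wins resolution a later change to any other dependency could reintroduce an older org.json without anyone touching this file. Add a `<dependencyManagement>` entry for `org.json:json` at the intended version, or an enforcer `requireUpperBoundDeps` rule, so the resolved version is stated in the build rather than inherited by accident. The commit message could also name the version that is expected to win, so a reviewer can confirm it against the dependency tree.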