From 4a1cd7d20355ccf09b1d6ae133ea2a3702416ffd Mon Sep 17 00:00:00 2001 From: Murali-P Date: Fri, 9 Mar 2018 10:54:43 +0530 Subject: [PATCH] Remove jackson to avoid security issues Fix security issues raised by LF Issue-ID: VNFSDK-161 Change-Id: I9cd93c56897b63e6153da06d11fc9b39a20f541b Signed-off-by: Murali-P --- vnfmarket-be/vnf-sdk-marketplace/pom.xml | 20 +----- .../onap/vnfsdk/marketplace/common/JsonUtil.java | 75 ---------------------- .../validatelifecycle/LifecycleTestExceutor.java | 11 ++-- .../vnfsdk/marketplace/wrapper/PackageWrapper.java | 5 +- .../marketplace/resource/PackageResourceTest.java | 18 ------ 5 files changed, 10 insertions(+), 119 deletions(-) delete mode 100644 vnfmarket-be/vnf-sdk-marketplace/src/main/java/org/onap/vnfsdk/marketplace/common/JsonUtil.java diff --git a/vnfmarket-be/vnf-sdk-marketplace/pom.xml b/vnfmarket-be/vnf-sdk-marketplace/pom.xml index 0f4fd776..cce15648 100644 --- a/vnfmarket-be/vnf-sdk-marketplace/pom.xml +++ b/vnfmarket-be/vnf-sdk-marketplace/pom.xml @@ -76,7 +76,7 @@ io.swagger swagger-jersey2-jaxrs - 1.5.3 + 1.5.18 @@ -163,22 +163,8 @@ ant 1.8.2 test - - - com.fasterxml.jackson.core - jackson-databind - 2.9.4 - - - org.codehaus.jackson - jackson-jaxrs - 1.9.13 - - - org.codehaus.jackson - jackson-mapper-asl - 1.9.13 - + + org.apache.commons diff --git a/vnfmarket-be/vnf-sdk-marketplace/src/main/java/org/onap/vnfsdk/marketplace/common/JsonUtil.java b/vnfmarket-be/vnf-sdk-marketplace/src/main/java/org/onap/vnfsdk/marketplace/common/JsonUtil.java deleted file mode 100644 index 1a47522c..00000000 --- a/vnfmarket-be/vnf-sdk-marketplace/src/main/java/org/onap/vnfsdk/marketplace/common/JsonUtil.java +++ /dev/null 
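Review bot: Removing the three direct Jackson declarations in the second pom.xml hunk does not by itself take Jackson off the classpath. The `swagger-jersey2-jaxrs` artifact that the first hunk keeps (and bumps to 1.5.18) depends, as far as I know, on Jackson through swagger-core, so the jars may still be resolved transitively. If the finding being addressed concerns the Jackson libraries themselves, check the result with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` and pin or exclude whatever remains. The commit message would also be easier to audit if it named the artifact and version the finding referred to.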
@@ -1,75 +0,0 @@
-/*
- * Copyright 2016 Huawei Technologies Co., Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.onap.vnfsdk.marketplace.common;
-
-import java.io.IOException;
-
-import org.codehaus.jackson.map.DeserializationConfig;
-import org.codehaus.jackson.map.ObjectMapper;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-/**
- * Json tools class, packaging a number of commonly used Json methods.
- *
- * @author
- * @version GSO 0.5 2016-08-26
- */
-public final class JsonUtil {
-
- private static final Logger LOGGER = LoggerFactory.getLogger(JsonUtil.class);
-
- private JsonUtil() {
- }
-
- /**
- * Convert object to JSON.
- *
- * @param obj The object to be converted
- * @return The JSON string
- * @since GSO 0.5
- */
- public static String toJson(Object obj) {
- try {
- return new ObjectMapper().writeValueAsString(obj);
- } catch (IOException ex) {
- LOGGER.error("Parser to json error.", ex);
- throw new IllegalArgumentException("Parser obj to json error, obj = " + obj, ex);
- }
- }
-
- /**
- * Convert JSON to object.
- *
- * @param jsonStr The JSON to be converted
- * @param objClass The object class
- * @return The objClass object
- * @since GSO 0.5
- */
- public static T fromJson(String jsonStr, Class objClass) {
- try {
- ObjectMapper mapper = new ObjectMapper();
- mapper.configure(DeserializationConfig.Feature.FAIL_ON_UNKNOWN_PROPERTIES, false);
- return mapper.readValue(jsonStr, objClass);
- } catch (IOException ex) {
- LOGGER.error("Parser to object error.", ex);
- throw new IllegalArgumentException(
- "Parser json to object error, json = " + jsonStr + ", expect class = " + objClass, ex);
- }
- }
-
-}
diff --git a/vnfmarket-be/vnf-sdk-marketplace/src/main/java/org/onap/vnfsdk/marketplace/onboarding/hooks/validatelifecycle/LifecycleTestExceutor.java b/vnfmarket-be/vnf-sdk-marketplace/src/main/java/org/onap/vnfsdk/marketplace/onboarding/hooks/validatelifecycle/LifecycleTestExceutor.java
index f48a07f3..d3f161f9 100644
--- a/vnfmarket-be/vnf-sdk-marketplace/src/main/java/org/onap/vnfsdk/marketplace/onboarding/hooks/validatelifecycle/LifecycleTestExceutor.java
+++ b/vnfmarket-be/vnf-sdk-marketplace/src/main/java/org/onap/vnfsdk/marketplace/onboarding/hooks/validatelifecycle/LifecycleTestExceutor.java
@@ -23,7 +23,6 @@ import org.apache.http.entity.ContentType;
 import org.apache.http.entity.mime.MultipartEntityBuilder;
 import org.onap.vnfsdk.marketplace.common.CommonConstant;
 import org.onap.vnfsdk.marketplace.common.FileUtil;
-import org.onap.vnfsdk.marketplace.common.JsonUtil;
 import org.onap.vnfsdk.marketplace.msb.MsbDetails;
 import org.onap.vnfsdk.marketplace.msb.MsbDetailsHolder;
 import org.onap.vnfsdk.marketplace.onboarding.entity.OnBoradingRequest;
@@ -129,11 +128,11 @@ public class LifecycleTestExceutor { return result; } - String rawDataJson = JsonUtil.toJson(oLifeCycleTestReq); - if (null == rawDataJson) { - logger.error("Failed to convert LifeCycleTestReq object to Json String !!!"); - return result; - } + String rawDataJson = ""; //TBD - Use Gson - jackson has security issue//JsonUtil.toJson(oLifeCycleTestReq); +// if (null == rawDataJson) { +// logger.error("Failed to convert LifeCycleTestReq object to Json String !!!"); +// return result; +// } RestResponse oResponse = RestfulClient.sendPostRequest(oMsbDetails.getDefaultServer().getHost(), oMsbDetails.getDefaultServer().getPort(), CommonConstant.LifeCycleTest.LIFECYCLE_TEST_URL, rawDataJson); diff --git a/vnfmarket-be/vnf-sdk-marketplace/src/main/java/org/onap/vnfsdk/marketplace/wrapper/PackageWrapper.java b/vnfmarket-be/vnf-sdk-marketplace/src/main/java/org/onap/vnfsdk/marketplace/wrapper/PackageWrapper.java index d779bf5f..d793a32b 100644 --- a/vnfmarket-be/vnf-sdk-marketplace/src/main/java/org/onap/vnfsdk/marketplace/wrapper/PackageWrapper.java +++ b/vnfmarket-be/vnf-sdk-marketplace/src/main/java/org/onap/vnfsdk/marketplace/wrapper/PackageWrapper.java @@ -38,7 +38,6 @@ import org.glassfish.jersey.media.multipart.FormDataContentDisposition; import org.onap.validation.csar.CsarValidator; import org.onap.vnfsdk.marketplace.common.CommonConstant; import org.onap.vnfsdk.marketplace.common.FileUtil; -import org.onap.vnfsdk.marketplace.common.JsonUtil; import org.onap.vnfsdk.marketplace.common.RestUtil; import org.onap.vnfsdk.marketplace.common.ToolUtil; import org.onap.vnfsdk.marketplace.db.entity.PackageData; 
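Review bot: The new `String rawDataJson = "";` makes `RestfulClient.sendPostRequest(...)` post an empty body to `LIFECYCLE_TEST_URL`, so `oLifeCycleTestReq` is built but never sent, and the lifecycle check can no longer reflect the package being onboarded. Until the Gson replacement named in the TBD exists, fail closed before the call with `logger.error("LifeCycleTestReq serialization is not available"); return result;`, or serialize here with `String rawDataJson = new Gson().toJson(oLifeCycleTestReq);` if Gson is already a dependency of this module (not visible in this patch). The commented-out null check should be deleted rather than kept as `//` code, since version control already holds the old lines. The enclosing method starts and ends outside this hunk.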
@@ -86,8 +85,8 @@ public class PackageWrapper { return Response.status(Status.EXPECTATION_FAILED).build(); } - ValidateLifecycleTestResponse lyfValidateResp = - JsonUtil.fromJson(reqParam, ValidateLifecycleTestResponse.class); + ValidateLifecycleTestResponse lyfValidateResp = null; //TBD - Use Gson - jackson has security issue/ + //JsonUtil.fromJson(reqParam, ValidateLifecycleTestResponse.class); if(!checkOperationSucess(lyfValidateResp)) { return Response.status(Status.EXPECTATION_FAILED).build(); } diff --git a/vnfmarket-be/vnf-sdk-marketplace/src/test/java/org/onap/vnfsdk/marketplace/resource/PackageResourceTest.java b/vnfmarket-be/vnf-sdk-marketplace/src/test/java/org/onap/vnfsdk/marketplace/resource/PackageResourceTest.java index 12812006..d1562f8f 100644 --- a/vnfmarket-be/vnf-sdk-marketplace/src/test/java/org/onap/vnfsdk/marketplace/resource/PackageResourceTest.java +++ b/vnfmarket-be/vnf-sdk-marketplace/src/test/java/org/onap/vnfsdk/marketplace/resource/PackageResourceTest.java @@ -35,13 +35,10 @@ import java.util.zip.ZipOutputStream; import javax.ws.rs.core.Response; -import org.apache.ibatis.exceptions.PersistenceException; -import org.codehaus.jackson.JsonNode; import org.glassfish.jersey.media.multipart.FormDataContentDisposition; import org.junit.Before; import org.junit.Test; import org.onap.vnfsdk.marketplace.common.FileUtil; -import org.onap.vnfsdk.marketplace.common.JsonUtil; import org.onap.vnfsdk.marketplace.common.ToolUtil; import org.onap.vnfsdk.marketplace.db.entity.PackageData; import org.onap.vnfsdk.marketplace.db.impl.MarketplaceDaoImpl; 
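Review bot: `lyfValidateResp` is now always `null`, so `reqParam` is never parsed and the outcome depends entirely on how `checkOperationSucess` (defined outside this hunk) treats null: either a NullPointerException that surfaces as a server error, or an unconditional `EXPECTATION_FAILED` for every caller. Parse the body into the one concrete class instead, `ValidateLifecycleTestResponse lyfValidateResp = new Gson().fromJson(reqParam, ValidateLifecycleTestResponse.class);`, assuming Gson is available to this module. Keep an explicit null check, because Gson returns null for empty input, and catch `JsonSyntaxException` so that a malformed request body produces a 4xx response rather than an unhandled exception. The enclosing method starts and ends outside this hunk.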
@@ -1032,21 +1029,6 @@ public class PackageResourceTest { assertEquals(res, true); } - @Test - public void testToJson() { - List listObj = new ArrayList(); - listObj.add("test"); - String res = JsonUtil.toJson(listObj); - assertNotNull(res); - } - - @Test - public void testfromJson() { - - String carJson = "{ \"brand\" : \"Mercedes\", \"doors\" : 5 }"; - JsonNode res = JsonUtil.fromJson(carJson, JsonNode.class); - assertNotNull(res); - } @Test public void testUnzip() { -- 2.16.6