Fix critical security issues

-change pom dependencies version

Change-Id: I8ea5410575f95e7054ca2d93a1c712a12607893a
Issue-ID: EXTAPI-126
Signed-off-by: romaingimbert <romain.gimbert@orange.com>

diff --git a/pom.xml b/pom.xml
index e7768ff..ddd06a9 100644 (file)
--- a/pom.xml
+++ b/pom.xml
@@ -113,13 +113,17 @@
                                        <groupId>org.apache.tomcat.embed</groupId>
                                        <artifactId>tomcat-embed-core</artifactId>
                                </exclusion>
+                               <exclusion>
+                                       <groupId>com.fasterxml.jackson.core</groupId>
+                                       <artifactId>jackson-databind</artifactId>
+                               </exclusion>
                        </exclusions>
                </dependency>
 
                <dependency>
                        <groupId>org.apache.tomcat.embed</groupId>
                        <artifactId>tomcat-embed-core</artifactId>
-                       <version>8.5.33</version>
+                       <version>8.5.32</version>
                </dependency>
 
                <dependency>
@@ -159,7 +163,7 @@
                <dependency>
                        <groupId>commons-beanutils</groupId>
                        <artifactId>commons-beanutils</artifactId>
-                       <version>1.9.0</version>
+                       <version>1.7.0</version>
                </dependency>
 
                <dependency>

diff --git a/src/main/java/org/onap/nbi/apis/servicecatalog/ServiceSpecificationService.java b/src/main/java/org/onap/nbi/apis/servicecatalog/ServiceSpecificationService.java
index 69e4a51..228e12d 100644 (file)
--- a/src/main/java/org/onap/nbi/apis/servicecatalog/ServiceSpecificationService.java
+++ b/src/main/java/org/onap/nbi/apis/servicecatalog/ServiceSpecificationService.java
@@ -19,7 +19,6 @@ import java.util.ArrayList;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
-import org.apache.commons.collections.CollectionUtils;
 import org.onap.nbi.apis.servicecatalog.jolt.FindServiceSpecJsonTransformer;
 import org.onap.nbi.apis.servicecatalog.jolt.GetServiceSpecJsonTransformer;
 import org.onap.nbi.apis.serviceorder.ServiceCatalogUrl;
@@ -27,6 +26,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
+import org.springframework.util.CollectionUtils;
 import org.springframework.util.MultiValueMap;
 
 @Service
@@ -67,7 +67,7 @@ public class ServiceSpecificationService {
     public List<LinkedHashMap> find(MultiValueMap<String, String> parametersMap) {
         List<LinkedHashMap> sdcResponse = sdcClient.callFind(parametersMap);
         List<LinkedHashMap> serviceCatalogResponse = new ArrayList<>();
-        if(CollectionUtils.isNotEmpty(sdcResponse)){
+        if(!CollectionUtils.isEmpty(sdcResponse)){
             serviceCatalogResponse =
                 findServiceSpecJsonTransformer.transform(sdcResponse);
         }

diff --git a/src/main/java/org/onap/nbi/apis/servicecatalog/ToscaInfosProcessor.java b/src/main/java/org/onap/nbi/apis/servicecatalog/ToscaInfosProcessor.java
index 6b70a18..54b5486 100644 (file)
--- a/src/main/java/org/onap/nbi/apis/servicecatalog/ToscaInfosProcessor.java
+++ b/src/main/java/org/onap/nbi/apis/servicecatalog/ToscaInfosProcessor.java
@@ -13,6 +13,8 @@
  */
 package org.onap.nbi.apis.servicecatalog;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
@@ -26,15 +28,13 @@ import java.util.Map.Entry;
 import java.util.Set;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
-import org.apache.commons.collections.CollectionUtils;
 import org.apache.commons.io.FileUtils;
 import org.onap.nbi.exceptions.TechnicalException;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.dataformat.yaml.YAMLFactory;
+import org.springframework.util.CollectionUtils;
 
 @Service
 public class ToscaInfosProcessor {
@@ -96,7 +96,7 @@ public class ToscaInfosProcessor {
             Object aDefault = parameter.get("default");
             if (parameter.get("entry_schema") != null) {
                 ArrayList entrySchema = (ArrayList) parameter.get("entry_schema");
-                if (CollectionUtils.isNotEmpty(entrySchema)) {
+                if (!CollectionUtils.isEmpty(entrySchema)) {
                     buildCharacteristicValuesFormShema(parameterType, serviceSpecCharacteristicValues, aDefault,
                             entrySchema);
                 }
@@ -110,7 +110,7 @@ public class ToscaInfosProcessor {
         LinkedHashMap constraints = (LinkedHashMap) entrySchema.get(0);
         if (constraints != null) {
             ArrayList constraintsList = (ArrayList) constraints.get("constraints");
-            if (CollectionUtils.isNotEmpty(constraintsList)) {
+            if (!CollectionUtils.isEmpty(constraintsList)) {
                 LinkedHashMap valuesMap = (LinkedHashMap) constraintsList.get(0);
                 if (valuesMap != null) {
                     List<Object> values = (List<Object>) valuesMap.get("valid_values");

diff --git a/src/main/java/org/onap/nbi/apis/serviceinventory/ServiceInventoryService.java b/src/main/java/org/onap/nbi/apis/serviceinventory/ServiceInventoryService.java
index d38d012..1564e9c 100644 (file)
--- a/src/main/java/org/onap/nbi/apis/serviceinventory/ServiceInventoryService.java
+++ b/src/main/java/org/onap/nbi/apis/serviceinventory/ServiceInventoryService.java
@@ -16,7 +16,6 @@ import java.util.ArrayList;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
-import org.apache.commons.collections.CollectionUtils;
 import org.onap.nbi.apis.serviceinventory.jolt.FindServiceInventoryJsonTransformer;
 import org.onap.nbi.apis.serviceinventory.jolt.GetServiceInventoryJsonTransformer;
 import org.onap.nbi.exceptions.BackendFunctionalException;
@@ -25,6 +24,7 @@ import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.stereotype.Service;
+import org.springframework.util.CollectionUtils;
 import org.springframework.util.MultiValueMap;
 import org.springframework.util.StringUtils;
 
@@ -137,7 +137,7 @@ public class ServiceInventoryService {
             buildServiceInstances(serviceInstances, customerId, serviceName);
         }
         List<LinkedHashMap> serviceInventoryResponse = new ArrayList<>();
-        if(CollectionUtils.isNotEmpty(serviceInstances)){
+        if(!CollectionUtils.isEmpty(serviceInstances)){
             serviceInventoryResponse =
                 findServiceInventoryJsonTransformer.transform(serviceInstances);
             for (LinkedHashMap serviceInventory : serviceInventoryResponse) {