Fix critical security issues 51/64651/1
authorromaingimbert <romain.gimbert@orange.com>
Wed, 5 Sep 2018 08:28:44 +0000 (10:28 +0200)
committerromaingimbert <romain.gimbert@orange.com>
Wed, 5 Sep 2018 08:28:44 +0000 (10:28 +0200)
- Change pom dependency versions

Change-Id: Ib378ac1d8a05345494dcda0299dd5715b04de14e
Issue-ID: EXTAPI-126
Signed-off-by: romaingimbert <romain.gimbert@orange.com>
pom.xml
src/main/java/org/onap/nbi/apis/hub/service/EventFactory.java
src/main/java/org/onap/nbi/apis/serviceorder/utils/JsonEntityConverter.java
src/main/java/org/onap/nbi/commons/JacksonFilter.java

diff --git a/pom.xml b/pom.xml
index 0aa9fde..1a42cd8 100644 (file)
--- a/pom.xml
+++ b/pom.xml
                        </exclusions>
                </dependency>
 
+               <dependency>
+                       <groupId>com.fasterxml.jackson.core</groupId>
+                       <artifactId>jackson-databind</artifactId>
+                       <version>2.8.11.2</version>
+               </dependency>
+
                <dependency>
                        <groupId>org.apache.tomcat.embed</groupId>
                        <artifactId>tomcat-embed-core</artifactId>
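Review bot: The new `jackson-databind` 2.8.11.2 entry carries no comment saying it is a security pin, and only databind is pinned, so `jackson-core` and `jackson-annotations` still resolve to whatever the parent or transitive dependencies supply and may drift from the 2.8 line. Because a direct dependency already wins Maven's version mediation, the `<exclusions>` added in the later hunks for json-utils, spring-cloud-contract-wiremock and msb-java-sdk look redundant. A single `<dependencyManagement>` entry for `jackson-databind` would state the intent in one place and would also cover any module that does not declare the dependency directly. I would add `<!-- security pin for EXTAPI-126: check the resolved databind version before changing -->` above the dependency and confirm the outcome with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core`. Whether a parent pom already manages Jackson versions is not visible in this hunk.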
                <dependency>
                        <groupId>commons-beanutils</groupId>
                        <artifactId>commons-beanutils</artifactId>
-                       <version>1.7.0</version>
+                       <version>1.9.3</version>
                </dependency>
 
                <dependency>
                        <groupId>com.bazaarvoice.jolt</groupId>
                        <artifactId>json-utils</artifactId>
                        <version>0.1.0</version>
+                       <exclusions>
+                               <exclusion>
+                                       <groupId>com.fasterxml.jackson.core</groupId>
+                                       <artifactId>jackson-databind</artifactId>
+                               </exclusion>
+                       </exclusions>
                </dependency>
 
                <!-- test -->
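Review bot: Moving `commons-beanutils` from 1.7.0 to 1.9.3 is not sufficient on its own if the concern is bean population reaching the `class` property. As far as I know, 1.9.3 ships `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` but does not register it by default, so that property stays reachable until the application adds the introspector itself or moves to a release that enables it by default. If any code path populates beans from request data, register it once at startup, e.g. `PropertyUtils.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);`. No such call is visible in this commit, and whether BeanUtils ever sees caller-controlled property names here cannot be told from the diff.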
                        <artifactId>spring-cloud-contract-wiremock</artifactId>
                        <version>1.0.0.RELEASE</version>
                        <scope>test</scope>
+                       <exclusions>
+                               <exclusion>
+                                       <groupId>com.fasterxml.jackson.core</groupId>
+                                       <artifactId>jackson-databind</artifactId>
+                               </exclusion>
+                       </exclusions>
                </dependency>
 
                <dependency>
                        <groupId>org.onap.msb.java-sdk</groupId>
                        <artifactId>msb-java-sdk</artifactId>
                        <version>1.1.1</version>
+                       <exclusions>
+                               <exclusion>
+                                       <groupId>com.fasterxml.jackson.core</groupId>
+                                       <artifactId>jackson-databind</artifactId>
+                               </exclusion>
+                       </exclusions>
                </dependency>
 
        </dependencies>
index 8083fff..b2a017c 100644 (file)
@@ -16,6 +16,7 @@
 package org.onap.nbi.apis.hub.service;
 
 import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.MappingJsonFactory;
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import org.onap.nbi.apis.hub.model.Event;
@@ -30,7 +31,7 @@ import java.util.UUID;
 
 public class EventFactory {
 
-    private static final ObjectMapper mapper = new ObjectMapper();
+    private static final ObjectMapper mapper = new ObjectMapper(new MappingJsonFactory());
 
     public static Event getEvent(EventType eventType, ServiceOrder serviceOrder, ServiceOrderItem serviceOrderItem) {
         Event event = new Event();
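Review bot: Passing `new MappingJsonFactory()` to the `ObjectMapper` constructor for the `mapper` field does not appear to harden anything: as far as I know the no-argument constructor already installs a `MappingJsonFactory`, so the mapper parses and binds exactly as before. The same substitution is made for `JsonEntityConverter.MAPPER` and inside `JacksonFilter.createNode`, where the mapper is additionally rebuilt on every call instead of being a shared `private static final` field. If the explicit factory is there to satisfy a scanner, a comment such as `// explicit factory kept for <scanner rule>; behaviour equals new ObjectMapper()` would stop a later reader from treating it as a mitigation. The protection in this commit comes from the databind version in pom.xml; for the mappers themselves the property to preserve is that default typing is never enabled on them. The class body continues beyond this hunk, so any mapper configuration elsewhere in the file is not visible here.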
index 7be84c2..1821f0a 100644 (file)
@@ -15,6 +15,7 @@
  */
 package org.onap.nbi.apis.serviceorder.utils;
 
+import com.fasterxml.jackson.databind.MappingJsonFactory;
 import java.io.IOException;
 import org.onap.nbi.apis.serviceorder.model.orchestrator.ServiceOrderInfo;
 import com.fasterxml.jackson.databind.ObjectMapper;
@@ -24,7 +25,7 @@ public final class JsonEntityConverter {
     private JsonEntityConverter() {
     }
 
-    private static final ObjectMapper MAPPER = new ObjectMapper();
+    private static final ObjectMapper MAPPER = new ObjectMapper(new MappingJsonFactory());
 
     public static String convertServiceOrderInfoToJson(ServiceOrderInfo serviceOrderInfo) {
         return MAPPER.valueToTree(serviceOrderInfo).toString();
index 07c113e..97f6cf2 100644 (file)
@@ -15,6 +15,7 @@
  */
 package org.onap.nbi.commons;
 
+import com.fasterxml.jackson.databind.MappingJsonFactory;
 import java.math.BigDecimal;
 import java.util.ArrayList;
 import java.util.Arrays;
@@ -59,7 +60,7 @@ public class JacksonFilter {
     }
 
     public static <R> ObjectNode createNode(R bean, JsonRepresentation jsonRepresentation) {
-        ObjectMapper mapper = new ObjectMapper();
+        ObjectMapper mapper = new ObjectMapper(new MappingJsonFactory());
         return JacksonFilter.createNode(mapper, bean, jsonRepresentation.getAttributes());
     }