From 5d5c39e47357f34c20ec53799442e3df107a5c24 Mon Sep 17 00:00:00 2001
From: Tomasz Wrobel <tomasz.wrobel@nokia.com>
Date: Thu, 23 Dec 2021 13:43:31 +0100
Subject: [PATCH] [OOM-CERT-SERVICE]Fix Apache log4j2 vulnerability

- Top up spring-boot to 2.5.8
- Top up Apache log4j2 to 2.17.1
- Top up spring-boot-starter-log4j2 to 2.6.2
- Add miising validator bean

Issue-ID: OOM-2903
Signed-off-by: Tomasz Wrobel <tomasz.wrobel@nokia.com>
Change-Id: I816c59e39344bb1fcc2833bcbd58af7fc1c30d78
---
 certService/pom.xml                                | 29 +++++++++++++--
 .../validation/ValidatorConfiguration.java         | 35 ++++++++++++++++++
 certServicePostProcessor/pom.xml                   | 20 +++++++++--
 pom.xml                                            | 42 ++++++++++++++++------
 4 files changed, 110 insertions(+), 16 deletions(-)
 create mode 100644 certService/src/main/java/org/onap/oom/certservice/certification/configuration/validation/ValidatorConfiguration.java

diff --git a/certService/pom.xml b/certService/pom.xml
index 7f559469..13fed005 100644
--- a/certService/pom.xml
+++ b/certService/pom.xml
@@ -32,8 +32,24 @@
             <artifactId>spring-boot-starter-web</artifactId>
         </dependency>
         <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-log4j2</artifactId>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-slf4j-impl</artifactId>
+            <version>${log4j2.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-api</artifactId>
+            <version>${log4j2.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-core</artifactId>
+            <version>${log4j2.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-jul</artifactId>
+            <version>${log4j2.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
@@ -78,7 +94,14 @@
         <dependency>
             <groupId>org.springframework.cloud</groupId>
             <artifactId>spring-cloud-starter-config</artifactId>
-            <version>${spring-cloud-starter-config.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.cloud</groupId>
+            <artifactId>spring-cloud-starter-bootstrap</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.hibernate.validator</groupId>
+            <artifactId>hibernate-validator</artifactId>
         </dependency>
     </dependencies>
 
diff --git a/certService/src/main/java/org/onap/oom/certservice/certification/configuration/validation/ValidatorConfiguration.java b/certService/src/main/java/org/onap/oom/certservice/certification/configuration/validation/ValidatorConfiguration.java
new file mode 100644
index 00000000..952e59f2
--- /dev/null
+++ b/certService/src/main/java/org/onap/oom/certservice/certification/configuration/validation/ValidatorConfiguration.java
@@ -0,0 +1,35 @@
+/*
+ * ============LICENSE_START=======================================================
+ * oom-certservice-api
+ * ================================================================================
+ * Copyright (C) 2021 Nokia. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
+
+package org.onap.oom.certservice.certification.configuration.validation;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.validation.beanvalidation.LocalValidatorFactoryBean;
+
+@Configuration
+public class ValidatorConfiguration {
+
+    @Bean
+    public LocalValidatorFactoryBean validator() {
+        return new LocalValidatorFactoryBean();
+    }
+}
diff --git a/certServicePostProcessor/pom.xml b/certServicePostProcessor/pom.xml
index c410a40a..5ea30809 100644
--- a/certServicePostProcessor/pom.xml
+++ b/certServicePostProcessor/pom.xml
@@ -166,8 +166,24 @@
             <artifactId>slf4j-api</artifactId>
         </dependency>
         <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-log4j2</artifactId>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-slf4j-impl</artifactId>
+            <version>${log4j2.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-api</artifactId>
+            <version>${log4j2.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-core</artifactId>
+            <version>${log4j2.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-jul</artifactId>
+            <version>${log4j2.version}</version>
         </dependency>
         <dependency>
             <groupId>org.bouncycastle</groupId>
diff --git a/pom.xml b/pom.xml
index 587d2d87..75c90ff0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -40,13 +40,14 @@
         <!-- Dependencies -->
         <assertj-core.version>3.15.0</assertj-core.version>
         <mockito-core.version>3.2.4</mockito-core.version>
-        <spring-core.version>5.2.3.RELEASE</spring-core.version>
-        <spring-boot-starter.version>2.2.4.RELEASE</spring-boot-starter.version>
         <maven-javadoc-plugin.version>3.1.1</maven-javadoc-plugin.version>
         <maven-surefire-plugin.version>3.0.0-M4</maven-surefire-plugin.version>
-        <spring-boot-starter-actuator.version>2.2.4.RELEASE</spring-boot-starter-actuator.version>
-        <spring-boot-starter-log4j2.version>2.1.5.RELEASE</spring-boot-starter-log4j2.version>
-        <spring-cloud-starter-config.version>2.2.1.RELEASE</spring-cloud-starter-config.version>
+        <spring-boot-starter.version>2.5.8</spring-boot-starter.version>
+        <spring-boot-starter-actuator.version>2.6.1</spring-boot-starter-actuator.version>
+        <spring-boot-starter-log4j2.version>2.6.2</spring-boot-starter-log4j2.version>
+
+        <spring.cloud-version>2020.0.3</spring.cloud-version>
+
         <springdoc-openapi-ui.version>1.2.30</springdoc-openapi-ui.version>
         <bouncycastle.version>1.60</bouncycastle.version>
         <docker-maven-plugin.version>0.33.0</docker-maven-plugin.version>
@@ -58,7 +59,7 @@
         <commons-io.version>2.6</commons-io.version>
         <junit.version>5.5.2</junit.version>
         <mockito-junit-jupiter.version>2.17.0</mockito-junit-jupiter.version>
-
+        <log4j2.version>2.17.1</log4j2.version>
         <!-- Docker -->
         <skipDockerPush>true</skipDockerPush>
         <maven.build.timestamp.format>yyyyMMdd'T'HHmmss</maven.build.timestamp.format>
@@ -184,11 +185,11 @@
                     </exclusion>
                 </exclusions>
             </dependency>
-            <dependency>
-                <groupId>org.springframework.boot</groupId>
-                <artifactId>spring-boot-starter-log4j2</artifactId>
-                <version>${spring-boot-starter-log4j2.version}</version>
-            </dependency>
+<!--            <dependency>-->
+<!--                <groupId>org.springframework.boot</groupId>-->
+<!--                <artifactId>spring-boot-starter-log4j2</artifactId>-->
+<!--                <version>${spring-boot-starter-log4j2.version}</version>-->
+<!--            </dependency>-->
             <dependency>
                 <groupId>org.springframework.boot</groupId>
                 <artifactId>spring-boot-starter-test</artifactId>
@@ -281,6 +282,25 @@
                 <scope>test</scope>
             </dependency>
 
+            <dependency>
+                <groupId>org.hibernate.validator</groupId>
+                <artifactId>hibernate-validator</artifactId>
+                <version>6.2.1.Final</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.logging.log4j</groupId>
+                <artifactId>log4j-bom</artifactId>
+                <version>${log4j2.version}</version>
+                <scope>import</scope>
+                <type>pom</type>
+            </dependency>
+            <dependency>
+                <groupId>org.springframework.cloud</groupId>
+                <artifactId>spring-cloud-dependencies</artifactId>
+                <version>${spring.cloud-version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 
-- 
2.16.6