From 1b152bb4b1a70f30790d8ed66b0294d911d7ccee Mon Sep 17 00:00:00 2001
From: vv770d <vv770d@att.com>
Date: Tue, 14 Dec 2021 23:28:16 +0000
Subject: [DCAE/ves] Remediation for Log4Shell vulnerability

Change-Id: I74221f5e661c1065d94542df403dd2134f7d93e1
Signed-off-by: vv770d <vv770d@att.com>
Issue-ID: DCAEGEN2-3022
---
 Changelog.md       | 138 +++++++++++++++++++++++++++++++----------------------
 pom.xml            |  17 +++++--
 version.properties |   2 +-
 3 files changed, 96 insertions(+), 61 deletions(-)

diff --git a/Changelog.md b/Changelog.md
index 91cf77bb..c8997400 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -4,65 +4,89 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 and this project adheres to [Semantic Versioning](http://semver.org/).
 
-## [1.6.0] - 13/05/2020
-        - [DCAEGEN2-608](https://jira.onap.org/browse/DCAEGEN2-608) - Expose Prometheus API for performance tests
-## [1.6.1] - 21/05/2020
-        - [DCAEGEN2-608](https://jira.onap.org/browse/DCAEGEN2-608) - Deployment Prometheus and Grafana on RKE for perf tests
-## [1.6.2] - 01/06/2020
-        - [DCAEGEN2-2245](https://jira.onap.org/browse/DCAEGEN2-2245) - Code improvements 
-          Increase code coverage:
-           - HeaderUtil
-           - EnvProps
-           - WebMvcConfig 
-## [1.7.0] - 09/07/2020
-        - [DCAEGEN2-2254](https://jira.onap.org/browse/DCAEGEN2-2254) - Update schema to CommonEventFormat_30.2_ONAP in the eventListerner/v7 interface
-## [1.7.1] - 13/07/2020
-        - [DCAEGEN2-1484](https://jira.onap.org/browse/DCAEGEN2-1484) - VESCollector DMaap publish optimization
-        - [DCAEGEN2-2254](https://jira.onap.org/browse/DCAEGEN2-2254) - Add new data-format for 30.2_ONAP schema version
-## [1.7.2] - 04/08/2020
-        - [DCAEGEN2-1771](https://jira.onap.org/browse/DCAEGEN2-1771) - Add StndDefined event routing to dmaap streams defined in namespace event field - no second stage event validation.
-          Fix error response model
-          Update DPO model
-## [1.7.3] - 10/08/2020
-        - [DCAEGEN2-2264](https://jira.onap.org/browse/DCAEGEN2-2264) - Add implementation of stndDefined fields validation
-## [1.7.4] - 04/08/2020
-        - [DCAEGEN2-2212](https://jira.onap.org/browse/DCAEGEN2-2212) - Config fetch for VESCollector through DCAE-SDK (CBS Client)
-        - [DCAEGEN2-2264](https://jira.onap.org/browse/DCAEGEN2-2264) - Post stndDefined implementation fixes  
-## [1.7.5] - 09/09/2020
-        - [DCAEGEN2-2264](https://jira.onap.org/browse/DCAEGEN2-2264) - Update schema-map.json
-        - [DCAEGEN2-2426](https://jira.onap.org/browse/DCAEGEN2-2426) - Fix bug throwing exception when first event is collected
-## [1.7.6] - 18/09/2020
-        - [DCAEGEN-2374](https://jira.onap.org/browse/DCAEGEN2-2374) - Fix an error reported by DMaapEventPublisher test when pk is not available.
-        - [DCAEGEN2-2453](https://jira.onap.org/browse/DCAEGEN2-2453) - Fix VES problem with subsequent fetching from CBS.
-## [1.7.7] - 29/09/2020
-         - [DCAEGEN2-2462](https://jira.onap.org/browse/DCAEGEN2-2462) - Adapt schema-map.json and test files to updated 3GPP repos 
-## [1.7.8] - 13/10/2020
-          - [DCAEGEN2-2478](https://jira.onap.org/browse/DCAEGEN2-2478) - Add logs from external-repo-manager lib
-## [1.7.9] - 01/11/2020
-         -  [DCAEGEN2-2495](https://jira.onap.org/browse/DCAEGEN2-2495) - Ves Collector is down because of java heap space
-## [1.7.10] - 10/02/2021
-         -  [DCAEGEN2-2593](https://jira.onap.org/browse/DCAEGEN2-2593) - Vulnerability removal for ves collector
-## [1.7.11] - 18/02/2021
-         -  [DCAEGEN2-2593](https://jira.onap.org/browse/DCAEGEN2-2593) - Vulnerability removal for ves collector
-            Fix sonar reporting problem
-## [1.8.0] - 24/02/2021
-         -  [DCAEGEN2-2477](https://jira.onap.org/browse/DCAEGEN2-2477) - Update VESCollector CommonEventSchema to ONAP/Honolulu version            
-## [1.9.0] - 18/03/2021
-         -  [DCAEGEN2-2682](https://jira.onap.org/browse/DCAEGEN2-2682) - Update libraries
-## [1.9.1] - 22/03/2021
-         -  [DCAEGEN2-2683](https://jira.onap.org/browse/DCAEGEN2-2683) - Enable Spring Prometheus metrics end-point in VES
-            Remove mvn profile for enable/disable Prometheus metrics
-## [1.9.2] - 14/05/2021
-         -  [DCAEGEN2-2683](https://jira.onap.org/browse/DCAEGEN2-2683) - Enable Spring Prometheus metrics end-point in VES
-            Temporary add mvn profile for enabling/disabling Prometheus metrics            
-## [1.10.0] - 11/06/2021
+## [1.10.2] - 2021/12/14
+         - [DCAEGEN2-3022] - Remediation for Log4Shell vulnerability
+
+## [1.10.1] - 2021/08/31
+         -  [DCAEGEN2-1483](https://jira.onap.org/browse/DCAEGEN2-2719) - CBS-Client supporting configMap
+            - update CBS-Client from 1.8.0 to 1.8.7 in order to enable config file support
+            - fix ambiguous spring-boot-maven-plugin import - set it to 2.4.3
+            - fix ambiguous base docker image - set it to openjdk:11.0.11-jre-slim
+
+## [1.10.0] - 2021/06/11
          -  [DCAEGEN2-1483](https://jira.onap.org/browse/DCAEGEN2-1483) - VESCollector Event ordering
             - remove cambria, add DmaaP client
             - sending event for many topics at once is no longer supported
             - add backward compatibility status codes
             - add additional validation for batchEvent            
-## [1.10.1] - 31/08/2021
-         -  [DCAEGEN2-1483](https://jira.onap.org/browse/DCAEGEN2-2719) - CBS-Client supporting configMap
-            - update CBS-Client from 1.8.0 to 1.8.7 in order to enable config file support
-            - fix ambiguous spring-boot-maven-plugin import - set it to 2.4.3
-            - fix ambiguous base docker image - set it to openjdk:11.0.11-jre-slim
+
+## [1.9.2] - 2021/05/14
+         -  [DCAEGEN2-2683](https://jira.onap.org/browse/DCAEGEN2-2683) - Enable Spring Prometheus metrics end-point in VES
+            Temporary add mvn profile for enabling/disabling Prometheus metrics            
+
+## [1.9.1] - 2021/03/22
+         -  [DCAEGEN2-2683](https://jira.onap.org/browse/DCAEGEN2-2683) - Enable Spring Prometheus metrics end-point in VES
+            Remove mvn profile for enable/disable Prometheus metrics
+
+## [1.9.0] - 2021/03/18
+         -  [DCAEGEN2-2682](https://jira.onap.org/browse/DCAEGEN2-2682) - Update libraries
+
+## [1.8.0] - 2021/02/24
+         -  [DCAEGEN2-2477](https://jira.onap.org/browse/DCAEGEN2-2477) - Update VESCollector CommonEventSchema to ONAP/Honolulu version            
+
+## [1.7.11] - 2021/02/18
+         -  [DCAEGEN2-2593](https://jira.onap.org/browse/DCAEGEN2-2593) - Vulnerability removal for ves collector
+            Fix sonar reporting problem
+
+## [1.7.10] - 2021/02/10
+         -  [DCAEGEN2-2593](https://jira.onap.org/browse/DCAEGEN2-2593) - Vulnerability removal for ves collector
+
+## [1.7.9] - 2020/11/01
+         -  [DCAEGEN2-2495](https://jira.onap.org/browse/DCAEGEN2-2495) - Ves Collector is down because of java heap space
+
+## [1.7.8] - 2020/10/13
+          - [DCAEGEN2-2478](https://jira.onap.org/browse/DCAEGEN2-2478) - Add logs from external-repo-manager lib
+
+## [1.7.7] - 2020/09/29
+         - [DCAEGEN2-2462](https://jira.onap.org/browse/DCAEGEN2-2462) - Adapt schema-map.json and test files to updated 3GPP repos 
+
+## [1.7.6] - 2020/09/18
+        - [DCAEGEN-2374](https://jira.onap.org/browse/DCAEGEN2-2374) - Fix an error reported by DMaapEventPublisher test when pk is not available.
+        - [DCAEGEN2-2453](https://jira.onap.org/browse/DCAEGEN2-2453) - Fix VES problem with subsequent fetching from CBS.
+
+## [1.7.5] - 2020/09/09
+        - [DCAEGEN2-2264](https://jira.onap.org/browse/DCAEGEN2-2264) - Update schema-map.json
+        - [DCAEGEN2-2426](https://jira.onap.org/browse/DCAEGEN2-2426) - Fix bug throwing exception when first event is collected
+
+## [1.7.4] - 2020/08/04
+        - [DCAEGEN2-2212](https://jira.onap.org/browse/DCAEGEN2-2212) - Config fetch for VESCollector through DCAE-SDK (CBS Client)
+        - [DCAEGEN2-2264](https://jira.onap.org/browse/DCAEGEN2-2264) - Post stndDefined implementation fixes  
+
+## [1.7.3] - 2020/08/10
+        - [DCAEGEN2-2264](https://jira.onap.org/browse/DCAEGEN2-2264) - Add implementation of stndDefined fields validation
+
+## [1.7.2] - 2020/08/04
+        - [DCAEGEN2-1771](https://jira.onap.org/browse/DCAEGEN2-1771) - Add StndDefined event routing to dmaap streams defined in namespace event field - no second stage event validation.
+          Fix error response model
+          Update DPO model
+
+## [1.7.1] - 2020/07/13
+        - [DCAEGEN2-1484](https://jira.onap.org/browse/DCAEGEN2-1484) - VESCollector DMaap publish optimization
+        - [DCAEGEN2-2254](https://jira.onap.org/browse/DCAEGEN2-2254) - Add new data-format for 30.2_ONAP schema version
+
+## [1.7.0] - 2020/07/09
+        - [DCAEGEN2-2254](https://jira.onap.org/browse/DCAEGEN2-2254) - Update schema to CommonEventFormat_30.2_ONAP in the eventListerner/v7 interface
+
+## [1.6.2] - 2020/06/01
+        - [DCAEGEN2-2245](https://jira.onap.org/browse/DCAEGEN2-2245) - Code improvements 
+          Increase code coverage:
+           - HeaderUtil
+           - EnvProps
+           - WebMvcConfig 
+
+## [1.6.1] - 2020/05/21
+        - [DCAEGEN2-608](https://jira.onap.org/browse/DCAEGEN2-608) - Deployment Prometheus and Grafana on RKE for perf tests
+
+## [1.6.0] - 2020/05/13
+        - [DCAEGEN2-608](https://jira.onap.org/browse/DCAEGEN2-608) - Expose Prometheus API for performance tests
+
diff --git a/pom.xml b/pom.xml
index b4fb8830..acfb8183 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0"?>
 <!--
     ================================================================================
-	Copyright (c) 2017-2019 AT&T Intellectual Property. All rights reserved.
+	Copyright (c) 2017-2019,2021 AT&T Intellectual Property. All rights reserved.
 	Copyright (c) 2020-2021 Nokia. All rights reserved.
 	================================================================================
 	Licensed under the Apache License, Version 2.0 (the "License"); you may not
@@ -24,7 +24,7 @@
   </parent>
   <groupId>org.onap.dcaegen2.collectors.ves</groupId>
   <artifactId>VESCollector</artifactId>
-  <version>1.10.1-SNAPSHOT</version>
+  <version>1.10.2-SNAPSHOT</version>
   <name>dcaegen2-collectors-ves</name>
   <description>VESCollector</description>
   <properties>
@@ -65,7 +65,8 @@
     <commons-collections.version>3.2.2</commons-collections.version>
     <commons-configuration.version>1.10</commons-configuration.version>
     <vavr.version>0.10.3</vavr.version>
-    <spring-boot-starter-log4j2.version>2.4.3</spring-boot-starter-log4j2.version>
+    <spring-boot-starter-log4j2.version>2.6.1</spring-boot-starter-log4j2.version>
+    <log4j.version>2.16.0</log4j.version>
     <springfox-swagger2.version>3.0.0</springfox-swagger2.version>
     <assertj-core.version>3.19.0</assertj-core.version>
     <spring-boot-starter-test.version>2.2.13.RELEASE</spring-boot-starter-test.version>
@@ -393,6 +394,16 @@
       <artifactId>spring-boot-starter-log4j2</artifactId>
       <version>${spring-boot-starter-log4j2.version}</version>
     </dependency>
+    <dependency>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-core</artifactId>
+      <version>${log4j.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-api</artifactId>
+      <version>${log4j.version}</version>
+    </dependency>
     <dependency>
       <groupId>io.springfox</groupId>
       <artifactId>springfox-swagger2</artifactId>
diff --git a/version.properties b/version.properties
index 81b72c03..6569402c 100644
--- a/version.properties
+++ b/version.properties
@@ -1,6 +1,6 @@
 major=1
 minor=10
-patch=1
+patch=2
 base_version=${major}.${minor}.${patch}
 release_version=${base_version}
 snapshot_version=${base_version}-SNAPSHOT
-- 
cgit 1.2.3-korg