Fixed Some Vulnerability Issues

Fixed the fastjson issue
Fixed the retrofit issue

Change-Id: Ife7dca0f0aeaf09c753615ef870b84867a970c8d
Issue-ID: HOLMES-345
Signed-off-by: GuangrongFu <fu.guangrong@zte.com.cn>

4 files changed, 33 insertions, 23 deletions

diff --git a/pom.xml b/pom.xml
index cb7bf34..9abc7e5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -107,9 +107,18 @@
                     <groupId>org.checkerframework</groupId>

                     <artifactId>checker-qual</artifactId>

                 </exclusion>

+                <exclusion>

+                    <groupId>com.squareup.retrofit2</groupId>

+                    <artifactId>retrofit</artifactId>

+                </exclusion>

             </exclusions>

         </dependency>

         <dependency>

+            <groupId>com.squareup.retrofit2</groupId>

+            <artifactId>retrofit</artifactId>

+            <version>2.5.0</version>

+        </dependency>

+        <dependency>

             <groupId>org.reflections</groupId>

             <artifactId>reflections</artifactId>

             <version>0.9.9</version>

@@ -313,10 +322,11 @@
             <version>3.2.2</version>

         </dependency>

         <dependency>

-            <groupId>com.alibaba</groupId>

-            <artifactId>fastjson</artifactId>

-            <version>1.2.49</version>

+            <groupId>com.google.code.gson</groupId>

+            <artifactId>gson</artifactId>

+            <version>2.8.6</version>

         </dependency>

+

         <dependency>

             <groupId>org.glassfish.jersey.core</groupId>

             <artifactId>jersey-server</artifactId>

diff --git a/rulemgt/src/main/java/org/onap/holmes/rulemgt/bolt/enginebolt/EngineWrapper.java b/rulemgt/src/main/java/org/onap/holmes/rulemgt/bolt/enginebolt/EngineWrapper.java
index b0bd1f5..479437e 100644
--- a/rulemgt/src/main/java/org/onap/holmes/rulemgt/bolt/enginebolt/EngineWrapper.java
+++ b/rulemgt/src/main/java/org/onap/holmes/rulemgt/bolt/enginebolt/EngineWrapper.java
@@ -1,5 +1,5 @@
 /**

- * Copyright 2017 ZTE Corporation.

+ * Copyright 2017-2020 ZTE Corporation.

  *

  * Licensed under the Apache License, Version 2.0 (the "License");

  * you may not use this file except in compliance with the License.

@@ -15,17 +15,18 @@
  */

 package org.onap.holmes.rulemgt.bolt.enginebolt;

 

-import com.alibaba.fastjson.JSON;

-import com.alibaba.fastjson.JSONObject;

-import javax.inject.Inject;

+import com.google.gson.JsonObject;

+import com.google.gson.JsonParser;

 import lombok.extern.slf4j.Slf4j;

 import org.apache.http.HttpResponse;

 import org.jvnet.hk2.annotations.Service;

+import org.onap.holmes.common.exception.CorrelationException;

 import org.onap.holmes.common.utils.HttpsUtils;

 import org.onap.holmes.rulemgt.bean.request.CorrelationCheckRule4Engine;

 import org.onap.holmes.rulemgt.bean.request.CorrelationDeployRule4Engine;

 import org.onap.holmes.rulemgt.constant.RuleMgtConstant;

-import org.onap.holmes.common.exception.CorrelationException;

+

+import javax.inject.Inject;

 

 @Service

 @Slf4j

@@ -44,9 +45,8 @@ public class EngineWrapper {
         if (response.getStatusLine().getStatusCode() == RuleMgtConstant.RESPONSE_STATUS_OK) {

             log.info("Succeeded in calling the rule deployment RESTful API from the engine management service.");

             try {

-               // JSONObject json = JSONObject.fromObject(HttpsUtils.extractResponseEntity(response));

-                JSONObject json=  JSON.parseObject(HttpsUtils.extractResponseEntity(response));

-                return json.get(RuleMgtConstant.PACKAGE).toString();

+                JsonObject json = JsonParser.parseString(HttpsUtils.extractResponseEntity(response)).getAsJsonObject();

+                return json.get(RuleMgtConstant.PACKAGE).getAsString();

             } catch (Exception e) {

                 throw new CorrelationException("Failed to parse the value returned by the engine management service.", e);

             }

diff --git a/rulemgt/src/main/java/org/onap/holmes/rulemgt/dcae/DcaeConfigurationPolling.java b/rulemgt/src/main/java/org/onap/holmes/rulemgt/dcae/DcaeConfigurationPolling.java
index dcd530c..e6bc790 100644
--- a/rulemgt/src/main/java/org/onap/holmes/rulemgt/dcae/DcaeConfigurationPolling.java
+++ b/rulemgt/src/main/java/org/onap/holmes/rulemgt/dcae/DcaeConfigurationPolling.java
@@ -1,5 +1,5 @@
 /**
- * Copyright 2017 ZTE Corporation.
+ * Copyright 2017-2020 ZTE Corporation.
  * <p>
  * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except
  * in compliance with the License. You may obtain a copy of the License at
@@ -13,14 +13,8 @@
  */
 package org.onap.holmes.rulemgt.dcae;
 
-import com.alibaba.fastjson.JSONObject;
-
-import java.io.IOException;
-import java.io.UnsupportedEncodingException;
-import java.util.HashMap;
-import java.util.List;
-import javax.ws.rs.core.MediaType;
 
+import com.google.gson.Gson;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.http.HttpResponse;
 import org.apache.http.client.methods.HttpDelete;
@@ -39,6 +33,12 @@ import org.onap.holmes.rulemgt.bean.request.RuleCreateRequest;
 import org.onap.holmes.rulemgt.bean.response.RuleQueryListResponse;
 import org.onap.holmes.rulemgt.bean.response.RuleResult4API;
 
+import javax.ws.rs.core.MediaType;
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.util.HashMap;
+import java.util.List;
+
 @Slf4j
 public class DcaeConfigurationPolling implements Runnable {
 
@@ -106,7 +106,7 @@ public class DcaeConfigurationPolling implements Runnable {
             httpClient = HttpsUtils.getConditionalHttpsClient(HttpsUtils.DEFUALT_TIMEOUT);
             HttpResponse httpResponse = HttpsUtils.get(httpGet, headers, httpClient);
             String response = HttpsUtils.extractResponseEntity(httpResponse);
-            return JSONObject.parseObject(response, RuleQueryListResponse.class);
+            return GsonUtil.jsonToBean(response, RuleQueryListResponse.class);
         } finally {
             httpGet.releaseConnection();
             closeHttpClient(httpClient);
diff --git a/rulemgt/src/test/java/org/onap/holmes/rulemgt/dcae/DcaeConfigurationPollingTest.java b/rulemgt/src/test/java/org/onap/holmes/rulemgt/dcae/DcaeConfigurationPollingTest.java
index 53e60c8..6b640b2 100644
--- a/rulemgt/src/test/java/org/onap/holmes/rulemgt/dcae/DcaeConfigurationPollingTest.java
+++ b/rulemgt/src/test/java/org/onap/holmes/rulemgt/dcae/DcaeConfigurationPollingTest.java
@@ -1,5 +1,5 @@
 /**
- * Copyright 2017 ZTE Corporation.
+ * Copyright 2017-2020 ZTE Corporation.
  * <p>
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,7 +15,6 @@
  */
 package org.onap.holmes.rulemgt.dcae;
 
-import com.alibaba.fastjson.JSONObject;
 import org.apache.http.HttpResponse;
 import org.apache.http.StatusLine;
 import org.apache.http.client.methods.HttpDelete;
@@ -31,6 +30,7 @@ import org.junit.runner.RunWith;
 import org.onap.holmes.common.dcae.DcaeConfigurationQuery;
 import org.onap.holmes.common.dcae.entity.DcaeConfigurations;
 import org.onap.holmes.common.dcae.entity.Rule;
+import org.onap.holmes.common.utils.GsonUtil;
 import org.onap.holmes.common.utils.HttpsUtils;
 import org.onap.holmes.rulemgt.bean.response.RuleQueryListResponse;
 import org.onap.holmes.rulemgt.bean.response.RuleResult4API;
@@ -82,7 +82,7 @@ public class DcaeConfigurationPollingTest {
         expect(HttpsUtils.getConditionalHttpsClient(30000)).andReturn(clientMock);
         expect(HttpsUtils.get(anyObject(HttpGet.class), anyObject(HashMap.class), anyObject(CloseableHttpClient.class)))
                 .andReturn(httpResponseMock);
-        expect(HttpsUtils.extractResponseEntity(httpResponseMock)).andReturn(JSONObject.toJSONString(ruleQueryListResponse));
+        expect(HttpsUtils.extractResponseEntity(httpResponseMock)).andReturn(GsonUtil.beanToJson(ruleQueryListResponse));
         clientMock.close();
         expectLastCall();