From bd0767fc08a46c290b7a5d2f5dde1688c681cf0d Mon Sep 17 00:00:00 2001
From: Prudence Au <prudence.au@amdocs.com>
Date: Wed, 4 Sep 2019 19:57:07 -0400
Subject: Address vulnerability issues.

- exclude commons-beanutils from spring-boot-starter-velocity
- upgrade handlebars to version 4.1.2
- upgrade logback-classic to version 1.2.3
- upgrade xstream to version 1.4.11.1
- exclude dom4j from spring-boot-starter-velocity
- upgrade camel-core to version 2.21.5
- exclude struts-core from spring-boot-starter-velocity
- upgrade plexus-utils to version 3.0.22

Issue-ID: LOG-827
Issue-ID: LOG-1116
Issue-ID: LOG-1121
Issue-ID: LOG-1122
Issue-ID: LOG-1123
Issue-ID: LOG-1124
Issue-ID: LOG-1062
Issue-ID: LOG-1063
Signed-off-by: Prudence Au <prudence.au@amdocs.com>
Change-Id: Ib851883ba4338f800523bbdbdb714e39549e5ecd
---
 pom.xml                                            | 65 ++++++++++++++++++----
 .../unittest/service/SdncContextBuilderTest.java   |  3 +-
 2 files changed, 56 insertions(+), 12 deletions(-)

diff --git a/pom.xml b/pom.xml
index bb6cbc7..0b8c922 100644
--- a/pom.xml
+++ b/pom.xml
@@ -31,7 +31,7 @@ limitations under the License.
     </parent>
 
     <properties>
-        <camel-spring-boot.version>2.21.1</camel-spring-boot.version>
+        <camel-spring-boot.version>2.21.5</camel-spring-boot.version>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <swagger.directory>${project.build.directory}/generated-resources/swagger</swagger.directory>
         <!--docker -->
@@ -114,6 +114,20 @@ limitations under the License.
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-velocity</artifactId>
             <version>1.4.7.RELEASE</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>commons-beanutils</groupId>
+                    <artifactId>commons-beanutils</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>dom4j</groupId>
+                    <artifactId>dom4j</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.struts</groupId>
+                    <artifactId>struts-core</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
            <groupId>com.sun.jersey</groupId>
@@ -132,15 +146,6 @@ limitations under the License.
             <artifactId>camel-spring-boot-starter</artifactId>
             <version>${camel-spring-boot.version}</version>
         </dependency>
-        <dependency>
-            <groupId>org.apache.camel</groupId>
-            <artifactId>camel-core</artifactId>
-            <version>${camel-spring-boot.version}</version>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.camel</groupId>
-            <artifactId>camel-servlet-starter</artifactId>
-        </dependency>
         <!-- swagger dependencies -->
         <dependency>
             <groupId>io.swagger</groupId>
@@ -184,7 +189,13 @@ limitations under the License.
         <dependency>
             <groupId>org.onap.aai</groupId>
             <artifactId>rest-client</artifactId>
-            <version>1.2.1</version>
+            <version>1.3.0</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>ch.qos.logback</groupId>
+                    <artifactId>logback-classic</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <!-- Drools dependencies -->
         <dependency>
@@ -196,8 +207,26 @@ limitations under the License.
                     <groupId>commons-codec</groupId>
                     <artifactId>commons-codec</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>com.thoughtworks.xstream</groupId>
+                    <artifactId>xstream</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.codehaus.plexus</groupId>
+                    <artifactId>plexus-utils</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
+        <dependency>
+            <groupId>com.thoughtworks.xstream</groupId>
+            <artifactId>xstream</artifactId>
+            <version>1.4.11.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.codehaus.plexus</groupId>
+            <artifactId>plexus-utils</artifactId>
+            <version>3.0.22</version>
+        </dependency>
 
         <!-- Test dependencies -->
         <dependency>
@@ -225,6 +254,10 @@ limitations under the License.
                     <groupId>com.fasterxml.jackson.core</groupId>
                     <artifactId>jackson-databind</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>com.github.jknack</groupId>
+                    <artifactId>handlebars</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
@@ -242,6 +275,16 @@ limitations under the License.
             <artifactId>jackson-annotations</artifactId>
             <version>2.9.0</version>
         </dependency>
+        <dependency>
+            <groupId>com.github.jknack</groupId>
+            <artifactId>handlebars</artifactId>
+            <version>4.1.2</version>
+        </dependency>
+        <dependency>
+            <groupId>ch.qos.logback</groupId>
+            <artifactId>logback-classic</artifactId>
+            <version>1.2.3</version>
+        </dependency>
     </dependencies>
 
     <build>
diff --git a/src/test/java/org/onap/pomba/contextbuilder/sdnc/unittest/service/SdncContextBuilderTest.java b/src/test/java/org/onap/pomba/contextbuilder/sdnc/unittest/service/SdncContextBuilderTest.java
index b7fbd33..daa0cf7 100644
--- a/src/test/java/org/onap/pomba/contextbuilder/sdnc/unittest/service/SdncContextBuilderTest.java
+++ b/src/test/java/org/onap/pomba/contextbuilder/sdnc/unittest/service/SdncContextBuilderTest.java
@@ -30,6 +30,7 @@ import com.github.jknack.handlebars.internal.Files;
 import com.github.tomakehurst.wiremock.junit.WireMockRule;
 import java.io.File;
 import java.io.IOException;
+import java.nio.charset.Charset;
 import java.text.MessageFormat;
 import java.util.Collections;
 import javax.servlet.http.HttpServletRequest;
@@ -212,7 +213,7 @@ public class SdncContextBuilderTest {
 
     private void addResponse(String url, String responseFile, WireMockRule thisMock) throws IOException {
         File file = new File(ClassLoader.getSystemResource(responseFile).getFile());
-        String payload = Files.read(file);
+        String payload = Files.read(file, Charset.defaultCharset());
         thisMock.stubFor(get(url).willReturn(okJson(payload)));
     }
 
-- 
cgit 1.2.3-korg