author | Andreas Geissler <andreas-geissler@telekom.de> | 2022-09-12 13:27:04 +0200 |
---|---|---|
committer | Andreas Geissler <andreas-geissler@telekom.de> | 2022-09-20 10:08:05 +0200 |
commit | 0587da741a0edad6e5eefedbc1d200f0e2c81f2b (patch) | |
tree | 2db6f1849ce6c01e2ee945ae8a50e3459bae054e | |
parent | 187d1435142c50e627890ddd5049a9f43ebbe1a2 (diff) |
[OOM-CERT-SERVICE] Fix vulnerabilities for Kohn
- update gson to 2.9.0
- update commons-io to 2.11.0
- update httpclient to 4.5.13
- update bcprov-jdk15on to 1.70
- left version of sonar-go-plugin at 1.1.1.2000
- fix the implementation with respect to the update
- include py3.8 fix (https://gerrit.onap.org/r/c/oom/platform/cert-service/+/130574)
Issue-ID: OOM-2985
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>
Change-Id: I0d6b775c3f09b283900981c49db4abaf80d33b11
-rw-r--r-- | certService/pom.xml | 4 | ||||
-rw-r--r-- | certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java | 5 | ||||
-rw-r--r-- | certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java | 5 | ||||
-rw-r--r-- | certService/src/main/java/org/onap/oom/certservice/cmpv2client/validation/CmpResponseValidationHelper.java | 3 | ||||
-rw-r--r-- | certServiceClient/pom.xml | 4 | ||||
-rw-r--r-- | certServiceK8sExternalProvider/pom.xml | 2 | ||||
-rw-r--r-- | certServicePostProcessor/pom.xml | 4 | ||||
-rw-r--r-- | certServicePostProcessor/src/main/java/org/onap/oom/certservice/postprocessor/merger/model/PemTruststore.java | 17 | ||||
-rw-r--r-- | docs/conf.py | 3 | ||||
-rw-r--r-- | docs/tox.ini | 8 | ||||
-rw-r--r-- | pom.xml | 10 | ||||
-rw-r--r-- | version.properties | 2 |
12 files changed, 41 insertions, 26 deletions
diff --git a/certService/pom.xml b/certService/pom.xml
index 13fed005..973da643 100644
--- a/certService/pom.xml
+++ b/certService/pom.xml
@@ -18,10 +18,10 @@
 <parent>
 <groupId>org.onap.oom.platform.cert-service</groupId>
 <artifactId>oom-certservice</artifactId>
- <version>2.5.0-SNAPSHOT</version>
+ <version>2.6.0-SNAPSHOT</version>
 </parent>
 <artifactId>oom-certservice-api</artifactId>
- <version>2.5.0-SNAPSHOT</version>
+ <version>2.6.0-SNAPSHOT</version>
 <name>oom-certservice-api</name>
 <description>OOM Certification Service Api</description>
 <packaging>jar</packaging>
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java
index 463451bd..3fac6656 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpMessageHelper.java
@@ -31,10 +31,11 @@ import java.security.Signature;
 import java.security.SignatureException;
 import java.util.Date;
+import org.bouncycastle.asn1.ASN1Encoding;
 import org.bouncycastle.asn1.ASN1EncodableVector;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.DERBitString;
-import org.bouncycastle.asn1.DEROutputStream;
+import org.bouncycastle.asn1.ASN1OutputStream;
 import org.bouncycastle.asn1.DERSequence;
 import org.bouncycastle.asn1.DERTaggedObject;
 import org.bouncycastle.asn1.crmf.CertRequest;
@@ -127,7 +128,7 @@ public final class CmpMessageHelper {
 final CertRequest certRequest, final KeyPair keypair) throws CmpClientException {
 ProofOfPossession proofOfPossession;
 try (ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream()) {
- final DEROutputStream derOutputStream = new DEROutputStream(byteArrayOutputStream);
+ final ASN1OutputStream derOutputStream = ASN1OutputStream.create(byteArrayOutputStream,ASN1Encoding.DER);
 derOutputStream.writeObject(certRequest);
 byte[] popoProtectionBytes = byteArrayOutputStream.toByteArray();
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java
index 0d0d7f34..fac4150a 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/impl/CmpUtil.java
@@ -22,11 +22,12 @@ package org.onap.oom.certservice.cmpv2client.impl;
 import org.bouncycastle.asn1.ASN1Encodable;
+import org.bouncycastle.asn1.ASN1Encoding;
 import org.bouncycastle.asn1.ASN1EncodableVector;
 import org.bouncycastle.asn1.ASN1GeneralizedTime;
 import org.bouncycastle.asn1.ASN1OctetString;
+import org.bouncycastle.asn1.ASN1OutputStream;
 import org.bouncycastle.asn1.DEROctetString;
-import org.bouncycastle.asn1.DEROutputStream;
 import org.bouncycastle.asn1.DERSequence;
 import org.bouncycastle.asn1.cmp.CMPObjectIdentifiers;
 import org.bouncycastle.asn1.cmp.InfoTypeAndValue;
@@ -116,7 +117,7 @@ public final class CmpUtil {
 vector.add(body);
 ASN1Encodable protectedPart = new DERSequence(vector);
 try (ByteArrayOutputStream baos = new ByteArrayOutputStream()) {
- DEROutputStream out = new DEROutputStream(baos);
+ ASN1OutputStream out = ASN1OutputStream.create(baos,ASN1Encoding.DER);
 out.writeObject(protectedPart);
 res = baos.toByteArray();
 } catch (IOException ioe) {
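Review bot: The new `ASN1OutputStream.create(byteArrayOutputStream,ASN1Encoding.DER)` line is where the encoding choice now lives, and it is security-relevant: `popoProtectionBytes` are the bytes the proof-of-possession signature is computed over, so the parameterless `ASN1OutputStream.create(os)` (BER) would silently change what gets signed; I would pin that in a comment, `// DER, not BER: the POP signature is computed over exactly these bytes`. The same applies to the CmpUtil hunk at `@@ -116,7 +117,7 @@`, where the encoded protected part feeds the message protection. Both blocks could also drop the stream and the try entirely with `byte[] popoProtectionBytes = certRequest.getEncoded(ASN1Encoding.DER);` and `res = new DERSequence(vector).getEncoded(ASN1Encoding.DER);`, which makes the DER requirement explicit at the call site. As a style point, both new lines are missing the space after the comma, and the local is still named `derOutputStream` although its type is now `ASN1OutputStream`. The enclosing methods in both files start and end outside the hunks.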
diff --git a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/validation/CmpResponseValidationHelper.java b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/validation/CmpResponseValidationHelper.java
index 90044b66..f3da0f32 100644
--- a/certService/src/main/java/org/onap/oom/certservice/cmpv2client/validation/CmpResponseValidationHelper.java
+++ b/certService/src/main/java/org/onap/oom/certservice/cmpv2client/validation/CmpResponseValidationHelper.java
@@ -36,6 +36,7 @@ import javax.crypto.spec.SecretKeySpec;
 import org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import org.bouncycastle.asn1.DERBitString;
+import org.bouncycastle.asn1.ASN1BitString;
 import org.bouncycastle.asn1.cmp.CMPObjectIdentifiers;
 import org.bouncycastle.asn1.cmp.InfoTypeAndValue;
 import org.bouncycastle.asn1.cmp.PBMParameter;
@@ -66,7 +67,7 @@ public final class CmpResponseValidationHelper {
 static void verifySignature(PKIMessage respPkiMessage, PublicKey pk) throws CmpClientException {
 final byte[] protBytes = getProtectedBytes(respPkiMessage);
- final DERBitString derBitString = respPkiMessage.getProtection();
+ final DERBitString derBitString = (DERBitString) respPkiMessage.getProtection();
 try {
 final Signature signature = Signature.getInstance(
diff --git a/certServiceClient/pom.xml b/certServiceClient/pom.xml
index d330d82e..cd1be6a4 100644
--- a/certServiceClient/pom.xml
+++ b/certServiceClient/pom.xml
@@ -18,12 +18,12 @@
 <parent>
 <artifactId>oom-certservice</artifactId>
 <groupId>org.onap.oom.platform.cert-service</groupId>
- <version>2.3.3-SNAPSHOT</version>
+ <version>2.6.0-SNAPSHOT</version>
 </parent>
 <modelVersion>4.0.0</modelVersion>
 <artifactId>oom-certservice-client</artifactId>
- <version>2.3.3-SNAPSHOT</version>
+ <version>2.6.0-SNAPSHOT</version>
 <name>oom-certservice-client</name>
 <description>OOM Certification Service Api Client</description>
 <packaging>jar</packaging>
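Review bot: The new cast `(DERBitString) respPkiMessage.getProtection()` in `verifySignature` can fail with an unchecked ClassCastException on a CA response whose protection BIT STRING is materialised as a different `ASN1BitString` subclass, and this is the response-validation path where a malformed or hostile message should be rejected with `CmpClientException`, not a runtime error; the `ASN1BitString` import added in the first hunk is not used by the new line. I would declare the local as the supertype instead, `final ASN1BitString derBitString = respPkiMessage.getProtection();`, provided the rest of the method only needs `getBytes()`/`getOctets()` from it (the body continues outside the hunk, so I cannot confirm that here). If a `DERBitString` is genuinely required downstream, `DERBitString.getInstance(respPkiMessage.getProtection())` converts rather than casts, and any failure can then be wrapped into the existing `CmpClientException` handling.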
diff --git a/certServiceK8sExternalProvider/pom.xml b/certServiceK8sExternalProvider/pom.xml
index 30b419ef..832a0e01 100644
--- a/certServiceK8sExternalProvider/pom.xml
+++ b/certServiceK8sExternalProvider/pom.xml
@@ -5,7 +5,7 @@
 <parent>
 <artifactId>oom-certservice</artifactId>
 <groupId>org.onap.oom.platform.cert-service</groupId>
- <version>2.5.0-SNAPSHOT</version>
+ <version>2.6.0-SNAPSHOT</version>
 </parent>
 <modelVersion>4.0.0</modelVersion>
diff --git a/certServicePostProcessor/pom.xml b/certServicePostProcessor/pom.xml
index 5ea30809..5137ef93 100644
--- a/certServicePostProcessor/pom.xml
+++ b/certServicePostProcessor/pom.xml
@@ -5,12 +5,12 @@
 <parent>
 <artifactId>oom-certservice</artifactId>
 <groupId>org.onap.oom.platform.cert-service</groupId>
- <version>2.5.0-SNAPSHOT</version>
+ <version>2.6.0-SNAPSHOT</version>
 </parent>
 <modelVersion>4.0.0</modelVersion>
 <artifactId>oom-certservice-post-processor</artifactId>
- <version>2.5.0-SNAPSHOT</version>
+ <version>2.6.0-SNAPSHOT</version>
 <name>oom-certservice-post-processor</name>
 <description>An application which conducts certificate post-processing like: merging truststores, copying keystores.</description>
 <packaging>jar</packaging>
diff --git a/certServicePostProcessor/src/main/java/org/onap/oom/certservice/postprocessor/merger/model/PemTruststore.java b/certServicePostProcessor/src/main/java/org/onap/oom/certservice/postprocessor/merger/model/PemTruststore.java
index 642721cc..8e360523 100644
--- a/certServicePostProcessor/src/main/java/org/onap/oom/certservice/postprocessor/merger/model/PemTruststore.java
+++ b/certServicePostProcessor/src/main/java/org/onap/oom/certservice/postprocessor/merger/model/PemTruststore.java
@@ -29,6 +29,7 @@ import java.io.IOException;
 import java.io.StringWriter;
 import java.security.Security;
 import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.util.ArrayList;
 import java.util.List;
@@ -89,8 +90,13 @@ public class PemTruststore extends Truststore {
 }
 boolean isFileWithoutPemCertificate() throws TruststoreDataOperationException {
- List<Certificate> certificateList = extractCertificatesFromFile();
- return certificateList.isEmpty();
+ try {
+ List<Certificate> certificateList = extractCertificatesFromFile();
+ return certificateList.isEmpty();
+ } catch (TruststoreDataOperationException e) {
+ LOGGER.error("Cannot extract certificates from file: {}", storeFile.getPath());
+ }
+ return true;
 }
 String transformToStringInPemFormat(List<Certificate> certificates) throws TruststoreDataOperationException {
@@ -112,7 +118,12 @@ public class PemTruststore extends Truststore {
 Security.addProvider(new BouncyCastleProvider());
 CertificateFactory certFactory = CertificateFactory.getInstance(X_509_CERTIFICATE, BOUNCY_CASTLE_PROVIDER);
 return new ArrayList<>(certFactory.generateCertificates(inputStream));
- } catch (Exception e) {
+ }
+ catch (CertificateException e) {
+ LOGGER.error("Cannot read certificates from file: {}", storeFile.getPath());
+ throw new TruststoreDataOperationException(e);
+ }
+ catch (Exception e) {
 LOGGER.error("Cannot read certificates from file: {}", storeFile.getPath());
 throw new TruststoreDataOperationException(e);
 }
diff --git a/docs/conf.py b/docs/conf.py
index 351d0ccd..f6aebe82 100644
--- a/docs/conf.py
+++ b/docs/conf.py
@@ -6,7 +6,8 @@ master_doc = 'index'
 linkcheck_ignore = [
 'http://localhost',
 'http://ejbca',
- 'https://localhost'
+ 'https://localhost',
+ 'https://download.primekey.com'
 ]
 exclude_patterns = [
diff --git a/docs/tox.ini b/docs/tox.ini
index 509ac7d2..abbe5d27 100644
--- a/docs/tox.ini
+++ b/docs/tox.ini
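Review bot: In the `@@ -89,8 +90,13 @@` hunk, `isFileWithoutPemCertificate()` now swallows `TruststoreDataOperationException` and answers `true`, so a truststore file that exists but cannot be parsed becomes indistinguishable from one that simply holds no PEM certificate, and whatever the caller did with the exception before no longer happens; the method also still declares `throws TruststoreDataOperationException` although it can no longer throw it. The log call drops the cause as well — `LOGGER.error("Cannot extract certificates from file: {}", storeFile.getPath(), e);` keeps the stack trace by passing `e` as the last argument. If treating an unreadable file as empty is the intent, I would state it on the method, e.g. `// A file that cannot be parsed is treated as holding no PEM certificates; the parse error is only logged.`, and remove the dead `throws` clause; otherwise let the exception propagate as before. The rest of PemTruststore is outside the hunk, so I cannot see how callers react to `true`.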
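Review bot: In the `@@ -112,7 +118,12 @@` hunk the new `catch (CertificateException e)` branch is byte-for-byte the same as the `catch (Exception e)` branch that follows it (same log line, same wrapping), so the split changes nothing at runtime and only duplicates code. Either drop the new branch, or make the two differ: keep the narrow `CertificateException` handler and give the broad `Exception` handler — which also hides `NoSuchProviderException` from `CertificateFactory.getInstance(String, String)` and any runtime error — a comment saying why it is still needed. If both checked exceptions should simply be wrapped, a multi-catch `} catch (CertificateException | NoSuchProviderException e) {` avoids the duplication without a catch-all. As a style point, the `catch` placed on its own line after `}` differs from the `} catch (...)` form used in the hunk above. The enclosing method starts and ends outside the hunk.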
@@ -4,10 +4,10 @@ envlist = docs,docs-linkcheck
 skipsdist = true
 [testenv:docs]
-basepython = python3
+basepython = python3.8
 deps = -r{toxinidir}/requirements-docs.txt
- -chttps://git.onap.org/doc/plain/etc/upper-constraints.os.txt
+ -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt
 -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt
 commands = sphinx-build -W -b html -n -d {envtmpdir}/doctrees ./ {toxinidir}/_build/html
@@ -18,10 +18,10 @@ whitelist_externals = sh
 [testenv:docs-linkcheck]
-basepython = python3
+basepython = python3.8
 deps = -r{toxinidir}/requirements-docs.txt
- -chttps://git.onap.org/doc/plain/etc/upper-constraints.os.txt?h=master
+ -chttps://raw.githubusercontent.com/openstack/requirements/stable/yoga/upper-constraints.txt
 -chttps://git.onap.org/doc/plain/etc/upper-constraints.onap.txt?h=master
 commands = sphinx-build -W -b linkcheck -d {envtmpdir}/doctrees ./ {toxinidir}/_build/linkcheck
@@ -23,7 +23,7 @@
 </parent>
 <groupId>org.onap.oom.platform.cert-service</groupId>
 <artifactId>oom-certservice</artifactId>
- <version>2.5.0-SNAPSHOT</version>
+ <version>2.6.0-SNAPSHOT</version>
 <name>oom-certservice</name>
 <description>OOM Certification Service</description>
 <packaging>pom</packaging>
@@ -49,14 +49,14 @@
 <spring.cloud-version>2020.0.3</spring.cloud-version>
 <springdoc-openapi-ui.version>1.2.30</springdoc-openapi-ui.version>
- <bouncycastle.version>1.60</bouncycastle.version>
+ <bouncycastle.version>1.70</bouncycastle.version>
 <docker-maven-plugin.version>0.33.0</docker-maven-plugin.version>
 <springdoc-openapi-maven-plugin.version>0.2</springdoc-openapi-maven-plugin.version>
- <gson.version>2.8.6</gson.version>
- <httpcomponents.version>4.5.6</httpcomponents.version>
+ <gson.version>2.9.0</gson.version>
+ <httpcomponents.version>4.5.13</httpcomponents.version>
 <commons-lang3.version>3.9</commons-lang3.version>
 <commons-validator.version>1.7</commons-validator.version>
- <commons-io.version>2.6</commons-io.version>
+ <commons-io.version>2.11.0</commons-io.version>
 <junit.version>5.5.2</junit.version>
 <mockito-junit-jupiter.version>2.17.0</mockito-junit-jupiter.version>
 <log4j2.version>2.17.1</log4j2.version>
diff --git a/version.properties b/version.properties
index 6c697332..8201005b 100644
--- a/version.properties
+++ b/version.properties
@@ -1,5 +1,5 @@
 major=2
-minor=5
+minor=6
 patch=0
 base_version=${major}.${minor}.${patch}
 release_version=${base_version} |