authorToineSiebelink <toine.siebelink@est.tech>2020-06-29 12:24:38 +0100
committerToineSiebelink <toine.siebelink@est.tech>2020-06-29 14:46:39 +0100
commitbf368d2a9cf764f22126fd59c9a3a10ab12fb4bb (patch)
tree484b85a7533fbe8986240b5ca9a30bf5d9a8bdd7
parentbea0762a2c28ee0330036843e17f5af38e06c807 (diff)
Fix SonarQube vulnerabilities
Added logging to handle file IO boolean returns. Added security-related settings to XML factories and builders. Issue-ID: POLICY-2654 Change-Id: Ibc0a01f978bfc446e1dc1f8ad952d1305a7b7178 Signed-off-by: ToineSiebelink <toine.siebelink@est.tech>
-rw-r--r--core/core-infrastructure/src/main/java/org/onap/policy/apex/core/infrastructure/xml/XPathReader.java3
-rw-r--r--examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java4
-rw-r--r--model/basic-model/src/main/java/org/onap/policy/apex/model/basicmodel/handling/ApexModelWriter.java6
-rw-r--r--model/utilities/src/main/java/org/onap/policy/apex/model/utilities/DirectoryDeleteShutdownHook.java16
-rw-r--r--model/utilities/src/main/java/org/onap/policy/apex/model/utilities/DirectoryUtils.java11
-rw-r--r--tools/tools-common/src/main/java/org/onap/policy/apex/tools/common/OutputFile.java4
6 files changed, 34 insertions, 10 deletions
diff --git a/core/core-infrastructure/src/main/java/org/onap/policy/apex/core/infrastructure/xml/XPathReader.java b/core/core-infrastructure/src/main/java/org/onap/policy/apex/core/infrastructure/xml/XPathReader.java
index 53b8a7938..f20907370 100644
--- a/core/core-infrastructure/src/main/java/org/onap/policy/apex/core/infrastructure/xml/XPathReader.java
+++ b/core/core-infrastructure/src/main/java/org/onap/policy/apex/core/infrastructure/xml/XPathReader.java
@@ -76,7 +76,8 @@ public class XPathReader {
LOGGER.info("Initializing XPath reader");
DocumentBuilderFactory df = DocumentBuilderFactory.newInstance();
df.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
-
+ df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ df.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
// Check if this is operating on a file
if (xmlFileName != null) {
xmlDocument = df.newDocumentBuilder().parse(xmlFileName);
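Review bot: The two new `df.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "")` / `ACCESS_EXTERNAL_SCHEMA` calls throw an unchecked `IllegalArgumentException` when the JAXP implementation chosen at runtime does not recognise the JAXP 1.5 attributes, so a non-JDK parser picked up from the classpath would make reader initialisation fail with an exception the method does not declare; the same applies to the `setAttribute` calls on the factories in the WebClient and ApexModelWriter hunks. Either document that a JAXP 1.5-capable parser is required or catch `IllegalArgumentException` around these calls and rethrow with a message naming the missing attribute. The parser still accepts a DOCTYPE in `xmlFileName`; if the XML handled here never needs a DTD, `df.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` closes that remaining path as well. The enclosing method starts before this hunk.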
diff --git a/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java b/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java
index f3ea15935..e01e997fd 100644
--- a/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java
+++ b/examples/examples-onap-bbs/src/main/java/org/onap/policy/apex/examples/bbs/WebClient.java
@@ -34,6 +34,7 @@ import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
@@ -158,6 +159,9 @@ public class WebClient {
TransformerFactory transformerFactory = TransformerFactory.newInstance();
transformerFactory.setAttribute("indent-number", indent);
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+
Transformer transformer = transformerFactory.newTransformer();
transformer.setOutputProperty(OutputKeys.ENCODING, StandardCharsets.UTF_8.name());
transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
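Review bot: The hardening in this hunk covers only the `TransformerFactory`, which serialises an already-built DOM, while the file also imports `DocumentBuilderFactory` (see the import hunk above) — the parser that presumably reads the response body is the component exposed to external input, and it is not touched by this change. If that factory is used on received data, give it the same settings XPathReader now has: `setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` plus `ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_SCHEMA` set to `""`. A short comment above the two new lines, `// JAXP 1.5: never resolve external DTDs or stylesheets, even for an identity transform`, would record why these attributes are set on a factory that only calls `newTransformer()`. The enclosing method starts and ends outside the hunk.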
diff --git a/model/basic-model/src/main/java/org/onap/policy/apex/model/basicmodel/handling/ApexModelWriter.java b/model/basic-model/src/main/java/org/onap/policy/apex/model/basicmodel/handling/ApexModelWriter.java
index 0dab08dcb..0763492fc 100644
--- a/model/basic-model/src/main/java/org/onap/policy/apex/model/basicmodel/handling/ApexModelWriter.java
+++ b/model/basic-model/src/main/java/org/onap/policy/apex/model/basicmodel/handling/ApexModelWriter.java
@@ -202,6 +202,9 @@ public class ApexModelWriter<C extends AxConcept> {
// Write the concept into a DOM document, then transform to add CDATA fields and pretty
// print, then write out the result
final DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+ docBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ docBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+
docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
final Document document = docBuilderFactory.newDocumentBuilder().newDocument();
@@ -223,6 +226,9 @@ public class ApexModelWriter<C extends AxConcept> {
private Transformer getTransformer() throws TransformerConfigurationException {
// Transform the DOM to the output stream
final TransformerFactory transformerFactory = TransformerFactory.newInstance();
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transformerFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+
final Transformer domTransformer = transformerFactory.newTransformer();
// Pretty print
diff --git a/model/utilities/src/main/java/org/onap/policy/apex/model/utilities/DirectoryDeleteShutdownHook.java b/model/utilities/src/main/java/org/onap/policy/apex/model/utilities/DirectoryDeleteShutdownHook.java
index f0fd8950f..2d96a5954 100644
--- a/model/utilities/src/main/java/org/onap/policy/apex/model/utilities/DirectoryDeleteShutdownHook.java
+++ b/model/utilities/src/main/java/org/onap/policy/apex/model/utilities/DirectoryDeleteShutdownHook.java
@@ -1,19 +1,20 @@
/*-
* ============LICENSE_START=======================================================
* Copyright (C) 2018 Ericsson. All rights reserved.
+ * Modifications Copyright (C) 2020 Nordix Foundation.
* ================================================================================
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
+ *
* SPDX-License-Identifier: Apache-2.0
* ============LICENSE_END=========================================================
*/
@@ -21,6 +22,8 @@
package org.onap.policy.apex.model.utilities;
import java.io.File;
+import org.slf4j.ext.XLogger;
+import org.slf4j.ext.XLoggerFactory;
/**
* The Class DirectoryShutdownHook removes the contents of a directory and the directory itself at shutdown.
@@ -28,6 +31,9 @@ import java.io.File;
* @author Liam Fallon (liam.fallon@ericsson.com)
*/
final class DirectoryDeleteShutdownHook extends Thread {
+
+ private static final XLogger LOGGER = XLoggerFactory.getXLogger(DirectoryUtils.class);
+
// The directory we are acting on
private final File tempDir;
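Review bot: The new `LOGGER` field is obtained for `DirectoryUtils.class` but lives in `DirectoryDeleteShutdownHook`, so the warning emitted from `run()` will be attributed to the wrong class in log output and governed by the wrong logger configuration; change it to `private static final XLogger LOGGER = XLoggerFactory.getXLogger(DirectoryDeleteShutdownHook.class);`. The class body continues past the hunk.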
@@ -48,7 +54,9 @@ final class DirectoryDeleteShutdownHook extends Thread {
if (tempDir.exists()) {
// Empty and delete the directory
DirectoryUtils.emptyDirectory(tempDir);
- tempDir.delete();
+ if (!tempDir.delete()) {
+ LOGGER.warn("Failed to delete directory {}", tempDir);
+ }
}
}
}
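Review bot: The new `if (!tempDir.delete())` branch records that deletion failed, but `File.delete()` returns no reason, so the warning cannot distinguish a directory that is still populated from a permission problem; the same applies to the `directoryFile.delete()` check in the DirectoryUtils hunk. `Files.delete(tempDir.toPath())` throws an `IOException` subtype such as `DirectoryNotEmptyException` or `AccessDeniedException` that can be attached to the warning, at the cost of importing `java.io.IOException` and `java.nio.file.Files`. Since this runs from a JVM shutdown hook, the logging backend may already have been stopped by its own hook, so the message can be lost — worth a comment on `run()` either way. `run()` starts before this hunk.
```java
DirectoryUtils.emptyDirectory(tempDir);
try {
    Files.delete(tempDir.toPath());
} catch (IOException e) {
    // Carries the reason (not empty, access denied, ...) that File.delete() hides
    LOGGER.warn("Failed to delete directory {}", tempDir, e);
}
```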
diff --git a/model/utilities/src/main/java/org/onap/policy/apex/model/utilities/DirectoryUtils.java b/model/utilities/src/main/java/org/onap/policy/apex/model/utilities/DirectoryUtils.java
index b129ce21c..011dbb1b2 100644
--- a/model/utilities/src/main/java/org/onap/policy/apex/model/utilities/DirectoryUtils.java
+++ b/model/utilities/src/main/java/org/onap/policy/apex/model/utilities/DirectoryUtils.java
@@ -1,19 +1,20 @@
/*
* ============LICENSE_START=======================================================
* Copyright (C) 2016-2018 Ericsson. All rights reserved.
+ * Modifications Copyright (C) 2020 Nordix Foundation.
* ================================================================================
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
- *
+ *
* http://www.apache.org/licenses/LICENSE-2.0
- *
+ *
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
- *
+ *
* SPDX-License-Identifier: Apache-2.0
* ============LICENSE_END=========================================================
*/
@@ -96,7 +97,9 @@ public abstract class DirectoryUtils {
}
// Delete the directory entry
- directoryFile.delete();
+ if (!directoryFile.delete()) {
+ LOGGER.warn("Failed to delete directory file {}", directoryFile);
+ }
}
}
diff --git a/tools/tools-common/src/main/java/org/onap/policy/apex/tools/common/OutputFile.java b/tools/tools-common/src/main/java/org/onap/policy/apex/tools/common/OutputFile.java
index 0aa85df5d..2a20554b5 100644
--- a/tools/tools-common/src/main/java/org/onap/policy/apex/tools/common/OutputFile.java
+++ b/tools/tools-common/src/main/java/org/onap/policy/apex/tools/common/OutputFile.java
@@ -122,7 +122,9 @@ public class OutputFile {
}
} else {
try {
- file.createNewFile();
+ if (file.createNewFile()) {
+ LOGGER.trace("Created output file {}", file.getName());
+ }
} catch (final IOException e) {
String message = "could not create output file: " + e.getMessage();
LOGGER.warn(message, e);
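Review bot: When `file.createNewFile()` returns `false` the file already exists, which appears to be the one outcome this `else` branch did not expect (the preceding `if` presumably handles an existing file), yet the new code only logs the success at trace level and stays silent on that case; an `else` arm, `LOGGER.warn("Output file {} already exists", file.getName());`, would surface the race between the earlier check and the create. The method containing this branch starts before the hunk, so the role of the outer `if`/`else` is inferred from the visible lines.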