From 03c53c05213f0c01b8b9b03025129b9fbe801384 Mon Sep 17 00:00:00 2001
From: "Lo, WEI-TING(wl849v)" <wl849v@att.com>
Date: Tue, 27 Mar 2018 19:24:12 -0400
Subject: Security Vulnerabilities

Issue-ID: PORTAL-155

Includes Security Vulnerabilities and music jar

Change-Id: Id85471555461adf2127db66ed3d4f4a3d5a06fe4
Signed-off-by: Lo, WEI-TING(wl849v) <wl849v@att.com>
---
 ecomp-sdk/epsdk-app-common/pom.xml                 |  93 ++++++---------------
 ecomp-sdk/epsdk-app-os/pom.xml                     |   6 ++
 ecomp-sdk/epsdk-core/pom.xml                       |  84 ++++---------------
 ecomp-sdk/epsdk-fw/pom.xml                         |  50 +++++++----
 .../org/onap/music/core/2.4.4.1/core-2.4.4.1.jar   | Bin 0 -> 22223316 bytes
 .../org/onap/music/core/2.4.4/core-2.4.4.jar       | Bin 132593 -> 0 bytes
 .../org/onap/music/core/maven-metadata-local.xml   |   6 +-
 ecomp-sdk/epsdk-music/pom.xml                      |  78 ++++++++++-------
 ecomp-sdk/pom.xml                                  |   2 +-
 9 files changed, 139 insertions(+), 180 deletions(-)
 create mode 100644 ecomp-sdk/epsdk-music/dependencies/org/onap/music/core/2.4.4.1/core-2.4.4.1.jar
 delete mode 100644 ecomp-sdk/epsdk-music/dependencies/org/onap/music/core/2.4.4/core-2.4.4.jar

diff --git a/ecomp-sdk/epsdk-app-common/pom.xml b/ecomp-sdk/epsdk-app-common/pom.xml
index e9eec2ac..6e4f9e19 100644
--- a/ecomp-sdk/epsdk-app-common/pom.xml
+++ b/ecomp-sdk/epsdk-app-common/pom.xml
@@ -172,6 +172,12 @@
 			<groupId>org.elasticsearch</groupId>
 			<artifactId>elasticsearch</artifactId>
 			<version>2.2.0</version>
+			<exclusions> 
+				<exclusion> 
+					<groupId>org.apache.lucene</groupId> 
+					<artifactId>lucene-queryparser</artifactId> 
+				</exclusion> 
+			</exclusions>
 		</dependency>
 		<dependency>
 			<groupId>org.json</groupId>
@@ -245,6 +251,14 @@
         	<groupId>commons-httpclient</groupId>
             <artifactId>commons-httpclient</artifactId>
 		</exclusion>
+		<exclusion> 
+        	<groupId>xerces</groupId> 
+            <artifactId>xercesImpl</artifactId> 
+		</exclusion> 
+        <exclusion> 
+        	<groupId>commons-collections</groupId> 
+            <artifactId>commons-collections</artifactId> 
+		</exclusion>
         </exclusions>
 	</dependency>
 	<!-- Jacoco for offline instrumentation -->
@@ -254,11 +268,7 @@
 			<version>${jacoco.version}</version>
 			<classifier>runtime</classifier>
 		</dependency>
-		<dependency>
-    		<groupId>org.apache.lucene</groupId>
-    		<artifactId>lucene-queryparser</artifactId>
-    		<version>7.2.1</version>
-		</dependency>
+
 		<dependency>
     		<groupId>com.thoughtworks.xstream</groupId>
     		<artifactId>xstream</artifactId>
@@ -287,68 +297,9 @@
 		<dependency>
     		<groupId>commons-beanutils</groupId>
     		<artifactId>commons-beanutils</artifactId>
-    		<version>1.9.2</version>
-		</dependency>
-		<dependency>
-			<groupId>org.apache.poi</groupId>
-			<artifactId>poi</artifactId>
-			<version>3.17</version>
-			<exclusions>
-				<exclusion>
-					<groupId>commons-logging</groupId>
-					<artifactId>commons-logging</artifactId>
-				</exclusion>
-				<exclusion>
-					<groupId>log4j</groupId>
-					<artifactId>log4j</artifactId>
-				</exclusion>
-			</exclusions>
-		</dependency>
-		<dependency>
-			<groupId>org.apache.poi</groupId>
-			<artifactId>poi-ooxml</artifactId>
-			<version>3.17</version>
-			<exclusions>
-				<exclusion>
-					<groupId>commons-logging</groupId>
-					<artifactId>commons-logging</artifactId>
-				</exclusion>
-				<exclusion>
-					<groupId>log4j</groupId>
-					<artifactId>log4j</artifactId>
-				</exclusion>
-			</exclusions>
-		</dependency>
-		<dependency>
-			<groupId>org.apache.poi</groupId>
-			<artifactId>poi-scratchpad</artifactId>
-			<version>3.17</version>
-			<exclusions>
-				<exclusion>
-					<groupId>commons-logging</groupId>
-					<artifactId>commons-logging</artifactId>
-				</exclusion>
-				<exclusion>
-					<groupId>log4j</groupId>
-					<artifactId>log4j</artifactId>
-				</exclusion>
-			</exclusions>
-		</dependency>
-		<dependency>
-			<groupId>org.apache.poi</groupId>
-			<artifactId>poi-contrib</artifactId>
-			<version>3.5-FINAL</version>
-			<exclusions>
-				<exclusion>
-					<groupId>commons-logging</groupId>
-					<artifactId>commons-logging</artifactId>
-				</exclusion>
-				<exclusion>
-					<groupId>log4j</groupId>
-					<artifactId>log4j</artifactId>
-				</exclusion>
-			</exclusions>
+    		<version>1.9.3</version>
 		</dependency>
+		
 		<dependency>
 			<groupId>org.apache.httpcomponents</groupId>
 			<artifactId>httpclient</artifactId>
@@ -359,5 +310,15 @@
     		<artifactId>xalan</artifactId>
     		<version>2.7.2</version>
 		</dependency>	
+		<dependency> 
+    		<groupId>xerces</groupId> 
+    		<artifactId>xercesImpl</artifactId> 
+    		<version>2.11.0.SP5</version> 
+		</dependency> 
+		<dependency> 
+    		<groupId>commons-collections</groupId> 
+    		<artifactId>commons-collections</artifactId> 
+    		<version>3.2.2</version> 
+		</dependency>
 	</dependencies>
 </project>
diff --git a/ecomp-sdk/epsdk-app-os/pom.xml b/ecomp-sdk/epsdk-app-os/pom.xml
index 7bcaec66..ff5ce26b 100644
--- a/ecomp-sdk/epsdk-app-os/pom.xml
+++ b/ecomp-sdk/epsdk-app-os/pom.xml
@@ -307,6 +307,12 @@
 			<groupId>org.elasticsearch</groupId>
 			<artifactId>elasticsearch</artifactId>
 			<version>2.2.0</version>
+			<exclusions> 
+				<exclusion> 
+					<groupId>org.apache.lucene</groupId> 
+					<artifactId>lucene-queryparser</artifactId> 
+				</exclusion> 
+			</exclusions>
 		</dependency>
 		<dependency>
 			<groupId>org.json</groupId>
diff --git a/ecomp-sdk/epsdk-core/pom.xml b/ecomp-sdk/epsdk-core/pom.xml
index abaad567..8fd5a6ee 100644
--- a/ecomp-sdk/epsdk-core/pom.xml
+++ b/ecomp-sdk/epsdk-core/pom.xml
@@ -319,6 +319,12 @@
 			<groupId>org.elasticsearch</groupId>
 			<artifactId>elasticsearch</artifactId>
 			<version>2.2.0</version>
+			<exclusions> 
+				<exclusion> 
+					<groupId>org.apache.lucene</groupId> 
+					<artifactId>lucene-queryparser</artifactId> 
+				</exclusion> 
+			</exclusions>
 		</dependency>
 		<dependency>
 			<groupId>io.searchbox</groupId>
@@ -351,6 +357,10 @@
         	<groupId>commons-httpclient</groupId>
             <artifactId>commons-httpclient</artifactId>
 		</exclusion>
+		<exclusion> 
+        	<groupId>xerces</groupId> 
+            <artifactId>xercesImpl</artifactId> 
+		</exclusion>
         </exclusions>
 	</dependency>
 
@@ -386,11 +396,6 @@
 			<classifier>runtime</classifier>
 		</dependency>
 		<dependency>
-    		<groupId>org.apache.lucene</groupId>
-    		<artifactId>lucene-queryparser</artifactId>
-    		<version>7.2.1</version>
-		</dependency>
-		<dependency>
     		<groupId>com.thoughtworks.xstream</groupId>
     		<artifactId>xstream</artifactId>
     		<version>1.4.10</version>
@@ -418,67 +423,7 @@
 		<dependency>
     		<groupId>commons-beanutils</groupId>
     		<artifactId>commons-beanutils</artifactId>
-    		<version>1.9.2</version>
-		</dependency>
-		<dependency>
-			<groupId>org.apache.poi</groupId>
-			<artifactId>poi</artifactId>
-			<version>3.17</version>
-			<exclusions>
-				<exclusion>
-					<groupId>commons-logging</groupId>
-					<artifactId>commons-logging</artifactId>
-				</exclusion>
-				<exclusion>
-					<groupId>log4j</groupId>
-					<artifactId>log4j</artifactId>
-				</exclusion>
-			</exclusions>
-		</dependency>
-		<dependency>
-			<groupId>org.apache.poi</groupId>
-			<artifactId>poi-ooxml</artifactId>
-			<version>3.17</version>
-			<exclusions>
-				<exclusion>
-					<groupId>commons-logging</groupId>
-					<artifactId>commons-logging</artifactId>
-				</exclusion>
-				<exclusion>
-					<groupId>log4j</groupId>
-					<artifactId>log4j</artifactId>
-				</exclusion>
-			</exclusions>
-		</dependency>
-		<dependency>
-			<groupId>org.apache.poi</groupId>
-			<artifactId>poi-scratchpad</artifactId>
-			<version>3.17</version>
-			<exclusions>
-				<exclusion>
-					<groupId>commons-logging</groupId>
-					<artifactId>commons-logging</artifactId>
-				</exclusion>
-				<exclusion>
-					<groupId>log4j</groupId>
-					<artifactId>log4j</artifactId>
-				</exclusion>
-			</exclusions>
-		</dependency>
-		<dependency>
-			<groupId>org.apache.poi</groupId>
-			<artifactId>poi-contrib</artifactId>
-			<version>3.5-FINAL</version>
-			<exclusions>
-				<exclusion>
-					<groupId>commons-logging</groupId>
-					<artifactId>commons-logging</artifactId>
-				</exclusion>
-				<exclusion>
-					<groupId>log4j</groupId>
-					<artifactId>log4j</artifactId>
-				</exclusion>
-			</exclusions>
+    		<version>1.9.3</version>
 		</dependency>
 		<dependency>
 			<groupId>org.apache.httpcomponents</groupId>
@@ -489,7 +434,12 @@
     		<groupId>xalan</groupId>
     		<artifactId>xalan</artifactId>
     		<version>2.7.2</version>
-		</dependency>		
+		</dependency>	
+		<dependency> 
+    		<groupId>xerces</groupId> 
+    		<artifactId>xercesImpl</artifactId> 
+    		<version>2.11.0.SP5</version> 
+		</dependency>	
 	</dependencies>
 	
 </project>
diff --git a/ecomp-sdk/epsdk-fw/pom.xml b/ecomp-sdk/epsdk-fw/pom.xml
index 0cecde97..62600840 100644
--- a/ecomp-sdk/epsdk-fw/pom.xml
+++ b/ecomp-sdk/epsdk-fw/pom.xml
@@ -91,6 +91,22 @@
 					<groupId>log4j</groupId>
 					<artifactId>log4j</artifactId>
 				</exclusion>
+				<exclusion>
+					<groupId>xerces</groupId>
+					<artifactId>xercesImpl</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>xalan</groupId>
+					<artifactId>xalan</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>commons-beanutils</groupId>
+					<artifactId>commons-beanutils-core</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>commons-httpclient</groupId>
+					<artifactId>commons-httpclient</artifactId>
+				</exclusion>
 			</exclusions>
 		</dependency>
 		<dependency>
@@ -98,6 +114,12 @@
 			<artifactId>junit</artifactId>
 			<version>4.12</version>
 			<scope>test</scope>
+			<exclusions> 
+				<exclusion> 
+					<groupId>org.apache.httpcomponents</groupId> 
+					<artifactId>httpclient</artifactId> 
+				</exclusion> 
+			</exclusions>
 		</dependency>
 		<!-- Test scaffold -->
 		<dependency>
@@ -148,18 +170,18 @@
 			<version>1.0.0.Final</version>
 			<scope>test</scope>
 		</dependency>
-        <dependency>
-            <groupId>org.mockito</groupId>
-            <artifactId>mockito-core</artifactId>
-            <version>1.10.19</version>
-            <scope>test</scope>
-        </dependency>
 		<dependency>
-		    <groupId>org.jacoco</groupId>
-		    <artifactId>org.jacoco.agent</artifactId>
-		    <classifier>runtime</classifier>
-		    <scope>test</scope>
-		    <version>${jacoco.version}</version>
+			<groupId>org.mockito</groupId>
+			<artifactId>mockito-core</artifactId>
+			<version>1.10.19</version>
+			<scope>test</scope>
+		</dependency>
+		<dependency>
+			<groupId>org.jacoco</groupId>
+			<artifactId>org.jacoco.agent</artifactId>
+			<classifier>runtime</classifier>
+			<scope>test</scope>
+			<version>${jacoco.version}</version>
 		</dependency>
 		<dependency>
 			<groupId>commons-fileupload</groupId>
@@ -167,9 +189,9 @@
 			<version>1.3.3</version>
 		</dependency>
 		<dependency>
-    		<groupId>commons-beanutils</groupId>
-    		<artifactId>commons-beanutils</artifactId>
-    		<version>1.9.2</version>
+			<groupId>commons-beanutils</groupId>
+			<artifactId>commons-beanutils</artifactId>
+			<version>1.9.3</version>
 		</dependency>
 	</dependencies>
 
diff --git a/ecomp-sdk/epsdk-music/dependencies/org/onap/music/core/2.4.4.1/core-2.4.4.1.jar b/ecomp-sdk/epsdk-music/dependencies/org/onap/music/core/2.4.4.1/core-2.4.4.1.jar
new file mode 100644
index 00000000..c87ed1c4
Binary files /dev/null and b/ecomp-sdk/epsdk-music/dependencies/org/onap/music/core/2.4.4.1/core-2.4.4.1.jar differ
diff --git a/ecomp-sdk/epsdk-music/dependencies/org/onap/music/core/2.4.4/core-2.4.4.jar b/ecomp-sdk/epsdk-music/dependencies/org/onap/music/core/2.4.4/core-2.4.4.jar
deleted file mode 100644
index c2dd2dba..00000000
Binary files a/ecomp-sdk/epsdk-music/dependencies/org/onap/music/core/2.4.4/core-2.4.4.jar and /dev/null differ
diff --git a/ecomp-sdk/epsdk-music/dependencies/org/onap/music/core/maven-metadata-local.xml b/ecomp-sdk/epsdk-music/dependencies/org/onap/music/core/maven-metadata-local.xml
index 01c2b2bf..9e953565 100644
--- a/ecomp-sdk/epsdk-music/dependencies/org/onap/music/core/maven-metadata-local.xml
+++ b/ecomp-sdk/epsdk-music/dependencies/org/onap/music/core/maven-metadata-local.xml
@@ -3,10 +3,10 @@
   <groupId>org.onap.music</groupId>
   <artifactId>core</artifactId>
   <versioning>
-    <release>2.4.4</release>
+    <release>2.4.4.1</release>
     <versions>
-      <version>2.4.4</version>
+      <version>2.4.4.1</version>
     </versions>
-    <lastUpdated>20180302203455</lastUpdated>
+    <lastUpdated>20180302703455</lastUpdated>
   </versioning>
 </metadata>
diff --git a/ecomp-sdk/epsdk-music/pom.xml b/ecomp-sdk/epsdk-music/pom.xml
index 3b188176..2c2a7e1b 100644
--- a/ecomp-sdk/epsdk-music/pom.xml
+++ b/ecomp-sdk/epsdk-music/pom.xml
@@ -7,7 +7,7 @@
 		<artifactId>epsdk-project</artifactId>
 		<version>2.2.0-SNAPSHOT</version>
 	</parent>
-	
+
 	<groupId>org.onap.portal.sdk</groupId>
 	<artifactId>epsdk-music</artifactId>
 	<version>2.2.0-SNAPSHOT</version>
@@ -18,7 +18,7 @@
 
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-		<springframework.version>4.2.0.RELEASE</springframework.version>
+		<springframework.version>4.2.3.RELEASE</springframework.version>
 		<jersey1.version>1.19.4</jersey1.version>
 		<jaxrs.version>2.0.1</jaxrs.version>
 		<cassandra.version>3.0.0</cassandra.version>
@@ -108,35 +108,45 @@
 			<groupId>com.att.eelf</groupId>
 			<artifactId>eelf-core</artifactId>
 			<version>1.0.0</version>
+			<exclusions>
+				<exclusion>
+					<groupId>ch.qos.logback</groupId>
+					<artifactId>logback-classic</artifactId>
+				</exclusion>
+				<exclusion>
+					<groupId>ch.qos.logback</groupId>
+					<artifactId>logback-core</artifactId>
+				</exclusion>
+			</exclusions>
 		</dependency>
 
 		<!-- Music -->
 		<dependency>
 			<groupId>org.onap.music</groupId>
 			<artifactId>core</artifactId>
-			<version>2.4.4</version>
-		</dependency>  
-		<dependency>
+			<version>2.4.4.1</version>
+		</dependency>
+		<!-- <dependency>
 			<groupId>org.onap.music</groupId>
 			<artifactId>dependency</artifactId>
 			<version>2.4.4</version>
-		</dependency>  
+		</dependency> -->
 
 		<!-- Mapper -->
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-annotations</artifactId>
-			<version>2.6.3</version>
+			<version>2.8.10</version>
 		</dependency>
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-core</artifactId>
-			<version>2.6.3</version>
+			<version>2.8.10</version>
 		</dependency>
 		<dependency>
 			<groupId>com.fasterxml.jackson.core</groupId>
 			<artifactId>jackson-databind</artifactId>
-			<version>2.6.3</version>
+			<version>2.8.10</version>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.session</groupId>
@@ -148,6 +158,16 @@
 			<artifactId>json</artifactId>
 			<version>20160212</version>
 		</dependency>
+		<dependency>
+			<groupId>ch.qos.logback</groupId>
+			<artifactId>logback-core</artifactId>
+			<version>1.2.3</version>
+		</dependency>
+		<dependency>
+			<groupId>ch.qos.logback</groupId>
+			<artifactId>logback-classic</artifactId>
+			<version>1.2.3</version>
+		</dependency>
 	</dependencies>
 	<profiles>
 		<!-- disable doclint, a new feature in Java 8, when generating javadoc -->
@@ -186,26 +206,26 @@
 				</configuration>
 			</plugin>
 			<plugin>
-			<artifactId>maven-assembly-plugin</artifactId>
-			<configuration>
-				<archive>
-					<manifest>
-					</manifest>
-				</archive>
-				<descriptorRefs>
-					<descriptorRef>jar-with-dependencies</descriptorRef>
-				</descriptorRefs>
-			</configuration>
-			<executions>
-				<execution>
-					<id>make-assembly</id> <!-- this is used for inheritance merges -->
-					<phase>package</phase> <!-- bind to the packaging phase -->
-					<goals>
-						<goal>single</goal>
-					</goals>
-				</execution>
-			</executions>
-		</plugin>
+				<artifactId>maven-assembly-plugin</artifactId>
+				<configuration>
+					<archive>
+						<manifest>
+						</manifest>
+					</archive>
+					<descriptorRefs>
+						<descriptorRef>jar-with-dependencies</descriptorRef>
+					</descriptorRefs>
+				</configuration>
+				<executions>
+					<execution>
+						<id>make-assembly</id> <!-- this is used for inheritance merges -->
+						<phase>package</phase> <!-- bind to the packaging phase -->
+						<goals>
+							<goal>single</goal>
+						</goals>
+					</execution>
+				</executions>
+			</plugin>
 		</plugins>
 	</build>
 </project>
diff --git a/ecomp-sdk/pom.xml b/ecomp-sdk/pom.xml
index 8ae56339..e3db8a97 100644
--- a/ecomp-sdk/pom.xml
+++ b/ecomp-sdk/pom.xml
@@ -32,7 +32,7 @@
 
 	<properties>
 		<encoding>UTF-8</encoding>
-		<springframework.version>4.2.2.RELEASE</springframework.version>
+		<springframework.version>4.2.3.RELEASE</springframework.version>
 		<hibernate.version>4.3.11.Final</hibernate.version>
 		<skiptests>false</skiptests>
 		<nexusproxy>https://nexus.onap.org</nexusproxy>
-- 
cgit 1.2.3-korg