authorVictor Gao <victor.gao@huawei.com>2018-11-15 16:31:25 +0800
committerVictor Gao <victor.gao@huawei.com>2018-11-15 16:31:25 +0800
commit9f1cac89181d9743316c4311c7d0b1e7eda5789e (patch)
treeddbb81d6a453939ed15ea868ef3048b319d2545d
parent7a97a7c08cfcf2e0670cb42c2e99ee79e8b57c29 (diff)
Fix vulnerability issue in multivimproxy3.0.1-ONAP3.0.0-ONAP1.2.1
upgrade springframework from 3.x to 4.x CVE-2016-6812 CVE-2018-1270 CVE-2018-11039 SONATYPE-2015-0002 CVE-2014-3578 CVE-2018-1257 CVE-2017-12624 CVE-2018-8039 Change-Id: I671cf3c3fa29a4d935867d5030d77668a785dd88 Issue-ID: VFC-1187 Signed-off-by: Victor Gao <victor.gao@huawei.com>
-rw-r--r--service/pom.xml46
-rw-r--r--service/src/main/java/org/onap/vfc/nfvo/multivimproxy/service/activator/ROAMultivimProxyServicePostProcessor.java60
-rw-r--r--service/src/main/resources/spring/multivimproxy/services.xml2
3 files changed, 35 insertions, 73 deletions
diff --git a/service/pom.xml b/service/pom.xml
index 498ff56..da71144 100644
--- a/service/pom.xml
+++ b/service/pom.xml
@@ -65,10 +65,21 @@
<version>1.3.0</version>
</dependency>
<dependency>
+ <groupId>commons-collections</groupId>
+ <artifactId>commons-collections</artifactId>
+ <version>3.2.2</version>
+ </dependency>
+ <dependency>
<groupId>net.sf.json-lib</groupId>
<artifactId>json-lib</artifactId>
<version>2.4</version>
<classifier>jdk15</classifier>
+ <exclusions>
+ <exclusion>
+ <groupId>commons-collections</groupId>
+ <artifactId>commons-collections</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<!-- dependency>
<groupId>org.eclipse.jetty.orbit</groupId>
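Review bot: The new `commons-collections` 3.2.2 dependency and the matching exclusion under `json-lib` carry no comment, so a later clean-up could remove them without realising they are a security pin. The pin is presumably for the Java-deserialization hardening shipped in 3.2.2, which may be the SONATYPE-2015-0002 entry in the commit message. I would add `<!-- security pin: keep commons-collections at 3.2.2 or later; json-lib 2.4 brings an older one transitively -->` above the new `<dependency>`. The direct declaration already wins Maven's version mediation, so the exclusion is belt-and-braces; `mvn dependency:tree -Dincludes=commons-collections` would confirm that only 3.2.2 resolves.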
@@ -91,7 +102,7 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-tx</artifactId>
- <version>3.1.0.RELEASE</version>
+ <version>3.1.2.RELEASE</version>
</dependency>
<dependency>
<groupId>org.mybatis</groupId>
@@ -138,53 +149,64 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-core</artifactId>
- <version>3.1.0.RELEASE</version>
+ <version>4.3.18.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-aop</artifactId>
- <version>3.1.0.RELEASE</version>
+ <version>4.3.18.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
- <version>3.1.0.RELEASE</version>
+ <version>4.3.18.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
- <version>3.1.0.RELEASE</version>
+ <version>4.3.18.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-jdbc</artifactId>
- <version>3.1.0.RELEASE</version>
+ <version>4.3.18.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-web</artifactId>
<version>3.2.14.RELEASE</version>
</dependency>
- <dependency>
+ <!--dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-asm</artifactId>
- <version>3.1.0.RELEASE</version>
- </dependency>
+ <version>4.3.18.RELEASE</version>
+ </dependency-->
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-expression</artifactId>
- <version>3.1.0.RELEASE</version>
+ <version>4.3.18.RELEASE</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-test</artifactId>
- <version>3.1.0.RELEASE</version>
+ <version>4.3.18.RELEASE</version>
</dependency>
<dependency>
<groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-rt-transports-http</artifactId>
+ <version>3.1.17</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.cxf</groupId>
<artifactId>cxf-rt-frontend-jaxrs</artifactId>
- <version>3.1.6</version>
+ <version>3.1.17</version>
+ <exclusions>
+ <exclusion>
+ <groupId>org.apache.cxf</groupId>
+ <artifactId>cxf-rt-transports-http</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<!-- UT coverage dependency start -->
<dependency>
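Review bot: `spring-web` stays at `3.2.14.RELEASE` in this hunk and `spring-tx` in the previous hunk only moves to `3.1.2.RELEASE`, so the build now mixes 3.x Spring modules with the 4.3.18.RELEASE core, beans, context, aop, jdbc, expression and test modules. Spring modules are released and tested as one set, and a split like this tends to surface as `NoSuchMethodError` or `ClassNotFoundException` at context start-up. It also leaves the web module on an unpatched line, which is where CVE-2018-11039 from the commit message would apply if I read that advisory correctly. I would define one property and use `<version>${spring.version}</version>` for every `org.springframework` artifact, then check the result with `mvn dependency:tree -Dincludes=org.springframework`. The commented-out `spring-asm` block could be deleted rather than kept with an edited version, since as far as I know that module was folded into `spring-core` and has no 4.x release.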
diff --git a/service/src/main/java/org/onap/vfc/nfvo/multivimproxy/service/activator/ROAMultivimProxyServicePostProcessor.java b/service/src/main/java/org/onap/vfc/nfvo/multivimproxy/service/activator/ROAMultivimProxyServicePostProcessor.java
deleted file mode 100644
index fd3f1bc..0000000
--- a/service/src/main/java/org/onap/vfc/nfvo/multivimproxy/service/activator/ROAMultivimProxyServicePostProcessor.java
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright 2016 Huawei Technologies Co., Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.onap.vfc.nfvo.multivimproxy.service.activator;
-
-import org.onap.vfc.nfvo.multivimproxy.service.adapter.inf.IMultivimProxyAdapterMgrService;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.BeansException;
-import org.springframework.beans.factory.config.DestructionAwareBeanPostProcessor;
-
-/**
- * <br>
- * <p>
- * </p>
- *
- * @author
- * @version VFC 1.0 Sep 22, 2016
- */
-public class ROAMultivimProxyServicePostProcessor implements DestructionAwareBeanPostProcessor {
-
- private static final Logger LOG = LoggerFactory.getLogger(ROAMultivimProxyServicePostProcessor.class);
-
- @Override
- public Object postProcessAfterInitialization(Object bean, String name) throws BeansException {
- if(bean instanceof IMultivimProxyAdapterMgrService) {
- LOG.warn("Register to Microservice BUS!");
- IMultivimProxyAdapterMgrService proxyAdapterSvc = (IMultivimProxyAdapterMgrService)bean;
- proxyAdapterSvc.register();
- }
-
- return bean;
- }
-
- @Override
- public Object postProcessBeforeInitialization(Object bean, String name) throws BeansException {
- // TODO Auto-generated method stub
- return bean;
- }
-
- @Override
- public void postProcessBeforeDestruction(Object bean, String name) throws BeansException {
- // TODO Auto-generated method stub
-
- }
-
-}
diff --git a/service/src/main/resources/spring/multivimproxy/services.xml b/service/src/main/resources/spring/multivimproxy/services.xml
index 135b1d9..33bdb01 100644
--- a/service/src/main/resources/spring/multivimproxy/services.xml
+++ b/service/src/main/resources/spring/multivimproxy/services.xml
@@ -35,7 +35,7 @@
http://cxf.apache.org/transports/http/configuration
http://cxf.apache.org/schemas/configuration/http-conf.xsd
http://www.springframework.org/schema/aop
- http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">
+ http://www.springframework.org/schema/aop/spring-aop.xsd">
<!-- these are included in the dependency jar -->
<import resource="classpath:META-INF/cxf/cxf.xml" />