From 9f1cac89181d9743316c4311c7d0b1e7eda5789e Mon Sep 17 00:00:00 2001
From: Victor Gao <victor.gao@huawei.com>
Date: Thu, 15 Nov 2018 16:31:25 +0800
Subject: Fix vulnerability issue in multivimproxy

upgrade springframework from 3.x to 4.x

CVE-2016-6812
CVE-2018-1270
CVE-2018-11039
SONATYPE-2015-0002
CVE-2014-3578
CVE-2018-1257
CVE-2017-12624
CVE-2018-8039

Change-Id: I671cf3c3fa29a4d935867d5030d77668a785dd88
Issue-ID: VFC-1187
Signed-off-by: Victor Gao <victor.gao@huawei.com>
---
 service/pom.xml                                    | 46 ++++++++++++-----
 .../ROAMultivimProxyServicePostProcessor.java      | 60 ----------------------
 .../resources/spring/multivimproxy/services.xml    |  2 +-
 3 files changed, 35 insertions(+), 73 deletions(-)
 delete mode 100644 service/src/main/java/org/onap/vfc/nfvo/multivimproxy/service/activator/ROAMultivimProxyServicePostProcessor.java

diff --git a/service/pom.xml b/service/pom.xml
index 498ff56..da71144 100644
--- a/service/pom.xml
+++ b/service/pom.xml
@@ -64,11 +64,22 @@
             <artifactId>com.springsource.org.apache.commons.codec</artifactId>
             <version>1.3.0</version>
         </dependency>
+        <dependency>
+            <groupId>commons-collections</groupId>
+            <artifactId>commons-collections</artifactId>
+            <version>3.2.2</version>
+        </dependency>
         <dependency>
             <groupId>net.sf.json-lib</groupId>
             <artifactId>json-lib</artifactId>
             <version>2.4</version>
             <classifier>jdk15</classifier>
+            <exclusions>
+                <exclusion>
+                    <groupId>commons-collections</groupId>
+                    <artifactId>commons-collections</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <!--  dependency>
             <groupId>org.eclipse.jetty.orbit</groupId>
@@ -91,7 +102,7 @@
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-tx</artifactId>
-            <version>3.1.0.RELEASE</version>
+            <version>3.1.2.RELEASE</version>
         </dependency>
         <dependency>
             <groupId>org.mybatis</groupId>
@@ -138,53 +149,64 @@
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-core</artifactId>
-            <version>3.1.0.RELEASE</version>
+            <version>4.3.18.RELEASE</version>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-aop</artifactId>
-            <version>3.1.0.RELEASE</version>
+            <version>4.3.18.RELEASE</version>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-beans</artifactId>
-            <version>3.1.0.RELEASE</version>
+            <version>4.3.18.RELEASE</version>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-context</artifactId>
-            <version>3.1.0.RELEASE</version>
+            <version>4.3.18.RELEASE</version>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-jdbc</artifactId>
-            <version>3.1.0.RELEASE</version>
+            <version>4.3.18.RELEASE</version>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-web</artifactId>
             <version>3.2.14.RELEASE</version>
         </dependency>
-        <dependency>
+        <!--dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-asm</artifactId>
-            <version>3.1.0.RELEASE</version>
-        </dependency>
+            <version>4.3.18.RELEASE</version>
+        </dependency-->
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-expression</artifactId>
-            <version>3.1.0.RELEASE</version>
+            <version>4.3.18.RELEASE</version>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-test</artifactId>
-            <version>3.1.0.RELEASE</version>
+            <version>4.3.18.RELEASE</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-transports-http</artifactId>
+            <version>3.1.17</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.cxf</groupId>
             <artifactId>cxf-rt-frontend-jaxrs</artifactId>
-            <version>3.1.6</version>
+            <version>3.1.17</version>
+			<exclusions>
+                <exclusion>
+                    <groupId>org.apache.cxf</groupId>
+                    <artifactId>cxf-rt-transports-http</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <!-- UT coverage dependency start -->
         <dependency>
diff --git a/service/src/main/java/org/onap/vfc/nfvo/multivimproxy/service/activator/ROAMultivimProxyServicePostProcessor.java b/service/src/main/java/org/onap/vfc/nfvo/multivimproxy/service/activator/ROAMultivimProxyServicePostProcessor.java
deleted file mode 100644
index fd3f1bc..0000000
--- a/service/src/main/java/org/onap/vfc/nfvo/multivimproxy/service/activator/ROAMultivimProxyServicePostProcessor.java
+++ /dev/null
@@ -1,60 +0,0 @@
-/*
- * Copyright 2016 Huawei Technologies Co., Ltd.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.onap.vfc.nfvo.multivimproxy.service.activator;
-
-import org.onap.vfc.nfvo.multivimproxy.service.adapter.inf.IMultivimProxyAdapterMgrService;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-import org.springframework.beans.BeansException;
-import org.springframework.beans.factory.config.DestructionAwareBeanPostProcessor;
-
-/**
- * <br>
- * <p>
- * </p>
- * 
- * @author
- * @version VFC 1.0 Sep 22, 2016
- */
-public class ROAMultivimProxyServicePostProcessor implements DestructionAwareBeanPostProcessor {
-
-    private static final Logger LOG = LoggerFactory.getLogger(ROAMultivimProxyServicePostProcessor.class);
-
-    @Override
-    public Object postProcessAfterInitialization(Object bean, String name) throws BeansException {
-        if(bean instanceof IMultivimProxyAdapterMgrService) {
-            LOG.warn("Register to Microservice BUS!");
-            IMultivimProxyAdapterMgrService proxyAdapterSvc = (IMultivimProxyAdapterMgrService)bean;
-            proxyAdapterSvc.register();
-        }
-
-        return bean;
-    }
-
-    @Override
-    public Object postProcessBeforeInitialization(Object bean, String name) throws BeansException {
-        // TODO Auto-generated method stub
-        return bean;
-    }
-
-    @Override
-    public void postProcessBeforeDestruction(Object bean, String name) throws BeansException {
-        // TODO Auto-generated method stub
-
-    }
-
-}
diff --git a/service/src/main/resources/spring/multivimproxy/services.xml b/service/src/main/resources/spring/multivimproxy/services.xml
index 135b1d9..33bdb01 100644
--- a/service/src/main/resources/spring/multivimproxy/services.xml
+++ b/service/src/main/resources/spring/multivimproxy/services.xml
@@ -35,7 +35,7 @@
     http://cxf.apache.org/transports/http/configuration
     http://cxf.apache.org/schemas/configuration/http-conf.xsd
     http://www.springframework.org/schema/aop
-    http://www.springframework.org/schema/aop/spring-aop-3.0.xsd">
+    http://www.springframework.org/schema/aop/spring-aop.xsd">
 
     <!-- these are included in the dependency jar -->
     <import resource="classpath:META-INF/cxf/cxf.xml" />
-- 
cgit 1.2.3-korg