From 91958f3b09ac4883d393d9cfb04ddcb0baa1d134 Mon Sep 17 00:00:00 2001
From: Victor Gao <victor.gao@huawei.com>
Date: Thu, 15 Nov 2018 15:44:17 +0800
Subject: Fix vulnerability issue in resmgr

upgrade springframework from 3.x to 4.x

CVE-2016-6812
CVE-2018-1270
CVE-2018-11039
SONATYPE-2015-0002
CVE-2014-3578
CVE-2018-1257
CVE-2017-12624
CVE-2018-8039

Change-Id: I59014c277df9bf201bb672a108a82a2deb0ed95b
Issue-ID: VFC-1187
Signed-off-by: Victor Gao <victor.gao@huawei.com>
(cherry picked from commit ea18924cd5505f5e36ea58e7424db54c41db4605)
---
 ResmanagementService/service/pom.xml | 35 +++++++++++++++++++++++------------
 1 file changed, 23 insertions(+), 12 deletions(-)

(limited to 'ResmanagementService/service/pom.xml')

diff --git a/ResmanagementService/service/pom.xml b/ResmanagementService/service/pom.xml
index 3e043b7..7571b8f 100644
--- a/ResmanagementService/service/pom.xml
+++ b/ResmanagementService/service/pom.xml
@@ -104,7 +104,7 @@
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-tx</artifactId>
-            <version>3.1.0.RELEASE</version>
+            <version>3.1.2.RELEASE</version>
         </dependency>
         <dependency>
             <groupId>org.mybatis</groupId>
@@ -151,53 +151,64 @@
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-core</artifactId>
-            <version>3.1.0.RELEASE</version>
+            <version>4.3.18.RELEASE</version>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-aop</artifactId>
-            <version>3.1.0.RELEASE</version>
+            <version>4.3.18.RELEASE</version>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-beans</artifactId>
-            <version>3.1.0.RELEASE</version>
+            <version>4.3.18.RELEASE</version>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-context</artifactId>
-            <version>3.1.0.RELEASE</version>
+            <version>4.3.18.RELEASE</version>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-jdbc</artifactId>
-            <version>3.1.0.RELEASE</version>
+            <version>4.3.18.RELEASE</version>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-web</artifactId>
             <version>3.2.14.RELEASE</version>
         </dependency>
-        <dependency>
+        <!--dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-asm</artifactId>
-            <version>3.1.0.RELEASE</version>
-        </dependency>
+            <version>4.3.18.RELEASE</version>
+        </dependency-->
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-expression</artifactId>
-            <version>3.1.0.RELEASE</version>
+            <version>4.3.18.RELEASE</version>
         </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-test</artifactId>
-            <version>3.1.0.RELEASE</version>
+            <version>4.3.18.RELEASE</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.apache.cxf</groupId>
+            <artifactId>cxf-rt-transports-http</artifactId>
+            <version>3.1.17</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.cxf</groupId>
             <artifactId>cxf-rt-frontend-jaxrs</artifactId>
-            <version>3.1.6</version>
+            <version>3.1.17</version>
+			<exclusions>
+                <exclusion>
+                    <groupId>org.apache.cxf</groupId>
+                    <artifactId>cxf-rt-transports-http</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <!-- UT coverage dependency start -->
         <dependency>
-- 
cgit 1.2.3-korg