Merge pull request #97 from eu-digital-green-certificates/feat/update…

…-dependencies

Update Dependencies

codestyle/checkstyle.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0"?>
 <!DOCTYPE module PUBLIC
-  "-//Checkstyle//DTD Checkstyle Configuration 1.3//EN"
-  "https://checkstyle.org/dtds/configuration_1_3.dtd">
+        "-//Checkstyle//DTD Checkstyle Configuration 1.3//EN"
+        "https://checkstyle.org/dtds/configuration_1_3.dtd">
 
 <!--
     Checkstyle configuration that checks the Google coding conventions from Google Java Style
@@ -215,10 +215,10 @@
     <module name="Indentation">
       <property name="basicOffset" value="4"/>
       <property name="braceAdjustment" value="0"/>
-      <property name="caseIndent" value="2"/>
-      <property name="throwsIndent" value="2"/>
-      <property name="lineWrappingIndentation" value="2"/>
-      <property name="arrayInitIndent" value="2"/>
+      <property name="caseIndent" value="4"/>
+      <property name="throwsIndent" value="4"/>
+      <property name="lineWrappingIndentation" value="4"/>
+      <property name="arrayInitIndent" value="4"/>
     </module>
     <module name="AbbreviationAsWordInName">
       <property name="ignoreFinal" value="false"/>
@@ -282,7 +282,7 @@
                 value="CLASS_DEF, INTERFACE_DEF, ENUM_DEF, METHOD_DEF, CTOR_DEF, VARIABLE_DEF"/>
     </module>
     <module name="JavadocMethod">
-      <property name="scope" value="public"/>
+      <property name="accessModifiers" value="public"/>
       <property name="allowMissingParamTags" value="true"/>
       <property name="allowMissingReturnTag" value="true"/>
       <property name="allowedAnnotations" value="Override, Test"/>

owasp/suppressions.xml

@@ -18,4 +18,12 @@
     <notes>H2 is not used by this project.</notes>
     <cve>CVE-2021-23463</cve>
   </suppress>
+  <suppress>
+    <notes>False Positive, Should match only up to 5.3.2 (excluding) but we have 5.6.3 </notes>
+    <cve>CVE-2020-5408</cve>
+  </suppress>
+  <suppress>
+    <notes>False Positive, Should match only up to 1.32 (excluding) but we have 1.33</notes>
+    <cve>CVE-2022-38752</cve>
+  </suppress>
 </suppressions>

pom.xml

@@ -23,22 +23,21 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <!-- dependencies -->
-        <owasp.version>6.5.3</owasp.version>
-        <spring.boot.version>2.6.3</spring.boot.version>
-        <spring.cloud.version>3.1.0</spring.cloud.version>
-        <feign.version>11.7</feign.version>
+        <owasp.version>7.3.0</owasp.version>
+        <spring.boot.version>2.7.5</spring.boot.version>
+        <spring.cloud.version>3.1.4</spring.cloud.version>
+        <feign.version>11.10</feign.version>
         <bcpkix.version>1.70</bcpkix.version>
-        <lombok.version>1.18.22</lombok.version>
-        <mapstruct.version>1.4.2.Final</mapstruct.version>
+        <lombok.version>1.18.24</lombok.version>
+        <mapstruct.version>1.5.3.Final</mapstruct.version>
         <commonsio.version>2.11.0</commonsio.version>
-        <cbor.version>4.5.1</cbor.version>
-        <jackson.version>2.13.2</jackson.version>
-        <jackson.databind.version>2.13.2.1</jackson.databind.version>
-        <mockwebserver.version>4.9.3</mockwebserver.version>
-        <plugin.checkstyle.version>3.1.2</plugin.checkstyle.version>
-        <plugin.sonar.version>3.9.1.2184</plugin.sonar.version>
-        <plugin.surefire.version>3.0.0-M5</plugin.surefire.version>
-        <plugin.jacoco.version>0.8.7</plugin.jacoco.version>
+        <cbor.version>4.5.2</cbor.version>
+        <jackson.version>2.13.4</jackson.version>
+        <jackson.databind.version>2.13.4.2</jackson.databind.version>
+        <mockwebserver.version>4.10.0</mockwebserver.version>
+        <plugin.checkstyle.version>3.2.0</plugin.checkstyle.version>
+        <plugin.surefire.version>3.0.0-M7</plugin.surefire.version>
+        <plugin.jacoco.version>0.8.8</plugin.jacoco.version>
 
         <!-- license -->
         <license.projectName>EU Digital Green Certificate Gateway Service / dgc-lib</license.projectName>
@@ -74,9 +73,21 @@
     <dependencies>
         <dependency>
             <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter</artifactId>
+            <artifactId>spring-boot-starter-web</artifactId>
             <version>${spring.boot.version}</version>
             <optional>true</optional>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.yaml</groupId>
+                    <artifactId>snakeyaml</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <!-- Explicit inclusion of SnakeYaml because of CVE -->
+        <dependency>
+            <groupId>org.yaml</groupId>
+            <artifactId>snakeyaml</artifactId>
+            <version>1.33</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
@@ -149,24 +160,6 @@
             <version>${mockwebserver.version}</version>
             <scope>test</scope>
         </dependency>
-        <!-- Explicit inclusion because of https://nvd.nist.gov/vuln/detail/CVE-2021-27568 -->
-        <dependency>
-            <groupId>net.minidev</groupId>
-            <artifactId>json-smart</artifactId>
-            <version>2.4.7</version>
-            <scope>test</scope>
-        </dependency>
-        <!-- Explicit inclusion because of https://nvd.nist.gov/vuln/detail/CVE-2021-22119 -->
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-crypto</artifactId>
-            <version>5.5.1</version>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework</groupId>
-            <artifactId>spring-web</artifactId>
-            <version>5.3.15</version>
-        </dependency>
     </dependencies>
 
     <build>
@@ -185,7 +178,7 @@
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-compiler-plugin</artifactId>
-                    <version>3.8.1</version>
+                    <version>3.10.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.codehaus.mojo</groupId>
@@ -242,8 +235,6 @@
                 <configuration>
                     <configLocation>codestyle/checkstyle.xml</configLocation>
                     <excludes>target/**/*</excludes>
-                    <excludes>**/springbootworkaroundforks/*</excludes>
-                    <encoding>UTF-8</encoding>
                     <consoleOutput>true</consoleOutput>
                     <failsOnError>true</failsOnError>
                     <violationSeverity>warning</violationSeverity>

src/main/java/eu/europa/ec/dgc/gateway/connector/DgcGatewayConnectorUtils.java

@@ -135,14 +135,14 @@ public boolean trustListItemSignedByCa(TrustListItemDto certificate, X509Certifi
     }
 
     public boolean trustListItemSignedByCa(TrustListItemDto certificate, Map<String,
-            List<X509CertificateHolder>> caMap) {
+        List<X509CertificateHolder>> caMap) {
 
         X509CertificateHolder dcs;
         try {
             dcs = new X509CertificateHolder(Base64.getDecoder().decode(certificate.getRawData()));
         } catch (IOException e) {
             log.error("Could not parse certificate. KID: {}, Country: {}",
-                    certificate.getKid(), certificate.getCountry());
+                certificate.getKid(), certificate.getCountry());
             return false;
         } catch (NullPointerException e) {
             return false;
@@ -151,13 +151,13 @@ public boolean trustListItemSignedByCa(TrustListItemDto certificate, Map<String,
         List<X509CertificateHolder> caList = caMap.get(dcs.getIssuer().toString());
         if (caList == null) {
             log.error("Failed to find issuer certificate from cert. KID: {}, Country: {}",
-                    certificate.getKid(), certificate.getCountry());
+                certificate.getKid(), certificate.getCountry());
             return false;
         }
 
         return caList
-                .stream()
-                .anyMatch(ca -> trustListItemSignedByCa(certificate, ca));
+            .stream()
+            .anyMatch(ca -> trustListItemSignedByCa(certificate, ca));
     }
 
     boolean checkTrustAnchorSignature(TrustListItemDto trustListItem, List<X509CertificateHolder> trustAnchors) {

src/main/java/eu/europa/ec/dgc/gateway/connector/DgcGatewayDownloadConnector.java

@@ -103,8 +103,8 @@ private synchronized void updateIfRequired() {
             trustedCscaCertificates = connectorUtils.fetchCertificatesAndVerifyByTrustAnchor(CertificateTypeDto.CSCA);
             log.info("CSCA TrustStore contains {} trusted certificates.", trustedCscaCertificates.size());
             trustedCscaCertificateMap = trustedCscaCertificates.stream()
-                    .collect(Collectors.groupingBy((ca) -> ca.getSubject().toString(),
-                            Collectors.mapping((ca) -> ca, Collectors.toList())));
+                .collect(Collectors.groupingBy((ca) -> ca.getSubject().toString(),
+                    Collectors.mapping((ca) -> ca, Collectors.toList())));
 
             trustedUploadCertificates =
                 connectorUtils.fetchCertificatesAndVerifyByTrustAnchor(CertificateTypeDto.UPLOAD);

src/main/java/eu/europa/ec/dgc/gateway/connector/DgcGatewayDownloadConnectorBuilder.java

@@ -25,8 +25,6 @@
 import eu.europa.ec.dgc.gateway.connector.mapper.TrustListMapper;
 import eu.europa.ec.dgc.gateway.connector.mapper.TrustedIssuerMapper;
 import eu.europa.ec.dgc.gateway.connector.mapper.TrustedIssuerMapperImpl;
-import eu.europa.ec.dgc.gateway.connector.springbootworkaroundforks.DgcFeignClientBuilder;
-import eu.europa.ec.dgc.gateway.connector.springbootworkaroundforks.DgcFeignClientFactoryBean;
 import eu.europa.ec.dgc.utils.CertificateUtils;
 import feign.Client;
 import feign.httpclient.ApacheHttpClient;
@@ -58,6 +56,8 @@
 import org.apache.http.ssl.SSLContextBuilder;
 import org.bouncycastle.cert.X509CertificateHolder;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.springframework.cloud.openfeign.FeignClientBuilder;
+import org.springframework.cloud.openfeign.FeignClientFactoryBean;
 import org.springframework.context.ApplicationContext;
 import org.springframework.http.HttpHeaders;
 
@@ -287,9 +287,8 @@ public DgcGatewayDownloadConnector build() throws DgcGatewayDownloadConnectorBui
                 "Failed to create HTTP Client",
                 e);
         }
-
-        DgcGatewayConnectorRestClient restClient = new DgcFeignClientBuilder(springBootContext)
-            .forType(DgcGatewayConnectorRestClient.class, new DgcFeignClientFactoryBean(), UUID.randomUUID().toString())
+        DgcGatewayConnectorRestClient restClient = new FeignClientBuilder(springBootContext)
+            .forType(DgcGatewayConnectorRestClient.class, new FeignClientFactoryBean(), UUID.randomUUID().toString())
             .customize(builder -> builder.client(client))
             .url(url)
             .build();

src/main/java/eu/europa/ec/dgc/gateway/connector/DgcGatewayRevocationListDownloadConnector.java

@@ -56,6 +56,7 @@ public class DgcGatewayRevocationListDownloadConnector {
     /**
      * Gets a revocation list iterator, for partly downloading the revocation list.
      * The if-modified-since header is set to the default value to start at the beginning of the list.
+     *
      * @return revocation list iterator
      */
     public DgcGatewayRevocationListDownloadIterator getRevocationListDownloadIterator() {
@@ -65,6 +66,7 @@ public DgcGatewayRevocationListDownloadIterator getRevocationListDownloadIterato
     /**
      * Gets a revocation list iterator, for partly downloading the revocation list.
      * The if-modified-since header is set to the value of the parameter. Only newer part of the list are downloaded.
+     *
      * @param ifModifiedSinceDate The value for the if-modified-since header
      * @return revocation list iterator
      */
@@ -76,6 +78,7 @@ public DgcGatewayRevocationListDownloadIterator getRevocationListDownloadIterato
 
     /**
      * Gets the revocation list batch data for a given batchId.
+     *
      * @param batchId the id of the batch to download.
      * @return the batch data.
      */
@@ -90,7 +93,7 @@ public RevocationBatchDto getRevocationListBatchById(String batchId) throws Revo
             log.error("Download of revocation list batch failed. DGCG responded with status code: {}", e.status());
 
             if (e.status() == HttpStatus.GONE.value()) {
-                throw new RevocationBatchGoneException(String.format("Batch already gone: %s", batchId),batchId);
+                throw new RevocationBatchGoneException(String.format("Batch already gone: %s", batchId), batchId);
             }
 
             throw new RevocationBatchDownloadException("Batch download failed with exception.", e);
@@ -102,7 +105,7 @@ public RevocationBatchDto getRevocationListBatchById(String batchId) throws Revo
 
             throw new RevocationBatchDownloadException(
                 String.format("Batch download failed with unexpected response. Response status code: %d", statusCode),
-                    statusCode);
+                statusCode);
         }
 
         String cms = responseEntity.getBody();

src/main/java/eu/europa/ec/dgc/gateway/connector/DgcGatewayRevocationListUploadConnector.java

@@ -67,7 +67,7 @@ public class DgcGatewayRevocationListUploadConnector {
     private final DgcGatewayConnectorRestClient dgcGatewayConnectorRestClient;
 
     private final DgcGatewayConnectorConfigProperties properties;
-    
+
     private final ObjectMapper objectMapper;
 
     private final CertificateUtils certificateUtils;
@@ -111,12 +111,12 @@ void init() throws KeyStoreException, CertificateEncodingException, IOException
      * @throws DgcRevocationBatchUploadException with detailed information why the upload has failed.
      */
     public String uploadRevocationBatch(RevocationBatchDto revocationBatchDto)
-      throws DgcRevocationBatchUploadException, JsonProcessingException {
+        throws DgcRevocationBatchUploadException, JsonProcessingException {
 
         objectMapper.registerModule(new JavaTimeModule());
         String jsonString = objectMapper.writeValueAsString(revocationBatchDto);
         String payload = new SignedStringMessageBuilder().withPayload(jsonString)
-          .withSigningCertificate(uploadCertificateHolder, uploadCertificatePrivateKey).buildAsString();
+            .withSigningCertificate(uploadCertificateHolder, uploadCertificatePrivateKey).buildAsString();
 
         try {
             ResponseEntity<Void> response = dgcGatewayConnectorRestClient.uploadBatch(payload);
@@ -132,7 +132,7 @@ public String uploadRevocationBatch(RevocationBatchDto revocationBatchDto)
             } else if (e.status() == HttpStatus.UNAUTHORIZED.value() || e.status() == HttpStatus.FORBIDDEN.value()) {
                 log.error("Client is not authorized. (Invalid Client Certificate)");
                 throw new DgcRevocationBatchUploadException(
-                  DgcRevocationBatchUploadException.Reason.INVALID_AUTHORIZATION);
+                    DgcRevocationBatchUploadException.Reason.INVALID_AUTHORIZATION);
             }
         }
         return null;
@@ -145,14 +145,14 @@ public String uploadRevocationBatch(RevocationBatchDto revocationBatchDto)
      * @throws DgcRevocationBatchUploadException with detailed information why the delete has failed.
      */
     public void deleteRevocationBatch(String batchId) throws DgcRevocationBatchUploadException,
-      JsonProcessingException {
+        JsonProcessingException {
 
         RevocationBatchDeleteRequestDto deleteRequest = new RevocationBatchDeleteRequestDto();
         deleteRequest.setBatchId(batchId);
         String jsonString = objectMapper.writeValueAsString(deleteRequest);
 
         String payload = new SignedStringMessageBuilder().withPayload(jsonString)
-          .withSigningCertificate(uploadCertificateHolder, uploadCertificatePrivateKey).buildAsString();
+            .withSigningCertificate(uploadCertificateHolder, uploadCertificatePrivateKey).buildAsString();
 
         try {
             ResponseEntity<Void> response = dgcGatewayConnectorRestClient.deleteBatch(payload);
@@ -167,7 +167,7 @@ public void deleteRevocationBatch(String batchId) throws DgcRevocationBatchUploa
             } else if (e.status() == HttpStatus.UNAUTHORIZED.value() || e.status() == HttpStatus.FORBIDDEN.value()) {
                 log.error("Client is not authorized. (Invalid Client Certificate)");
                 throw new DgcRevocationBatchUploadException(
-                  DgcRevocationBatchUploadException.Reason.INVALID_AUTHORIZATION);
+                    DgcRevocationBatchUploadException.Reason.INVALID_AUTHORIZATION);
 
             } else if (e.status() == HttpStatus.NOT_FOUND.value()) {
                 log.info("ValidationRules with ID {} does not exists on DGCG", batchId);
@@ -181,8 +181,8 @@ private void handleBadRequest(FeignException e) throws DgcRevocationBatchUploadE
                 ProblemReportDto problemReport = objectMapper.readValue(e.contentUTF8(), ProblemReportDto.class);
 
                 throw new DgcRevocationBatchUploadException(DgcRevocationBatchUploadException.Reason.INVALID_BATCH,
-                  String.format("%s: %s, %s", problemReport.getCode(), problemReport.getProblem(),
-                    problemReport.getDetails()));
+                    String.format("%s: %s, %s", problemReport.getCode(), problemReport.getProblem(),
+                        problemReport.getDetails()));
             } catch (JsonProcessingException jsonException) {
                 throw new DgcRevocationBatchUploadException(DgcRevocationBatchUploadException.Reason.UNKNOWN_ERROR);
             }

src/main/java/eu/europa/ec/dgc/gateway/connector/client/DgcGatewayConnectorRestClient.java

@@ -42,9 +42,9 @@
 
 @ConditionalOnProperty("dgc.gateway.connector.enabled")
 @FeignClient(
-  name = "dgc-gateway-connector",
-  url = "${dgc.gateway.connector.endpoint}",
-  configuration = DgcGatewayConnectorRestClientConfig.class
+    name = "dgc-gateway-connector",
+    url = "${dgc.gateway.connector.endpoint}",
+    configuration = DgcGatewayConnectorRestClientConfig.class
 )
 public interface DgcGatewayConnectorRestClient {
 
@@ -130,7 +130,7 @@ public interface DgcGatewayConnectorRestClient {
      */
     @GetMapping(value = "/revocation-list", produces = MediaType.APPLICATION_JSON_VALUE)
     ResponseEntity<RevocationBatchListDto> downloadRevocationList(
-      @RequestHeader(HttpHeaders.IF_MODIFIED_SINCE) String lastUpdate);
+        @RequestHeader(HttpHeaders.IF_MODIFIED_SINCE) String lastUpdate);
 
     /**
      * Downloads a batch of the revocation list.