- updated license headers

- updated parent project: 8.5.0
- updated authzforce-ce-core-*: 20.3.1

CONTRIBUTING.md

@@ -23,7 +23,7 @@
    ```shell
    $ git checkout release-${version} 
    $ cd  cxf-spring-boot-server
-   $ docker build -t authzforce/restful-pdp:${version} .
+   $ docker build -t authzforce/restful-pdp:latest -t authzforce/restful-pdp:${version} .
    $ docker login
    $ docker push authzforce/restful-pdp:${version}
    ```

README.md

@@ -31,7 +31,7 @@ See [AuthzForce Core features](https://github.com/authzforce/core#features) for
 ## Limitations
 See [AuthzForce Core limitations](https://github.com/authzforce/core#limitations).
 
-## System requirements
+## System requirements 
 Java (JRE) 11 or later.
 
 
@@ -99,9 +99,9 @@ To use the Policy Provider for policies stored in MongoDB, please make sure the
 </dependency>
 <dependency>
          <groupId>org.mongodb</groupId>
-         <artifactId>mongo-java-driver</artifactId>
+         <artifactId>mongodb-driver-legacy</artifactId>
 	<!-- Set the version to whatever version is specified in authzforce-ce-core-pdp-testutils Maven POM. -->
-         <version>${mongo-java-driver.version}</version>
+         <version>${mongodb-driver-legacy.version}</version>
 </dependency>
 ```
 

cxf-spring-boot-server/Dockerfile

@@ -12,7 +12,7 @@ VOLUME /tmp
 RUN addgroup --system spring && adduser --system --home /home/spring --ingroup spring --disabled-password spring
 USER spring:spring
 WORKDIR /home/spring
-ARG JAR_FILE=target/*-6.0.1.jar
+ARG JAR_FILE=target/authzforce-ce-restful-pdp-cxf-spring-boot-server-*.jar
 COPY ${JAR_FILE} /app.jar
 # COPY extensions /extensions
 

cxf-spring-boot-server/owasp-dependency-check-suppression.xml

@@ -1,8 +1,25 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions
-	xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+	xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
 	<suppress>
-		<!--See issue #35 on Github -->
-		<cve>CVE-2018-8088</cve>
+		<notes><![CDATA[
+   FP per issue https://github.com/jeremylong/DependencyCheck/issues/5545.
+   ]]></notes>
+		<packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
+		<vulnerabilityName>CVE-2022-45688</vulnerabilityName>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[
+   FP per issue #5779
+   ]]></notes>
+		<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson-databind@.*$</packageUrl>
+		<cve>CVE-2023-35116</cve>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[
+  	Considered FP by Spring devs - https://github.com/spring-projects/spring-framework/issues/24434
+   ]]></notes>
+		<packageUrl>pkg:maven/org.springframework/[email protected]</packageUrl>
+		<cve>CVE-2016-1000027</cve>
 	</suppress>
 </suppressions>

cxf-spring-boot-server/pom.xml

@@ -16,16 +16,12 @@
 		<!-- Publicly browsable repository URL. For example, via Gitlab web UI. -->
 		<url>${git.url.base}/restful-pdp/cxf-spring-boot-server</url>
 	</scm>
-	<properties>
-		<tomcat-version>9.0.58</tomcat-version>
-	</properties>
 	<dependencyManagement>
 		<dependencies>
 			<dependency>
 				<groupId>org.springframework.boot</groupId>
 				<artifactId>spring-boot-dependencies</artifactId>
-				<!-- Override Spring Boot v2.6.1 - used by cxf-spring-boot-starter-jaxrs:3.5.0 - which depends on Spring Core 5.3.14 which has 1 vulnerability. -->
-				<version>${spring-boot-starter.version}</version>
+				<version>${spring-boot.version}</version>
 				<type>pom</type>
 				<scope>import</scope>
 				<!-- jsonassert depends on com.vaadin.external.google:android-json whose classes conflict with org.json:json; same issue with json-path -->
@@ -53,36 +49,18 @@
 			<artifactId>cxf-rt-features-logging</artifactId>
 			<version>${cxf.version}</version>
 		</dependency>
+		<!-- cxf-spring-boot-starter-jaxrs:3.6.1 depends on spring-boot-starter:2.7.14 depends on snakeyaml:1.30 by default, which is affected by several CVES, fixed only in snakeyaml:2.0 and above
+		 So we are forcing snakeyaml:2.0+ version.
+		 -->
+		<dependency>
+			<groupId>org.yaml</groupId>
+			<artifactId>snakeyaml</artifactId>
+			<version>2.0</version>
+		</dependency>
 		<dependency>
 			<groupId>org.apache.cxf</groupId>
 			<artifactId>cxf-spring-boot-starter-jaxrs</artifactId>
 			<version>${cxf.version}</version>
-			<exclusions>
-				<exclusion>
-					<groupId>com.fasterxml.jackson.core</groupId>
-					<artifactId>jackson-databind</artifactId>
-				</exclusion>
-				<!-- exclude the validation-api:1.1.0 dependency that cxf-spring-boot-starter-jaxrs to prevent conflict with v2.0.1 that cxf-spring-boot-starter-jaxrs also depends on indirectly via spring-boot-starter-web / hibernate-validator -->
-				<exclusion>
-					<groupId>javax.validation</groupId>
-					<artifactId>validation-api</artifactId>
-				</exclusion>
-			</exclusions>
-		</dependency>
-		<dependency>
-			<groupId>org.apache.tomcat.embed</groupId>
-			<artifactId>tomcat-embed-core</artifactId>
-			<version>${tomcat-version}</version>
-		</dependency>
-		<dependency>
-			<groupId>org.apache.tomcat.embed</groupId>
-			<artifactId>tomcat-embed-websocket</artifactId>
-			<version>${tomcat-version}</version>
-		</dependency>
-		<dependency>
-			<groupId>javax.validation</groupId>
-			<artifactId>validation-api</artifactId>
-			<version>2.0.1.Final</version>
 		</dependency>
 		<dependency>
 			<groupId>junit</groupId>
@@ -92,7 +70,7 @@
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-test</artifactId>
-			<version>${spring-boot-starter.version}</version>
+			<version>${spring-boot.version}</version>
 			<scope>test</scope>
 			<!-- jsonassert depends on com.vaadin.external.google:android-json whose classes conflict with org.json:json; same issue with json-path -->
 			<exclusions>
@@ -217,7 +195,7 @@
 				<groupId>org.springframework.boot</groupId>
 				<artifactId>spring-boot-maven-plugin</artifactId>
 				<!-- <version>2.0.0.M6</version> -->
-				<version>${spring-boot-starter.version}</version>
+				<version>${spring-boot.version}</version>
 				<configuration>
 					<executable>true</executable>
 					<layout>ZIP</layout>

cxf-spring-boot-server/src/main/java/org/ow2/authzforce/rest/pdp/cxf/springboot/CxfJaxrsPdpSpringBootApp.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2022 THALES.
+ * Copyright (C) 2012-2023 THALES.
  *
  * This file is part of AuthzForce CE.
  *

cxf-spring-boot-server/src/test/java/org/ow2/authzforce/rest/pdp/cxf/springboot/test/XacmlRestProfileJaxRsTest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2022 THALES.
+ * Copyright (C) 2012-2023 THALES.
  *
  * This file is part of AuthzForce CE.
  *

docker/docker-compose.yml

@@ -6,7 +6,7 @@ services:
   pdp:
     # depends_on:
     #  - iam
-    image: authzforce/restful-pdp:latest
+    image: authzforce/restful-pdp
 
     ports:
      - "8080:8080"

jaxrs/owasp-dependency-check-suppression.xml

@@ -1,7 +1,3 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
-	<suppress>
-		<!--See issue #35 on Github -->
-		<cve>CVE-2018-8088</cve>
-	</suppress>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
 </suppressions>

jaxrs/pom.xml

@@ -17,7 +17,7 @@
 		<url>${git.url.base}/restful-pdp/jaxrs</url>
 	</scm>
 	<properties>
-		<authzforce-ce-core.version>20.3.0</authzforce-ce-core.version>
+		<authzforce-ce-core.version>20.3.1</authzforce-ce-core.version>
 	</properties>
 	<dependencies>
 		<dependency>
@@ -33,7 +33,7 @@
 		<dependency>
 			<groupId>org.ow2.authzforce</groupId>
 			<artifactId>authzforce-ce-jaxrs-utils</artifactId>
-			<version>2.0.3</version>
+			<version>2.0.4</version>
 		</dependency>
 		<dependency>
 			<groupId>org.ow2.authzforce</groupId>
@@ -44,7 +44,7 @@
 		<dependency>
 			<groupId>org.testng</groupId>
 			<artifactId>testng</artifactId>
-			<version>7.7.0</version>
+			<version>7.8.0</version>
 			<scope>test</scope>
 		</dependency>
 		<dependency>
@@ -167,7 +167,8 @@
 						in same test suite -->
 					<!-- <suiteXmlFile>src/test/suite.xml</suiteXmlFile> -->
 					<!-- </suiteXmlFiles> -->
-					<skipAfterFailureCount>1</skipAfterFailureCount>
+					<!-- WARNING: skipAfterFailureCount > 0 is causing failure with TestNG 7.x -->
+					<skipAfterFailureCount>0</skipAfterFailureCount>
 					<!-- redirectTestOutputToFile: set this to 'true' to redirect the unit 
 						test standard output to a file (found in reportsDirectory/testName-output.txt) -->
 					<redirectTestOutputToFile>false</redirectTestOutputToFile>

owasp-dependency-check-suppression.xml

@@ -1,8 +1,29 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions
-	xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
-	<suppress>
+	xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+	<!--<suppress>-->
 		<!--See issue #35 on Github -->
-		<cve>CVE-2018-8088</cve>
+		<!--<cve>CVE-2018-8088</cve>-->
+	<!--</suppress>-->
+	<suppress>
+		<notes><![CDATA[
+   FP per issue https://github.com/jeremylong/DependencyCheck/issues/5545.
+   ]]></notes>
+		<packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl>
+		<vulnerabilityName>CVE-2022-45688</vulnerabilityName>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[
+   FP per issue #5779
+   ]]></notes>
+		<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson-databind@.*$</packageUrl>
+		<cve>CVE-2023-35116</cve>
+	</suppress>
+	<suppress>
+		<notes><![CDATA[
+  	Considered FP by Spring devs - https://github.com/spring-projects/spring-framework/issues/24434
+   ]]></notes>
+		<packageUrl>pkg:maven/org.springframework/[email protected]</packageUrl>
+		<cve>CVE-2016-1000027</cve>
 	</suppress>
 </suppressions>

pom.xml

@@ -3,7 +3,7 @@
    <parent>
       <groupId>org.ow2.authzforce</groupId>
       <artifactId>authzforce-ce-parent</artifactId>
-      <version>8.4.1</version>
+      <version>8.5.0</version>
    </parent>
    <artifactId>authzforce-ce-restful-pdp</artifactId>
    <version>6.1.0-SNAPSHOT</version>