From d171efd9bde8e631a5f80fc83f62c7a33af34f08 Mon Sep 17 00:00:00 2001
From: siarhei_hrabko
Date: Mon, 20 Nov 2023 09:21:18 +0300
Subject: [PATCH 1/2] EPMRPP-87593 fix CVEs
---
 build.gradle | 119 +++++++++---------
 .../RabbitMqManagementClientTemplate.java | 2 +-
 src/main/resources/application.properties | 6 +-
 3 files changed, 65 insertions(+), 62 deletions(-)
diff --git a/build.gradle b/build.gradle
index 0feb940c20..a47df6e571 100644
--- a/build.gradle
+++ b/build.gradle
@@ -15,10 +15,10 @@
  */
 plugins {
- id "io.spring.dependency-management" version "1.0.9.RELEASE"
- id 'org.springframework.boot' version '2.5.12'
+ id "io.spring.dependency-management" version "1.1.4"
+ id 'org.springframework.boot' version '2.5.15'
 id 'java'
- id "org.owasp.dependencycheck" version "5.3.1"
+ id "org.owasp.dependencycheck" version "8.2.1"
 }
 import org.owasp.dependencycheck.reporting.ReportGenerator
@@ -56,16 +56,16 @@ repositories {
 }
 //https://nvd.nist.gov/vuln/detail/CVE-2020-10683 (dom4j 2.1.3 version dependency) AND https://nvd.nist.gov/vuln/detail/CVE-2019-14900
-ext['hibernate.version'] = '5.4.18.Final'
+ext['hibernate.version'] = '5.6.15.Final'
 //https://nvd.nist.gov/vuln/detail/CVE-2020-10693
-ext['hibernate-validator.version'] = '6.1.5.Final'
+ext['hibernate-validator.version'] = '6.2.5.Final'
 //https://nvd.nist.gov/vuln/detail/CVE-2020-13692
 //ext['postgresql.version'] = '42.2.13'
 //https://nvd.nist.gov/vuln/detail/CVE-2020-9488 and https://nvd.nist.gov/vuln/detail/CVE-2021-44228 and https://nvd.nist.gov/vuln/detail/CVE-2021-45046
-ext['log4j2.version'] = '2.17.1'
-ext['log4j-to-slf4j.version'] = '2.17.1'
+ext['log4j2.version'] = '2.21.1'
+ext['log4j-to-slf4j.version'] = '2.21.1'
 //https://nvd.nist.gov/vuln/detail/cve-2022-22965
-ext['spring-boot.version'] = '2.5.12'
+ext['spring-boot.version'] = '2.5.15'
 dependencyManagement {
 imports {
@@ -76,81 +76,84 @@ dependencyManagement {
 dependencies {
 if (releaseMode) {
- compile 'com.epam.reportportal:commons-dao'
- compile 'com.epam.reportportal:commons-rules'
- compile 'com.epam.reportportal:commons-model'
- compile 'com.epam.reportportal:commons'
- compile 'com.epam.reportportal:commons-fonts'
- compile 'com.epam.reportportal:plugin-api'
+ implementation 'com.epam.reportportal:commons-dao'
+ implementation 'com.epam.reportportal:commons-rules'
+ implementation 'com.epam.reportportal:commons-model'
+ implementation 'com.epam.reportportal:commons'
+ implementation 'com.epam.reportportal:commons-fonts'
+ implementation 'com.epam.reportportal:plugin-api'
 } else {
- compile 'com.github.reportportal:commons-events:e337f8b7be'
- compile 'com.github.reportportal:commons-dao:6f11ff3'
- compile 'com.github.reportportal:commons-rules:29c30a1'
- compile 'com.github.reportportal:commons-model:83f012f'
- compile 'com.github.reportportal:commons:ce2166b'
- compile 'com.github.reportportal:commons-fonts:d6e62dd'
- compile 'com.github.reportportal:plugin-api:3876fab'
+ implementation 'com.github.reportportal:commons-events:e337f8b7be'
+ implementation 'com.github.reportportal:commons-dao:6f11ff3'
+ implementation 'com.github.reportportal:commons-rules:29c30a1'
+ implementation 'com.github.reportportal:commons-model:83f012f'
+ implementation 'com.github.reportportal:commons:ce2166b'
+ implementation 'com.github.reportportal:commons-fonts:d6e62dd'
+ implementation 'com.github.reportportal:plugin-api:3876fab'
 }
- compile 'org.springframework.boot:spring-boot-starter-aop'
- compile 'org.springframework.boot:spring-boot-starter-web'
- compile 'org.springframework.boot:spring-boot-starter-quartz'
- compile 'org.springframework.boot:spring-boot-starter-freemarker'
- compile 'org.springframework.boot:spring-boot-starter-actuator'
- compile 'org.springframework.boot:spring-boot-starter-amqp'
- compile('org.springframework.boot:spring-boot-starter-batch')
+ implementation 'org.springframework.boot:spring-boot-starter-aop'
+ implementation 'org.springframework.boot:spring-boot-starter-web'
+ implementation 'org.springframework.boot:spring-boot-starter-quartz'
+ implementation 'org.springframework.boot:spring-boot-starter-freemarker'
+ implementation 'org.springframework.boot:spring-boot-starter-actuator'
+ implementation 'org.springframework.boot:spring-boot-starter-amqp'
+ implementation 'org.springframework.boot:spring-boot-starter-batch'
- compile group: 'com.opencsv', name: 'opencsv', version: '5.7.1'
+ implementation 'com.opencsv:opencsv:5.8'
 // Fix CVE-2021-41079, CVE-2022-23181, CVE-2021-33037, CVE-2021-30640, CVE-2022-42252
- compile 'org.apache.tomcat.embed:tomcat-embed-core:9.0.68'
- compile 'org.apache.tomcat.embed:tomcat-embed-el:9.0.68'
- compile 'org.apache.tomcat.embed:tomcat-embed-websocket:9.0.68'
+ implementation 'org.apache.tomcat.embed:tomcat-embed-core:9.0.82'
+ implementation 'org.apache.tomcat.embed:tomcat-embed-el:9.0.82'
+ implementation 'org.apache.tomcat.embed:tomcat-embed-websocket:9.0.82'
 // //https://nvd.nist.gov/vuln/detail/CVE-2020-5411
- compile('org.springframework.batch:spring-batch-core:4.2.3.RELEASE')
- compile('org.springframework.batch:spring-batch-infrastructure:4.2.3.RELEASE')
+ implementation('org.springframework.batch:spring-batch-core:4.3.9')
+ implementation('org.springframework.batch:spring-batch-infrastructure:4.3.9')
 // Optional for spring-boot-starter-amqp
- compile "com.rabbitmq:http-client:2.1.0.RELEASE"
+ implementation "com.rabbitmq:http-client:5.2.0"
- compile 'com.sun.mail:javax.mail:1.6.2'
- compile 'net.sf.jasperreports:jasperreports:6.12.2'
- compile 'com.lowagie:itext:2.1.7.js7'
+ implementation 'com.sun.mail:javax.mail:1.6.2'
+ implementation 'net.sf.jasperreports:jasperreports:6.20.6'
+ implementation 'xerces:xercesImpl:2.12.2'
+ implementation 'com.lowagie:itext:2.1.7.js7'
 // JasperReport's export to XLS uses Apache POI
- compile 'org.apache.poi:poi:4.1.1'
- compile 'io.springfox:springfox-swagger2'
+ implementation 'org.apache.poi:poi:5.2.3'
+ implementation 'io.springfox:springfox-swagger2:2.9.2'
+ implementation 'com.google.code.gson:gson:2.8.9'
+
 ///// Security
 //https://nvd.nist.gov/vuln/detail/CVE-2020-5407 AND https://nvd.nist.gov/vuln/detail/CVE-2020-5408
- compile 'org.springframework.security:spring-security-core:5.5.8'
- compile 'org.springframework.security:spring-security-config:5.5.8'
- compile 'org.springframework.security:spring-security-web:5.5.8'
+ implementation 'org.springframework.security:spring-security-core:5.8.8'
+ implementation 'org.springframework.security:spring-security-config:5.8.8'
+ implementation 'org.springframework.security:spring-security-web:5.8.8'
 // // Fix CVE-2022-22969
- compile 'org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE'
- compile 'org.springframework.security:spring-security-jwt:1.0.11.RELEASE'
- compile 'org.springframework.security:spring-security-acl'
- compile 'com.github.ben-manes.caffeine:caffeine:2.8.0'
+ implementation 'org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE'
+ implementation 'org.springframework.security:spring-security-jwt:1.1.1.RELEASE'
+ implementation 'org.springframework.security:spring-security-acl'
+ implementation 'com.github.ben-manes.caffeine:caffeine:2.9.3'
 // Fix CVE-2022-22965, CVE-2022-22970
- compile 'org.springframework:spring-beans:5.3.20'
+ implementation 'org.springframework:spring-beans:5.3.31'
 // Fix CVE-2021-22060, CVE-2021-22096
- compile 'org.springframework:spring-core:5.3.20'
+ implementation 'org.springframework:spring-core:5.3.31'
 // Fix CVE-2022-45685, CVE-2022-40150, CVE-2022-40149
- compile 'org.codehaus.jettison:jettison:1.5.2'
+ implementation 'org.codehaus.jettison:jettison:1.5.4'
 // Fix CVE-2020-15522
- compile 'org.bouncycastle:bcprov-jdk15on:1.69'
- compile 'org.apache.commons:commons-compress:1.21'
- compile 'org.yaml:snakeyaml:1.32'
- compile 'org.hibernate:hibernate-core:5.4.24.Final'
+ implementation 'org.bouncycastle:bcprov-jdk15on:1.70'
+ implementation 'org.apache.commons:commons-compress:1.25.0'
+ implementation 'org.yaml:snakeyaml:1.33'
+ implementation 'org.hibernate:hibernate-core:5.6.15.Final'
 // Metrics
- compile 'io.micrometer:micrometer-registry-prometheus:1.7.10'
+ implementation 'io.micrometer:micrometer-registry-prometheus:1.8.13'
 // add lombok support
 compileOnly "org.projectlombok:lombok:${lombokVersion}"
@@ -159,8 +162,8 @@ dependencies {
 testAnnotationProcessor "org.projectlombok:lombok:${lombokVersion}"
 // Tests
- testCompile 'org.springframework.boot:spring-boot-starter-test'
- testCompile 'org.flywaydb.flyway-test-extensions:flyway-spring-test:7.0.0'
+ testImplementation 'org.springframework.boot:spring-boot-starter-test'
+ testImplementation 'org.flywaydb.flyway-test-extensions:flyway-spring-test:9.5.0'
 }
 processResources {
@@ -170,7 +173,7 @@ processResources {
 }
 }
-tasks.withType(JavaCompile) {
+tasks.withType(JavaCompile).configureEach {
 options.encoding = "UTF-8"
 options.compilerArgs << "-parameters"
 options.debug = true
diff --git a/src/main/java/com/epam/ta/reportportal/core/analyzer/auto/client/impl/RabbitMqManagementClientTemplate.java b/src/main/java/com/epam/ta/reportportal/core/analyzer/auto/client/impl/RabbitMqManagementClientTemplate.java
index 4bf3892b15..4ff216f06c 100644
--- a/src/main/java/com/epam/ta/reportportal/core/analyzer/auto/client/impl/RabbitMqManagementClientTemplate.java
+++ b/src/main/java/com/epam/ta/reportportal/core/analyzer/auto/client/impl/RabbitMqManagementClientTemplate.java
@@ -43,7 +43,7 @@ public RabbitMqManagementClientTemplate(Client rabbitClient, String virtualHost)
 this.virtualHost = virtualHost;
 try {
 rabbitClient.createVhost(virtualHost);
- } catch (JsonProcessingException e) {
+ } catch (Exception e) {
 throw new ReportPortalException(ErrorType.UNCLASSIFIED_REPORT_PORTAL_ERROR, "Unable to create RabbitMq virtual host");
 }
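Review bot: Two of the direct pins rewritten in this hunk still carry findings the OWASP dependencycheck task will report, so the commit's own goal is not met: `implementation 'org.yaml:snakeyaml:1.33'` remains affected by CVE-2022-1471 (unsafe `Constructor` deserialization, fixed only in SnakeYAML 2.0), and `implementation 'org.bouncycastle:bcprov-jdk15on:1.70'` is the final release of the jdk15on artifact, so later fixes (CVE-2023-33201 and CVE-2023-33202, as I recall) are only published as `org.bouncycastle:bcprov-jdk18on`. The untouched `spring-security-oauth2:2.5.2.RELEASE` and `spring-security-jwt:1.1.1.RELEASE` come from the Spring Security OAuth project, which reached end-of-life in 2022, so no further CVE fixes will come from that line and a tracked migration note belongs next to them. Because these pins override the Boot 2.5.15 BOM (a line that is itself past OSS end-of-life, which is why spring-core, spring-beans and Tomcat now need manual pins), I would switch to the current `org.bouncycastle:bcprov-jdk18on` release and, once YAML config loading is verified to still work on Boot 2.5, to `org.yaml:snakeyaml:2.2`. Anything that genuinely cannot move should get a `suppressionFile` entry in the dependencycheck configuration with the justification, so the report stays actionable instead of being ignored.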
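Review bot: The widened `catch (Exception e)` now swallows every failure of `rabbitClient.createVhost(virtualHost)` — connection refused, 401/403 from the management API, TLS errors, or a plain NPE — and `e` is neither logged nor attached as a cause, so the operator only ever sees "Unable to create RabbitMq virtual host" with no way to tell why. The widening was presumably forced by `com.rabbitmq:http-client:5.2.0` no longer declaring `JsonProcessingException`; prefer catching the client's actual exception types, and at minimum log `e` at error level before the rethrow (or pass it as the cause if `ReportPortalException` has such a constructor). Avoid concatenating `e.getMessage()` into the user-facing message, since HTTP client errors can embed the management URL. The constructor begins before this hunk, so I cannot see whether a logger field is available in the class.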
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index cd908829e8..4bc0c01d3a 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 spring.main.allow-bean-definition-overriding=true
-spring.batch.initialize-schema=always
+spring.batch.jdbc.initialize-schema=always
 info.build.name=API Service
 info.build.description=ReportPortal API Service
 info.build.version=${version}${buildNumber}
@@ -23,7 +23,7 @@ info.build.repo=${repo}
 management.endpoints.web.base-path=/
 #security.sessions=never
 #security.basic.enabled=false
-management.server.servlet.context-path=/admin
+management.server.base-path=/admin
 ## Supported period format details
 ## https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html#parse-java.lang.CharSequence-
 com.ta.reportportal.job.load.plugins.cron=PT10S
@@ -53,4 +53,4 @@ com.ta.reportportal.rp.flushing.time.cron=\${rp.environment.variable.flushing.ti
 ## Profiles list
 spring.profiles.active=\${rp.profiles:default}
-rp.feature.flags=
\ No newline at end of file
+rp.feature.flags=
From e91613dd331db0145d47afd6f5c381aaf6e8cf74 Mon Sep 17 00:00:00 2001
From: siarhei_hrabko
Date: Mon, 20 Nov 2023 09:42:58 +0300
Subject: [PATCH 2/2] EPMRPP-87593 fix CVEs
---
 .../reportportal/ws/controller/ProjectControllerTest.java | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/test/java/com/epam/ta/reportportal/ws/controller/ProjectControllerTest.java b/src/test/java/com/epam/ta/reportportal/ws/controller/ProjectControllerTest.java
index 022982f854..7a08a2e65a 100644
--- a/src/test/java/com/epam/ta/reportportal/ws/controller/ProjectControllerTest.java
+++ b/src/test/java/com/epam/ta/reportportal/ws/controller/ProjectControllerTest.java
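Review bot: `management.server.base-path=/admin`, exactly like the `management.server.servlet.context-path` it replaces, is only honoured when the actuator is served on a dedicated `management.server.port`; on the shared application port Spring Boot ignores it, and with the preceding `management.endpoints.web.base-path=/` the exposed actuator endpoints would then sit directly at the application root rather than under `/admin`. Whether a separate management port is configured is not visible in this hunk, so please confirm it; if there is none, either add `management.server.port` or move the prefix to `management.endpoints.web.base-path=/admin` so the endpoints keep the intended path and any `/admin`-scoped access rules still apply.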
@@ -532,7 +532,7 @@ void indexProjectData() throws Exception {
 arguments.put("analyzer_index", true);
 arguments.put("analyzer", "test_analyzer");
 exchangeInfo.setArguments(arguments);
- when(rabbitClient.getExchanges(any())).thenReturn(Collections.singletonList(exchangeInfo));
+ when(rabbitClient.getExchanges(any(String.class))).thenReturn(Collections.singletonList(exchangeInfo));
 mockMvc.perform(put("/v1/project/default_personal/index").with(token(oAuthHelper.getDefaultToken()))).andExpect(status().isOk());
@@ -547,7 +547,7 @@ void deleteIndex() throws Exception {
 arguments.put("analyzer_index", true);
 arguments.put("analyzer", "test_analyzer");
 exchangeInfo.setArguments(arguments);
- when(rabbitClient.getExchanges(any())).thenReturn(Collections.singletonList(exchangeInfo));
+ when(rabbitClient.getExchanges(any(String.class))).thenReturn(Collections.singletonList(exchangeInfo));
 mockMvc.perform(delete("/v1/project/default_personal/index").with(token(oAuthHelper.getDefaultToken()))).andExpect(status().isOk());
@@ -566,4 +566,4 @@ private void verifyProjectIndexEvent() {
 assertEquals(2L, event.getUserId().longValue());
 assertEquals("default", event.getUserLogin());
 }
-}
\ No newline at end of file
+}
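Review bot: `any(String.class)` resolves the `getExchanges` overload ambiguity that the http-client upgrade evidently introduced, but like the previous `any()` it matches every vhost, so both `indexProjectData` and `deleteIndex` still pass if the controller queries the wrong virtual host; if the fixture's vhost value is known, `when(rabbitClient.getExchanges(eq(expectedVhost)))` would actually pin that. Note too that under Mockito 2+ semantics `any(String.class)` does not match a `null` argument, so a null vhost would now fall through to the mock's default empty list rather than the stubbed exchange — presumably fine here, but worth knowing if a test starts failing silently.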