EPMRPP-87593 fix CVEs

build.gradle

@@ -15,10 +15,10 @@
  */
 
 plugins {
-    id "io.spring.dependency-management" version "1.0.9.RELEASE"
-    id 'org.springframework.boot' version '2.5.12'
+    id "io.spring.dependency-management" version "1.1.4"
+    id 'org.springframework.boot' version '2.5.15'
     id 'java'
-    id "org.owasp.dependencycheck" version "5.3.1"
+    id "org.owasp.dependencycheck" version "8.2.1"
 }
 
 import org.owasp.dependencycheck.reporting.ReportGenerator
@@ -48,16 +48,16 @@ repositories {
 }
 
 //https://nvd.nist.gov/vuln/detail/CVE-2020-10683 (dom4j 2.1.3 version dependency) AND https://nvd.nist.gov/vuln/detail/CVE-2019-14900
-ext['hibernate.version'] = '5.4.18.Final'
+ext['hibernate.version'] = '5.6.15.Final'
 //https://nvd.nist.gov/vuln/detail/CVE-2020-10693
-ext['hibernate-validator.version'] = '6.1.5.Final'
+ext['hibernate-validator.version'] = '6.2.5.Final'
 //https://nvd.nist.gov/vuln/detail/CVE-2020-13692
 //ext['postgresql.version'] = '42.2.13'
 //https://nvd.nist.gov/vuln/detail/CVE-2020-9488 and https://nvd.nist.gov/vuln/detail/CVE-2021-44228 and https://nvd.nist.gov/vuln/detail/CVE-2021-45046
-ext['log4j2.version'] = '2.17.1'
-ext['log4j-to-slf4j.version'] = '2.17.1'
+ext['log4j2.version'] = '2.21.1'
+ext['log4j-to-slf4j.version'] = '2.21.1'
 //https://nvd.nist.gov/vuln/detail/cve-2022-22965
-ext['spring-boot.version'] = '2.5.12'
+ext['spring-boot.version'] = '2.5.15'
 
 dependencyManagement {
     imports {
@@ -68,81 +68,84 @@ dependencyManagement {
 
 dependencies {
     if (releaseMode) {
-        compile 'com.epam.reportportal:commons-dao'
-        compile 'com.epam.reportportal:commons-rules'
-        compile 'com.epam.reportportal:commons-model'
-        compile 'com.epam.reportportal:commons'
-        compile 'com.epam.reportportal:commons-fonts'
-        compile 'com.epam.reportportal:plugin-api'
+        implementation 'com.epam.reportportal:commons-dao'
+        implementation 'com.epam.reportportal:commons-rules'
+        implementation 'com.epam.reportportal:commons-model'
+        implementation 'com.epam.reportportal:commons'
+        implementation 'com.epam.reportportal:commons-fonts'
+        implementation 'com.epam.reportportal:plugin-api'
     } else {
-        compile 'com.github.reportportal:commons-events:e337f8b7be'
-        compile 'com.github.reportportal:commons-dao:dafe9b4d'
-        compile 'com.github.reportportal:commons-rules:01ec4d17'
-        compile 'com.github.reportportal:commons-model:83f012f'
-        compile 'com.github.reportportal:commons:07566b8e'
-        compile 'com.github.reportportal:commons-fonts:d6e62dd'
-        compile 'com.github.reportportal:plugin-api:55bf2f26'
+        implementation 'com.github.reportportal:commons-events:e337f8b7be'
+        implementation 'com.github.reportportal:commons-dao:dafe9b4d'
+        implementation 'com.github.reportportal:commons-rules:01ec4d17'
+        implementation 'com.github.reportportal:commons-model:83f012f'
+        implementation 'com.github.reportportal:commons:07566b8e'
+        implementation 'com.github.reportportal:commons-fonts:d6e62dd'
+        implementation 'com.github.reportportal:plugin-api:55bf2f26'
     }
 
-    compile 'org.springframework.boot:spring-boot-starter-aop'
-    compile 'org.springframework.boot:spring-boot-starter-web'
-    compile 'org.springframework.boot:spring-boot-starter-quartz'
-    compile 'org.springframework.boot:spring-boot-starter-freemarker'
-    compile 'org.springframework.boot:spring-boot-starter-actuator'
-    compile 'org.springframework.boot:spring-boot-starter-amqp'
-    compile('org.springframework.boot:spring-boot-starter-batch')
+    implementation 'org.springframework.boot:spring-boot-starter-aop'
+    implementation 'org.springframework.boot:spring-boot-starter-web'
+    implementation 'org.springframework.boot:spring-boot-starter-quartz'
+    implementation 'org.springframework.boot:spring-boot-starter-freemarker'
+    implementation 'org.springframework.boot:spring-boot-starter-actuator'
+    implementation 'org.springframework.boot:spring-boot-starter-amqp'
+    implementation 'org.springframework.boot:spring-boot-starter-batch'
 
 
-    compile group: 'com.opencsv', name: 'opencsv', version: '5.7.1'
+    implementation 'com.opencsv:opencsv:5.8'
 
     // Fix CVE-2021-41079, CVE-2022-23181, CVE-2021-33037, CVE-2021-30640, CVE-2022-42252
-    compile 'org.apache.tomcat.embed:tomcat-embed-core:9.0.68'
-    compile 'org.apache.tomcat.embed:tomcat-embed-el:9.0.68'
-    compile 'org.apache.tomcat.embed:tomcat-embed-websocket:9.0.68'
+    implementation 'org.apache.tomcat.embed:tomcat-embed-core:9.0.82'
+    implementation 'org.apache.tomcat.embed:tomcat-embed-el:9.0.82'
+    implementation 'org.apache.tomcat.embed:tomcat-embed-websocket:9.0.82'
     //
 
     //https://nvd.nist.gov/vuln/detail/CVE-2020-5411
-    compile('org.springframework.batch:spring-batch-core:4.2.3.RELEASE')
-    compile('org.springframework.batch:spring-batch-infrastructure:4.2.3.RELEASE')
+    implementation('org.springframework.batch:spring-batch-core:4.3.9')
+    implementation('org.springframework.batch:spring-batch-infrastructure:4.3.9')
 
 
     // Optional for spring-boot-starter-amqp
-    compile "com.rabbitmq:http-client:2.1.0.RELEASE"
+    implementation "com.rabbitmq:http-client:5.2.0"
 
-    compile 'com.sun.mail:javax.mail:1.6.2'
-    compile 'net.sf.jasperreports:jasperreports:6.12.2'
-    compile 'com.lowagie:itext:2.1.7.js7'
+    implementation 'com.sun.mail:javax.mail:1.6.2'
+    implementation 'net.sf.jasperreports:jasperreports:6.20.6'
+    implementation 'xerces:xercesImpl:2.12.2'
+    implementation 'com.lowagie:itext:2.1.7.js7'
     // JasperReport's export to XLS uses Apache POI
-    compile 'org.apache.poi:poi:4.1.1'
-    compile 'io.springfox:springfox-swagger2'
+    implementation 'org.apache.poi:poi:5.2.3'
+    implementation 'io.springfox:springfox-swagger2:2.9.2'
+    implementation 'com.google.code.gson:gson:2.8.9'
+
 
     ///// Security
     //https://nvd.nist.gov/vuln/detail/CVE-2020-5407 AND https://nvd.nist.gov/vuln/detail/CVE-2020-5408
-    compile 'org.springframework.security:spring-security-core:5.5.8'
-    compile 'org.springframework.security:spring-security-config:5.5.8'
-    compile 'org.springframework.security:spring-security-web:5.5.8'
+    implementation 'org.springframework.security:spring-security-core:5.8.8'
+    implementation 'org.springframework.security:spring-security-config:5.8.8'
+    implementation 'org.springframework.security:spring-security-web:5.8.8'
     //
 
     // Fix CVE-2022-22969
-    compile 'org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE'
-    compile 'org.springframework.security:spring-security-jwt:1.0.11.RELEASE'
-    compile 'org.springframework.security:spring-security-acl'
-    compile 'com.github.ben-manes.caffeine:caffeine:2.8.0'
+    implementation 'org.springframework.security.oauth:spring-security-oauth2:2.5.2.RELEASE'
+    implementation 'org.springframework.security:spring-security-jwt:1.1.1.RELEASE'
+    implementation 'org.springframework.security:spring-security-acl'
+    implementation 'com.github.ben-manes.caffeine:caffeine:2.9.3'
 
     // Fix CVE-2022-22965, CVE-2022-22970
-    compile 'org.springframework:spring-beans:5.3.20'
+    implementation 'org.springframework:spring-beans:5.3.31'
     // Fix CVE-2021-22060, CVE-2021-22096
-    compile 'org.springframework:spring-core:5.3.20'
+    implementation 'org.springframework:spring-core:5.3.31'
     // Fix CVE-2022-45685, CVE-2022-40150, CVE-2022-40149
-    compile 'org.codehaus.jettison:jettison:1.5.2'
+    implementation 'org.codehaus.jettison:jettison:1.5.4'
     // Fix CVE-2020-15522
-    compile 'org.bouncycastle:bcprov-jdk15on:1.69'
-    compile 'org.apache.commons:commons-compress:1.21'
-    compile 'org.yaml:snakeyaml:1.32'
-    compile 'org.hibernate:hibernate-core:5.4.24.Final'
+    implementation 'org.bouncycastle:bcprov-jdk15on:1.70'
+    implementation 'org.apache.commons:commons-compress:1.25.0'
+    implementation 'org.yaml:snakeyaml:1.33'
+    implementation 'org.hibernate:hibernate-core:5.6.15.Final'
 
     // Metrics
-    compile 'io.micrometer:micrometer-registry-prometheus:1.7.10'
+    implementation 'io.micrometer:micrometer-registry-prometheus:1.8.13'
 
     // add lombok support
     compileOnly "org.projectlombok:lombok:${lombokVersion}"
@@ -151,8 +154,8 @@ dependencies {
     testAnnotationProcessor "org.projectlombok:lombok:${lombokVersion}"
 
     //  Tests
-    testCompile 'org.springframework.boot:spring-boot-starter-test'
-    testCompile 'org.flywaydb.flyway-test-extensions:flyway-spring-test:7.0.0'
+    testImplementation 'org.springframework.boot:spring-boot-starter-test'
+    testImplementation 'org.flywaydb.flyway-test-extensions:flyway-spring-test:9.5.0'
 }
 
 processResources {
@@ -162,7 +165,7 @@ processResources {
     }
 }
 
-tasks.withType(JavaCompile) {
+tasks.withType(JavaCompile).configureEach {
     options.encoding = "UTF-8"
     options.compilerArgs << "-parameters"
     options.debug = true

src/main/java/com/epam/ta/reportportal/core/analyzer/auto/client/impl/RabbitMqManagementClientTemplate.java

@@ -43,7 +43,7 @@ public RabbitMqManagementClientTemplate(Client rabbitClient, String virtualHost)
     this.virtualHost = virtualHost;
     try {
       rabbitClient.createVhost(virtualHost);
-    } catch (JsonProcessingException e) {
+    } catch (Exception e) {
       throw new ReportPortalException(ErrorType.UNCLASSIFIED_REPORT_PORTAL_ERROR,
           "Unable to create RabbitMq virtual host");
     }

src/main/resources/application.properties

@@ -14,7 +14,7 @@
 # limitations under the License.
 #
 spring.main.allow-bean-definition-overriding=true
-spring.batch.initialize-schema=always
+spring.batch.jdbc.initialize-schema=always
 info.build.name=API Service
 info.build.description=ReportPortal API Service
 info.build.version=${version}${buildNumber}
@@ -23,7 +23,7 @@ info.build.repo=${repo}
 management.endpoints.web.base-path=/
 #security.sessions=never
 #security.basic.enabled=false
-management.server.servlet.context-path=/admin
+management.server.base-path=/admin
 ## Supported period format details
 ## https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html#parse-java.lang.CharSequence-
 com.ta.reportportal.job.load.plugins.cron=PT10S
@@ -53,4 +53,4 @@ com.ta.reportportal.rp.flushing.time.cron=\${rp.environment.variable.flushing.ti
 ## Profiles list
 spring.profiles.active=\${rp.profiles:default}
 
-rp.feature.flags=
+rp.feature.flags=

src/test/java/com/epam/ta/reportportal/ws/controller/ProjectControllerTest.java

@@ -532,7 +532,7 @@ void indexProjectData() throws Exception {
 		arguments.put("analyzer_index", true);
 		arguments.put("analyzer", "test_analyzer");
 		exchangeInfo.setArguments(arguments);
-		when(rabbitClient.getExchanges(any())).thenReturn(Collections.singletonList(exchangeInfo));
+		when(rabbitClient.getExchanges(any(String.class))).thenReturn(Collections.singletonList(exchangeInfo));
 
 		mockMvc.perform(put("/v1/project/default_personal/index").with(token(oAuthHelper.getDefaultToken()))).andExpect(status().isOk());
 
@@ -547,7 +547,7 @@ void deleteIndex() throws Exception {
 		arguments.put("analyzer_index", true);
 		arguments.put("analyzer", "test_analyzer");
 		exchangeInfo.setArguments(arguments);
-		when(rabbitClient.getExchanges(any())).thenReturn(Collections.singletonList(exchangeInfo));
+		when(rabbitClient.getExchanges(any(String.class))).thenReturn(Collections.singletonList(exchangeInfo));
 
 		mockMvc.perform(delete("/v1/project/default_personal/index").with(token(oAuthHelper.getDefaultToken()))).andExpect(status().isOk());
 
@@ -566,4 +566,4 @@ private void verifyProjectIndexEvent() {
 		assertEquals(2L, event.getUserId().longValue());
 		assertEquals("default", event.getUserLogin());
 	}
-}
+}