From d5f53736f2001ca0f412fc6bf755641ce99abb5c Mon Sep 17 00:00:00 2001 From: Chanaka Balasooriya Date: Fri, 6 Dec 2024 23:10:36 +0100 Subject: [PATCH 1/8] Fix vulnerability issues by upgrading/replacing some dependencies and upgrading java version to 21 --- cve-suppressions.xml | 14 +++--- pom.xml | 43 ++++++++----------- .../BitmapShardDataSourceProvider.java | 9 ++-- .../executors/ValidationExecutorWrapper.java | 10 ++--- .../zalando/sprocwrapper/util/NameUtils.java | 2 +- .../core/fieldMapper/DateFieldMapper.java | 4 +- .../typemapper/postgres/PgTypeHelper.java | 15 +------ .../org/zalando/sprocwrapper/SimpleIT.java | 2 +- .../ExampleDomainObjectWithValidation.java | 6 +-- .../ExampleValidationSProcService.java | 2 +- 10 files changed, 49 insertions(+), 58 deletions(-) diff --git a/cve-suppressions.xml b/cve-suppressions.xml index 0e1c309..daeb351 100644 --- a/cve-suppressions.xml +++ b/cve-suppressions.xml @@ -1,7 +1,11 @@ - - - spring-.*-5\.3\.23\.jar - CVE-2016-1000027 - + + + ^pkg:maven/org\.glassfish/jakarta\.el@.*$ + CVE-2023-5763 + + + ^pkg:maven/org\.glassfish/jakarta\.el@.*$ + CVE-2024-9329 + diff --git a/pom.xml b/pom.xml index b0ca837..106d696 100644 --- a/pom.xml +++ b/pom.xml @@ -59,10 +59,10 @@ UTF-8 - 8 - 8 - 5.3.23 - 42.5.1 + 21 + 21 + 6.2.0 + 42.7.4 7.2.1 @@ -83,31 +83,21 @@ ${postgresql.version} - commons-lang - commons-lang - 2.6 - - - commons-beanutils - commons-beanutils - 1.9.4 - - - commons-logging - commons-logging - - + org.apache.commons + commons-lang3 + 3.17.0 org.hibernate.validator hibernate-validator - 6.1.5.Final + 9.0.0.Beta3 org.glassfish - javax.el - 3.0.1-b08 + jakarta.el + 5.0.0-M1 + org.reflections reflections @@ -117,7 +107,7 @@ com.google.guava guava - 30.1-jre + 33.3.1-jre javax.persistence @@ -143,6 +133,11 @@ ${spring.version} test + + org.springframework + spring-beans + ${spring.version} + org.springframework spring-test @@ -209,7 +204,7 @@ - true + 0 cve-suppressions.xml 
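Review bot: The hibernate-validator and jakarta.el coordinates introduced in the `@@ -83,31 +83,21 @@` hunk of pom.xml are pre-release artifacts (`9.0.0.Beta3` and `5.0.0-M1`), an unusual choice for a change whose stated purpose is closing vulnerabilities: beta and milestone builds carry no stability promise, and the two jakarta.el suppressions (CVE-2023-5763, CVE-2024-9329) added to cve-suppressions.xml in the same patch suggest the scanner still objects to that artifact. If a GA release of each was available at the time, prefer it; otherwise put an XML comment next to each `<version>` element stating why the pre-release is required and which release should replace it, so the pin does not silently outlive its reason. It would also help reviewers if the commit message named the CVEs the upgrade is meant to close, since "Fix vulnerability issues" cannot be checked against the diffstat.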
@@ -272,7 +267,7 @@ org.jacoco jacoco-maven-plugin - 0.8.4 + 0.8.12 prepare-agent
diff --git a/src/main/java/org/zalando/sprocwrapper/dsprovider/BitmapShardDataSourceProvider.java b/src/main/java/org/zalando/sprocwrapper/dsprovider/BitmapShardDataSourceProvider.java
index 1871f77..d803518 100644
--- a/src/main/java/org/zalando/sprocwrapper/dsprovider/BitmapShardDataSourceProvider.java
+++ b/src/main/java/org/zalando/sprocwrapper/dsprovider/BitmapShardDataSourceProvider.java
@@ -3,7 +3,7 @@
 import com.google.common.base.Strings;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
-import org.apache.commons.beanutils.BeanUtils;
+import org.springframework.beans.BeanWrapperImpl;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -89,18 +89,19 @@ public BitmapShardDataSourceProvider(final Class dataSourc
 for (final Entry entry : connectionUrls.entrySet()) {
 final DataSource ds = dataSourceClass.getDeclaredConstructor().newInstance();
+ var dsBeanWrapper = new BeanWrapperImpl(ds);
 for (final Entry prop : commonDataSourceProperties.entrySet()) {
- BeanUtils.setProperty(ds, prop.getKey(), prop.getValue());
+ dsBeanWrapper.setPropertyValue(prop.getKey(), prop.getValue());
 }
 final String[] parts = entry.getValue().split("\\|");
- BeanUtils.setProperty(ds, "jdbcUrl", parts[0]);
+ dsBeanWrapper.setPropertyValue("jdbcUrl", parts[0]);
 if (parts.length > 1) {
 // a little bit hacky, because "initSQL" is boneCP-specific
- BeanUtils.setProperty(ds, "initSQL", parts[1]);
+ dsBeanWrapper.setPropertyValue("initSQL", parts[1]);
 }
 for (int i = 0; i < dataSources.length; i++) {
diff --git a/src/main/java/org/zalando/sprocwrapper/proxy/executors/ValidationExecutorWrapper.java b/src/main/java/org/zalando/sprocwrapper/proxy/executors/ValidationExecutorWrapper.java
index 1ee3b62..7cc1b22 100644
--- a/src/main/java/org/zalando/sprocwrapper/proxy/executors/ValidationExecutorWrapper.java
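Review bot: Replacing `BeanUtils.setProperty` with `BeanWrapperImpl.setPropertyValue` changes what happens when the DataSource class has no such property: as far as I recall commons-beanutils silently skips an unknown property, whereas `BeanWrapperImpl` throws `NotWritablePropertyException`, so an unrecognised key in `commonDataSourceProperties` or the BoneCP-specific `initSQL` that the comment itself calls hacky now aborts provider construction on any other pool implementation. If the lenient behaviour was relied on, guard the writes, e.g. `if (dsBeanWrapper.isWritableProperty("initSQL")) { dsBeanWrapper.setPropertyValue("initSQL", parts[1]); }` and the same check inside the properties loop; otherwise state the stricter contract in the constructor Javadoc. The failure mode also moves from the checked `IllegalAccessException`/`InvocationTargetException` to the unchecked `BeansException`, which may leave a `throws` clause or catch outside the hunk that no longer corresponds to anything. The constructor begins and ends outside this hunk.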
+++ b/src/main/java/org/zalando/sprocwrapper/proxy/executors/ValidationExecutorWrapper.java
@@ -6,11 +6,11 @@
 import org.slf4j.LoggerFactory;
 import javax.sql.DataSource;
-import javax.validation.ConstraintViolation;
-import javax.validation.ConstraintViolationException;
-import javax.validation.Validation;
-import javax.validation.Validator;
-import javax.validation.ValidatorFactory;
+import jakarta.validation.ConstraintViolation;
+import jakarta.validation.ConstraintViolationException;
+import jakarta.validation.Validation;
+import jakarta.validation.Validator;
+import jakarta.validation.ValidatorFactory;
 import java.util.Set;
 /**
diff --git a/src/main/java/org/zalando/sprocwrapper/util/NameUtils.java b/src/main/java/org/zalando/sprocwrapper/util/NameUtils.java
index 050e8f0..2a78c8b 100644
--- a/src/main/java/org/zalando/sprocwrapper/util/NameUtils.java
+++ b/src/main/java/org/zalando/sprocwrapper/util/NameUtils.java
@@ -4,7 +4,7 @@
 import java.util.Locale;
-import static org.apache.commons.lang.StringUtils.splitByCharacterTypeCamelCase;
+import static org.apache.commons.lang3.StringUtils.splitByCharacterTypeCamelCase;
 /**
 * Static utility methods for naming conventions.
diff --git a/src/main/java/org/zalando/typemapper/core/fieldMapper/DateFieldMapper.java b/src/main/java/org/zalando/typemapper/core/fieldMapper/DateFieldMapper.java
index ca66f4f..ba3b656 100644
--- a/src/main/java/org/zalando/typemapper/core/fieldMapper/DateFieldMapper.java
+++ b/src/main/java/org/zalando/typemapper/core/fieldMapper/DateFieldMapper.java
@@ -1,5 +1,6 @@
 package org.zalando.typemapper.core.fieldMapper;
+import java.nio.charset.StandardCharsets;
 import java.sql.Date;
 import java.sql.SQLException;
 import java.sql.Timestamp;
@@ -24,7 +25,8 @@ public Object mapField(final String string, final Class clazz) {
 Timestamp date = null;
 try {
- date = postgresJDBCDriverReusedTimestampUtils.toTimestamp(null, string);
+ date = postgresJDBCDriverReusedTimestampUtils.toTimestamp(null, string.getBytes(
+ StandardCharsets.UTF_8));
 } catch (final SQLException e) {
 LOG.error("Invalid date/time string: {}", string, e);
 }
diff --git a/src/main/java/org/zalando/typemapper/postgres/PgTypeHelper.java b/src/main/java/org/zalando/typemapper/postgres/PgTypeHelper.java
index cf03400..d025fe3 100644
--- a/src/main/java/org/zalando/typemapper/postgres/PgTypeHelper.java
+++ b/src/main/java/org/zalando/typemapper/postgres/PgTypeHelper.java
@@ -3,7 +3,6 @@
 import javax.persistence.Column;
 import com.google.common.base.Optional;
-import org.postgresql.core.BaseConnection;
 import org.postgresql.jdbc.PostgresJDBCDriverReusedTimestampUtils;
 import org.postgresql.util.PGobject;
 import org.slf4j.Logger;
@@ -268,7 +267,7 @@ public int compare(final Field a, final Field b) {
 for (final Field f : fields) {
 final DatabaseFieldDescriptor databaseFieldDescriptor = getDatabaseFieldDescriptor(f);
 if (databaseFieldDescriptor != null) {
- if (!f.isAccessible()) {
+ if (!f.canAccess(obj)) {
 f.setAccessible(true);
 }
@@ -501,17 +500,7 @@ public static String toPgString(Object o, final Connection connection) {
 } else {
 tmpd = new Timestamp(((Date) o).getTime());
 }
-
- if (connection instanceof BaseConnection) {
-
- // if we do have a valid postgresql connection use this one:
- final BaseConnection postgresBaseConnection = (BaseConnection) connection;
- sb.append(postgresBaseConnection.getTimestampUtils().toString(null, tmpd));
- } else {
-
- // no valid postgresql connection - use that one:
- sb.append(postgresJDBCDriverReusedTimestampUtils.toString(null, tmpd));
- }
+ sb.append(postgresJDBCDriverReusedTimestampUtils.toString(null, tmpd));
 } else if (o instanceof Map) {
 final Map map = (Map) o;
 sb.append(HStore.serialize(map));
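Review bot: `string.getBytes(StandardCharsets.UTF_8)` dereferences the parameter before the driver sees it, so a null `string` now fails with a NullPointerException that the `catch (final SQLException e)` block does not cover, whereas the old call handed the value through to the driver as-is; whether null can reach `mapField` is not visible in this hunk, but the signature does not exclude it. If null is a legal input, add a guard ahead of the `try`, for example `if (string == null) { return null; }` (matching whatever the other field mappers return for null). The charset choice itself is fine, since PostgreSQL's timestamp text is ASCII. `mapField` begins and ends outside this hunk.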
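Review bot: `f.canAccess(obj)` in the `@@ -268,7 +267,7 @@` hunk is not a drop-in replacement for the deprecated `f.isAccessible()`: `AccessibleObject.canAccess` throws `IllegalArgumentException` when the field is static and `obj` is non-null (or when the field is an instance member and `obj` is null), while `isAccessible` never threw. If `fields` can contain a static field that carries a database field descriptor, the loop now fails on it; either filter statics before the loop or choose the receiver per field, `if (!(Modifier.isStatic(f.getModifiers()) ? f.canAccess(null) : f.canAccess(obj))) {`, with `java.lang.reflect.Modifier` imported. Separately, the `@@ -501,17 +500,7 @@` hunk drops the `BaseConnection` branch so timestamps are always rendered by the shared `postgresJDBCDriverReusedTimestampUtils` rather than the connection's own utils; if the connection-bound utils carried per-connection time-zone state, that is a behaviour change the commit message should mention. The enclosing methods begin and end outside these hunks.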
diff --git a/src/test/java/org/zalando/sprocwrapper/SimpleIT.java b/src/test/java/org/zalando/sprocwrapper/SimpleIT.java
index 097ae86..83fce4f 100644
--- a/src/test/java/org/zalando/sprocwrapper/SimpleIT.java
+++ b/src/test/java/org/zalando/sprocwrapper/SimpleIT.java
@@ -17,7 +17,7 @@
 import java.util.List;
 import java.util.Optional;
 import javax.sql.DataSource;
-import javax.validation.ConstraintViolationException;
+import jakarta.validation.ConstraintViolationException;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
diff --git a/src/test/java/org/zalando/sprocwrapper/example/ExampleDomainObjectWithValidation.java b/src/test/java/org/zalando/sprocwrapper/example/ExampleDomainObjectWithValidation.java
index 9444b92..e0c609d 100644
--- a/src/test/java/org/zalando/sprocwrapper/example/ExampleDomainObjectWithValidation.java
+++ b/src/test/java/org/zalando/sprocwrapper/example/ExampleDomainObjectWithValidation.java
@@ -1,8 +1,8 @@
 package org.zalando.sprocwrapper.example;
-import javax.validation.constraints.Max;
-import javax.validation.constraints.Min;
-import javax.validation.constraints.NotNull;
+import jakarta.validation.constraints.Max;
+import jakarta.validation.constraints.Min;
+import jakarta.validation.constraints.NotNull;
 import org.zalando.typemapper.annotations.DatabaseField;
diff --git a/src/test/java/org/zalando/sprocwrapper/example/ExampleValidationSProcService.java b/src/test/java/org/zalando/sprocwrapper/example/ExampleValidationSProcService.java
index 2cbed0e..9d5c0f8 100644
--- a/src/test/java/org/zalando/sprocwrapper/example/ExampleValidationSProcService.java
+++ b/src/test/java/org/zalando/sprocwrapper/example/ExampleValidationSProcService.java
@@ -1,6 +1,6 @@
 package org.zalando.sprocwrapper.example;
-import javax.validation.constraints.NotNull;
+import jakarta.validation.constraints.NotNull;
 import org.zalando.sprocwrapper.SProcCall;
 import org.zalando.sprocwrapper.SProcCall.Validate;
From f17a11934884ae9f182d03069dde174f09c99113 Mon Sep 17 00:00:00 2001 From: Chanaka Balasooriya Date: Fri, 13 Dec 2024 12:00:14 +0100 Subject: [PATCH 2/8] upgrade dependency-check-maven.version and removed cve-supressions.xml as no cve is supressed --- cve-suppressions.xml | 11 ----------- pom.xml | 7 ++----- 2 files changed, 2 insertions(+), 16 deletions(-) delete mode 100644 cve-suppressions.xml diff --git a/cve-suppressions.xml b/cve-suppressions.xml deleted file mode 100644 index daeb351..0000000 --- a/cve-suppressions.xml +++ /dev/null @@ -1,11 +0,0 @@ - - - - ^pkg:maven/org\.glassfish/jakarta\.el@.*$ - CVE-2023-5763 - - - ^pkg:maven/org\.glassfish/jakarta\.el@.*$ - CVE-2024-9329 - - diff --git a/pom.xml b/pom.xml index 106d696..352d5c9 100644 --- a/pom.xml +++ b/pom.xml @@ -63,7 +63,7 @@ 21 6.2.0 42.7.4 - 7.2.1 + 11.1.0 @@ -135,7 +135,7 @@ org.springframework - spring-beans + spring-beans ${spring.version} @@ -205,9 +205,6 @@ 0 - - cve-suppressions.xml - From a66f3b186e0c28bb544f1df64be8a121f2df93f6 Mon Sep 17 00:00:00 2001 From: Chanaka Balasooriya Date: Fri, 7 Feb 2025 11:19:17 +0100 Subject: [PATCH 3/8] update release version to 4.0.0 and fix zappr errors --- .zappr.yaml | 1 + pom.xml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.zappr.yaml b/.zappr.yaml index e8d3aec..6b1169b 100644 --- a/.zappr.yaml +++ b/.zappr.yaml @@ -6,3 +6,4 @@ approvals: - zalando - zalando-stups collaborators: true +X-Zalando-Team: acid diff --git a/pom.xml b/pom.xml index 352d5c9..45fff3a 100644 --- a/pom.xml +++ b/pom.xml @@ -6,7 +6,7 @@ org.zalando zalando-sprocwrapper - 3.2.2-SNAPSHOT + 4.0.0-SNAPSHOT Stored Procedure Wrapper Library to make PostgreSQL stored procedures available through simple Java "*SProcService" interfaces From 83819c83bb5883324dbb6b109044cef92e3cf6cd Mon Sep 17 00:00:00 2001 From: Chanaka Balasooriya Date: Fri, 7 Feb 2025 11:35:36 +0100 Subject: [PATCH 4/8] add zapper type --- .zappr.yaml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.zappr.yaml b/.zappr.yaml
index 6b1169b..73fe292 100644
--- a/.zappr.yaml
+++ b/.zappr.yaml
@@ -7,3 +7,4 @@ approvals:
 - zalando-stups
 collaborators: true
 X-Zalando-Team: acid
+X-Zalando-Type: code
\ No newline at end of file
From 13b31d125bb23ad940ab398464e08c408934f3d5 Mon Sep 17 00:00:00 2001 From: Chanaka Balasooriya Date: Fri, 7 Feb 2025 12:42:08 +0100 Subject: [PATCH 5/8] fix github workflow by updating action versions and upgrade docker compose postgres version to 17
---
 .github/workflows/codeql-analysis.yml | 8 ++++----
 .github/workflows/workflow.yml | 11 ++++++-----
 docker-compose.yml | 2 +-
 3 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 37f4756..62f912e 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -39,11 +39,11 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@v1
+ uses: github/codeql-action/init@v3
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -54,7 +54,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@v1
+ uses: github/codeql-action/autobuild@v3
 # â„šī¸ Command-line programs to run using the OS shell.
 # 📚 https://git.io/JvXDl
@@ -68,4 +68,4 @@ jobs:
 # make release
 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v1
+ uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
index 104bb85..4f244b1 100644
--- a/.github/workflows/workflow.yml
+++ b/.github/workflows/workflow.yml
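Review bot: The checkout step in the `@@ -39,11 +39,11 @@` hunk of codeql-analysis.yml moves to `actions/checkout@v3` while the workflow.yml section of the same patch moves the same action to `actions/checkout@v4`; the two workflows should agree, and v3 is the older of the two, so `uses: actions/checkout@v4` here as well. Since the series is about supply-chain hygiene, consider pinning each action to a full commit SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4`, so that a re-pointed major tag cannot change what runs in CI; `@v3`/`@v4` resolve to mutable tags. The same applies to the three `github/codeql-action/*@v3` steps in this file and to the `setup-java@v4`/`cache@v4` steps in workflow.yml.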
@@ -15,7 +15,7 @@ jobs:
 services:
 postgres:
- image: postgres:13
+ image: postgres:17
 env:
 POSTGRES_PASSWORD: postgres
 # Set health checks to wait until postgres has started
@@ -28,13 +28,14 @@ jobs:
 - 5432:5432
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v4
 - name: Set up JDK
- uses: actions/setup-java@v1
+ uses: actions/setup-java@v4
 with:
- java-version: 8
+ distribution: 'temurin'
+ java-version: '21'
 - name: Cache local Maven repository
- uses: actions/cache@v2
+ uses: actions/cache@v4
 with:
 path: ~/.m2/repository
 key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
diff --git a/docker-compose.yml b/docker-compose.yml
index 7a3f3fe..63dd21d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,7 +1,7 @@
 version: '3'
 services:
 db:
- image: 'postgres:13'
+ image: 'postgres:17'
 environment:
 POSTGRES_PASSWORD: 'postgres'
 ports:
From 18a1d4de7b1e1adbe4755ee78f1c5db0cb14e47e Mon Sep 17 00:00:00 2001 From: Chanaka Balasooriya Date: Fri, 7 Feb 2025 13:42:35 +0100 Subject: [PATCH 6/8] remove owasp dependency check plugin as build takes too long without a NVD API key
---
 pom.xml | 16 ----------------
 1 file changed, 16 deletions(-)
diff --git a/pom.xml b/pom.xml
index 45fff3a..472eb9b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -63,7 +63,6 @@ 21 6.2.0 42.7.4 - 11.1.0
@@ -192,21 +191,6 @@ - - org.owasp - dependency-check-maven - ${dependency-check-maven.version} - - - - check - - - - - 0 - - org.basepom.maven duplicate-finder-maven-plugin
From 3c3c71ee7e6afab19be2856e0e2c30fd8cd142e2 Mon Sep 17 00:00:00 2001 From: Chanaka Balasooriya Date: Fri, 7 Feb 2025 14:16:11 +0100 Subject: [PATCH 7/8] fix validations for zappr
---
 .zappr.yaml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/.zappr.yaml b/.zappr.yaml
index 73fe292..910d30a 100644
--- a/.zappr.yaml
+++ b/.zappr.yaml
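Review bot: Removing the `dependency-check-maven` plugin in the `@@ -192,21 +191,6 @@` hunk of pom.xml leaves the project with no dependency vulnerability scanning at all, which undoes the motivation stated in the first patch of this series; the commit message gives build time without an NVD API key as the reason, and that is fixable without dropping the check. Keep the plugin and supply the key from CI, e.g. `<nvdApiKey>${env.NVD_API_KEY}</nvdApiKey>` fed from a repository secret, and if local builds must stay fast, move the plugin into a Maven profile that only the CI workflow activates rather than deleting it. If the plugin really has to go for now, the commit message should say which alternative (Dependabot, a CodeQL/SCA step in the workflow) takes over, so the gap is visible to whoever audits this later.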
@@ -1,10 +1,10 @@
 approvals:
- pattern: "^(:\\+1:|👍|\\+1|:thumbsup:|[Ll][Gg][Tt][Mm])$"
- minimum: 1
- from:
- orgs:
- - zalando
- - zalando-stups
- collaborators: true
+ groups:
+ zalando:
+ minimum: 1
+ from:
+ orgs:
+ - "zalando"
+ - "zalando-stups"
+X-Zalando-Type: code
 X-Zalando-Team: acid
-X-Zalando-Type: code
\ No newline at end of file
From 89f1a980f7779aae9803bd46f65ed93c46cda4e8 Mon Sep 17 00:00:00 2001 From: Chanaka Balasooriya Date: Fri, 7 Feb 2025 14:29:33 +0100 Subject: [PATCH 8/8] fix validations for zappr
---
 .zappr.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.zappr.yaml b/.zappr.yaml
index 910d30a..0eae9a4 100644
--- a/.zappr.yaml
+++ b/.zappr.yaml
@@ -8,3 +8,5 @@ approvals:
 - "zalando-stups"
 X-Zalando-Type: code
 X-Zalando-Team: acid
+
+