From d07380329fb36f39c8a1c8748bd88bb70070f73a Mon Sep 17 00:00:00 2001
From: Felix Dittrich <Felix.Dittrich@t-systems.com>
Date: Tue, 22 Feb 2022 11:12:38 +0100
Subject: [PATCH] Update Spring Boot 2.6.3 Update several dependencies Add
 OWASP Check

---
 owasp/suppressions.xml                        |  7 ++++
 pom.xml                                       | 42 +++++++++++++++----
 .../repository/QuickTestArchiveView.java      | 11 ++++-
 .../quicktest/repository/QuicktestView.java   | 12 +++++-
 .../QuickTestArchiveControllerTest.java       |  2 +-
 .../controller/QuickTestControllerTest.java   |  2 +-
 .../service/QuickTestArchiveServiceTest.java  |  7 ++--
 .../service/QuickTestServiceTest.java         |  8 +++-
 8 files changed, 72 insertions(+), 19 deletions(-)
 create mode 100644 owasp/suppressions.xml

diff --git a/owasp/suppressions.xml b/owasp/suppressions.xml
new file mode 100644
index 00000000..27f4a3e2
--- /dev/null
+++ b/owasp/suppressions.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <suppress>
+    <notes>Bug only affects not used features of embedded tomcat.</notes>
+    <cve>CVE-2022-23181</cve>
+  </suppress>
+</suppressions>
diff --git a/pom.xml b/pom.xml
index b55df926..5b1c918a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -5,7 +5,7 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.6.2</version>
+        <version>2.6.3</version>
         <relativePath/> <!-- lookup parent from repository -->
     </parent>
     <groupId>app.coronawarn</groupId>
@@ -26,26 +26,36 @@
 
     <properties>
         <java.version>11</java.version>
-        <spring-cloud.version>2021.0.0</spring-cloud.version>
-        <keycloak.version>14.0.0</keycloak.version>
-        <springdoc.version>1.5.9</springdoc.version>
+        <spring-cloud.version>2021.0.1</spring-cloud.version>
+        <keycloak.version>16.1.1</keycloak.version>
+        <springdoc.version>1.6.6</springdoc.version>
         <liquibase.version>4.6.2</liquibase.version>
         <pdfbox.version>2.0.24</pdfbox.version>
         <google-zxing.version>3.4.1</google-zxing.version>
         <opencsv.version>5.5.2</opencsv.version>
-        <springTestAddons.version>3.1.13-jdk11</springTestAddons.version>
-        <shedlock.version>4.30.0</shedlock.version>
+        <springTestAddons.version>3.1.15-jdk11</springTestAddons.version>
+        <shedlock.version>4.33.0</shedlock.version>
+        <h2.version>2.1.210</h2.version>
+        <psql.version>42.3.3</psql.version>
+        <hibernate.version>5.6.5.Final</hibernate.version>
         <!-- plugins -->
         <plugin.checkstyle.version>3.1.2</plugin.checkstyle.version>
         <license.projectName>Corona-Warn-App / cwa-quick-test-backend</license.projectName>
         <license.inceptionYear>2021</license.inceptionYear>
         <license.licenseName>apache_v2</license.licenseName>
         <log4j2.version>2.17.1</log4j2.version>
+        <owasp.version>6.5.3</owasp.version>
     </properties>
     <dependencies>
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-data-jpa</artifactId>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.hibernate</groupId>
+                    <artifactId>hibernate-core</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
@@ -112,6 +122,12 @@
             <groupId>com.h2database</groupId>
             <artifactId>h2</artifactId>
             <scope>runtime</scope>
+            <version>${h2.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.hibernate</groupId>
+            <artifactId>hibernate-core</artifactId>
+            <version>${hibernate.version}</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
@@ -202,12 +218,12 @@
         <dependency>
             <groupId>com.upokecenter</groupId>
             <artifactId>cbor</artifactId>
-            <version>4.5.1</version>
+            <version>4.5.2</version>
         </dependency>
         <dependency>
             <groupId>eu.europa.ec.dgc</groupId>
             <artifactId>dgc-lib</artifactId>
-            <version>1.1.9</version>
+            <version>1.1.13</version>
         </dependency>
 
         <!-- DB drivers -->
@@ -215,6 +231,7 @@
             <groupId>org.postgresql</groupId>
             <artifactId>postgresql</artifactId>
             <scope>runtime</scope>
+            <version>${psql.version}</version>
         </dependency>
         <dependency>
             <groupId>mysql</groupId>
@@ -243,6 +260,15 @@
 
     <build>
         <plugins>
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <version>${owasp.version}</version>
+                <configuration>
+                    <suppressionFile>./owasp/suppressions.xml</suppressionFile>
+                    <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
+                </configuration>
+            </plugin>
             <plugin>
                 <groupId>org.asciidoctor</groupId>
                 <artifactId>asciidoctor-maven-plugin</artifactId>
diff --git a/src/main/java/app/coronawarn/quicktest/repository/QuickTestArchiveView.java b/src/main/java/app/coronawarn/quicktest/repository/QuickTestArchiveView.java
index b970c5ce..9853d5b6 100644
--- a/src/main/java/app/coronawarn/quicktest/repository/QuickTestArchiveView.java
+++ b/src/main/java/app/coronawarn/quicktest/repository/QuickTestArchiveView.java
@@ -1,5 +1,12 @@
 package app.coronawarn.quicktest.repository;
 
-public interface QuickTestArchiveView {
-    String getHashedGuid();
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+
+@AllArgsConstructor
+@Getter
+public class QuickTestArchiveView {
+
+    private String hashedGuid;
+
 }
diff --git a/src/main/java/app/coronawarn/quicktest/repository/QuicktestView.java b/src/main/java/app/coronawarn/quicktest/repository/QuicktestView.java
index 78d252ca..4ec7e8c3 100644
--- a/src/main/java/app/coronawarn/quicktest/repository/QuicktestView.java
+++ b/src/main/java/app/coronawarn/quicktest/repository/QuicktestView.java
@@ -1,5 +1,13 @@
 package app.coronawarn.quicktest.repository;
 
-public interface QuicktestView {
-    String getShortHashedGuid();
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+
+@AllArgsConstructor
+@Getter
+public class QuicktestView {
+
+    private String shortHashedGuid;
+
 }
+
diff --git a/src/test/java/app/coronawarn/quicktest/controller/QuickTestArchiveControllerTest.java b/src/test/java/app/coronawarn/quicktest/controller/QuickTestArchiveControllerTest.java
index f4bf7962..eaec2866 100644
--- a/src/test/java/app/coronawarn/quicktest/controller/QuickTestArchiveControllerTest.java
+++ b/src/test/java/app/coronawarn/quicktest/controller/QuickTestArchiveControllerTest.java
@@ -129,7 +129,7 @@ void createQuickTestArchive() throws Exception {
     void findArchivesByTestResultAndUpdatedAtBetween() throws Exception {
 
         QuickTestArchiveView quickTestArchive =
-          () -> "6fa4dcecf716d8dd96c9e927dda5484f1a8a9da03155aa760e0c38f9bed645c4";
+          new QuickTestArchiveView("6fa4dcecf716d8dd96c9e927dda5484f1a8a9da03155aa760e0c38f9bed645c4");
         when(quickTestArchiveService.findByTestResultAndUpdatedAtBetween(any(), anyShort(), any(), any())).thenReturn(
             Collections.singletonList(quickTestArchive));
 
diff --git a/src/test/java/app/coronawarn/quicktest/controller/QuickTestControllerTest.java b/src/test/java/app/coronawarn/quicktest/controller/QuickTestControllerTest.java
index 0c4ea14a..ad5bb3a8 100644
--- a/src/test/java/app/coronawarn/quicktest/controller/QuickTestControllerTest.java
+++ b/src/test/java/app/coronawarn/quicktest/controller/QuickTestControllerTest.java
@@ -895,7 +895,7 @@ void updateQuickTestWithPersonalData() throws Exception {
 
     @Test
     void getPendingQuickTests() throws Exception {
-        QuicktestView quickTest = () -> "00000000";
+        QuicktestView quickTest = new QuicktestView("00000000");
         when(quickTestService.findAllPendingQuickTestsByTenantIdAndPocId(any()))
                 .thenReturn(Collections.singletonList(quickTest));
 
diff --git a/src/test/java/app/coronawarn/quicktest/service/QuickTestArchiveServiceTest.java b/src/test/java/app/coronawarn/quicktest/service/QuickTestArchiveServiceTest.java
index 2483861e..48ab0968 100644
--- a/src/test/java/app/coronawarn/quicktest/service/QuickTestArchiveServiceTest.java
+++ b/src/test/java/app/coronawarn/quicktest/service/QuickTestArchiveServiceTest.java
@@ -22,7 +22,8 @@
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.fail;
-import static org.mockito.ArgumentMatchers.*;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyList;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.when;
@@ -106,9 +107,9 @@ void createNewQuickTestArchiveQuickTestNotFound() {
     void findByTestResultAndUpdatedAtBetweenTest() {
         String hashedGuid = quickTestArchive.getHashedGuid();
         when(quickTestArchiveRepository.findAllByTenantIdAndPocIdAndUpdatedAtBetween(any(), any(), any(), any()))
-            .thenReturn(Collections.singletonList(() -> hashedGuid));
+            .thenReturn(Collections.singletonList(new QuickTestArchiveView(hashedGuid)));
         when(quickTestArchiveRepository.findAllByTenantIdAndPocIdAndTestResultInAndUpdatedAtBetween(any(),
-            any(), anyList(), any(), any())).thenReturn(Collections.singletonList(() -> hashedGuid));
+            any(), anyList(), any(), any())).thenReturn(Collections.singletonList(new QuickTestArchiveView(hashedGuid)));
         List<QuickTestArchiveView> quickTestArchives =
             quickTestArchiveService.findByTestResultAndUpdatedAtBetween(
                 new HashMap<>(),
diff --git a/src/test/java/app/coronawarn/quicktest/service/QuickTestServiceTest.java b/src/test/java/app/coronawarn/quicktest/service/QuickTestServiceTest.java
index 4590cc54..b050b1be 100644
--- a/src/test/java/app/coronawarn/quicktest/service/QuickTestServiceTest.java
+++ b/src/test/java/app/coronawarn/quicktest/service/QuickTestServiceTest.java
@@ -20,7 +20,11 @@
 
 package app.coronawarn.quicktest.service;
 
-import static org.junit.jupiter.api.Assertions.*;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.fail;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.doThrow;
@@ -349,7 +353,7 @@ void removeAllBeforeTest() {
     void findAllPendingQuickTestsByTenantIdAndPocIdTest() {
         Map<String, String> ids = new HashMap<>();
         List<QuickTest> quickTests = new ArrayList<>();
-        QuicktestView quicktestView = () -> "00000000";
+        QuicktestView quicktestView = new QuicktestView("00000000");
         when(quickTestRepository.getShortHashedGuidByTenantIdAndPocIdAndTestResultInAndVersionIsGreaterThan(
             any(), any(), any(), any()))
             .thenReturn(List.of(quicktestView));