Merge pull request #92 from eclipse-tractusx/fix/upgrade_libs

Upgrade libs and Code Checks

CHANGELOG.md

@@ -8,6 +8,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 # Changelog
 
+## [1.3.1] - [unreleased]
+
+### Fixes
+- Fix vulnerability on postgresql version upgrade to 42.7.2
+- Fix vulnerability found upgrade spring boot version to 3.2.3
+
+### Changed
+- Change Spring security configuration and enable csrf configuration
+
 ## [1.3.0] - 2024-02-19
 
 ### Changed

pom.xml

@@ -23,12 +23,12 @@
     <parent>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-starter-parent</artifactId>
-        <version>3.1.8</version>
+        <version>3.2.3</version>
         <relativePath/> <!-- lookup parent from repository -->
     </parent>
     <groupId>org.eclipse.tractusx</groupId>
     <artifactId>value-added-service</artifactId>
-    <version>1.3.0</version>
+    <version>1.3.1</version>
     <name>vas-country-risk-backend</name>
     <description>Project to Validate Country Risks Score</description>
     <properties>
@@ -41,7 +41,7 @@
         <spring-boot.version>3.1.7</spring-boot.version>
         <org.zalando.problem-spring-web>0.26.0</org.zalando.problem-spring-web>
         <org.springdoc.springdoc-openapi-ui>2.1.0</org.springdoc.springdoc-openapi-ui>
-        <org.springframework.cloud>4.0.4</org.springframework.cloud>
+        <org.springframework.cloud>4.1.1</org.springframework.cloud>
         <sonar.host.url>https://sonarcloud.io</sonar.host.url>
         <sonar.coverage.jacoco.xmlReportPaths>${project.reporting.outputDirectory}/target/jacoco-report/jacoco.xml
         </sonar.coverage.jacoco.xmlReportPaths>
@@ -54,7 +54,7 @@
         <jacoco.version>0.8.7</jacoco.version>
 
         <spring-security-web-version>6.2.1</spring-security-web-version>
-        <postgresql-version>42.6.0</postgresql-version>
+        <postgresql-version>42.7.2</postgresql-version>
         <jackson-databind-nullable>0.2.6</jackson-databind-nullable>
         <wiremock-standalone-version>3.0.0-beta-10</wiremock-standalone-version>
         <snake-yaml-version>2.2</snake-yaml-version>
@@ -264,11 +264,7 @@
                 <groupId>org.liquibase</groupId>
                 <artifactId>liquibase-maven-plugin</artifactId>
             </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-help-plugin</artifactId>
-                <version>${maven-clean-plugin.version}</version>
-            </plugin>
+
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>

src/main/java/org/eclipse/tractusx/valueaddedservice/config/SecurityConfiguration.java

@@ -24,6 +24,7 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.web.servlet.config.annotation.CorsRegistry;
 import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
@@ -41,16 +42,13 @@ public class SecurityConfiguration  {
     @Bean
     @ConditionalOnProperty(prefix = "security", name = "enabled", havingValue = "true")
     public SecurityFilterChain securityFilterChain(final HttpSecurity httpSecurity) throws Exception {
-
         httpSecurity.cors(withDefaults())
-                        .csrf(((csrf)-> csrf.disable()))
-                                .authorizeHttpRequests(((authz)-> authz
+                                .authorizeHttpRequests((auth-> auth
                                         .requestMatchers("/error","/api/dashboard/**","/api/sharing/**","/api/edc/**")
                                         .authenticated()
                                         .requestMatchers("/v3/api-docs/**", "/swagger-ui.html", "/swagger-ui/**","/management/**")
                                         .permitAll()
                                 ));
-
         httpSecurity.oauth2ResourceServer(resourceServer -> resourceServer
                 .jwt(withDefaults()));
 
@@ -69,26 +67,12 @@ public void addCorsMappings(CorsRegistry registry) {
         };
     }
 
-    @Bean
-    @ConditionalOnProperty(prefix = "security", name = "enabled", havingValue = "false")
-    public SecurityFilterChain securityFilterChainLocal(final HttpSecurity httpSecurity) throws Exception {
-
-
-
-        httpSecurity.cors(withDefaults())
-                .csrf(((csrf)-> csrf.disable()))
-                .formLogin(((form)-> form.disable()))
-                .httpBasic((httpBasic)-> httpBasic.disable())
-                .logout((logout)-> logout.disable())
-                .headers((headers)->headers.frameOptions(frameOptionsConfig -> frameOptionsConfig.disable()))
-                .authorizeHttpRequests(((authz)-> authz
-                        .requestMatchers("/error","/api/**","/management/**","/v3/api-docs/**", "/swagger-ui.html", "/swagger-ui/**")
-                        .permitAll()
-                ));
-
 
 
-        return httpSecurity.build();
+    @Bean
+    @ConditionalOnProperty(prefix = "security", name = "enabled", havingValue = "false")
+    public WebSecurityCustomizer webSecurityCustomizer() {
+        return (web) -> web.ignoring().requestMatchers("/**");
     }
 
 

src/main/java/org/eclipse/tractusx/valueaddedservice/service/ReportService.java

@@ -19,6 +19,7 @@
 ********************************************************************************/
 package org.eclipse.tractusx.valueaddedservice.service;
 
+import org.apache.commons.text.StringEscapeUtils;
 import org.eclipse.tractusx.valueaddedservice.domain.Report;
 import org.eclipse.tractusx.valueaddedservice.domain.enumeration.Type;
 import org.eclipse.tractusx.valueaddedservice.dto.ReportDTO;
@@ -58,7 +59,8 @@ public ReportService(ReportRepository reportRepository, ReportMapper reportMappe
      * @return the persisted entity.
      */
     public ReportDTO save(ReportDTO reportDTO) {
-        log.debug("Request to save Report : {}", reportDTO);
+        String reportString = StringEscapeUtils.escapeJava(reportDTO.toString());
+        log.debug("Request to save Report : {}", reportString);
         Report report = reportMapper.toEntity(reportDTO);
         report = reportRepository.save(report);
         return reportMapper.toDto(report);

src/main/java/org/eclipse/tractusx/valueaddedservice/service/ReportValuesService.java

@@ -19,6 +19,7 @@
 ********************************************************************************/
 package org.eclipse.tractusx.valueaddedservice.service;
 
+import org.apache.commons.text.StringEscapeUtils;
 import org.eclipse.tractusx.valueaddedservice.domain.Report;
 import org.eclipse.tractusx.valueaddedservice.domain.ReportValues;
 import org.eclipse.tractusx.valueaddedservice.dto.ReportDTO;
@@ -62,7 +63,8 @@ public ReportValuesService(ReportValuesRepository reportValuesRepository, Report
      * @return the persisted entity.
      */
     public ReportValuesDTO save(ReportValuesDTO reportValuesDTO, ReportDTO reportDTO) {
-        log.debug("Request to save ReportValues : {}", reportValuesDTO);
+        String reports = StringEscapeUtils.escapeJava(reportValuesDTO.toString());
+        log.debug("Request to save ReportValues : {}", reports);
         Report report = reportMapper.toEntity(reportDTO);
         ReportValues reportValues = reportValuesMapper.toEntity(reportValuesDTO);
         reportValues.setReport(report);

src/main/java/org/eclipse/tractusx/valueaddedservice/service/logic/CountryLogicService.java

@@ -20,6 +20,7 @@
 package org.eclipse.tractusx.valueaddedservice.service.logic;
 
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.text.StringEscapeUtils;
 import org.eclipse.tractusx.valueaddedservice.dto.CompanyUserDTO;
 import org.eclipse.tractusx.valueaddedservice.dto.CountryDTO;
 import org.eclipse.tractusx.valueaddedservice.service.CountryService;
@@ -47,7 +48,8 @@ public class CountryLogicService {
 
     @Cacheable(value = "vas-country", key = "{#root.methodName , {#companyUserDTO.name,#companyUserDTO.email,#companyUserDTO.companyName},#roles }", unless = "#result == null")
     public List<CountryDTO> getAssociatedCountries (CompanyUserDTO companyUserDTO,String token,List<String> roles) {
-        log.debug("getAssociatedCountries filtered by companyUserDTO " + companyUserDTO);
+        String sanitizedCompany = StringEscapeUtils.escapeJava(companyUserDTO.toString());
+        log.debug("getAssociatedCountries filtered by companyUserDTO " + sanitizedCompany);
         List<String> countryList;
         countryList = externalBusinessPartnersLogicService.getExternalPartnersCountry(companyUserDTO,token,roles);
 
@@ -61,7 +63,8 @@ public List<CountryDTO> getAssociatedCountries (CompanyUserDTO companyUserDTO,St
 
     @Cacheable(value = "vas-country", key = "{#root.methodName , {#companyUserDTO.name,#companyUserDTO.email,#companyUserDTO.companyName},#roles}", unless = "#result == null")
     public List<CountryDTO> getCountryFilterByISO2(CompanyUserDTO companyUserDTO,String token,List<String> roles){
-        log.debug("getCountryFilterByISO2 filtered by companyUserDTO "+ companyUserDTO);
+        String sanitizedCompany = StringEscapeUtils.escapeJava(companyUserDTO.toString());
+        log.debug("getCountryFilterByISO2 filtered by companyUserDTO "+ sanitizedCompany);
         List<CountryDTO> countryDTOList = countryService.findAll().stream().filter(MethodUtils.distinctByKey(CountryDTO::getIso2)).toList();
         countryDTOList.forEach(countryDTO -> countryDTO.setTotalBpn(externalBusinessPartnersLogicService.getTotalBpnByCountry(countryDTO,companyUserDTO,token,roles)));
 

src/main/java/org/eclipse/tractusx/valueaddedservice/service/logic/DataSourceLogicService.java

@@ -20,6 +20,7 @@
 package org.eclipse.tractusx.valueaddedservice.service.logic;
 
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.text.StringEscapeUtils;
 import org.eclipse.tractusx.valueaddedservice.domain.enumeration.Type;
 import org.eclipse.tractusx.valueaddedservice.dto.CompanyUserDTO;
 import org.eclipse.tractusx.valueaddedservice.dto.DataSourceDTO;
@@ -51,7 +52,8 @@ public class DataSourceLogicService {
 
     @Cacheable(value = "vas-datasource", key = "{#root.methodName , {#year,#companyUserDTO.name,#companyUserDTO.email,#companyUserDTO.companyName}}", unless = "#result == null")
     public List<DataSourceDTO> findRatingsByYearAndCompanyUser(Integer year, CompanyUserDTO companyUserDTO){
-        log.debug("findRatingsByYearAndCompanyUser {}",companyUserDTO);
+        String sanitizedCompany = StringEscapeUtils.escapeJava(companyUserDTO.toString());
+        log.debug("findRatingsByYearAndCompanyUser {}",sanitizedCompany);
         List<DataSourceDTO> dataSourceDTOS = dataSourceService.findRatingsByYearAndTypeGlobal(year);
         List<DataSourceDTO> companyRatings = dataSourceService.findByYearPublishedAndCompanyUserCompanyNameAndType(year, companyUserDTO, Type.Company);
         List<DataSourceDTO> dataSourceDTOByYearAndUser = dataSourceService.findRatingByYearAndUser(year,companyUserDTO);
@@ -63,7 +65,8 @@ public List<DataSourceDTO> findRatingsByYearAndCompanyUser(Integer year, Company
 
     @Cacheable(value = "vas-datasource", key = "{#root.methodName , {#companyUserDTO.name,#companyUserDTO.email,#companyUserDTO.companyName}}", unless = "#result == null")
     public List<DataSourceDTO> findRatingsByCompanyUser(CompanyUserDTO companyUserDTO){
-        log.debug("findRatingsByCompanyUser {}",companyUserDTO);
+        String sanitizedCompany = StringEscapeUtils.escapeJava(companyUserDTO.toString());
+        log.debug("findRatingsByCompanyUser {}",sanitizedCompany);
         return dataSourceService.findRatingByUser(companyUserDTO);
 
     }
@@ -75,7 +78,8 @@ public void invalidateAllCache() {
 
     @Cacheable(value = "vas-datasource", key = "{#root.methodName , {#year,#companyUserDTO.companyName}}", unless = "#result == null")
     public List<DataSourceDTO> findRatingsByYearAndCompanyUserCompany(Integer year, CompanyUserDTO companyUserDTO){
-        log.debug("findRatingsByYearAndCompanyUser {}",companyUserDTO);
+        String sanitizedCompany = StringEscapeUtils.escapeJava(companyUserDTO.toString());
+        log.debug("findRatingsByYearAndCompanyUser {}",sanitizedCompany);
         List<DataSourceDTO>  dataSourceDTOS = dataSourceService.findRatingsByYearAndTypeGlobal(year);
         List<DataSourceDTO> companyRatings = dataSourceService.findByYearPublishedAndCompanyUserCompanyNameAndType(year, companyUserDTO, Type.Company);
         dataSourceDTOS.addAll(companyRatings);

src/main/java/org/eclipse/tractusx/valueaddedservice/service/logic/ExternalBusinessPartnersLogicService.java

@@ -20,6 +20,7 @@
 package org.eclipse.tractusx.valueaddedservice.service.logic;
 
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.text.StringEscapeUtils;
 import org.eclipse.tractusx.valueaddedservice.dto.BusinessPartnerDTO;
 import org.eclipse.tractusx.valueaddedservice.dto.CompanyUserDTO;
 import org.eclipse.tractusx.valueaddedservice.dto.CountryDTO;
@@ -42,7 +43,8 @@ public class ExternalBusinessPartnersLogicService {
 
     @Cacheable(value = "vas-bpn", key = "{#root.methodName , {#companyUserDTO.name,#companyUserDTO.email,#companyUserDTO.companyName},#roles}", unless = "#result == null")
     public List<String> getExternalPartnersCountry (CompanyUserDTO companyUserDTO,String token,List<String> roles) {
-        log.debug("getExternalPartnersCountry for companyUserDTO {}",companyUserDTO);
+        String sanitizedCompany = StringEscapeUtils.escapeJava(companyUserDTO.toString());
+        log.debug("getExternalPartnersCountry for companyUserDTO {}",sanitizedCompany);
         List<BusinessPartnerDTO> businessPartnerDTOS;
         businessPartnerDTOS = businessPartnersLogicService.getExternalBusinessPartners(companyUserDTO,token,roles);
         List<String> countryList = new ArrayList<>();

src/main/java/org/eclipse/tractusx/valueaddedservice/service/logic/RangeLogicService.java

@@ -20,6 +20,7 @@
 package org.eclipse.tractusx.valueaddedservice.service.logic;
 
 import lombok.extern.slf4j.Slf4j;
+import org.apache.commons.text.StringEscapeUtils;
 import org.eclipse.tractusx.valueaddedservice.constants.VasConstants;
 import org.eclipse.tractusx.valueaddedservice.domain.enumeration.RangeType;
 import org.eclipse.tractusx.valueaddedservice.dto.CompanyUserDTO;
@@ -40,7 +41,9 @@ public class RangeLogicService {
     RangeService rangeService;
 
     public void saveRanges(List<RangeDTO> rangeDTOS, CompanyUserDTO companyUserDTO)  {
-        log.debug("saveRanges save new ranges {} for companyUser {}",rangeDTOS,companyUserDTO);
+        String sanitizedRange = StringEscapeUtils.escapeJava(rangeDTOS.toString());
+        String sanitizedCompany = StringEscapeUtils.escapeJava(companyUserDTO.toString());
+        log.debug("saveRanges save new ranges {} for companyUser {}",sanitizedRange,sanitizedCompany);
         List<RangeDTO> list = rangeService.getUserRanges(companyUserDTO);
         if (list.isEmpty()) {
             rangeDTOS.forEach(rangeDTO -> {
@@ -57,7 +60,8 @@ public void saveRanges(List<RangeDTO> rangeDTOS, CompanyUserDTO companyUserDTO)
 
     @Cacheable(value = "vas-range", key = "{#root.methodName , {#companyUserDTO.name,#companyUserDTO.email,#companyUserDTO.companyName}}", unless = "#result == null")
     public List<RangeDTO> getUserRangesOrDefault(CompanyUserDTO companyUserDTO) {
-        log.debug("getUserRangesOrDefault get ranges for companyUser {}",companyUserDTO);
+        String sanitizedCompany = StringEscapeUtils.escapeJava(companyUserDTO.toString());
+        log.debug("getUserRangesOrDefault get ranges for companyUser {}",sanitizedCompany);
         List<RangeDTO> ranges = rangeService.getUserRanges(companyUserDTO);
         if (!ranges.isEmpty()) {
             return ranges;