diff --git a/CHANGELOG.md b/CHANGELOG.md index 5df34a4..9d18d46 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,12 @@ # Change Log +### V1.3.5-SNAPSHOT + +- Fixed vulnerability CVE-2020-25649, CVE-2020-15522, CVE-2020-9488 and CVE-2019-17571 +- Update dependency library for bouncycastle to version 1.69 +- Update dependency library for jackson-databind to version 2.10.5.1 +- Remove dependency library for slf4j, updated to log4j version 2.14.1 for logging + ### V1.3.4-SNAPSHOT - Fixed vulnerability CVE-2019-14379 and CVE-2019-14439 diff --git a/LICENSE b/LICENSE index bfa5d63..1fa7d98 100644 --- a/LICENSE +++ b/LICENSE @@ -1,4 +1,4 @@ -Copyright (C) 2017-2020 GovTech, Government Digital Services, PDD-AI +Copyright (C) 2017-2021 GovTech, Government Digital Services - ENP Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal diff --git a/README.md b/README.md index 07bd5a8..08af9e1 100644 --- a/README.md +++ b/README.md @@ -63,22 +63,25 @@ mvn install com.api.util ApiSecurity - 1.3.2-SNAPSHOT + 1.3.5-SNAPSHOT ``` **Note:** -* This project is leveraging on _slf4j-log4j12_ framework for the logging. If you are using logging implementation other than log4j, you can change to other type of implementation such as nop,simple,jdk14,logback. You could replace the following xml in pom.xml. -* If your are using Log4j _Version2_, please refer to [Log4j2-SLF4J Binding](https://logging.apache.org/log4j/2.x/log4j-slf4j-impl/index.html) +* This project is leveraging on Log4j _Version2_ framework for the logging. If you are using logging implementation other than Log4j _Version2_ , you can change to other type of implementation such as nop,simple,jdk14,logback. You could replace the following xml in pom.xml. ```xml - org.slf4j - slf4j-log4j12 - 1.7.25 + org.apache.logging.log4j + log4j-api + 2.14.1 + + + org.apache.logging.log4j + log4j-core + 2.14.1 - ``` #### Maven Test 
@@ -136,7 +139,7 @@ repositories { mavenLocal() } dependencies { - compile group: 'com.api.util', name: 'ApiSecurity', version: '1.3.1-SNAPSHOT' + compile group: 'com.api.util', name: 'ApiSecurity', version: '1.3.5-SNAPSHOT' } ``` @@ -554,7 +557,7 @@ public void Http_POST_Test() throws ApiUtilException, IOException } ``` - + ## Contributing For more information about contributing PRs and issues, see [CONTRIBUTING.md](.github/CONTRIBUTING.md). @@ -566,6 +569,6 @@ See [CHANGELOG.md](CHANGELOG.md). ## References + [UTF-8 in Gradle](https://stackoverflow.com/questions/21267234/show-utf-8-text-properly-in-gradle) -+ [SLF4J FAQ](https://www.slf4j.org/faq.html) -+ [Akana API Consumer Security](http://docs.akana.com/ag/cm_policies/using_api_consumer_app_sec_policy.htm) -+ [RSA and HMAC Request Signing Standard](http://tools.ietf.org/html/draft-cavage-http-signatures-05) ++ [LOG4J2 FAQ](https://logging.apache.org/log4j/2.x/faq.html) ++ [Akana API Consumer Security](http://docs.akana.com/cm/learnmore/app_security.htm) ++ [RSA and HMAC Request Signing Standard](https://tools.ietf.org/id/draft-cavage-http-signatures-08.html) diff --git a/build.gradle b/build.gradle index cb12d79..ddf8192 100644 --- a/build.gradle +++ b/build.gradle @@ -4,7 +4,7 @@ plugins { id 'com.github.kt3k.coveralls' version '2.6.3' } -version '1.3.4-SNAPSHOT' +version '1.3.5-SNAPSHOT' tasks.withType(JavaCompile) { options.encoding = "UTF-8" 
@@ -16,13 +16,23 @@ repositories {
 dependencies {
 //compile group: 'org.apache.commons', name: 'commons-collections4', version: '4.1'
+
+ //gradle 4.0
 compile group: 'commons-lang', name: 'commons-lang', version: '2.4'
- compile group: 'org.slf4j', name: 'slf4j-api', version: '1.7.25'
- compile group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.9.9.2'
+ compile group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.14.1'
+ compile group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.14.1'
+ compile group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.10.5.1'
 compile group: 'com.googlecode.json-simple', name: 'json-simple', version: '1.1.1'
- compile group: 'org.bouncycastle', name: 'bcpkix-jdk15on', version: '1.60'
- testCompile group: 'org.slf4j', name: 'slf4j-log4j12', version: '1.7.25'
- testCompile group: 'junit', name: 'junit', version: '4.12'
+ compile group: 'org.bouncycastle', name: 'bcpkix-jdk15on', version: '1.69'
+
+ testCompile group: 'junit', name: 'junit', version: '4.13.1'
+
+ //gradle 6.9
+ //implementation group: 'commons-lang', name: 'commons-lang', version: '2.4'
+ //implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.10.5.1'
+ //implementation group: 'com.googlecode.json-simple', name: 'json-simple', version: '1.1.1'
+ //implementation group: 'org.bouncycastle', name: 'bcpkix-jdk15on', version: '1.69'
+ //testImplementation group: 'junit', name: 'junit', version: '4.13.1'
 }
 jar {
diff --git a/pom.xml b/pom.xml
index 19451bb..2a8ac86 100644
--- a/pom.xml
+++ b/pom.xml
@@ -2,7 +2,7 @@
 4.0.0
 com.api.util
 ApiSecurity
- 1.3.4-SNAPSHOT
+ 1.3.5-SNAPSHOT
@@ -78,10 +78,15 @@
 test
- org.slf4j
- slf4j-log4j12
- 1.7.25
-
+ org.apache.logging.log4j
+ log4j-api
+ 2.14.1
+
+
+ org.apache.logging.log4j
+ log4j-core
+ 2.14.1
+
 commons-lang
 commons-lang
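Review bot: log4j-core is added to the `compile` configuration of a library, so every consumer of ApiSecurity transitively inherits a concrete logging backend (and with it any log4j2.properties packaged in the jar) instead of choosing their own; the log4j-core `<dependency>` added to pom.xml in this same commit has the same problem. Keep only log4j-api at compile scope and move log4j-core to `testCompile` here and `<scope>test</scope>` in the pom, as the removed slf4j-log4j12 binding was. The 2.14.1 line pinned for log4j-core also predates the fix for the critical JNDI-lookup remote code execution flaw disclosed later in the 2.x series, so this pin should not be left as the library's default and should be revisited before release. Finally, the commented-out "gradle 6.9" block duplicates the live declarations yet omits the log4j lines, so it will drift; either migrate to `implementation`/`testImplementation` or drop it.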
@@ -90,7 +95,7 @@
 com.fasterxml.jackson.core
 jackson-databind
- 2.10.0.pr3
+ 2.10.5.1
 com.googlecode.json-simple
@@ -100,7 +105,7 @@
 org.bouncycastle
 bcpkix-jdk15on
- 1.61
+ 1.69
diff --git a/src/main/java/com/api/util/ApiSecurity/ApiSigning.java b/src/main/java/com/api/util/ApiSecurity/ApiSigning.java
index 4c6e890..92b1b9e 100644
--- a/src/main/java/com/api/util/ApiSecurity/ApiSigning.java
+++ b/src/main/java/com/api/util/ApiSecurity/ApiSigning.java
@@ -7,8 +7,8 @@ import org.bouncycastle.openssl.PEMParser;
 import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
 import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.LogManager;
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
@@ -34,7 +34,7 @@
 */
 public class ApiSigning {
- private static final Logger log = LoggerFactory.getLogger(ApiSigning.class);
+ private static final Logger log = LogManager.getLogger(ApiSigning.class);
 /**
 * Create HMACRSA256 Signature (L1) with a given basestring
diff --git a/src/main/resources/log4j.properties b/src/main/resources/log4j.properties
deleted file mode 100644
index 5d49ecf..0000000
--- a/src/main/resources/log4j.properties
+++ /dev/null
@@ -1,16 +0,0 @@
-# Root logger
-log4j.rootLogger=DEBUG, stdout
-
-# log to console
-log4j.appender.stdout=org.apache.log4j.ConsoleAppender
-log4j.appender.stdout.Target=System.out
-log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
-log4j.appender.stdout.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} [%t] %-5p:: %m%n
-
-# log to file
-#log4j.appender.file=org.apache.log4j.RollingFileAppender
-#log4j.appender.file.File=
-#log4j.appender.file.MaxFileSize=10000KB
-#log4j.appender.file.MaxBackupIndex=10
-#log4j.appender.file.layout=org.apache.log4j.PatternLayout
-#log4j.appender.file.layout.ConversionPattern=%d{yyyy-MM-dd HH:mm:ss} [%t] %-5p:: %m%n
diff --git a/src/main/resources/log4j2.properties b/src/main/resources/log4j2.properties
new file mode 100644
index 0000000..51fb853
--- /dev/null
+++ b/src/main/resources/log4j2.properties
@@ -0,0 +1,38 @@
+ status = error
+ dest = err
+ name = PropertiesConfig
+
+
+ # log to console
+ appender.console.type = Console
+ appender.console.name = STDOUT
+ appender.console.layout.type = PatternLayout
+ appender.console.layout.pattern = %d{yyyy-MM-dd HH:mm:ss} [%t] %-5p:: %m%n
+
+
+ # log to file
+ # property.filename = target/rolling/rollingtest.log
+ # appender.rolling.type = RollingFile
+ # appender.rolling.name = RollingFile
+ # appender.rolling.fileName = $(unknown)
+ # appender.rolling.filePattern = target/rolling2/test1-%d{MM-dd-yy-HH-mm-ss}-%i.log.gz
+ # appender.rolling.layout.type = PatternLayout
+ # appender.rolling.layout.pattern = %d{yyyy-MM-dd HH:mm:ss} [%t] %-5p:: %m%n
+ # appender.rolling.policies.type = Policies
+ # appender.rolling.policies.time.type = TimeBasedTriggeringPolicy
+ # appender.rolling.policies.time.interval = 2
+ # appender.rolling.policies.time.modulate = true
+ # appender.rolling.policies.size.type = SizeBasedTriggeringPolicy
+ # appender.rolling.policies.size.size=10000KB
+ # appender.rolling.strategy.type = DefaultRolloverStrategy
+ # appender.rolling.strategy.max = 10
+ # logger.rolling.name = com.example.my.app
+ # logger.rolling.level = debug
+ # logger.rolling.additivity = false
+ # logger.rolling.appenderRef.rolling.ref = RollingFile
+
+
+ #Root logger
+ rootLogger.level = debug
+ rootLogger.appenderRef.stdout.ref = STDOUT
\ No newline at end of file
diff --git a/src/test/java/com/api/util/ApiSecurity/ApiSecurityTest.java b/src/test/java/com/api/util/ApiSecurity/ApiSecurityTest.java
index 4884dd7..3024003 100644
--- a/src/test/java/com/api/util/ApiSecurity/ApiSecurityTest.java
+++ b/src/test/java/com/api/util/ApiSecurity/ApiSecurityTest.java
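Review bot: This file sits in src/main/resources, so it is packaged into the library jar and lands on every consumer's classpath, where Log4j 2 may load it as the application's configuration; with `rootLogger.level = debug` that switches the consumer's entire logger hierarchy to debug, not just this library, and whatever ApiSigning's own logger emits at debug level around signing and key handling then reaches the consumer's stdout. Move the file to src/test/resources, where the test run is the only thing that needs it, or if it must ship, keep the root at `error` and scope the verbose level to this library with `logger.api.name = com.api.util` and `logger.api.level = info`. The commented rolling-file template also carries placeholders (`appender.rolling.fileName = $(unknown)`, `logger.rolling.name = com.example.my.app`) that would misroute or fail if uncommented as-is, so either drop the block or make it a working example. The file also lacks a trailing newline.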
@@ -16,8 +16,8 @@ import java.util.Set;
 import org.junit.runner.RunWith;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.LogManager;
 import com.api.util.testframework.JUnitFactoryRunner;
 import com.api.util.testframework.JUnitTestFactory;
@@ -35,7 +35,7 @@
 @RunWith(JUnitFactoryRunner.class)
 public class ApiSecurityTest {
- private static final Logger log = LoggerFactory.getLogger(ApiSecurityTest.class);
+ private static final Logger log = LogManager.getLogger(ApiSecurityTest.class);
 private static final String testDataPath = getLocalPath("src/main/resources/test-suites/testData/");
diff --git a/src/test/java/com/api/util/ApiSecurity/AuthorizationTokenTest.java b/src/test/java/com/api/util/ApiSecurity/AuthorizationTokenTest.java
index 6d84e73..9bbeefd 100644
--- a/src/test/java/com/api/util/ApiSecurity/AuthorizationTokenTest.java
+++ b/src/test/java/com/api/util/ApiSecurity/AuthorizationTokenTest.java
@@ -10,7 +10,7 @@ import static org.junit.Assert.*;
 /**
- * @author GDS-PDD
+ * @author GDS-ENP
 *
 */
 public class AuthorizationTokenTest {
diff --git a/src/test/java/com/api/util/testframework/RuntimeTestCase.java b/src/test/java/com/api/util/testframework/RuntimeTestCase.java
index 22760cc..27d7efd 100644
--- a/src/test/java/com/api/util/testframework/RuntimeTestCase.java
+++ b/src/test/java/com/api/util/testframework/RuntimeTestCase.java
@@ -1,7 +1,7 @@
 package com.api.util.testframework;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.LogManager;
 import com.api.util.ApiSecurity.ApiList;
 import com.api.util.ApiSecurity.ApiSigning;
@@ -24,7 +24,7 @@ public class RuntimeTestCase{
- private static final Logger log = LoggerFactory.getLogger(RuntimeTestCase.class);
+ private static final Logger log = LogManager.getLogger(RuntimeTestCase.class);
 //private ApiList apiList;
 private String testName;
@@ -50,6 +50,7 @@ public void setTestName(String testName) {
 */
 @JUnitFactoryTest
 public void getSignatureBaseString() throws IOException, InterruptedException, ParseException {
+ log.trace("Entering teset test application.");
 log.info("====================> Start :: RuntimeTestCase :: getSignatureBaseString :: testName : {} ", testName);
 ExpectedResult expectedResult = testDatum.getExpectedResult();
diff --git a/src/test/java/com/api/util/testframework/RuntimeTestUtility.java b/src/test/java/com/api/util/testframework/RuntimeTestUtility.java
index fbcc73f..c2c45fb 100644
--- a/src/test/java/com/api/util/testframework/RuntimeTestUtility.java
+++ b/src/test/java/com/api/util/testframework/RuntimeTestUtility.java
@@ -1,7 +1,7 @@
 package com.api.util.testframework;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.LogManager;
 import com.api.util.ApiSecurity.ApiList;
 import com.api.util.ApiSecurity.ApiUtilException;
@@ -17,7 +17,7 @@ public class RuntimeTestUtility {
- private static final Logger log = LoggerFactory.getLogger(RuntimeTestUtility.class);
+ private static final Logger log = LogManager.getLogger(RuntimeTestUtility.class);
 private static ApiList apiList;
 public static String getExpectedResultMap(ExpectedResult expectedResult) throws ApiUtilException {
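Review bot: The trace line added at the top of getSignatureBaseString has a typo and says nothing the next line does not already say: `log.trace("Entering teset test application.");`. Either remove it, since the following `log.info` already marks the start of the test with its name, or make it carry something the info line lacks, e.g. `log.trace("Entering getSignatureBaseString for testName: {}", testName);`. The body of getSignatureBaseString continues outside the hunk.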