From 1a2f696efeb72fb392b2dd5090fc2fafc96e90b5 Mon Sep 17 00:00:00 2001
From: Shawn McKinney <smckinney@symas.com>
Date: Tue, 10 Dec 2019 15:48:21 -0600
Subject: [PATCH] FC-274 - Upgrade maven plugins and dependencies

---
 README.md                 | 10 ++++--
 pom.xml                   | 70 ++++++++++++++++++++++++++++-----------
 src/owasp/suppression.xml | 37 +++++++++++++++++++++
 3 files changed, 94 insertions(+), 23 deletions(-)
 create mode 100644 src/owasp/suppression.xml

diff --git a/README.md b/README.md
index 94ee004..b2a19c8 100644
--- a/README.md
+++ b/README.md
@@ -202,10 +202,14 @@ This web app uses Java EE security.
  ```
 
  This sample requires Java 8 and Maven 3 to be setup within the execution env.
-
+ 
+#### 2. Load the default security policy for Fortress REST.
+ 
+ ```
  mvn install -Dload.file=src/main/resources/FortressRestServerPolicy.xml
+ ```
 
-#### 2. Optional, load a sample security policy for ARBAC.
+#### 3. Optional, load a sample security policy for ARBAC.
  ```maven
  mvn install -Dload.file=src/main/resources/FortressRestArbacSamplePolicy.xml
  ```
@@ -214,7 +218,7 @@ This web app uses Java EE security.
  * *-Dload.file* automatically loads the [directory-fortress-rest security policy](src/main/resources/FortressRestServerPolicy.xml) data into ldap.
  * This load needs to happen just once for the default test cases to work and may be dropped from future `mvn` commands.
 
-#### 3. Deploy to Tomcat:
+#### 4. Deploy to Tomcat:
 
  a. If using autodeploy feature, verify the Tomcat auto-deploy options are set correctly in the [pom.xml](pom.xml) file:
  ```xml
diff --git a/pom.xml b/pom.xml
index 38f51c0..5260deb 100755
--- a/pom.xml
+++ b/pom.xml
@@ -104,7 +104,7 @@
     <java.version>1.8</java.version>
     <!-- Dependencies version -->
     <fortress.realm.version>2.0.4</fortress.realm.version>
-    <cxf.version>3.2.6</cxf.version>
+    <cxf.version>3.3.4</cxf.version>
     <httpclient.version>3.1</httpclient.version>
     <java.version>1.8</java.version>
     <javadoc.version>2.9.1</javadoc.version>
@@ -112,9 +112,9 @@
     <log4j.version>1.2.17</log4j.version>
     <servlet-api.version>2.5.0</servlet-api.version>
     <slf4j.log4j12.version>1.7.21</slf4j.log4j12.version>
-    <spring.version>5.0.9.RELEASE</spring.version>
-    <spring.security.version>5.0.7.RELEASE</spring.security.version>
-    <jackson-jaxrs.version>2.9.7</jackson-jaxrs.version>
+    <jackson-jaxrs.version>2.10.1</jackson-jaxrs.version>
+    <version.jaxb.core>2.3.0.1</version.jaxb.core>
+    <version.jaxb.impl>2.3.2</version.jaxb.impl>
 
     <!--  Other properties -->
     <base.dir>.</base.dir>
@@ -155,17 +155,16 @@
         <version>${jackson-jaxrs.version}</version>
     </dependency>
 
-    <!-- Spring Dependencies -->
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-core</artifactId>
-      <version>${spring.version}</version>
+      <version>5.2.2.RELEASE</version>
     </dependency>
     
     <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-web</artifactId>
-      <version>${spring.security.version}</version>
+      <version>5.2.1.RELEASE</version>
     </dependency>
 
     <!-- Logging Dependencies -->
@@ -197,16 +196,16 @@
     </dependency>
 
     <dependency>
-         <groupId>com.sun.xml.bind</groupId>
-         <artifactId>jaxb-core</artifactId>
-         <version>2.3.0</version>
-       </dependency>
+      <groupId>com.sun.xml.bind</groupId>
+      <artifactId>jaxb-impl</artifactId>
+      <version>${version.jaxb.impl}</version>
+    </dependency>
 
     <dependency>
-      <groupId>com.sun.xml.bind</groupId>
-        <artifactId>jaxb-impl</artifactId>
-        <version>2.3.0</version>
-      </dependency>
+      <groupId>org.glassfish.jaxb</groupId>
+      <artifactId>jaxb-core</artifactId>
+      <version>${version.jaxb.core}</version>
+    </dependency>
 
   </dependencies>
 
@@ -289,7 +288,6 @@
           <server>local-tomcat</server>
           <url>http://localhost:8080/manager/text</url>
           <path>/${project.artifactId}-${project.version}</path>
-<!--          <path>/enmasse-${version}</path>-->
           <!-- Warning the tomcat manager creds here are for deploying into a demo environment only. -->
           <username>tcmanager</username>
           <password>m@nager123</password>
@@ -311,11 +309,21 @@
         </configuration>
       </plugin>
 
+      <plugin>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-maven</artifactId>
+        <version>5.2.4</version>
+        <configuration>
+          <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
+          <suppressionFile>${project.basedir}/src/owasp/suppression.xml</suppressionFile>
+        </configuration>
+      </plugin>
+
       <!-- War the app -->
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-war-plugin</artifactId>
-        <version>2.4</version>
+        <version>3.2.3</version>
         <configuration>
           <warName>${project.artifactId}-${project.version}</warName>
           <archive>
@@ -357,7 +365,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-compiler-plugin</artifactId>
-        <version>3.8.0</version>
+        <version>3.8.1</version>
         <configuration>
           <source>${java.version}</source>
           <target>${java.version}</target>
@@ -369,7 +377,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-source-plugin</artifactId>
-        <version>3.0.0</version>
+        <version>3.2.0</version>
         <executions>
           <execution>
             <id>attach-sources</id>
@@ -451,4 +459,26 @@
     </repository>
   </repositories>
 
-</project>
+  <!-- OWASP Dependency Vulnerability Scanner Profile -->
+  <profiles>
+
+  <profile>
+    <id>owasp</id>
+    <build>
+      <plugins>
+        <plugin>
+          <groupId>org.owasp</groupId>
+          <artifactId>dependency-check-maven</artifactId>
+          <executions>
+            <execution>
+              <goals>
+                <goal>check</goal>
+              </goals>
+            </execution>
+          </executions>
+        </plugin>
+      </plugins>
+    </build>
+  </profile>
+</profiles>
+</project>
\ No newline at end of file
diff --git a/src/owasp/suppression.xml b/src/owasp/suppression.xml
new file mode 100644
index 0000000..06d1344
--- /dev/null
+++ b/src/owasp/suppression.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+-->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <!-- Suppress OWASP warnings about spring security, security method override, not applicable here. -->
+    <suppress>
+        <notes><![CDATA[
+   file name: spring-security-core-5.2.1.RELEASE.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-core@.*$</packageUrl>
+        <cve>CVE-2018-1258</cve>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: spring-security-web-5.2.1.RELEASE.jar
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-web@.*$</packageUrl>
+        <cpe>cpe:/a:pivotal_software:spring_security</cpe>
+    </suppress>
+</suppressions>
\ No newline at end of file