authorGerald Palfinger <gerald.palfinger@iaik.tugraz.at>2022-01-20 14:20:41 +0000
committerGerald Palfinger <gerald.palfinger@iaik.tugraz.at>2022-01-20 14:20:41 +0000
commit863eef9357f985936f0e72a267232fbd42315d95 (patch)
treeb47bbb1f43d250b4a009aa5fe9b3a013ffe5a292
parent70efc77fb1ba95a74ad8c7ce6ad097de35d208e2 (diff)
parent228b1e2dc09d9554edcd667c68325709d1fb0d3e (diff)
downloadpdf-as-4-863eef9357f985936f0e72a267232fbd42315d95.tar.gz
pdf-as-4-863eef9357f985936f0e72a267232fbd42315d95.tar.bz2
pdf-as-4-863eef9357f985936f0e72a267232fbd42315d95.zip
Merge branch 'issue_58' into 'master'
Update all vulnerable dependencies. See merge request egiz/pdf-as-4!1
-rw-r--r--.gitlab-ci.yml86
-rw-r--r--build.gradle102
-rw-r--r--pdf-as-cli/build.gradle2
-rw-r--r--pdf-as-common/build.gradle2
-rw-r--r--pdf-as-lib/build.gradle6
-rw-r--r--pdf-as-moa/build.gradle2
-rw-r--r--pdf-as-pdfbox-2/build.gradle10
-rw-r--r--pdf-as-pdfbox-2/src/test/resources/1Sign_manyQR.pdfbin0 -> 188967 bytes
-rw-r--r--pdf-as-pdfbox-2/src/test/resources/new_qr_2-2.pdfbin0 -> 182043 bytes
-rw-r--r--pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed.pdfbin0 -> 225097 bytes
-rw-r--r--pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed.pdfbin0 -> 267093 bytes
-rw-r--r--pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed_signed.pdfbin0 -> 310607 bytes
-rw-r--r--pdf-as-web-db/build.gradle6
-rw-r--r--pdf-as-web-statistic-api/build.gradle2
-rw-r--r--pdf-as-web/build.gradle27
-rw-r--r--pdf-as-web/gradle.properties3
16 files changed, 156 insertions, 92 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 00000000..1cd13b89
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,86 @@
+image: gradle:6.8.3-jdk11
+
+variables:
+ LC_ALL: "en_US.UTF-8"
+ LANG: "en_US.UTF-8"
+ LANGUAGE: "en_US"
+ LIB_NAME: "PDF-AS 4"
+ GIT_DEPTH: "2"
+ SECURE_LOG_LEVEL: "debug"
+
+include:
+ - template: Dependency-Scanning.gitlab-ci.yml
+ - template: Security/SAST.gitlab-ci.yml
+ - template: Secret-Detection.gitlab-ci.yml
+
+default:
+ tags:
+ - docker
+
+stages:
+ - assemble
+ - test
+ - package
+ - release
+
+cache:
+ paths:
+ - .m2/repository
+ - .gradle/wrapper
+ - .gradle/caches
+
+assemble:
+ stage: assemble
+ tags:
+ - docker
+ except:
+ - tags
+ script: |
+ ./gradlew --warning-mode all -x test clean build
+ artifacts:
+ when: always
+ reports:
+ junit: "**/build/test-results/test/**/TEST-*.xml"
+
+release_packaging:
+ stage: package
+ tags:
+ - docker
+ except:
+ - tags
+ - /^feature/.*$/i
+ - /^issue.*$/i
+ before_script:
+ - mkdir -p ~/.ssh
+ - ssh-keyscan apps.egiz.gv.at >> ~/.ssh/known_hosts
+ - chmod 644 ~/.ssh/known_hosts
+ script: |
+ ./gradlew --stacktrace -x test assemble uploadArchives
+ artifacts:
+ when: always
+ name: "${CI_PROJECT_NAME}-${CI_COMMIT_SHORT_SHA}"
+ reports:
+ dotenv: variables.env
+
+release:
+ stage: release
+ image: registry.gitlab.com/gitlab-org/release-cli:latest
+ tags:
+ - docker
+ needs:
+ - job: assemble
+ artifacts: true
+ when: manual
+ only:
+ - master
+ script: |
+ echo "Releasing version $VERSION of $LIB_NAME"
+ echo "Publishing version $VERSION to public EGIZ maven"
+ cd ./moaSig
+ ./gradlew release
+ artifacts:
+ name: "${CI_PROJECT_NAME}-${CI_COMMIT_SHORT_SHA}-release"
+ expire_in: never
+ paths:
+ - "../release/${VERSION}/pdf-as-web-${VERSION}.war"
+ - "../release/${VERSION}/pdf-as-lib-${VERSION}.zip"
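Review bot: The `release_packaging` job trusts whatever host key `ssh-keyscan apps.egiz.gv.at` returns at pipeline time, so the sftp upload configured in build.gradle never authenticates the server it hands the deploy credentials to; pinning the expected key from a protected CI variable, e.g. `- echo "$EGIZ_MAVEN_HOST_KEY" >> ~/.ssh/known_hosts` (variable name is a placeholder), closes that gap. The `release` job also looks unfinished: its `needs:` lists only `assemble`, so the `variables.env` dotenv report produced by `release_packaging` is not available to it and `$VERSION` in its script and artifact paths is presumably unset, and `cd ./moaSig` matches no path in this repository's diffstat. `SECURE_LOG_LEVEL: "debug"` makes the three included scanner templates log verbosely on every pipeline; it is worth leaving at the default outside of debugging sessions.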
diff --git a/build.gradle b/build.gradle
index 6fe2c297..4d5f0d41 100644
--- a/build.gradle
+++ b/build.gradle
@@ -6,6 +6,7 @@ buildscript {
dependencies {
classpath "com.github.ben-manes:gradle-versions-plugin:0.28.0"
+ classpath "org.owasp:dependency-check-gradle:6.5.0.1"
}
}
@@ -15,50 +16,37 @@ allprojects {
version = '4.2.1-SNAPSHOT'
}
-configurations {
- cveCheck
-}
-
-dependencies {
- cveCheck 'org.owasp:dependency-check-ant:1.2.5'
-}
-
-task checkCVE {
- doLast {
- // Redefine checkCVEAnt Ant task, with the classpath property set to our newly defined
- // cveCheck configuration classpath.
- ant.taskdef(name: 'checkCVEAnt', classname: 'org.owasp.dependencycheck.taskdefs.DependencyCheckTask',
- classpath: configurations.cveCheck.asPath)
-
- // executing checkCVEAnt Task
- ant.checkCVEAnt(
- applicationname: "PDF-AS",
- reportoutputdirectory: (new File(rootDir, 'releases/cvecheck/' + project.name)).toString(),
- reportformat: "ALL") {
- fileset(dir: (new File(rootDir, 'build/alldependencies')).toString()) {
- include(name: '**/**')
- }
- }
- }
-}
-
subprojects {
apply plugin: 'java-library'
apply plugin: 'eclipse'
apply plugin: 'maven-publish'
- //apply plugin: 'maven'
+ apply plugin: 'maven'
+ apply plugin: 'org.owasp.dependencycheck'
group = 'at.gv.egiz.pdfas'
configurations {
deployerJars
- cveCheck
}
- repositories { mavenCentral() }
+ repositories {
+ mavenCentral()
+
+ maven {
+ url "https://apps.egiz.gv.at/maven/"
+ mavenContent {
+ releasesOnly()
+ }
+ }
+ maven {
+ url "https://apps.egiz.gv.at/maven-snapshot/"
+ mavenContent {
+ snapshotsOnly()
+ }
+ }
+ }
dependencies {
testImplementation 'junit:junit:4.13.2'
- cveCheck 'org.owasp:dependency-check-ant:6.1.3'
}
task sourcesJar(type: Jar, dependsOn: classes) {
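Review bot: `apply plugin: 'org.owasp.dependencycheck'` replaces the removed `checkCVE`/`checkCVELocal` tasks, but nothing in this diff configures or invokes it — the CI `assemble` job runs `clean build`, which does not trigger `dependencyCheckAnalyze`, so the scan the old tasks performed is gone unless the GitLab `Dependency-Scanning` template is relied on instead. A minimal `dependencyCheck { failBuildOnCVSS = 7 }` block plus `dependencyCheckAggregate` in the CI script would restore a failing check. Separately, the two new `apps.egiz.gv.at` repositories are consulted for every dependency group after Maven Central; if they only serve EGIZ artifacts, adding `includeGroupByRegex "at\\.gv\\.egiz.*"` inside their `mavenContent` blocks keeps a failed Central lookup for an unrelated group from falling through to them. The `subprojects` closure continues outside the hunk.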
@@ -82,8 +70,8 @@ subprojects {
//tomcatVersion = '7.0.54';
//tomcatVersion = '8.0.36';
tomcatVersion = '9.0.46';
- slf4jVersion = '1.7.30'
- cxfVersion = '3.0.1'
+ slf4jVersion = '1.7.32'
+ cxfVersion = '3.4.5'
}
jar { manifest.attributes provider: 'EGIZ', 'Specification-Version': getCheckedOutGitCommitHash(), 'Implementation-Version': project.version }
@@ -97,30 +85,7 @@ subprojects {
from configurations.runtime
into 'build/alldependencies'
}
-
- rootProject.checkCVE.dependsOn copyDeps
-
- task checkCVELocal {
- doLast {
- // Redefine checkCVEAnt Ant task, with the classpath property set to our newly defined
- // cveCheck configuration classpath.
- ant.taskdef(name: 'checkCVEAnt', classname: 'org.owasp.dependencycheck.taskdefs.DependencyCheckTask',
- classpath: configurations.cveCheck.asPath)
-
- // executing checkCVEAnt Task
- ant.checkCVEAnt(
- applicationname: project.name,
- reportoutputdirectory: (new File(rootDir, 'releases/' + version + '/cvecheck/' + project.name)).toString(),
- reportformat: "ALL") {
- fileset(dir: 'build/alldependencies') {
- include(name: '**/**')
- }
- }
- }
- }
- checkCVELocal.dependsOn copyDepsLocal
-
publishing {
publications {
myLibrary(MavenPublication) {
@@ -136,12 +101,25 @@ subprojects {
}
}
-// uploadArchives {
-// repositories.mavenDeployer {
-// repository(url: project.releaseRepoUrl)
-// snapshotRepository(url: project.snapshotRepoUrl)
-// }
-// }
+ dependencies {
+ deployerJars "org.apache.maven.wagon:wagon-ssh:3.4.3"
+
+ }
+
+ uploadArchives {
+ repositories.mavenDeployer {
+ configuration = configurations.deployerJars
+ repository(url: "sftp://apps.egiz.gv.at/maven") {
+ authentication(userName: System.getenv("EGIZ_MAVEN_USER"), password: System.getenv("EGIZ_MAVEN_PASSWORD"))
+
+ }
+ snapshotRepository(url: "sftp://apps.egiz.gv.at/maven-snapshot") {
+ authentication(userName: System.getenv("EGIZ_MAVEN_USER"), password: System.getenv("EGIZ_MAVEN_PASSWORD"))
+
+ }
+ }
+ }
+
task(internalRelease) {
doLast {
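Review bot: `uploadArchives` passes `System.getenv("EGIZ_MAVEN_USER")` and `System.getenv("EGIZ_MAVEN_PASSWORD")` straight into `authentication(...)`, so an unset variable becomes a null credential and a confusing wagon error instead of a clear failure; a guard such as `if (System.getenv("EGIZ_MAVEN_USER") == null) throw new GradleException("EGIZ_MAVEN_USER is not set")` in a `doFirst` of the task would make that obvious. The `maven` plugin that provides `uploadArchives` is removed in Gradle 7 while `maven-publish` is already applied, so a comment noting that this block ties the build to the Gradle 6 line (the CI image is `gradle:6.8.3-jdk11`) would help whoever next bumps the wrapper. As a style point, the stray blank lines inside the `dependencies` and `repository` closures and the second `dependencies` block in the same `subprojects` closure (the first ends at `testImplementation 'junit:junit:4.13.2'`) could be merged. The `subprojects` closure continues outside the hunk.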
diff --git a/pdf-as-cli/build.gradle b/pdf-as-cli/build.gradle
index 79efe54a..2854000f 100644
--- a/pdf-as-cli/build.gradle
+++ b/pdf-as-cli/build.gradle
@@ -35,7 +35,7 @@ dependencies {
implementation group: 'commons-collections', name: 'commons-collections', version: '3.2.2'
implementation group: 'commons-cli', name: 'commons-cli', version: '1.2'
implementation group: 'javax.activation', name: 'activation', version: '1.1.1'
- implementation 'ch.qos.logback:logback-classic:1.1.2'
+ implementation 'ch.qos.logback:logback-classic:1.2.10'
testImplementation group: 'junit', name: 'junit', version: '4.+'
}
diff --git a/pdf-as-common/build.gradle b/pdf-as-common/build.gradle
index a607fcfe..b57f9b6f 100644
--- a/pdf-as-common/build.gradle
+++ b/pdf-as-common/build.gradle
@@ -25,7 +25,7 @@ dependencies {
api group: 'commons-io', name: 'commons-io', version: '2.8.0'
api group: 'ognl', name: 'ognl', version: '3.2.19'
api group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1'
- api 'commons-codec:commons-codec:1.10'
+ api 'commons-codec:commons-codec:1.15'
api group: 'org.glassfish.jaxb', name: 'jaxb-runtime', version: '2.3.3'
api group: 'javax.jws', name: 'javax.jws-api', version: '1.1'
testImplementation group: 'junit', name: 'junit', version: '4.+'
diff --git a/pdf-as-lib/build.gradle b/pdf-as-lib/build.gradle
index e55ac6a3..cff40ef0 100644
--- a/pdf-as-lib/build.gradle
+++ b/pdf-as-lib/build.gradle
@@ -68,9 +68,9 @@ dependencies {
api group: 'org.bouncycastle', name: 'bcprov-jdk15on', version: '1.68'
api group: 'javax.activation', name: 'activation', version: '1.1.1'
api group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1'
- api group: 'com.google.code.gson', name: 'gson', version: '2.8.6'
+ api group: 'com.google.code.gson', name: 'gson', version: '2.8.9'
api group: 'org.bitbucket.b_c', name: 'jose4j', version: '0.7.6'
- api group: 'commons-io', name: 'commons-io', version: '2.8'
+ api group: 'commons-io', name: 'commons-io', version: '2.8.0'
api group: 'org.glassfish.jaxb', name: 'jaxb-runtime', version: '2.3.3'
api 'org.apache.commons:commons-collections4:4.4'
api group: 'ognl', name: 'ognl', version: '3.2.19'
@@ -84,7 +84,7 @@ dependencies {
api group: 'com.google.zxing', name: 'core', version: '3.4.1'
api group: 'com.google.zxing', name: 'javase', version: '3.4.1'
testImplementation group: 'junit', name: 'junit', version: '4.+'
- testCompile "junit:junit:4.11"
+ testCompile "junit:junit:4.13.2"
ws group: 'org.apache.cxf', name: 'cxf-tools', version: cxfVersion
ws group: 'org.apache.cxf', name: 'cxf-tools-wsdlto-databinding-jaxb', version: cxfVersion
ws group: 'org.apache.cxf', name: 'cxf-tools-wsdlto-frontend-jaxws', version: cxfVersion
diff --git a/pdf-as-moa/build.gradle b/pdf-as-moa/build.gradle
index 62fa9530..fd438cbc 100644
--- a/pdf-as-moa/build.gradle
+++ b/pdf-as-moa/build.gradle
@@ -13,7 +13,7 @@ buildscript {
mavenLocal()
mavenCentral()
}
- dependencies { classpath("commons-io:commons-io:2.4") }
+ dependencies { classpath("commons-io:commons-io:2.8.0") }
}
sourceSets {
diff --git a/pdf-as-pdfbox-2/build.gradle b/pdf-as-pdfbox-2/build.gradle
index 66c003ec..b37462bd 100644
--- a/pdf-as-pdfbox-2/build.gradle
+++ b/pdf-as-pdfbox-2/build.gradle
@@ -32,11 +32,11 @@ releases.dependsOn sourcesJar
dependencies {
implementation project (':pdf-as-lib')
implementation group: 'org.slf4j', name: 'slf4j-api', version: slf4jVersion
- implementation 'org.slf4j:jcl-over-slf4j:1.7.30'
- api group: 'org.apache.pdfbox', name: 'pdfbox', version: '2.0.23'
- api group: 'org.apache.pdfbox', name: 'pdfbox-tools', version: '2.0.23'
- api group: 'org.apache.pdfbox', name: 'preflight', version: '2.0.23'
- implementation group: 'commons-io', name: 'commons-io', version: '2.8'
+ implementation 'org.slf4j:jcl-over-slf4j:1.7.32'
+ api group: 'org.apache.pdfbox', name: 'pdfbox', version: '2.0.25'
+ api group: 'org.apache.pdfbox', name: 'pdfbox-tools', version: '2.0.25'
+ api group: 'org.apache.pdfbox', name: 'preflight', version: '2.0.25'
+ implementation group: 'commons-io', name: 'commons-io', version: '2.8.0'
implementation group: 'ognl', name: 'ognl', version: '3.2.19'
testImplementation group: 'junit', name: 'junit', version: '4.+'
diff --git a/pdf-as-pdfbox-2/src/test/resources/1Sign_manyQR.pdf b/pdf-as-pdfbox-2/src/test/resources/1Sign_manyQR.pdf
new file mode 100644
index 00000000..0784592a
--- /dev/null
+++ b/pdf-as-pdfbox-2/src/test/resources/1Sign_manyQR.pdf
Binary files differ
diff --git a/pdf-as-pdfbox-2/src/test/resources/new_qr_2-2.pdf b/pdf-as-pdfbox-2/src/test/resources/new_qr_2-2.pdf
new file mode 100644
index 00000000..565ce8e6
--- /dev/null
+++ b/pdf-as-pdfbox-2/src/test/resources/new_qr_2-2.pdf
Binary files differ
diff --git a/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed.pdf b/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed.pdf
new file mode 100644
index 00000000..be6fdddb
--- /dev/null
+++ b/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed.pdf
Binary files differ
diff --git a/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed.pdf b/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed.pdf
new file mode 100644
index 00000000..ee0f140f
--- /dev/null
+++ b/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed.pdf
Binary files differ
diff --git a/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed_signed.pdf b/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed_signed.pdf
new file mode 100644
index 00000000..34769dd0
--- /dev/null
+++ b/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed_signed.pdf
Binary files differ
diff --git a/pdf-as-web-db/build.gradle b/pdf-as-web-db/build.gradle
index 91a4825d..6f252a32 100644
--- a/pdf-as-web-db/build.gradle
+++ b/pdf-as-web-db/build.gradle
@@ -17,9 +17,9 @@ dependencies {
implementation project (':pdf-as-web')
implementation project (':pdf-as-web-status')
implementation project (':pdf-as-web-statistic-api')
- api "org.hibernate:hibernate-core:4.3.11.Final"
- api "org.hibernate:hibernate-entitymanager:4.3.11.Final"
- implementation group: 'log4j', name: 'log4j', version: '1.2.17'
+ api "org.hibernate:hibernate-core:5.6.2.Final"
+ api "org.hibernate:hibernate-entitymanager:5.6.2.Final"
+ implementation 'ch.qos.logback:logback-classic:1.2.10'
implementation group: 'org.slf4j', name: 'slf4j-api', version: slf4jVersion
testImplementation group: 'junit', name: 'junit', version: '4.+'
}
diff --git a/pdf-as-web-statistic-api/build.gradle b/pdf-as-web-statistic-api/build.gradle
index aa9429d7..377c0714 100644
--- a/pdf-as-web-statistic-api/build.gradle
+++ b/pdf-as-web-statistic-api/build.gradle
@@ -22,7 +22,7 @@ sourceSets.test.runtimeClasspath += configurations.providedCompile
dependencies {
implementation group: 'org.slf4j', name: 'slf4j-api', version: slf4jVersion
- implementation 'org.apache.commons:commons-lang3:3.3.2'
+ implementation 'org.apache.commons:commons-lang3:3.12.0'
testImplementation group: 'junit', name: 'junit', version: '4.+'
}
diff --git a/pdf-as-web/build.gradle b/pdf-as-web/build.gradle
index f6479d55..cf14365b 100644
--- a/pdf-as-web/build.gradle
+++ b/pdf-as-web/build.gradle
@@ -3,7 +3,7 @@ apply plugin: 'eclipse'
apply plugin: 'eclipse-wtp'
apply plugin: 'war'
-apply plugin: 'org.akhikhl.gretty'
+apply plugin: 'org.gretty'
buildscript {
repositories {
@@ -16,7 +16,7 @@ buildscript {
}
dependencies {
- classpath 'org.akhikhl.gretty:gretty:+'
+ classpath 'org.gretty:gretty:3.0.7'
}
}
@@ -51,18 +51,20 @@ dependencies {
api project (':signature-standards:sigs-pades')
api project (':pdf-as-web-status')
api project (':pdf-as-web-statistic-api')
- api group: 'commons-fileupload', name: 'commons-fileupload', version: '1.3.1'
+ api group: 'commons-fileupload', name: 'commons-fileupload', version: '1.4'
+ // Upgrade dependency of commons-fileupload from 2.2 to 2.8.0 to avoid CVE-2021-29425
+ api group: 'commons-io', name: 'commons-io', version: '2.8.0'
api group: 'opensymphony', name: 'sitemesh', version: '2.4.2'
api group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1'
api group: 'javax.xml.ws', name: 'jaxws-api', version: '2.3.1'
api group: 'org.glassfish.jaxb', name: 'jaxb-runtime', version: '2.3.3'
api "commons-codec:commons-codec:1.15"
api 'org.apache.commons:commons-lang3:3.12.0'
- api 'org.apache.cxf:cxf-rt-transports-http:3.4.1'
- api 'org.apache.cxf:cxf-rt-frontend-jaxws:3.4.1'
- api 'com.thetransactioncompany:cors-filter:2.9.1'
- api 'ch.qos.logback:logback-classic:1.2.3'
- api 'ch.qos.logback:logback-core:1.2.3'
+ api 'org.apache.cxf:cxf-rt-transports-http:3.4.5'
+ api 'org.apache.cxf:cxf-rt-frontend-jaxws:3.4.5'
+ api 'com.thetransactioncompany:cors-filter:2.10'
+ api 'ch.qos.logback:logback-classic:1.2.10'
+ api 'ch.qos.logback:logback-core:1.2.10'
api 'org.json:json:20210307'
api group: 'javax.jws', name: 'javax.jws-api', version: '1.1'
pdfbox2 project (':pdf-as-pdfbox-2')
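Review bot: The comment above `api group: 'commons-io', name: 'commons-io', version: '2.8.0'` says it upgrades a transitive dependency of commons-fileupload, but the line declares commons-io as a direct `api` dependency, which relies on highest-version conflict resolution and additionally exports commons-io to every consumer of this module; a `constraints { api 'commons-io:commons-io:2.8.0' }` entry expresses "pin the transitive" without adding API surface. The same `2.8.0` literal is now repeated in pdf-as-lib, pdf-as-moa, pdf-as-pdfbox-2 and here, while `slf4jVersion` and `cxfVersion` are centralised in the root `ext` block; a `commonsIoVersion` there would turn the next CVE bump into a single edit. The `dependencies` block continues outside the hunk.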
@@ -72,8 +74,8 @@ dependencies {
gretty {
// supported values:
- // 'jetty7', 'jetty8', 'jetty9', 'tomcat7', 'tomcat8'
- servletContainer = 'jetty9'
+ // 'jetty7', 'jetty8', 'jetty9', 'jetty9.3', 'jetty9.4', 'tomcat85', 'tomcat9'
+ servletContainer = 'tomcat85'
jvmArgs = [ '-Dpdf-as-web.conf=' + System.getProperty("user.home") + '/.pdfas/pdf-as-web.properties' ]
}
@@ -272,13 +274,8 @@ task releases(dependsOn: buildTomcat, type: Copy) {
from archive
from tararchive
into rootDir.toString() + "/releases/" + version
-
-
-
}
-
-
releases.dependsOn jar
releases.dependsOn sourcesJar
releases.dependsOn war
diff --git a/pdf-as-web/gradle.properties b/pdf-as-web/gradle.properties
new file mode 100644
index 00000000..887ae74e
--- /dev/null
+++ b/pdf-as-web/gradle.properties
@@ -0,0 +1,3 @@
+jetty94Version = 9.4.44.v20210927
+jetty93Version = 9.3.30.v20211001
+jetty9Version = 9.2.30.v20200428 \ No newline at end of file