author | Gerald Palfinger <gerald.palfinger@iaik.tugraz.at> | 2022-01-20 14:20:41 +0000 |
---|---|---|
committer | Gerald Palfinger <gerald.palfinger@iaik.tugraz.at> | 2022-01-20 14:20:41 +0000 |
commit | 863eef9357f985936f0e72a267232fbd42315d95 (patch) | |
tree | b47bbb1f43d250b4a009aa5fe9b3a013ffe5a292 | |
parent | 70efc77fb1ba95a74ad8c7ce6ad097de35d208e2 (diff) | |
parent | 228b1e2dc09d9554edcd667c68325709d1fb0d3e (diff) | |
download | pdf-as-4-863eef9357f985936f0e72a267232fbd42315d95.tar.gz pdf-as-4-863eef9357f985936f0e72a267232fbd42315d95.tar.bz2 pdf-as-4-863eef9357f985936f0e72a267232fbd42315d95.zip |
Merge branch 'issue_58' into 'master'
Update all vulnerable dependencies
See merge request egiz/pdf-as-4!1
-rw-r--r-- | .gitlab-ci.yml | 86 | ||||
-rw-r--r-- | build.gradle | 102 | ||||
-rw-r--r-- | pdf-as-cli/build.gradle | 2 | ||||
-rw-r--r-- | pdf-as-common/build.gradle | 2 | ||||
-rw-r--r-- | pdf-as-lib/build.gradle | 6 | ||||
-rw-r--r-- | pdf-as-moa/build.gradle | 2 | ||||
-rw-r--r-- | pdf-as-pdfbox-2/build.gradle | 10 | ||||
-rw-r--r-- | pdf-as-pdfbox-2/src/test/resources/1Sign_manyQR.pdf | bin | 0 -> 188967 bytes | |||
-rw-r--r-- | pdf-as-pdfbox-2/src/test/resources/new_qr_2-2.pdf | bin | 0 -> 182043 bytes | |||
-rw-r--r-- | pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed.pdf | bin | 0 -> 225097 bytes | |||
-rw-r--r-- | pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed.pdf | bin | 0 -> 267093 bytes | |||
-rw-r--r-- | pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed_signed.pdf | bin | 0 -> 310607 bytes | |||
-rw-r--r-- | pdf-as-web-db/build.gradle | 6 | ||||
-rw-r--r-- | pdf-as-web-statistic-api/build.gradle | 2 | ||||
-rw-r--r-- | pdf-as-web/build.gradle | 27 | ||||
-rw-r--r-- | pdf-as-web/gradle.properties | 3 |
16 files changed, 156 insertions, 92 deletions
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 00000000..1cd13b89
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,86 @@
+image: gradle:6.8.3-jdk11
+
+variables:
+ LC_ALL: "en_US.UTF-8"
+ LANG: "en_US.UTF-8"
+ LANGUAGE: "en_US"
+ LIB_NAME: "PDF-AS 4"
+ GIT_DEPTH: "2"
+ SECURE_LOG_LEVEL: "debug"
+
+include:
+ - template: Dependency-Scanning.gitlab-ci.yml
+ - template: Security/SAST.gitlab-ci.yml
+ - template: Secret-Detection.gitlab-ci.yml
+
+default:
+ tags:
+ - docker
+
+stages:
+ - assemble
+ - test
+ - package
+ - release
+
+cache:
+ paths:
+ - .m2/repository
+ - .gradle/wrapper
+ - .gradle/caches
+
+assemble:
+ stage: assemble
+ tags:
+ - docker
+ except:
+ - tags
+ script: |
+ ./gradlew --warning-mode all -x test clean build
+ artifacts:
+ when: always
+ reports:
+ junit: "**/build/test-results/test/**/TEST-*.xml"
+
+release_packaging:
+ stage: package
+ tags:
+ - docker
+ except:
+ - tags
+ - /^feature/.*$/i
+ - /^issue.*$/i
+ before_script:
+ - mkdir -p ~/.ssh
+ - ssh-keyscan apps.egiz.gv.at >> ~/.ssh/known_hosts
+ - chmod 644 ~/.ssh/known_hosts
+ script: |
+ ./gradlew --stacktrace -x test assemble uploadArchives
+ artifacts:
+ when: always
+ name: "${CI_PROJECT_NAME}-${CI_COMMIT_SHORT_SHA}"
+ reports:
+ dotenv: variables.env
+
+release:
+ stage: release
+ image: registry.gitlab.com/gitlab-org/release-cli:latest
+ tags:
+ - docker
+ needs:
+ - job: assemble
+ artifacts: true
+ when: manual
+ only:
+ - master
+ script: |
+ echo "Releasing version $VERSION of $LIB_NAME"
+ echo "Publishing version $VERSION to public EGIZ maven"
+ cd ./moaSig
+ ./gradlew release
+ artifacts:
+ name: "${CI_PROJECT_NAME}-${CI_COMMIT_SHORT_SHA}-release"
+ expire_in: never
+ paths:
+ - "../release/${VERSION}/pdf-as-web-${VERSION}.war"
+ - "../release/${VERSION}/pdf-as-lib-${VERSION}.zip"
diff --git a/build.gradle b/build.gradle
index 6fe2c297..4d5f0d41 100644
--- a/build.gradle
+++ b/build.gradle
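Review bot: `ssh-keyscan apps.egiz.gv.at >> ~/.ssh/known_hosts` in the `release_packaging` before_script trusts whatever host key the network returns at pipeline time, so the SFTP `uploadArchives` step that follows has no meaningful host-key verification for the release repository. Keep the expected host key as a protected CI variable and append that instead, e.g. `- echo "$EGIZ_MAVEN_HOST_KEY" >> ~/.ssh/known_hosts` (variable name is a placeholder), so a substituted host fails the connection rather than receiving the credentials. In the `release` job, `cd ./moaSig` does not correspond to any path touched in this merge and `$VERSION` is only produced by `release_packaging` (`dotenv: variables.env`), which `release` does not list under `needs`, so that job looks carried over from another project and is worth confirming before it is run. `SECURE_LOG_LEVEL: "debug"` makes the included scanning templates verbose in job logs; it is presumably temporary and should be noted as such.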
@@ -6,6 +6,7 @@ buildscript { dependencies { classpath "com.github.ben-manes:gradle-versions-plugin:0.28.0" + classpath "org.owasp:dependency-check-gradle:6.5.0.1" } } @@ -15,50 +16,37 @@ allprojects { version = '4.2.1-SNAPSHOT' } -configurations { - cveCheck -} - -dependencies { - cveCheck 'org.owasp:dependency-check-ant:1.2.5' -} - -task checkCVE { - doLast { - // Redefine checkCVEAnt Ant task, with the classpath property set to our newly defined - // cveCheck configuration classpath. - ant.taskdef(name: 'checkCVEAnt', classname: 'org.owasp.dependencycheck.taskdefs.DependencyCheckTask', - classpath: configurations.cveCheck.asPath) - - // executing checkCVEAnt Task - ant.checkCVEAnt( - applicationname: "PDF-AS", - reportoutputdirectory: (new File(rootDir, 'releases/cvecheck/' + project.name)).toString(), - reportformat: "ALL") { - fileset(dir: (new File(rootDir, 'build/alldependencies')).toString()) { - include(name: '**/**') - } - } - } -} - subprojects { apply plugin: 'java-library' apply plugin: 'eclipse' apply plugin: 'maven-publish' - //apply plugin: 'maven' + apply plugin: 'maven' + apply plugin: 'org.owasp.dependencycheck' group = 'at.gv.egiz.pdfas' configurations { deployerJars - cveCheck } - repositories { mavenCentral() } + repositories { + mavenCentral() + + maven { + url "https://apps.egiz.gv.at/maven/" + mavenContent { + releasesOnly() + } + } + maven { + url "https://apps.egiz.gv.at/maven-snapshot/" + mavenContent { + snapshotsOnly() + } + } + } dependencies { testImplementation 'junit:junit:4.13.2' - cveCheck 'org.owasp:dependency-check-ant:6.1.3' } task sourcesJar(type: Jar, dependsOn: classes) { @@ -82,8 +70,8 @@ subprojects { //tomcatVersion = '7.0.54'; //tomcatVersion = '8.0.36'; tomcatVersion = '9.0.46'; - slf4jVersion = '1.7.30' - cxfVersion = '3.0.1' + slf4jVersion = '1.7.32' + cxfVersion = '3.4.5' } jar { manifest.attributes provider: 'EGIZ', 'Specification-Version': getCheckedOutGitCommitHash(), 'Implementation-Version': project.version } 
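Review bot: The `org.owasp:dependency-check-gradle:6.5.0.1` classpath entry (and the `apply plugin: 'org.owasp.dependencycheck'` in the next hunk) replaces the removed Ant-based `checkCVE` / `checkCVELocal` tasks, but nothing in this merge invokes the plugin's `dependencyCheckAnalyze` or `dependencyCheckAggregate` task, and the new `.gitlab-ci.yml` only runs `build` and `assemble`, so the local CVE report simply disappears. The GitLab Dependency-Scanning template covers CI, but developers building offline lose the check that existed before. At minimum a comment on the classpath line should say how the report is now produced, e.g. `// replaces the former Ant-based checkCVE tasks; report via ./gradlew dependencyCheckAggregate`, and if the report is still wanted in CI the task belongs in the `assemble` job's script.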
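Review bot: The two `maven { url "https://apps.egiz.gv.at/..." }` repositories added to every subproject are filtered only by `releasesOnly()` / `snapshotsOnly()`, so for any module Maven Central does not serve (and for every snapshot) Gradle will accept whatever those hosts return for arbitrary coordinates. If they only host the project's own artifacts, restrict them with a group filter inside the same `mavenContent` block, e.g. `includeGroupByRegex 'at\\.gv\\.egiz.*'` (adjust the pattern to the groups actually hosted there); that is a one-line change per repository and removes the possibility of an unrelated coordinate being resolved from them. The `subprojects {}` block continues past this hunk.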
@@ -97,30 +85,7 @@ subprojects {
 from configurations.runtime
 into 'build/alldependencies'
 }
-
- rootProject.checkCVE.dependsOn copyDeps
-
- task checkCVELocal {
- doLast {
- // Redefine checkCVEAnt Ant task, with the classpath property set to our newly defined
- // cveCheck configuration classpath.
- ant.taskdef(name: 'checkCVEAnt', classname: 'org.owasp.dependencycheck.taskdefs.DependencyCheckTask',
- classpath: configurations.cveCheck.asPath)
-
- // executing checkCVEAnt Task
- ant.checkCVEAnt(
- applicationname: project.name,
- reportoutputdirectory: (new File(rootDir, 'releases/' + version + '/cvecheck/' + project.name)).toString(),
- reportformat: "ALL") {
- fileset(dir: 'build/alldependencies') {
- include(name: '**/**')
- }
- }
- }
- }
- checkCVELocal.dependsOn copyDepsLocal
-
 publishing {
 publications {
 myLibrary(MavenPublication) {
@@ -136,12 +101,25 @@ subprojects {
 }
 }
-// uploadArchives {
-// repositories.mavenDeployer {
-// repository(url: project.releaseRepoUrl)
-// snapshotRepository(url: project.snapshotRepoUrl)
-// }
-// }
+ dependencies {
+ deployerJars "org.apache.maven.wagon:wagon-ssh:3.4.3"
+
+ }
+
+ uploadArchives {
+ repositories.mavenDeployer {
+ configuration = configurations.deployerJars
+ repository(url: "sftp://apps.egiz.gv.at/maven") {
+ authentication(userName: System.getenv("EGIZ_MAVEN_USER"), password: System.getenv("EGIZ_MAVEN_PASSWORD"))
+
+ }
+ snapshotRepository(url: "sftp://apps.egiz.gv.at/maven-snapshot") {
+ authentication(userName: System.getenv("EGIZ_MAVEN_USER"), password: System.getenv("EGIZ_MAVEN_PASSWORD"))
+
+ }
+ }
+ }
+
 task(internalRelease) {
 doLast {
diff --git a/pdf-as-cli/build.gradle b/pdf-as-cli/build.gradle
index 79efe54a..2854000f 100644
--- a/pdf-as-cli/build.gradle
+++ b/pdf-as-cli/build.gradle
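Review bot: The new `uploadArchives` block is built on the legacy `maven` plugin that the previous hunk re-enables, which Gradle 6 already deprecates and Gradle 7 removes, while `maven-publish` is applied in the same `subprojects {}` block and a `publishing { publications { myLibrary(MavenPublication) … } }` section sits just above. The upload belongs under `publishing.repositories` so that `./gradlew publish` replaces `uploadArchives` (the `.gitlab-ci.yml` script would then call `publish`); the `System.getenv("EGIZ_MAVEN_USER")` / `EGIZ_MAVEN_PASSWORD` lookups carry over unchanged and the `wagon-ssh` dependency and `deployerJars` configuration become unnecessary. Note also that with the variables unset, `authentication(userName: null, password: null)` is accepted silently and the job fails only when the transfer starts, which the `credentials {}` form makes no worse but a comment should state. The `subprojects {}` block starts and ends outside this hunk.
```groovy
publishing {
    // … unchanged: publications { myLibrary(MavenPublication) … } …
    repositories {
        maven {
            name = 'egiz'
            // snapshots and releases live in separate SFTP trees; version is set in allprojects {}
            url = version.endsWith('SNAPSHOT') ? 'sftp://apps.egiz.gv.at/maven-snapshot' : 'sftp://apps.egiz.gv.at/maven'
            credentials {
                // read from CI; unset variables surface as an authentication failure at publish time
                username = System.getenv("EGIZ_MAVEN_USER")
                password = System.getenv("EGIZ_MAVEN_PASSWORD")
            }
        }
    }
}
```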
@@ -35,7 +35,7 @@ dependencies {
 implementation group: 'commons-collections', name: 'commons-collections', version: '3.2.2'
 implementation group: 'commons-cli', name: 'commons-cli', version: '1.2'
 implementation group: 'javax.activation', name: 'activation', version: '1.1.1'
- implementation 'ch.qos.logback:logback-classic:1.1.2'
+ implementation 'ch.qos.logback:logback-classic:1.2.10'
 testImplementation group: 'junit', name: 'junit', version: '4.+'
 }
diff --git a/pdf-as-common/build.gradle b/pdf-as-common/build.gradle
index a607fcfe..b57f9b6f 100644
--- a/pdf-as-common/build.gradle
+++ b/pdf-as-common/build.gradle
@@ -25,7 +25,7 @@ dependencies {
 api group: 'commons-io', name: 'commons-io', version: '2.8.0'
 api group: 'ognl', name: 'ognl', version: '3.2.19'
 api group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1'
- api 'commons-codec:commons-codec:1.10'
+ api 'commons-codec:commons-codec:1.15'
 api group: 'org.glassfish.jaxb', name: 'jaxb-runtime', version: '2.3.3'
 api group: 'javax.jws', name: 'javax.jws-api', version: '1.1'
 testImplementation group: 'junit', name: 'junit', version: '4.+'
diff --git a/pdf-as-lib/build.gradle b/pdf-as-lib/build.gradle
index e55ac6a3..cff40ef0 100644
--- a/pdf-as-lib/build.gradle
+++ b/pdf-as-lib/build.gradle
@@ -68,9 +68,9 @@ dependencies {
 api group: 'org.bouncycastle', name: 'bcprov-jdk15on', version: '1.68'
 api group: 'javax.activation', name: 'activation', version: '1.1.1'
 api group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1'
- api group: 'com.google.code.gson', name: 'gson', version: '2.8.6'
+ api group: 'com.google.code.gson', name: 'gson', version: '2.8.9'
 api group: 'org.bitbucket.b_c', name: 'jose4j', version: '0.7.6'
- api group: 'commons-io', name: 'commons-io', version: '2.8'
+ api group: 'commons-io', name: 'commons-io', version: '2.8.0'
 api group: 'org.glassfish.jaxb', name: 'jaxb-runtime', version: '2.3.3'
 api 'org.apache.commons:commons-collections4:4.4'
 api group: 'ognl', name: 'ognl', version: '3.2.19'
@@ -84,7 +84,7 @@ dependencies {
 api group: 'com.google.zxing', name: 'core', version: '3.4.1'
 api group: 'com.google.zxing', name: 'javase', version: '3.4.1'
 testImplementation group: 'junit', name: 'junit', version: '4.+'
- testCompile "junit:junit:4.11"
+ testCompile "junit:junit:4.13.2"
 ws group: 'org.apache.cxf', name: 'cxf-tools', version: cxfVersion
 ws group: 'org.apache.cxf', name: 'cxf-tools-wsdlto-databinding-jaxb', version: cxfVersion
 ws group: 'org.apache.cxf', name: 'cxf-tools-wsdlto-frontend-jaxws', version: cxfVersion
diff --git a/pdf-as-moa/build.gradle b/pdf-as-moa/build.gradle
index 62fa9530..fd438cbc 100644
--- a/pdf-as-moa/build.gradle
+++ b/pdf-as-moa/build.gradle
@@ -13,7 +13,7 @@ buildscript {
 mavenLocal()
 mavenCentral()
 }
- dependencies { classpath("commons-io:commons-io:2.4") }
+ dependencies { classpath("commons-io:commons-io:2.8.0") }
 }
 sourceSets {
diff --git a/pdf-as-pdfbox-2/build.gradle b/pdf-as-pdfbox-2/build.gradle
index 66c003ec..b37462bd 100644
--- a/pdf-as-pdfbox-2/build.gradle
+++ b/pdf-as-pdfbox-2/build.gradle
@@ -32,11 +32,11 @@ releases.dependsOn sourcesJar
 dependencies {
 implementation project (':pdf-as-lib')
 implementation group: 'org.slf4j', name: 'slf4j-api', version: slf4jVersion
- implementation 'org.slf4j:jcl-over-slf4j:1.7.30'
- api group: 'org.apache.pdfbox', name: 'pdfbox', version: '2.0.23'
- api group: 'org.apache.pdfbox', name: 'pdfbox-tools', version: '2.0.23'
- api group: 'org.apache.pdfbox', name: 'preflight', version: '2.0.23'
- implementation group: 'commons-io', name: 'commons-io', version: '2.8'
+ implementation 'org.slf4j:jcl-over-slf4j:1.7.32'
+ api group: 'org.apache.pdfbox', name: 'pdfbox', version: '2.0.25'
+ api group: 'org.apache.pdfbox', name: 'pdfbox-tools', version: '2.0.25'
+ api group: 'org.apache.pdfbox', name: 'preflight', version: '2.0.25'
+ implementation group: 'commons-io', name: 'commons-io', version: '2.8.0'
 implementation group: 'ognl', name: 'ognl', version: '3.2.19'
 testImplementation group: 'junit', name: 'junit', version: '4.+'
diff --git a/pdf-as-pdfbox-2/src/test/resources/1Sign_manyQR.pdf b/pdf-as-pdfbox-2/src/test/resources/1Sign_manyQR.pdf
Binary files differ
new file mode 100644
index 00000000..0784592a
--- /dev/null
+++ b/pdf-as-pdfbox-2/src/test/resources/1Sign_manyQR.pdf
diff --git a/pdf-as-pdfbox-2/src/test/resources/new_qr_2-2.pdf b/pdf-as-pdfbox-2/src/test/resources/new_qr_2-2.pdf
Binary files differ
new file mode 100644
index 00000000..565ce8e6
--- /dev/null
+++ b/pdf-as-pdfbox-2/src/test/resources/new_qr_2-2.pdf
diff --git a/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed.pdf b/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed.pdf
Binary files differ
new file mode 100644
index 00000000..be6fdddb
--- /dev/null
+++ b/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed.pdf
diff --git a/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed.pdf b/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed.pdf
Binary files differ
new file mode 100644
index 00000000..ee0f140f
--- /dev/null
+++ b/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed.pdf
diff --git a/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed_signed.pdf b/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed_signed.pdf
Binary files differ
new file mode 100644
index 00000000..34769dd0
--- /dev/null
+++ b/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed_signed.pdf
diff --git a/pdf-as-web-db/build.gradle b/pdf-as-web-db/build.gradle
index 91a4825d..6f252a32 100644
--- a/pdf-as-web-db/build.gradle
+++ b/pdf-as-web-db/build.gradle
@@ -17,9 +17,9 @@ dependencies {
 implementation project (':pdf-as-web')
 implementation project (':pdf-as-web-status')
 implementation project (':pdf-as-web-statistic-api')
- api "org.hibernate:hibernate-core:4.3.11.Final"
- api "org.hibernate:hibernate-entitymanager:4.3.11.Final"
- implementation group: 'log4j', name: 'log4j', version: '1.2.17'
+ api "org.hibernate:hibernate-core:5.6.2.Final"
+ api "org.hibernate:hibernate-entitymanager:5.6.2.Final"
+ implementation 'ch.qos.logback:logback-classic:1.2.10'
 implementation group: 'org.slf4j', name: 'slf4j-api', version: slf4jVersion
 testImplementation group: 'junit', name: 'junit', version: '4.+'
 }
diff --git a/pdf-as-web-statistic-api/build.gradle b/pdf-as-web-statistic-api/build.gradle
index aa9429d7..377c0714 100644
--- a/pdf-as-web-statistic-api/build.gradle
+++ b/pdf-as-web-statistic-api/build.gradle
@@ -22,7 +22,7 @@ sourceSets.test.runtimeClasspath += configurations.providedCompile
 dependencies {
 implementation group: 'org.slf4j', name: 'slf4j-api', version: slf4jVersion
- implementation 'org.apache.commons:commons-lang3:3.3.2'
+ implementation 'org.apache.commons:commons-lang3:3.12.0'
 testImplementation group: 'junit', name: 'junit', version: '4.+'
 }
diff --git a/pdf-as-web/build.gradle b/pdf-as-web/build.gradle
index f6479d55..cf14365b 100644
--- a/pdf-as-web/build.gradle
+++ b/pdf-as-web/build.gradle
@@ -3,7 +3,7 @@ apply plugin: 'eclipse' apply plugin: 'eclipse-wtp' apply plugin: 'war' -apply plugin: 'org.akhikhl.gretty' +apply plugin: 'org.gretty' buildscript { repositories { @@ -16,7 +16,7 @@ buildscript { } dependencies { - classpath 'org.akhikhl.gretty:gretty:+' + classpath 'org.gretty:gretty:3.0.7' } } @@ -51,18 +51,20 @@ dependencies { api project (':signature-standards:sigs-pades') api project (':pdf-as-web-status') api project (':pdf-as-web-statistic-api') - api group: 'commons-fileupload', name: 'commons-fileupload', version: '1.3.1' + api group: 'commons-fileupload', name: 'commons-fileupload', version: '1.4' + // Upgrade dependency of commons-fileupload from 2.2 to 2.8.0 to avoid CVE-2021-29425 + api group: 'commons-io', name: 'commons-io', version: '2.8.0' api group: 'opensymphony', name: 'sitemesh', version: '2.4.2' api group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1' api group: 'javax.xml.ws', name: 'jaxws-api', version: '2.3.1' api group: 'org.glassfish.jaxb', name: 'jaxb-runtime', version: '2.3.3' api "commons-codec:commons-codec:1.15" api 'org.apache.commons:commons-lang3:3.12.0' - api 'org.apache.cxf:cxf-rt-transports-http:3.4.1' - api 'org.apache.cxf:cxf-rt-frontend-jaxws:3.4.1' - api 'com.thetransactioncompany:cors-filter:2.9.1' - api 'ch.qos.logback:logback-classic:1.2.3' - api 'ch.qos.logback:logback-core:1.2.3' + api 'org.apache.cxf:cxf-rt-transports-http:3.4.5' + api 'org.apache.cxf:cxf-rt-frontend-jaxws:3.4.5' + api 'com.thetransactioncompany:cors-filter:2.10' + api 'ch.qos.logback:logback-classic:1.2.10' + api 'ch.qos.logback:logback-core:1.2.10' api 'org.json:json:20210307' api group: 'javax.jws', name: 'javax.jws-api', version: '1.1' pdfbox2 project (':pdf-as-pdfbox-2') 
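Review bot: The `api group: 'commons-io', name: 'commons-io', version: '2.8.0'` line in the `@@ -51,18 +51,20 @@` hunk works only because Gradle's default conflict resolution picks the highest requested version, so it is a floor rather than a pin, and the same `2.8.0` literal is now repeated in pdf-as-common, pdf-as-lib, pdf-as-moa and pdf-as-pdfbox-2 (hunks above). Since this merge already centralizes `slf4jVersion` and `cxfVersion` in the root `ext` block, a `commonsIoVersion` there would keep the CVE floor in one place and make the next bump a one-line change. The comment above the line would also read better as `// Force commons-io >= 2.8.0: commons-fileupload 1.4 pulls in 2.2, which is affected by CVE-2021-29425`, since the current wording suggests commons-fileupload itself is being upgraded. The `dependencies {}` block continues outside the hunk.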
@@ -72,8 +74,8 @@ dependencies {
 gretty {
 // supported values:
- // 'jetty7', 'jetty8', 'jetty9', 'tomcat7', 'tomcat8'
- servletContainer = 'jetty9'
+ // 'jetty7', 'jetty8', 'jetty9', 'jetty9.3', 'jetty9.4', 'tomcat85', 'tomcat9'
+ servletContainer = 'tomcat85'
 jvmArgs = [ '-Dpdf-as-web.conf=' + System.getProperty("user.home") + '/.pdfas/pdf-as-web.properties' ]
 }
@@ -272,13 +274,8 @@ task releases(dependsOn: buildTomcat, type: Copy) {
 from archive
 from tararchive
 into rootDir.toString() + "/releases/" + version
-
-
-
 }
-
-
 releases.dependsOn jar
 releases.dependsOn sourcesJar
 releases.dependsOn war
diff --git a/pdf-as-web/gradle.properties b/pdf-as-web/gradle.properties
new file mode 100644
index 00000000..887ae74e
--- /dev/null
+++ b/pdf-as-web/gradle.properties
@@ -0,0 +1,3 @@
+jetty94Version = 9.4.44.v20210927
+jetty93Version = 9.3.30.v20211001
+jetty9Version = 9.2.30.v20200428
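Review bot: `servletContainer = 'tomcat85'` makes the Gretty development container Tomcat 8.5 while the root build.gradle hunk above keeps `tomcatVersion = '9.0.46'` for packaging, so local runs no longer exercise the container line the WAR is actually built against. The updated comment lists `'tomcat9'` as a supported value, so `servletContainer = 'tomcat9'` would keep the two aligned. If the switch away from `jetty9` to an 8.5 container was deliberate (a Gretty 3 constraint, for instance), a one-line comment next to the assignment saying why would spare the next reader the question. The `gretty {}` block is complete within the hunk.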
\ No newline at end of file |