Merge branch 'issue_58' into 'master'

Update all vulnerable dependencies

See merge request egiz/pdf-as-4!1

16 files changed, 156 insertions, 92 deletions

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
new file mode 100644
index 00000000..1cd13b89
--- /dev/null
+++ b/.gitlab-ci.yml
@@ -0,0 +1,86 @@
+image: gradle:6.8.3-jdk11
+
+variables:
+  LC_ALL: "en_US.UTF-8"
+  LANG: "en_US.UTF-8"
+  LANGUAGE: "en_US"
+  LIB_NAME: "PDF-AS 4"
+  GIT_DEPTH: "2"
+  SECURE_LOG_LEVEL: "debug"  
+  
+include:
+  - template: Dependency-Scanning.gitlab-ci.yml
+  - template: Security/SAST.gitlab-ci.yml
+  - template: Secret-Detection.gitlab-ci.yml
+
+default:
+  tags:
+    - docker
+    
+stages:
+  - assemble
+  - test
+  - package
+  - release
+
+cache:
+  paths:
+    - .m2/repository
+    - .gradle/wrapper
+    - .gradle/caches
+
+assemble:
+  stage: assemble
+  tags:
+    - docker    
+  except:
+    - tags  
+  script: |
+    ./gradlew --warning-mode all -x test clean build 
+  artifacts:
+    when: always
+    reports:
+      junit: "**/build/test-results/test/**/TEST-*.xml"
+
+release_packaging:
+  stage: package
+  tags:
+    - docker    
+  except:
+    - tags  
+    - /^feature/.*$/i
+    - /^issue.*$/i
+  before_script:
+    - mkdir -p ~/.ssh
+    - ssh-keyscan apps.egiz.gv.at >> ~/.ssh/known_hosts
+    - chmod 644 ~/.ssh/known_hosts      
+  script: |
+    ./gradlew --stacktrace -x test assemble uploadArchives
+  artifacts:
+    when: always
+    name: "${CI_PROJECT_NAME}-${CI_COMMIT_SHORT_SHA}"  
+    reports:
+      dotenv: variables.env    
+    
+release:
+  stage: release
+  image: registry.gitlab.com/gitlab-org/release-cli:latest
+  tags:
+    - docker   
+  needs:
+    - job: assemble
+      artifacts: true
+  when: manual
+  only:
+    - master
+  script: |
+    echo "Releasing version $VERSION of $LIB_NAME"
+    echo "Publishing version $VERSION to public EGIZ maven"
+    cd ./moaSig
+    ./gradlew release
+  artifacts:
+    name: "${CI_PROJECT_NAME}-${CI_COMMIT_SHORT_SHA}-release"
+    expire_in: never
+    paths:
+      - "../release/${VERSION}/pdf-as-web-${VERSION}.war"
+      - "../release/${VERSION}/pdf-as-lib-${VERSION}.zip"
diff --git a/build.gradle b/build.gradle
index 6fe2c297..4d5f0d41 100644
--- a/build.gradle
+++ b/build.gradle
@@ -6,6 +6,7 @@ buildscript {
 	
 	dependencies {
 		 classpath "com.github.ben-manes:gradle-versions-plugin:0.28.0"
+		 classpath "org.owasp:dependency-check-gradle:6.5.0.1"
 	}
 }
 
@@ -15,50 +16,37 @@ allprojects {
 	version = '4.2.1-SNAPSHOT'
 }
 
-configurations {
-	cveCheck
-}
-
-dependencies {
-	cveCheck 'org.owasp:dependency-check-ant:1.2.5'
-}
-
-task checkCVE {
-	doLast {
-		// Redefine checkCVEAnt Ant task, with the classpath property set to our newly defined
-		// cveCheck configuration classpath.
-		ant.taskdef(name: 'checkCVEAnt', classname: 'org.owasp.dependencycheck.taskdefs.DependencyCheckTask',
-			classpath: configurations.cveCheck.asPath)
-	
-		// executing checkCVEAnt Task
-		ant.checkCVEAnt(
-			applicationname: "PDF-AS",
-			reportoutputdirectory: (new File(rootDir, 'releases/cvecheck/' + project.name)).toString(),
-			reportformat: "ALL") {
-			fileset(dir: (new File(rootDir, 'build/alldependencies')).toString()) {
-				include(name: '**/**')
-			}
-		}
-	}
-}
-
 subprojects {
 	apply plugin: 'java-library'
 	apply plugin: 'eclipse'
 	apply plugin: 'maven-publish'
-	//apply plugin: 'maven'
+	apply plugin: 'maven'
+	apply plugin: 'org.owasp.dependencycheck'
 	group = 'at.gv.egiz.pdfas'
 
 	configurations {
 		deployerJars
-		cveCheck
 	}
 	
-	repositories { mavenCentral() }
+	repositories { 
+    mavenCentral() 
+    
+    maven {
+       	url "https://apps.egiz.gv.at/maven/"     	
+       	mavenContent {
+           	releasesOnly()
+       	}
+    }
+    maven {
+       	url "https://apps.egiz.gv.at/maven-snapshot/"
+       	mavenContent {
+           	snapshotsOnly()
+       	}
+    }    
+  }
 
 	dependencies { 
 		testImplementation 'junit:junit:4.13.2' 
-		cveCheck 'org.owasp:dependency-check-ant:6.1.3'
 	}
 
 	task sourcesJar(type: Jar, dependsOn: classes) {
@@ -82,8 +70,8 @@ subprojects {
 		//tomcatVersion = '7.0.54';
 		//tomcatVersion = '8.0.36';
 		tomcatVersion = '9.0.46';
-		slf4jVersion = '1.7.30'
-		cxfVersion = '3.0.1'
+		slf4jVersion = '1.7.32'
+		cxfVersion = '3.4.5'
 	  }
 	
 	jar { manifest.attributes provider: 'EGIZ', 'Specification-Version': getCheckedOutGitCommitHash(), 'Implementation-Version': project.version  }
@@ -97,30 +85,7 @@ subprojects {
 		from configurations.runtime
 		into 'build/alldependencies'
 	}
-		
-	rootProject.checkCVE.dependsOn copyDeps
-	
-	task checkCVELocal {
-		doLast {
-			// Redefine checkCVEAnt Ant task, with the classpath property set to our newly defined
-			// cveCheck configuration classpath.
-			ant.taskdef(name: 'checkCVEAnt', classname: 'org.owasp.dependencycheck.taskdefs.DependencyCheckTask',
-				classpath: configurations.cveCheck.asPath)
-	
-			// executing checkCVEAnt Task
-			ant.checkCVEAnt(
-				applicationname: project.name,
-				reportoutputdirectory: (new File(rootDir, 'releases/' + version + '/cvecheck/' + project.name)).toString(),
-				reportformat: "ALL") {
-					fileset(dir: 'build/alldependencies') {
-					include(name: '**/**')
-				}
-			}
-		}
-	}
-	checkCVELocal.dependsOn copyDepsLocal
 
-	
 	publishing {
     	publications {
         	myLibrary(MavenPublication) {
@@ -136,12 +101,25 @@ subprojects {
     	}
 	}	
 	
-//	uploadArchives {
-//		repositories.mavenDeployer {
-//			repository(url: project.releaseRepoUrl)
-//			snapshotRepository(url: project.snapshotRepoUrl)
-//		}
-//	}
+	dependencies {
+    	deployerJars "org.apache.maven.wagon:wagon-ssh:3.4.3"
+    	
+	}
+
+	uploadArchives {
+    	repositories.mavenDeployer {        	
+        	configuration = configurations.deployerJars        	        	
+        	repository(url: "sftp://apps.egiz.gv.at/maven") {
+            	authentication(userName: System.getenv("EGIZ_MAVEN_USER"), password: System.getenv("EGIZ_MAVEN_PASSWORD"))
+            	
+        	}
+        	snapshotRepository(url: "sftp://apps.egiz.gv.at/maven-snapshot") {
+            	authentication(userName: System.getenv("EGIZ_MAVEN_USER"), password: System.getenv("EGIZ_MAVEN_PASSWORD"))
+            	
+        	}
+    	}
+	}  
+	
 	
 	task(internalRelease) {
 		doLast {
diff --git a/pdf-as-cli/build.gradle b/pdf-as-cli/build.gradle
index 79efe54a..2854000f 100644
--- a/pdf-as-cli/build.gradle
+++ b/pdf-as-cli/build.gradle
@@ -35,7 +35,7 @@ dependencies {
     implementation group: 'commons-collections', name: 'commons-collections', version: '3.2.2'
 	implementation group: 'commons-cli', name: 'commons-cli', version: '1.2'
 	implementation group: 'javax.activation', name: 'activation', version: '1.1.1'
-	implementation 'ch.qos.logback:logback-classic:1.1.2'
+	implementation 'ch.qos.logback:logback-classic:1.2.10'
     testImplementation group: 'junit', name: 'junit', version: '4.+'
 }
 
diff --git a/pdf-as-common/build.gradle b/pdf-as-common/build.gradle
index a607fcfe..b57f9b6f 100644
--- a/pdf-as-common/build.gradle
+++ b/pdf-as-common/build.gradle
@@ -25,7 +25,7 @@ dependencies {
 	api group: 'commons-io', name: 'commons-io', version: '2.8.0'
 	api group: 'ognl', name: 'ognl', version: '3.2.19'
     api group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1'
-	api 'commons-codec:commons-codec:1.10'
+	api 'commons-codec:commons-codec:1.15'
     api group: 'org.glassfish.jaxb', name: 'jaxb-runtime', version: '2.3.3'
     api group: 'javax.jws', name: 'javax.jws-api', version: '1.1'
     testImplementation group: 'junit', name: 'junit', version: '4.+'
diff --git a/pdf-as-lib/build.gradle b/pdf-as-lib/build.gradle
index e55ac6a3..cff40ef0 100644
--- a/pdf-as-lib/build.gradle
+++ b/pdf-as-lib/build.gradle
@@ -68,9 +68,9 @@ dependencies {
     api group: 'org.bouncycastle', name: 'bcprov-jdk15on', version: '1.68'
 	api group: 'javax.activation', name: 'activation', version: '1.1.1'
 	api group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1'
-	api group: 'com.google.code.gson', name: 'gson', version: '2.8.6'
+	api group: 'com.google.code.gson', name: 'gson', version: '2.8.9'
 	api group: 'org.bitbucket.b_c', name: 'jose4j', version: '0.7.6'
-	api group: 'commons-io', name: 'commons-io', version: '2.8'
+	api group: 'commons-io', name: 'commons-io', version: '2.8.0'
 	api group: 'org.glassfish.jaxb', name: 'jaxb-runtime', version: '2.3.3'
 	api 'org.apache.commons:commons-collections4:4.4'
 	api group: 'ognl', name: 'ognl', version: '3.2.19'
@@ -84,7 +84,7 @@ dependencies {
 	api group: 'com.google.zxing', name: 'core', version: '3.4.1'
 	api group: 'com.google.zxing', name: 'javase', version: '3.4.1'
 	testImplementation group: 'junit', name: 'junit', version: '4.+'
-	testCompile "junit:junit:4.11"
+	testCompile "junit:junit:4.13.2"
 	ws group: 'org.apache.cxf', name: 'cxf-tools', version: cxfVersion
 	ws group: 'org.apache.cxf', name: 'cxf-tools-wsdlto-databinding-jaxb', version: cxfVersion
 	ws group: 'org.apache.cxf', name: 'cxf-tools-wsdlto-frontend-jaxws', version: cxfVersion
diff --git a/pdf-as-moa/build.gradle b/pdf-as-moa/build.gradle
index 62fa9530..fd438cbc 100644
--- a/pdf-as-moa/build.gradle
+++ b/pdf-as-moa/build.gradle
@@ -13,7 +13,7 @@ buildscript {
 		mavenLocal()
 		mavenCentral()
 	}
-	dependencies { classpath("commons-io:commons-io:2.4") }
+	dependencies { classpath("commons-io:commons-io:2.8.0") }
 }
 
 sourceSets {
diff --git a/pdf-as-pdfbox-2/build.gradle b/pdf-as-pdfbox-2/build.gradle
index 66c003ec..b37462bd 100644
--- a/pdf-as-pdfbox-2/build.gradle
+++ b/pdf-as-pdfbox-2/build.gradle
@@ -32,11 +32,11 @@ releases.dependsOn sourcesJar
 dependencies {
 	implementation project (':pdf-as-lib')
 	implementation group: 'org.slf4j', name: 'slf4j-api', version: slf4jVersion
-	implementation 'org.slf4j:jcl-over-slf4j:1.7.30'
-	api group: 'org.apache.pdfbox', name: 'pdfbox', version: '2.0.23'
-	api group: 'org.apache.pdfbox', name: 'pdfbox-tools', version: '2.0.23'
-	api group: 'org.apache.pdfbox', name: 'preflight', version: '2.0.23'
-	implementation group: 'commons-io', name: 'commons-io', version: '2.8'
+	implementation 'org.slf4j:jcl-over-slf4j:1.7.32'
+	api group: 'org.apache.pdfbox', name: 'pdfbox', version: '2.0.25'
+	api group: 'org.apache.pdfbox', name: 'pdfbox-tools', version: '2.0.25'
+	api group: 'org.apache.pdfbox', name: 'preflight', version: '2.0.25'
+	implementation group: 'commons-io', name: 'commons-io', version: '2.8.0'
 	implementation group: 'ognl', name: 'ognl', version: '3.2.19'
 	testImplementation group: 'junit', name: 'junit', version: '4.+'
 	
diff --git a/pdf-as-pdfbox-2/src/test/resources/1Sign_manyQR.pdf b/pdf-as-pdfbox-2/src/test/resources/1Sign_manyQR.pdf
new file mode 100644
index 00000000..0784592a
--- /dev/null
+++ b/pdf-as-pdfbox-2/src/test/resources/1Sign_manyQR.pdf
diff --git a/pdf-as-pdfbox-2/src/test/resources/new_qr_2-2.pdf b/pdf-as-pdfbox-2/src/test/resources/new_qr_2-2.pdf
new file mode 100644
index 00000000..565ce8e6
--- /dev/null
+++ b/pdf-as-pdfbox-2/src/test/resources/new_qr_2-2.pdf
diff --git a/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed.pdf b/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed.pdf
new file mode 100644
index 00000000..be6fdddb
--- /dev/null
+++ b/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed.pdf
diff --git a/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed.pdf b/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed.pdf
new file mode 100644
index 00000000..ee0f140f
--- /dev/null
+++ b/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed.pdf
diff --git a/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed_signed.pdf b/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed_signed.pdf
new file mode 100644
index 00000000..34769dd0
--- /dev/null
+++ b/pdf-as-pdfbox-2/src/test/resources/new_qr_2_signed_signed_signed.pdf
diff --git a/pdf-as-web-db/build.gradle b/pdf-as-web-db/build.gradle
index 91a4825d..6f252a32 100644
--- a/pdf-as-web-db/build.gradle
+++ b/pdf-as-web-db/build.gradle
@@ -17,9 +17,9 @@ dependencies {
 	implementation project (':pdf-as-web')
 	implementation project (':pdf-as-web-status')
 	implementation project (':pdf-as-web-statistic-api')
-	api "org.hibernate:hibernate-core:4.3.11.Final"
-	api "org.hibernate:hibernate-entitymanager:4.3.11.Final"
-	implementation group: 'log4j', name: 'log4j', version: '1.2.17'
+	api "org.hibernate:hibernate-core:5.6.2.Final"
+	api "org.hibernate:hibernate-entitymanager:5.6.2.Final"
+	implementation 'ch.qos.logback:logback-classic:1.2.10'
 	implementation group: 'org.slf4j', name: 'slf4j-api', version: slf4jVersion
 	testImplementation group: 'junit', name: 'junit', version: '4.+'
 }
diff --git a/pdf-as-web-statistic-api/build.gradle b/pdf-as-web-statistic-api/build.gradle
index aa9429d7..377c0714 100644
--- a/pdf-as-web-statistic-api/build.gradle
+++ b/pdf-as-web-statistic-api/build.gradle
@@ -22,7 +22,7 @@ sourceSets.test.runtimeClasspath += configurations.providedCompile
 
 dependencies {
 	implementation group: 'org.slf4j', name: 'slf4j-api', version: slf4jVersion
-	implementation 'org.apache.commons:commons-lang3:3.3.2'
+	implementation 'org.apache.commons:commons-lang3:3.12.0'
 	testImplementation group: 'junit', name: 'junit', version: '4.+'
 }
 
diff --git a/pdf-as-web/build.gradle b/pdf-as-web/build.gradle
index f6479d55..cf14365b 100644
--- a/pdf-as-web/build.gradle
+++ b/pdf-as-web/build.gradle
@@ -3,7 +3,7 @@ apply plugin: 'eclipse'
 apply plugin: 'eclipse-wtp'
 apply plugin: 'war'
 
-apply plugin: 'org.akhikhl.gretty'
+apply plugin: 'org.gretty'
 
 buildscript {
   repositories {
@@ -16,7 +16,7 @@ buildscript {
   }
 
   dependencies {
-    classpath 'org.akhikhl.gretty:gretty:+'
+    classpath 'org.gretty:gretty:3.0.7'
   }
 }
 
@@ -51,18 +51,20 @@ dependencies {
 	api project (':signature-standards:sigs-pades')
 	api project (':pdf-as-web-status')
 	api project (':pdf-as-web-statistic-api')
-	api group: 'commons-fileupload', name: 'commons-fileupload', version: '1.3.1'
+	api group: 'commons-fileupload', name: 'commons-fileupload', version: '1.4'
+	// Upgrade dependency of commons-fileupload from 2.2 to 2.8.0 to avoid CVE-2021-29425
+	api group: 'commons-io', name: 'commons-io', version: '2.8.0'
 	api group: 'opensymphony', name: 'sitemesh', version: '2.4.2'
 	api group: 'javax.xml.bind', name: 'jaxb-api', version: '2.3.1'
     api group: 'javax.xml.ws', name: 'jaxws-api', version: '2.3.1'
 	api group: 'org.glassfish.jaxb', name: 'jaxb-runtime', version: '2.3.3'
     api "commons-codec:commons-codec:1.15"
 	api 'org.apache.commons:commons-lang3:3.12.0'
-	api 'org.apache.cxf:cxf-rt-transports-http:3.4.1'
-	api 'org.apache.cxf:cxf-rt-frontend-jaxws:3.4.1'
-	api 'com.thetransactioncompany:cors-filter:2.9.1'
-	api 'ch.qos.logback:logback-classic:1.2.3'
-	api 'ch.qos.logback:logback-core:1.2.3'
+	api 'org.apache.cxf:cxf-rt-transports-http:3.4.5'
+	api 'org.apache.cxf:cxf-rt-frontend-jaxws:3.4.5'
+	api 'com.thetransactioncompany:cors-filter:2.10'
+	api 'ch.qos.logback:logback-classic:1.2.10'
+	api 'ch.qos.logback:logback-core:1.2.10'
 	api 'org.json:json:20210307'
 	api group: 'javax.jws', name: 'javax.jws-api', version: '1.1'
 	pdfbox2 project (':pdf-as-pdfbox-2')
@@ -72,8 +74,8 @@ dependencies {
 
 gretty {
   // supported values:
-  // 'jetty7', 'jetty8', 'jetty9', 'tomcat7', 'tomcat8'
-  servletContainer = 'jetty9'
+  // 'jetty7', 'jetty8', 'jetty9', 'jetty9.3', 'jetty9.4', 'tomcat85', 'tomcat9'
+  servletContainer = 'tomcat85'
   
   jvmArgs = [ '-Dpdf-as-web.conf=' + System.getProperty("user.home") + '/.pdfas/pdf-as-web.properties' ]
 }
@@ -272,13 +274,8 @@ task releases(dependsOn: buildTomcat, type: Copy) {
 	from archive
 	from tararchive	
 	into rootDir.toString() + "/releases/" + version
-
-
-
 }
 
-
-
 releases.dependsOn jar
 releases.dependsOn sourcesJar
 releases.dependsOn war
diff --git a/pdf-as-web/gradle.properties b/pdf-as-web/gradle.properties
new file mode 100644
index 00000000..887ae74e
--- /dev/null
+++ b/pdf-as-web/gradle.properties
@@ -0,0 +1,3 @@
+jetty94Version = 9.4.44.v20210927
+jetty93Version = 9.3.30.v20211001
+jetty9Version = 9.2.30.v20200428
\ No newline at end of file