Merge pull request #121 from Onlineberatung/VIC-1855-fix-critical-cves

Vic 1855 fix critical cves
Onlineberatung · Oct 26, 2022 · 3396985 · 3396985
2 parents d9db924 + 4b8e7dd
commit 3396985
Show file tree

Hide file tree

Showing 9 changed files with 94 additions and 147 deletions.
diff --git a/.github/workflows/securityScan.yml b/.github/workflows/securityScan.yml
@@ -0,0 +1,22 @@
+name: Run trivy security scan
+on:
+  push:
+    branches:
+      - 'develop'
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in fs mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          format: 'table'
+          exit-code: 1
+          severity: CRITICAL
diff --git a/pom.xml b/pom.xml
@@ -16,7 +16,7 @@
   <parent>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-parent</artifactId>
-    <version>2.3.5.RELEASE</version>
+    <version>2.5.14</version>
     <relativePath/> <!-- lookup parent from repository -->
   </parent>
 
@@ -27,6 +27,14 @@
     <keycloak.version>17.0.0</keycloak.version>
     <!-- force at least version 2.16 due to https://logging.apache.org/log4j/2.x/security.html -->
     <log4j.version>2.17.1</log4j.version>
+    <jackson.databind.nullable.version>0.2.3</jackson.databind.nullable.version>
+    <openapi.generator.maven.version>6.2.0</openapi.generator.maven.version>
+    <liquibase-core.version>4.9.1</liquibase-core.version>
+    <liquibase-maven-plugin.version>4.1.1</liquibase-maven-plugin.version>
+    <springfox-bean-validators.version>3.0.0</springfox-bean-validators.version>
+    <springfox-swagger-ui.version>3.0.0</springfox-swagger-ui.version>
+    <springfox-swagger2.version>3.0.0</springfox-swagger2.version>
+    <spring-security-test.version>5.5.7</spring-security-test.version>
   </properties>
 
   <dependencies>
@@ -66,29 +74,29 @@
     <dependency>
       <groupId>org.openapitools</groupId>
       <artifactId>openapi-generator-maven-plugin</artifactId>
-      <version>5.1.1</version>
+      <version>${openapi.generator.maven.version}</version>
       <scope>provided</scope>
     </dependency>
     <dependency>
       <groupId>org.openapitools</groupId>
       <artifactId>jackson-databind-nullable</artifactId>
-      <version>0.2.1</version>
+      <version>${jackson.databind.nullable.version}</version>
     </dependency>
     <!-- SpringFox: generate YAML file from POJOs and generate documentation -->
     <dependency>
       <groupId>io.springfox</groupId>
       <artifactId>springfox-swagger2</artifactId>
-      <version>2.9.2</version>
+      <version>${springfox-swagger2.version}</version>
     </dependency>
     <dependency>
       <groupId>io.springfox</groupId>
       <artifactId>springfox-bean-validators</artifactId>
-      <version>2.9.2</version>
+      <version>${springfox-bean-validators.version}</version>
     </dependency>
     <dependency>
       <groupId>io.springfox</groupId>
       <artifactId>springfox-swagger-ui</artifactId>
-      <version>2.9.2</version>
+      <version>${springfox-swagger-ui.version}</version>
     </dependency>
 
     <!-- Keycloak dependencies -->
@@ -145,7 +153,13 @@
     <dependency>
       <groupId>org.liquibase</groupId>
       <artifactId>liquibase-maven-plugin</artifactId>
-      <version>4.1.1</version>
+      <version>${liquibase-maven-plugin.version}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>org.liquibase</groupId>
+      <artifactId>liquibase-core</artifactId>
+      <version>${liquibase-core.version}</version>
     </dependency>
 
     <dependency>
@@ -177,6 +191,7 @@
     <dependency>
       <groupId>org.springframework.security</groupId>
       <artifactId>spring-security-test</artifactId>
+      <version>${spring-security-test.version}</version>
       <scope>test</scope>
     </dependency>
     <dependency>

diff --git a/...va/de/caritas/cob/messageservice/api/controller/CustomSwaggerUIApiResourceController.java b/...va/de/caritas/cob/messageservice/api/controller/CustomSwaggerUIApiResourceController.java
diff --git a/...main/java/de/caritas/cob/messageservice/api/controller/CustomSwaggerUIPathController.java b/...main/java/de/caritas/cob/messageservice/api/controller/CustomSwaggerUIPathController.java
diff --git a/src/main/java/de/caritas/cob/messageservice/config/SpringFoxConfig.java b/src/main/java/de/caritas/cob/messageservice/config/SpringFoxConfig.java
@@ -77,7 +77,7 @@ private List<SecurityReference> securityReferences() {
         .reference("token").scopes(new AuthorizationScope[0]).build());
   }
 
-  private List<? extends SecurityScheme> securitySchemes() {
+  private List<SecurityScheme> securitySchemes() {
     return singletonList(new ApiKey("Bearer", "Authorization", "header"));
   }
 

diff --git a/src/test/java/de/caritas/cob/messageservice/api/service/EncryptionServiceTest.java b/src/test/java/de/caritas/cob/messageservice/api/service/EncryptionServiceTest.java
@@ -4,21 +4,15 @@
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
-import java.io.UnsupportedEncodingException;
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-import javax.crypto.BadPaddingException;
-import javax.crypto.IllegalBlockSizeException;
-import javax.crypto.NoSuchPaddingException;
 import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
-import org.mockito.internal.util.reflection.FieldSetter;
 import org.mockito.junit.MockitoJUnitRunner;
 import de.caritas.cob.messageservice.api.exception.CustomCryptoException;
+import org.powermock.reflect.Whitebox;
 
 @RunWith(MockitoJUnitRunner.class)
 public class EncryptionServiceTest {
@@ -40,8 +34,9 @@ public class EncryptionServiceTest {
 
   @Before
   public void setup() throws NoSuchFieldException {
-    FieldSetter.setField(encryptionService,
-        encryptionService.getClass().getDeclaredField("fragment_applicationKey"), KEY_APPLICATION);
+    Whitebox.setInternalState(encryptionService, "fragment_applicationKey", KEY_APPLICATION);
+
+
     encryptionService.updateMasterKey(KEY_MASTER);
   }
 

diff --git a/src/test/java/de/caritas/cob/messageservice/api/service/RocketChatServiceTest.java b/src/test/java/de/caritas/cob/messageservice/api/service/RocketChatServiceTest.java
@@ -2,7 +2,6 @@
 
 import static de.caritas.cob.messageservice.api.service.RocketChatService.E2E_ENCRYPTION_TYPE;
 import static de.caritas.cob.messageservice.testhelper.RocketChatFieldConstants.FIELD_NAME_RC_GET_GROUP_INFO_URL;
-import static de.caritas.cob.messageservice.testhelper.RocketChatFieldConstants.FIELD_NAME_RC_POST_GROUP_MESSAGES_READ;
 import static de.caritas.cob.messageservice.testhelper.RocketChatFieldConstants.FIELD_VALUE_RC_GET_GROUP_INFO_URL;
 import static de.caritas.cob.messageservice.testhelper.RocketChatFieldConstants.FIELD_VALUE_RC_POST_GROUP_MESSAGES_READ;
 import static de.caritas.cob.messageservice.testhelper.TestConstants.RC_GROUP_ID;
@@ -23,7 +22,7 @@
 import static org.mockito.Mockito.verifyNoInteractions;
 import static org.mockito.Mockito.verifyNoMoreInteractions;
 import static org.mockito.Mockito.when;
-import static org.mockito.internal.util.reflection.FieldSetter.setField;
+
 import static org.powermock.reflect.Whitebox.setInternalState;
 
 import de.caritas.cob.messageservice.api.exception.CustomCryptoException;
@@ -54,6 +53,7 @@
 import org.mockito.InjectMocks;
 import org.mockito.Mock;
 import org.mockito.junit.MockitoJUnitRunner;
+import org.powermock.reflect.Whitebox;
 import org.slf4j.Logger;
 import org.springframework.http.HttpEntity;
 import org.springframework.http.HttpMethod;
@@ -100,46 +100,32 @@ public class RocketChatServiceTest {
 
   @Before
   public void setup() throws NoSuchFieldException, SecurityException {
-    setField(rocketChatService, rocketChatService.getClass().getDeclaredField("rcHeaderAuthToken"),
-        RC_TOKEN);
-    setField(rocketChatService, rocketChatService.getClass().getDeclaredField("rcHeaderUserId"),
-        RC_USER_ID);
-    setField(rocketChatService, rocketChatService.getClass().getDeclaredField("rcQueryParamRoomId"),
-        RC_GROUP_ID);
-    setField(rocketChatService, rocketChatService.getClass().getDeclaredField("rcQueryParamOffset"),
-        String.valueOf(RC_OFFSET));
-    setField(rocketChatService, rocketChatService.getClass().getDeclaredField("rcQueryParamCount"),
-        String.valueOf(RC_COUNT));
-    setField(rocketChatService, rocketChatService.getClass().getDeclaredField("rcQueryParamSort"),
-        "sort");
-    setField(rocketChatService,
-        rocketChatService.getClass().getDeclaredField("rcQueryParamSortValue"), "{\"ts\":1}");
-    setField(rocketChatService, rocketChatService.getClass().getDeclaredField("rcSendMessageUrl"),
-        "http://localhost/api/v1/chat.sendMessage");
-    setField(rocketChatService,
-        rocketChatService.getClass().getDeclaredField(FIELD_NAME_RC_POST_GROUP_MESSAGES_READ),
-        FIELD_VALUE_RC_POST_GROUP_MESSAGES_READ);
-    setField(rocketChatService,
-        rocketChatService.getClass().getDeclaredField(FIELD_NAME_RC_GET_GROUP_INFO_URL),
-        FIELD_VALUE_RC_GET_GROUP_INFO_URL);
+    Whitebox.setInternalState(rocketChatService, "rcHeaderAuthToken", RC_TOKEN);
+    Whitebox.setInternalState(rocketChatService, "rcHeaderUserId", RC_USER_ID);
+    Whitebox.setInternalState(rocketChatService, "rcQueryParamRoomId", RC_GROUP_ID);
+    Whitebox.setInternalState(rocketChatService, "rcQueryParamOffset", String.valueOf(RC_OFFSET));
+    Whitebox.setInternalState(rocketChatService, "rcQueryParamCount", String.valueOf(RC_COUNT));
+    Whitebox.setInternalState(rocketChatService, "rcQueryParamSort", "sort");
+    Whitebox.setInternalState(rocketChatService, "rcQueryParamSortValue", "{\"ts\":1}");
+    Whitebox.setInternalState(rocketChatService, "rcSendMessageUrl", "http://localhost/api/v1/chat.sendMessage");
+    Whitebox.setInternalState(rocketChatService, "rcPostGroupMessagesRead", FIELD_VALUE_RC_POST_GROUP_MESSAGES_READ);
+    Whitebox.setInternalState(rocketChatService, FIELD_NAME_RC_GET_GROUP_INFO_URL, FIELD_VALUE_RC_GET_GROUP_INFO_URL);
     setInternalState(LogService.class, "LOGGER", logger);
   }
 
   @Test(expected = InternalServerErrorException.class)
   public void getGroupMessages_Should_ThrowInternalServerErrorException_When_BuildMessageStreamUriFails()
       throws NoSuchFieldException {
-    setField(rocketChatService,
-        rocketChatService.getClass().getDeclaredField("rcGetGroupMessageUrl"), null);
 
+    Whitebox.setInternalState(rocketChatService, "rcGetGroupMessageUrl", (Object[]) null);
     rocketChatService.getGroupMessages(RC_TOKEN, RC_USER_ID, RC_GROUP_ID, 0, 0, Instant.now());
   }
 
   @Test(expected = InternalServerErrorException.class)
   public void getGroupMessages_Should_ThrowInternalServerErrorException_When_RocketChatRequestFails()
       throws NoSuchFieldException {
-    setField(rocketChatService,
-        rocketChatService.getClass().getDeclaredField("rcGetGroupMessageUrl"),
-        "http://localhost/api/v1/groups.messages");
+    Whitebox.setInternalState(rocketChatService, "rcGetGroupMessageUrl",  "http://localhost/api/v1/groups.messages");
+
     HttpClientErrorException ex = new HttpClientErrorException(HttpStatus.BAD_REQUEST);
     when(restTemplate.exchange(any(), any(HttpMethod.class), any(),
         ArgumentMatchers.<Class<MessageStreamDTO>>any())).thenThrow(ex);
@@ -150,9 +136,8 @@ public void getGroupMessages_Should_ThrowInternalServerErrorException_When_Rocke
   @Test(expected = InternalServerErrorException.class)
   public void getGroupMessages_Should_ThrowInternalServerErrorException_When_DecryptionOfMessageFails()
       throws NoSuchFieldException, CustomCryptoException {
-    setField(rocketChatService,
-        rocketChatService.getClass().getDeclaredField("rcGetGroupMessageUrl"),
-        "http://localhost/api/v1/groups.messages");
+    Whitebox.setInternalState(rocketChatService, "rcGetGroupMessageUrl",  "http://localhost/api/v1/groups.messages");
+
     EasyRandom easyRandom = new EasyRandom();
     MessageStreamDTO messageStreamDTO = easyRandom.nextObject(MessageStreamDTO.class);
     messageStreamDTO.setMessages(easyRandom.objects(MessagesDTO.class, 5)
@@ -171,9 +156,8 @@ public void getGroupMessages_Should_ThrowInternalServerErrorException_When_Decry
   @Test
   public void getGroupMessages_Should_ReturnMessageStreamDTO_When_ProvidedWithValidParameters()
       throws NoSuchFieldException {
-    setField(rocketChatService,
-        rocketChatService.getClass().getDeclaredField("rcGetGroupMessageUrl"),
-        "http://localhost/api/v1/groups.messages");
+    Whitebox.setInternalState(rocketChatService, "rcGetGroupMessageUrl", "http://localhost/api/v1/groups.messages");
+
     List<MessagesDTO> messages = new ArrayList<>();
     ResponseEntity<MessageStreamDTO> entity = new ResponseEntity<>(
         new MessageStreamDTO().messages(messages), HttpStatus.OK);
@@ -189,9 +173,8 @@ public void getGroupMessages_Should_ReturnMessageStreamDTO_When_ProvidedWithVali
   @Test
   public void getGroupMessages_Should_DecryptAllMessages()
       throws NoSuchFieldException, CustomCryptoException {
-    setField(rocketChatService,
-        rocketChatService.getClass().getDeclaredField("rcGetGroupMessageUrl"),
-        "http://localhost/api/v1/groups.messages");
+    Whitebox.setInternalState(rocketChatService, "rcGetGroupMessageUrl", "http://localhost/api/v1/groups.messages");
+
     EasyRandom easyRandom = new EasyRandom();
     MessageStreamDTO messageStreamDTO = easyRandom.nextObject(MessageStreamDTO.class);
     messageStreamDTO.setMessages(easyRandom.objects(MessagesDTO.class, 5)
@@ -209,9 +192,7 @@ public void getGroupMessages_Should_DecryptAllMessages()
   @Test
   public void getGroupMessages_Should_SetForwardAsMessageType_ForForwardedMessages()
       throws NoSuchFieldException {
-    setField(rocketChatService,
-        rocketChatService.getClass().getDeclaredField("rcGetGroupMessageUrl"),
-        "http://localhost/api/v1/groups.messages");
+    Whitebox.setInternalState(rocketChatService, "rcGetGroupMessageUrl", "http://localhost/api/v1/groups.messages");
     EasyRandom easyRandom = new EasyRandom();
     MessageStreamDTO messageStreamDTO = easyRandom.nextObject(MessageStreamDTO.class);
     messageStreamDTO.setMessages(easyRandom.objects(MessagesDTO.class, 5)
@@ -241,9 +222,8 @@ public void getGroupMessages_Should_SetForwardAsMessageType_ForForwardedMessages
   @Test
   public void getGroupMessages_Should_SetVideocallAsMessageType_ForVideocallMessages()
       throws NoSuchFieldException {
-    setField(rocketChatService,
-        rocketChatService.getClass().getDeclaredField("rcGetGroupMessageUrl"),
-        "http://localhost/api/v1/groups.messages");
+
+    Whitebox.setInternalState(rocketChatService, "rcGetGroupMessageUrl", "http://localhost/api/v1/groups.messages");
     EasyRandom easyRandom = new EasyRandom();
     MessageStreamDTO messageStreamDTO = easyRandom.nextObject(MessageStreamDTO.class);
     messageStreamDTO.setMessages(easyRandom.objects(MessagesDTO.class, 5)
@@ -273,9 +253,7 @@ public void getGroupMessages_Should_SetVideocallAsMessageType_ForVideocallMessag
   @Test
   public void getGroupMessages_Should_SetFurtherStepsAsMessageType_ForFurtherStepsMessages()
       throws NoSuchFieldException {
-    setField(rocketChatService,
-        rocketChatService.getClass().getDeclaredField("rcGetGroupMessageUrl"),
-        "http://localhost/api/v1/groups.messages");
+    Whitebox.setInternalState(rocketChatService, "rcGetGroupMessageUrl", "http://localhost/api/v1/groups.messages");
     EasyRandom easyRandom = new EasyRandom();
     MessageStreamDTO messageStreamDTO = easyRandom.nextObject(MessageStreamDTO.class);
     messageStreamDTO.setMessages(easyRandom.objects(MessagesDTO.class, 5)