Security Vulnerability springfox-swagger2-3.0.0.jar - security

I am working on one project and we are using tool Whitesource for our project.
Whitesource usually tells me that I need to update some dependency. Now it just reports a Security Vulnerability problem with the message:
An issue was found in io.springfox:springfox-swagger-ui. This vulnerability can lead to "Log injection", whereas untrusted data gets written into log files/entries. It allows attackers to forge log entries or inject malicious content into the logs.
pom.xml
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger-common</artifactId>
<version>3.0.0</version>
</dependency>
<dependency>
<groupId>io.springfox</groupId>
<artifactId>springfox-swagger2</artifactId>
<version>3.0.0</version>
<scope>compile</scope>
</dependency>
Please help me solve the problem or tell me where to start solving the problem.

Unfortunately, SpringFox https://github.com/springfox/springfox has not been maintained for the last 2 years. Applications currently leveraging SpringFox should migrate to SpringDoc.
SpringDoc GitHub repo and here is the migration guide

Unfortunately, there is currently no fix available from Springfox.
A little explanation: With this security issue, an attacker could write untrustworthy data in the log files and thus falsify log entries or inject malicious content into the logs.
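The two answers above describe the vulnerability class but not what it looks like in code. The following Java program is an added illustration (it is not part of the original question or answers, and does not reproduce the specific springfox-swagger-ui code path the WhiteSource finding refers to): a constructed attacker-supplied username containing CR/LF is written to a line-oriented log, which forges a second "login ok" entry, and the same value is then written through an encoder that neutralises control characters so one request yields exactly one log line. Timestamps and the username are made up for the demo.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Demonstrates log injection: untrusted text containing CR/LF breaks the
 * one-entry-per-line model of a text log and lets the caller forge entries.
 */
public final class LogInjectionDemo {

    // Constructed attacker input: a "username" that embeds CRLF followed by a fake success entry.
    static final String ATTACKER_INPUT =
            "alice\r\n2023-05-01 10:15:00 INFO  login ok user=admin";

    // Control characters (tab excepted) that can start a new line or confuse log viewers.
    private static final Pattern CONTROL = Pattern.compile("[\\p{Cntrl}&&[^\\t]]");

    /** Vulnerable form: the untrusted value is concatenated straight into the log line. */
    static String vulnerableEntry(String user) {
        return "2023-05-01 10:15:00 WARN  login failed user=" + user;
    }

    /** Hardened form: the same line, but the untrusted value is encoded first. */
    static String hardenedEntry(String user) {
        return "2023-05-01 10:15:00 WARN  login failed user=" + encode(user);
    }

    /** Replaces every control character with a visible \xNN escape so it cannot terminate the entry. */
    static String encode(String untrusted) {
        Matcher m = CONTROL.matcher(untrusted);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String escaped = String.format("\\x%02X", (int) m.group().charAt(0));
            m.appendReplacement(sb, Matcher.quoteReplacement(escaped));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    /** Number of physical lines the entry occupies in the log file; more than one means injection worked. */
    static int lineCount(String entry) {
        return entry.split("\\r?\\n|\\r").length;
    }

    public static void main(String[] args) {
        // The forged "login ok" text becomes its own line in the vulnerable variant...
        System.out.println("vulnerable: " + lineCount(vulnerableEntry(ATTACKER_INPUT)) + " line(s)");
        System.out.println(vulnerableEntry(ATTACKER_INPUT));
        // ...and stays inside the single WARN entry in the hardened one.
        System.out.println("hardened:   " + lineCount(hardenedEntry(ATTACKER_INPUT)) + " line(s)");
        System.out.println(hardenedEntry(ATTACKER_INPUT));
    }
}
```

Encoding at the call site is the minimal fix when the logging library cannot be replaced; a structured layout (JSON or another delimited format in which each field is quoted) removes the problem for every call site at once and is the better long-term choice when migrating away from the unmaintained dependency anyway.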

Related

is possible remove Jhipster Dependencies in back? why is necessary?

Is it possible to remove the JHipster dependencies in the backend? Why is it necessary or recommended?
If I remove it from pom.xml, different compilation errors appear.
<dependencyManagement>
<dependencies>
<dependency>
<groupId>io.github.jhipster</groupId>
<artifactId>jhipster-dependencies</artifactId>
<version>${jhipster-dependencies.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<!-- jhipster-needle-maven-add-dependency-management -->
</dependencies>
</dependencyManagement>
Is it possible?
Yes, but you have to import all the dependencies yourself, although that is nothing very difficult because most of them are already provided as Spring Boot starters. Looking at the effective pom with mvnw help:effective-pom could help.
Then you must import the Maven plugin configuration.
Finally, your project will still depend on jhipster-framework library unless you extract only the classes your project needs.
Is it recommended?
In the long term, managing your dependencies yourself is a good thing because major libraries like Spring Boot, Hibernate, ... support old releases for quite a long time, while the JHipster team supports only the current major release (currently 7.x), which usually means one year.
At the beginning of your project, you will probably want to be able to follow JHipster updates. Modifying the pom.xml will make updating generated code more difficult.
Once you have written much manual code, your project is probably already too difficult to update, so cutting the dependency with JHipster will be harmless.
I found it harder to remove dependency from JHipster frontend than from backend because for instance ng-jhipster has some dependencies on Bootstrap that require some effort to remove.

Using Liquibase with Azure SQL And Azure Active Directory Authentication

How can you use Liquibase with an Azure SQL database and Azure Active Directory Authentication? Specifically, I want to connect using ActiveDirectoryPassword authentication mode as documented here:
https://learn.microsoft.com/en-us/sql/connect/jdbc/connecting-using-azure-active-directory-authentication?view=sql-server-ver15#connecting-using-activedirectorypassword-authentication-mode
I cannot figure out how to call the Liquibase CLI to make this happen.
Is this possible?
I was able to get this to work. I am not very familiar with Java (we use Liquibase with a C# project), so I think some of the Java pieces tripped me up.
There were a few things I had to do to make this work:
I needed to add some properties to the URL I sent to Liquibase:
--url="jdbc:sqlserver://REDACTED.database.windows.net;databaseName=REDACTED;authentication=ActiveDirectoryPassword;encrypt=true;trustServerCertificate=true"
ActiveDirectoryPassword is what tells the driver to use the authentication mechanism I wanted. I also had to add encrypt=true and trustServerCertificate=true to avoid some SSL errors I was getting (from: https://learn.microsoft.com/en-us/sql/connect/jdbc/connecting-with-ssl-encryption?view=sql-server-ver15).
I needed the MSAL4J (Azure Active Directory) libraries in my classpath. I added them to the liquibase/lib directory so that the default Liquibase launcher scripts would add them for me. I got caught on this, too, because I needed to use Maven which we do not use. After downloading Maven, I used the copy-dependencies plugin to download the dependencies I needed.
mvn dependency:copy-dependencies
Here was the simple pom.xml I used:
<project>
<modelVersion>4.0.0</modelVersion>
<groupId>com.mycompany.app</groupId>
<artifactId>my-app</artifactId>
<version>1</version>
<dependencies>
<dependency>
<groupId>com.microsoft.azure</groupId>
<artifactId>adal4j</artifactId>
<version>1.6.3</version>
</dependency>
</dependencies>
</project>
I also put these dependencies in the liquibase/lib directory so they were automatically included in the classpath. The instructions from Microsoft were helpful in leading me to the correct places:
https://learn.microsoft.com/en-us/sql/connect/jdbc/connecting-using-azure-active-directory-authentication?view=sql-server-ver15#connecting-using-activedirectorypassword-authentication-mode
Also, not sure it was required to meet my goal, but I upgraded to the latest Liquibase (3.8.7) and latest SQL Server drivers (8.2):
https://learn.microsoft.com/en-us/sql/connect/jdbc/download-microsoft-jdbc-driver-for-sql-server?view=sql-server-ver15
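One caveat on the URL in the answer above: trustServerCertificate=true makes the driver accept any certificate the server presents, so the TLS session to the database can be intercepted; Azure SQL endpoints present a certificate chaining to a public CA, so certificate validation works without that flag (and hostNameInCertificate covers the case where you connect through a name that does not match the certificate). The Java program below is an added example, not code from the original post or from Liquibase: a pre-flight check that parses a Microsoft JDBC Driver for SQL Server URL into its properties and reports the settings a reviewer would reject, run over the posted URL and a hardened variant. Host and database names are placeholders.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;

/** Pre-flight check for the JDBC URL handed to Liquibase (or any other tool) for Azure SQL. */
public final class SqlServerUrlCheck {

    /** Splits "jdbc:sqlserver://host[:port];prop=value;..." into its driver properties, keys lower-cased. */
    static Map<String, String> properties(String jdbcUrl) {
        if (!jdbcUrl.startsWith("jdbc:sqlserver://")) {
            throw new IllegalArgumentException("not a Microsoft JDBC Driver for SQL Server URL");
        }
        Map<String, String> props = new LinkedHashMap<>();
        String[] parts = jdbcUrl.split(";");
        for (int i = 1; i < parts.length; i++) {   // parts[0] is the host[:port] portion
            int eq = parts[i].indexOf('=');
            if (eq > 0) {
                props.put(parts[i].substring(0, eq).trim().toLowerCase(Locale.ROOT),
                          parts[i].substring(eq + 1).trim());
            }
        }
        return props;
    }

    /** Returns the policy violations found in the URL; an empty list means it passes. */
    static List<String> findings(String jdbcUrl) {
        Map<String, String> p = properties(jdbcUrl);
        List<String> out = new ArrayList<>();
        if (!"true".equalsIgnoreCase(p.get("encrypt"))) {
            out.add("encrypt must be true: Azure SQL requires TLS and drivers before 10.2 default to encrypt=false");
        }
        if ("true".equalsIgnoreCase(p.get("trustservercertificate"))) {
            out.add("trustServerCertificate=true disables server certificate validation; "
                  + "Azure SQL uses a publicly trusted certificate, so leave it false "
                  + "(set hostNameInCertificate only if you connect through a non-matching name)");
        }
        if (p.containsKey("password")) {
            out.add("password embedded in the URL ends up in shell history, process listings and tool logs; "
                  + "pass it through --password or an environment variable instead");
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample URLs: the one from the post and a hardened variant. Names are placeholders.
        String asPosted = "jdbc:sqlserver://REDACTED.database.windows.net;databaseName=REDACTED;"
                + "authentication=ActiveDirectoryPassword;encrypt=true;trustServerCertificate=true";
        String hardened = "jdbc:sqlserver://REDACTED.database.windows.net:1433;databaseName=REDACTED;"
                + "authentication=ActiveDirectoryPassword;encrypt=true;trustServerCertificate=false";
        for (String url : new String[] {asPosted, hardened}) {
            System.out.println(url);
            List<String> f = findings(url);
            System.out.println(f.isEmpty() ? "  OK" : "  " + String.join("\n  ", f));
        }
    }
}
```

If the hardened URL produces an SSL error, the JVM running Liquibase is missing the CA in its trust store or the connection name does not match the certificate; fix that (or set hostNameInCertificate) rather than switching trust validation off.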

Dynamically changing log level in log4j version 1 and bridge to version 2

I'm currently working on an application that wants to dynamically change the log level of another Java application (running on localhost). This external application uses log4j version 1.2.16. I want to use JMX, find all "LoggerConfigAdminMBean" and change the level.
The specification (see https://logging.apache.org/log4j/2.0/manual/jmx.html) mentions that this is possible with log4j 2.
Because I do not want to make many changes to the external application, I only replaced log4j1.2.16.jar with log4j1.2bridge.jar (see https://logging.apache.org/log4j/2.x/log4j-1.2-api/index.html). But the result of this change is an empty list of LoggerConfigAdminMBean.
Is the JMX MBeans feature fully activated by using the log4j 1.2 bridge jar, and is there some way to get a full list of LoggerConfigAdminMBean, or is that possible only by migrating from log4j 1 to log4j 2?
Thank you very much for the answers.
You should use these 2 dependencies:
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-slf4j-impl</artifactId>
<version>2.11.1</version>
</dependency>
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-1.2-api</artifactId>
<version>2.11.1</version>
</dependency>
And adapt log4j.properties, which must be placed in the project's classpath. See: https://logging.apache.org/log4j/2.x/manual/configuration.html#Properties
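The answer names the dependencies but not the JMX client side the question asks about. The following Java program is an added example (not from the original post or from the log4j project): it connects to the target JVM's JMX endpoint, queries every LoggerConfigAdminMBean with the ObjectName pattern documented in the log4j 2 JMX manual, and sets its Level attribute. It assumes log4j-api and log4j-core are on the target's classpath next to the bridge (the MBeans are registered by log4j-core when its LoggerContext starts, so the bridge jar alone yields the empty list the question describes), that JMX registration is not disabled (log4j2.disableJmx is left at its default of false), and that the target exposes JMX on localhost port 9010; the port and the DEBUG level are assumptions. Two caveats a practitioner should carry along: the same MBeans let a caller replace the whole logging configuration (LoggerContextAdminMBean.setConfigText), so a remote JMX port must be bound to localhost or require authentication and TLS (com.sun.management.jmxremote.authenticate=true and com.sun.management.jmxremote.ssl=true), and the 2.11.1 core version named in the answer predates the fixes for the 2021 JNDI lookup vulnerability (CVE-2021-44228), so a current 2.17.x or later release should be used instead.

```java
import java.util.Set;
import javax.management.Attribute;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/** Changes the level of every LoggerConfig in a remote log4j 2 JVM through its JMX MBeans. */
public final class Log4j2LevelChanger {

    // ObjectName pattern from the log4j 2 JMX manual:
    // type = LoggerContext name, component = Loggers, name = logger name ("" for the root logger).
    private static final String LOGGER_CONFIGS = "org.apache.logging.log4j2:type=*,component=Loggers,name=*";

    /** Sets the "Level" attribute on each matching LoggerConfigAdminMBean and returns how many were found. */
    static int setLevel(MBeanServerConnection mbs, String level) throws Exception {
        Set<ObjectName> names = mbs.queryNames(new ObjectName(LOGGER_CONFIGS), null);
        for (ObjectName name : names) {
            mbs.setAttribute(name, new Attribute("Level", level));
        }
        return names.size();
    }

    public static void main(String[] args) throws Exception {
        // Assumed: the target JVM was started with com.sun.management.jmxremote.port=9010 (adjust to yours).
        String serviceUrl = args.length > 0 ? args[0] : "service:jmx:rmi:///jndi/rmi://localhost:9010/jmxrmi";
        String level = args.length > 1 ? args[1] : "DEBUG";
        try (JMXConnector connector = JMXConnectorFactory.connect(new JMXServiceURL(serviceUrl))) {
            int changed = setLevel(connector.getMBeanServerConnection(), level);
            if (changed == 0) {
                System.err.println("No LoggerConfigAdminMBean registered: log4j-core has not initialised a "
                        + "configuration in the target JVM, or JMX registration is disabled (log4j2.disableJmx=true).");
            } else {
                System.out.println(changed + " LoggerConfig(s) set to " + level);
            }
        }
    }
}
```

Only loggers that have their own LoggerConfig (the root logger plus those named in the configuration) are listed; every other logger inherits from the nearest configured ancestor, so changing the root entry is usually enough to change the effective level of the whole application.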

Trouble using spring-data-solr with Broadleaf commerce

Using Broadleaf Commerce version 5.2.2-GA. I have implemented custom search capability using spring-data-solr.
Seeing this issue:
[org.broadleafcommerce.cms.url.domain.URLHandlerImpl]
are managed classes within the MergePersistenceUnitManager
but were not detected as being transformed by the EntityMarkerClassTransformer. There can be multiple causes for this:
1. Session persistence is enabled in your servlet container (like Tomcat) and an entity object has been loaded by the container before being loaded by the application's classloader. Ensure that session persistence is disabled; in Tomcat ensure that a <Manager pathname="" /> element exists in your context.xml.
2. You are inadvertently using class scanning to find a ServletContainerInitializer class, and your servlet container is loading all classes before transformers have been registered. If you are using a web.xml, ensure that there is an <absolute-ordering /> element somewhere in that file. If you are not using a web.xml and are using Spring Boot, then you likely need to add one. See https://www.broadleafcommerce.com/docs/core/5.2/broadleaf-concepts/key-aspects-and-configuration/app-server-configuration/tomcat for the example web.xml
3. The classes are being used as apart of an @Bean method or in some other runtime capacity that is initialized prior to persistence manager startup
I can get around the error by either:
removing spring-instrument.jar, via site/pom.xml overriding spring-boot-maven-plugin config:
<pluginManagement>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
<configuration combine.self="override">
</configuration>
</plugin>
</plugins>
</pluginManagement>
Removing 'specifically' the spring-data-solr dependency (just to prove it causes the error), i.e. from core/pom.xml, removing this:
<dependency>
<groupId>org.springframework.data</groupId>
<artifactId>spring-data-solr</artifactId>
</dependency>
I am happy to remove instrumentation for the time being, although this causes issues with the Auditing functionality. I.e. when attempting to save a BLC organic entity (such as StaticAssetImpl), due to the fact spring-instrumentation is not available, I see this:
java.lang.NullPointerException: null
at org.broadleafcommerce.common.audit.AbstractAuditableListener.setAuditData(AbstractAuditableListener.java:88)
Ideally in the longer term, I would like to safely be able to include the spring-data-solr dependency. NOTE: I can safely use spring-data-commons and spring-data-jpa, it appears that spring-data-solr is solely causing the issue. I have tried spring-data-solr 3.0.5.RELEASE, 3.0.8.RELEASE (latest) and 2.0.9.RELEASE.
In the meantime, I have been looking for a way to disable Auditing, but can't seem to find any documentation. I have tried overriding Entities to remove the @EntityListener, tried to override the AdminAuditableListener, and tried to look for a property that would disable it, but no luck as yet.
Appreciate any help with either a short term workaround to disable Auditing, disable Auditing for specific Entities only or perhaps something I have not tried that could make spring-data-solr compatible.
Thanks
The error you are running into regarding UrlHandlerImpl was resolved in Broadleaf 5.2.3-GA, see https://github.com/broadleafcommerce/issues/issues/5. The latest Broadleaf release is actually 5.2.6-GA.
There might be something inadvertent (scanning or something) that Spring Data Solr adds, but generally this piece shouldn't be an issue.

spring integration sftp java dsl : cannot resolve method handleWithAdapter

I'm following these docs
and added the Maven dependency:
<dependency>
<groupId>org.springframework.integration</groupId>
<artifactId>spring-integration-sftp</artifactId>
<version>5.0.0.M6</version>
</dependency>
<dependency>
<groupId>org.springframework.integration</groupId>
<artifactId>spring-integration-java-dsl</artifactId>
<version>1.2.3.RELEASE</version>
</dependency>
But it cannot resolve this method:
Did I miss anything?
Starting with Spring Integration 5.0, the whole Java DSL project was merged into the core project. So you don't need that extra spring-integration-java-dsl dependency anymore. Moreover, it isn't compatible with Spring Integration 5.0.
There is no handleWithAdapter() any more, since there is no single entry point: all the namespace factories are distributed among the appropriate modules.
So, right now you have to do this:
.handle(Sftp.outboundGateway(...))
See Migration Guide for more info.
And also look back at the release blog post.
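The answer shows the one-line replacement; the following Spring configuration class is an added example (not code from the original post or from the Spring Integration project) of a complete flow built that way. It assumes spring-integration-sftp 5.0.x GA rather than the 5.0.0.M6 milestone in the question, and the host, account, key path and known_hosts path are placeholders. The security-relevant part is the session factory: host key verification stays on (setAllowUnknownKeys(false) with a pinned known_hosts file) and a private key is used instead of a password, since setAllowUnknownKeys(true) would make the client accept any server and defeat SSH's protection against interception.

```java
import com.jcraft.jsch.ChannelSftp;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.integration.dsl.IntegrationFlow;
import org.springframework.integration.dsl.IntegrationFlows;
import org.springframework.integration.file.remote.gateway.AbstractRemoteFileOutboundGateway;
import org.springframework.integration.file.remote.session.CachingSessionFactory;
import org.springframework.integration.file.remote.session.SessionFactory;
import org.springframework.integration.sftp.dsl.Sftp;
import org.springframework.integration.sftp.session.DefaultSftpSessionFactory;

@Configuration
public class SftpFlowConfig {

    /** Key-based SFTP session factory with host key verification left ON. */
    @Bean
    public SessionFactory<ChannelSftp.LsEntry> sftpSessionFactory() {
        DefaultSftpSessionFactory factory = new DefaultSftpSessionFactory(true); // shared session
        factory.setHost("sftp.example.org");                                      // assumed host
        factory.setPort(22);
        factory.setUser("transfer");                                               // assumed account
        factory.setPrivateKey(new FileSystemResource("/etc/app/sftp_id_rsa"));    // assumed key path
        // Only servers whose key is pinned in this file are accepted; setAllowUnknownKeys(true)
        // would silently trust any host and is the setting to reject in review.
        factory.setKnownHosts("/etc/app/sftp_known_hosts");                        // assumed path
        factory.setAllowUnknownKeys(false);
        return new CachingSessionFactory<>(factory);
    }

    /**
     * Lists the remote directory named in the message payload. What the old DSL spelled
     * handleWithAdapter(...) is now handle(Sftp.outboundGateway(...)); the reply (file names) goes
     * to the "sftpLsReplies" channel.
     */
    @Bean
    public IntegrationFlow sftpListFlow(SessionFactory<ChannelSftp.LsEntry> sftpSessionFactory) {
        return IntegrationFlows.from("sftpLsRequests")
                .handle(Sftp.outboundGateway(sftpSessionFactory,
                                AbstractRemoteFileOutboundGateway.Command.LS, "payload")
                        .options(AbstractRemoteFileOutboundGateway.Option.NAME_ONLY))
                .channel("sftpLsReplies")
                .get();
    }
}
```

Sending a Message whose payload is a remote directory path to sftpLsRequests produces a list of file names on sftpLsReplies; other commands (GET, MGET, PUT, RM and so on) are the same Sftp.outboundGateway call with a different AbstractRemoteFileOutboundGateway.Command.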
