Merge pull request #9 from WorldHealthOrganization/fetch-eu-updates

Fetch Changes from EU

codestyle/checkstyle.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0"?>
 <!DOCTYPE module PUBLIC
-  "-//Checkstyle//DTD Checkstyle Configuration 1.3//EN"
-  "https://checkstyle.org/dtds/configuration_1_3.dtd">
+        "-//Checkstyle//DTD Checkstyle Configuration 1.3//EN"
+        "https://checkstyle.org/dtds/configuration_1_3.dtd">
 
 <!--
     Checkstyle configuration that checks the Google coding conventions from Google Java Style
@@ -215,10 +215,10 @@
     <module name="Indentation">
       <property name="basicOffset" value="4"/>
       <property name="braceAdjustment" value="0"/>
-      <property name="caseIndent" value="2"/>
-      <property name="throwsIndent" value="2"/>
-      <property name="lineWrappingIndentation" value="2"/>
-      <property name="arrayInitIndent" value="2"/>
+      <property name="caseIndent" value="4"/>
+      <property name="throwsIndent" value="4"/>
+      <property name="lineWrappingIndentation" value="4"/>
+      <property name="arrayInitIndent" value="4"/>
     </module>
     <module name="AbbreviationAsWordInName">
       <property name="ignoreFinal" value="false"/>
@@ -282,7 +282,7 @@
                 value="CLASS_DEF, INTERFACE_DEF, ENUM_DEF, METHOD_DEF, CTOR_DEF, VARIABLE_DEF"/>
     </module>
     <module name="JavadocMethod">
-      <property name="scope" value="public"/>
+      <property name="accessModifiers" value="public"/>
       <property name="allowMissingParamTags" value="true"/>
       <property name="allowMissingReturnTag" value="true"/>
       <property name="allowedAnnotations" value="Override, Test"/>

owasp/suppressions.xml

@@ -18,4 +18,12 @@
     <notes>H2 is not used by this project.</notes>
     <cve>CVE-2021-23463</cve>
   </suppress>
+  <suppress>
+    <notes>False Positive, Should match only up to 5.3.2 (excluding) but we have 5.6.3 </notes>
+    <cve>CVE-2020-5408</cve>
+  </suppress>
+  <suppress>
+    <notes>False Positive, Should match only up to 1.32 (excluding) but we have 1.33</notes>
+    <cve>CVE-2022-38752</cve>
+  </suppress>
 </suppressions>

pom.xml

@@ -23,21 +23,21 @@
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
         <!-- dependencies -->
-        <owasp.version>6.5.3</owasp.version>
-        <spring.boot.version>2.6.3</spring.boot.version>
-        <spring.cloud.version>3.1.1</spring.cloud.version>
-        <feign.version>11.7</feign.version>
+        <owasp.version>7.3.0</owasp.version>
+        <spring.boot.version>2.7.5</spring.boot.version>
+        <spring.cloud.version>3.1.4</spring.cloud.version>
+        <feign.version>11.10</feign.version>
         <bcpkix.version>1.70</bcpkix.version>
-        <lombok.version>1.18.22</lombok.version>
-        <mapstruct.version>1.4.2.Final</mapstruct.version>
+        <lombok.version>1.18.24</lombok.version>
+        <mapstruct.version>1.5.3.Final</mapstruct.version>
         <commonsio.version>2.11.0</commonsio.version>
-        <cbor.version>4.5.1</cbor.version>
-        <jackson.version>2.13.1</jackson.version>
-        <mockwebserver.version>4.9.3</mockwebserver.version>
-        <plugin.checkstyle.version>3.1.2</plugin.checkstyle.version>
-        <plugin.sonar.version>3.9.1.2184</plugin.sonar.version>
-        <plugin.surefire.version>3.0.0-M5</plugin.surefire.version>
-        <plugin.jacoco.version>0.8.7</plugin.jacoco.version>
+        <cbor.version>4.5.2</cbor.version>
+        <jackson.version>2.13.4</jackson.version>
+        <jackson.databind.version>2.13.4.2</jackson.databind.version>
+        <mockwebserver.version>4.10.0</mockwebserver.version>
+        <plugin.checkstyle.version>3.2.0</plugin.checkstyle.version>
+        <plugin.surefire.version>3.0.0-M7</plugin.surefire.version>
+        <plugin.jacoco.version>0.8.8</plugin.jacoco.version>
 
         <!-- license -->
         <license.projectName>WHO Digital Documentation Covid Certificate Gateway Service / ddcc-gateway-lib</license.projectName>
@@ -73,9 +73,25 @@
     <dependencies>
         <dependency>
             <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter</artifactId>
+            <artifactId>spring-boot-starter-web</artifactId>
             <version>${spring.boot.version}</version>
             <optional>true</optional>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.yaml</groupId>
+                    <artifactId>snakeyaml</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>com.fasterxml.jackson.core</groupId>
+                    <artifactId>jackson-databind</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <!-- Explicit inclusion of SnakeYaml because of CVE -->
+        <dependency>
+            <groupId>org.yaml</groupId>
+            <artifactId>snakeyaml</artifactId>
+            <version>1.33</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
@@ -128,12 +144,18 @@
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>${jackson.version}</version>
+            <version>${jackson.databind.version}</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.datatype</groupId>
             <artifactId>jackson-datatype-jsr310</artifactId>
             <version>${jackson.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>com.fasterxml.jackson.core</groupId>
+                    <artifactId>jackson-databind</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
 
         <dependency>
@@ -148,24 +170,6 @@
             <version>${mockwebserver.version}</version>
             <scope>test</scope>
         </dependency>
-        <!-- Explicit inclusion because of https://nvd.nist.gov/vuln/detail/CVE-2021-27568 -->
-        <dependency>
-            <groupId>net.minidev</groupId>
-            <artifactId>json-smart</artifactId>
-            <version>2.4.7</version>
-            <scope>test</scope>
-        </dependency>
-        <!-- Explicit inclusion because of https://nvd.nist.gov/vuln/detail/CVE-2021-22119 -->
-        <dependency>
-            <groupId>org.springframework.security</groupId>
-            <artifactId>spring-security-crypto</artifactId>
-            <version>5.5.1</version>
-        </dependency>
-        <dependency>
-            <groupId>org.springframework</groupId>
-            <artifactId>spring-web</artifactId>
-            <version>5.3.15</version>
-        </dependency>
     </dependencies>
 
     <build>
@@ -184,7 +188,7 @@
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-compiler-plugin</artifactId>
-                    <version>3.8.1</version>
+                    <version>3.10.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.codehaus.mojo</groupId>
@@ -209,7 +213,7 @@
                         <exclude>**/connector/dto/**</exclude>
                         <exclude>**/connector/mapper/**</exclude>
                         <exclude>**/connector/model/**</exclude>
-                        <exclude>**/DgcLibAutoConfiguration.ava</exclude>
+                        <exclude>**/DgcLibAutoConfiguration.java</exclude>
                     </excludes>
                 </configuration>
                 <executions>
@@ -241,8 +245,6 @@
                 <configuration>
                     <configLocation>codestyle/checkstyle.xml</configLocation>
                     <excludes>target/**/*</excludes>
-                    <excludes>**/springbootworkaroundforks/*</excludes>
-                    <encoding>UTF-8</encoding>
                     <consoleOutput>true</consoleOutput>
                     <failsOnError>true</failsOnError>
                     <violationSeverity>warning</violationSeverity>

src/main/java/eu/europa/ec/dgc/gateway/connector/DgcGatewayConnectorUtils.java

@@ -36,6 +36,7 @@
 import eu.europa.ec.dgc.gateway.connector.model.TrustedIssuer;
 import eu.europa.ec.dgc.gateway.connector.model.TrustedReference;
 import eu.europa.ec.dgc.signing.SignedCertificateMessageParser;
+import eu.europa.ec.dgc.signing.SignedMessageParser;
 import eu.europa.ec.dgc.signing.SignedStringMessageParser;
 import eu.europa.ec.dgc.utils.CertificateUtils;
 import feign.FeignException;
@@ -118,7 +119,9 @@ void init() throws KeyStoreException, CertificateEncodingException, IOException
     public boolean trustListItemSignedByCa(TrustListItemDto certificate, X509CertificateHolder ca) {
         ContentVerifierProvider verifier;
         try {
-            verifier = new JcaContentVerifierProviderBuilder().build(ca);
+            verifier = new JcaContentVerifierProviderBuilder()
+                .setProvider(new BouncyCastleProvider())
+                .build(ca);
         } catch (OperatorCreationException | CertificateException e) {
             log.error("Failed to instantiate JcaContentVerifierProvider from cert. KID: {}, Country: {}",
                 certificate.getKid(), certificate.getCountry());
@@ -132,6 +135,8 @@ public boolean trustListItemSignedByCa(TrustListItemDto certificate, X509Certifi
             log.error("Could not parse certificate. KID: {}, Country: {}",
                 certificate.getKid(), certificate.getCountry());
             return false;
+        } catch (NullPointerException e) {
+            return false;
         }
 
         try {
@@ -153,6 +158,8 @@ public boolean trustListItemSignedByCa(TrustListItemDto certificate, Map<String,
             log.error("Could not parse certificate. KID: {}, Country: {}",
                 certificate.getKid(), certificate.getCountry());
             return false;
+        } catch (NullPointerException e) {
+            return false;
         }
 
         List<X509CertificateHolder> caList = caMap.get(dcs.getIssuer().toString());
@@ -171,7 +178,7 @@ boolean checkTrustAnchorSignature(TrustListItemDto trustListItem, List<X509Certi
         SignedCertificateMessageParser parser = new SignedCertificateMessageParser(
             trustListItem.getSignature(), trustListItem.getRawData());
 
-        if (parser.getParserState() != SignedCertificateMessageParser.ParserState.SUCCESS) {
+        if (parser.getParserState() != SignedMessageParser.ParserState.SUCCESS) {
             log.error("Could not parse trustListItem CMS. ParserState: {}", parser.getParserState());
             return false;
         } else if (!parser.isSignatureVerified()) {

src/main/java/eu/europa/ec/dgc/gateway/connector/DgcGatewayDownloadConnectorBuilder.java

@@ -25,6 +25,7 @@
 import eu.europa.ec.dgc.gateway.connector.mapper.TrustListMapper;
 import eu.europa.ec.dgc.gateway.connector.mapper.TrustedCertificateMapper;
 import eu.europa.ec.dgc.gateway.connector.mapper.TrustedIssuerMapper;
+import eu.europa.ec.dgc.gateway.connector.mapper.TrustedIssuerMapperImpl;
 import eu.europa.ec.dgc.gateway.connector.mapper.TrustedReferenceMapper;
 import eu.europa.ec.dgc.utils.CertificateUtils;
 import feign.Client;
@@ -78,9 +79,9 @@ public class DgcGatewayDownloadConnectorBuilder {
     private static final CertificateUtils certificateUtils = new CertificateUtils();
     private final ApplicationContext springBootContext;
     private final TrustListMapper trustListMapper;
-    private final TrustedIssuerMapper trustedIssuerMapper;
     private final TrustedReferenceMapper trustedReferenceMapper;
     private final TrustedCertificateMapper trustedCertificateMapper;
+    private final TrustedIssuerMapper trustedIssuerMapper = new TrustedIssuerMapperImpl();
 
     /**
      * Builder parameters.

src/main/java/eu/europa/ec/dgc/gateway/connector/DgcGatewayRevocationListDownloadConnector.java

@@ -56,6 +56,7 @@ public class DgcGatewayRevocationListDownloadConnector {
     /**
      * Gets a revocation list iterator, for partly downloading the revocation list.
      * The if-modified-since header is set to the default value to start at the beginning of the list.
+     *
      * @return revocation list iterator
      */
     public DgcGatewayRevocationListDownloadIterator getRevocationListDownloadIterator() {
@@ -65,6 +66,7 @@ public DgcGatewayRevocationListDownloadIterator getRevocationListDownloadIterato
     /**
      * Gets a revocation list iterator, for partly downloading the revocation list.
      * The if-modified-since header is set to the value of the parameter. Only newer part of the list are downloaded.
+     *
      * @param ifModifiedSinceDate The value for the if-modified-since header
      * @return revocation list iterator
      */
@@ -76,6 +78,7 @@ public DgcGatewayRevocationListDownloadIterator getRevocationListDownloadIterato
 
     /**
      * Gets the revocation list batch data for a given batchId.
+     *
      * @param batchId the id of the batch to download.
      * @return the batch data.
      */
@@ -90,7 +93,7 @@ public RevocationBatchDto getRevocationListBatchById(String batchId) throws Revo
             log.error("Download of revocation list batch failed. DGCG responded with status code: {}", e.status());
 
             if (e.status() == HttpStatus.GONE.value()) {
-                throw new RevocationBatchGoneException(String.format("Batch already gone: %s", batchId),batchId);
+                throw new RevocationBatchGoneException(String.format("Batch already gone: %s", batchId), batchId);
             }
 
             throw new RevocationBatchDownloadException("Batch download failed with exception.", e);
@@ -102,7 +105,7 @@ public RevocationBatchDto getRevocationListBatchById(String batchId) throws Revo
 
             throw new RevocationBatchDownloadException(
                 String.format("Batch download failed with unexpected response. Response status code: %d", statusCode),
-                    statusCode);
+                statusCode);
         }
 
         String cms = responseEntity.getBody();