Fix vulnerability issues by upgrading/replacing some dependencies and upgrading java version to 21

Author: Chanaka Balasooriya

cve-suppressions.xml

@@ -1,7 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
-    <suppress>
-        <filePath regex="true">spring-.*-5\.3\.23\.jar</filePath>
-        <cve>CVE-2016-1000027</cve>
-    </suppress>
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+  <suppress>
+    <packageUrl regex="true">^pkg:maven/org\.glassfish/jakarta\.el@.*$</packageUrl>
+    <cve>CVE-2023-5763</cve>
+  </suppress>
+  <suppress>
+    <packageUrl regex="true">^pkg:maven/org\.glassfish/jakarta\.el@.*$</packageUrl>
+    <cve>CVE-2024-9329</cve>
+  </suppress>
 </suppressions>

pom.xml

@@ -59,10 +59,10 @@
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <maven.compiler.source>8</maven.compiler.source>
-        <maven.compiler.target>8</maven.compiler.target>
-        <spring.version>5.3.23</spring.version>
-        <postgresql.version>42.5.1</postgresql.version>
+        <maven.compiler.source>21</maven.compiler.source>
+        <maven.compiler.target>21</maven.compiler.target>
+        <spring.version>6.2.0</spring.version>
+        <postgresql.version>42.7.4</postgresql.version>
         <dependency-check-maven.version>7.2.1</dependency-check-maven.version>
     </properties>
 
@@ -83,31 +83,21 @@
             <version>${postgresql.version}</version>
         </dependency>
         <dependency>
-            <groupId>commons-lang</groupId>
-            <artifactId>commons-lang</artifactId>
-            <version>2.6</version>
-        </dependency>
-        <dependency>
-            <groupId>commons-beanutils</groupId>
-            <artifactId>commons-beanutils</artifactId>
-            <version>1.9.4</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>commons-logging</groupId>
-                    <artifactId>commons-logging</artifactId>
-                </exclusion>
-            </exclusions>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+            <version>3.17.0</version>
         </dependency>
         <dependency>
             <groupId>org.hibernate.validator</groupId>
             <artifactId>hibernate-validator</artifactId>
-            <version>6.1.5.Final</version>
+            <version>9.0.0.Beta3</version>
         </dependency>
         <dependency>
             <groupId>org.glassfish</groupId>
-            <artifactId>javax.el</artifactId>
-            <version>3.0.1-b08</version>
+            <artifactId>jakarta.el</artifactId>
+            <version>5.0.0-M1</version>
         </dependency>
+
         <dependency>
             <groupId>org.reflections</groupId>
             <artifactId>reflections</artifactId>
@@ -117,7 +107,7 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>30.1-jre</version>
+            <version>33.3.1-jre</version>
         </dependency>
         <dependency>
             <groupId>javax.persistence</groupId>
@@ -143,6 +133,11 @@
             <version>${spring.version}</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-beans</artifactId>
+            <version>${spring.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-test</artifactId>
@@ -209,7 +204,7 @@
                     </execution>
                 </executions>
                 <configuration>
-                    <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
+                    <failBuildOnCVSS>0</failBuildOnCVSS>
                     <suppressionFiles>
                         <suppressionFile>cve-suppressions.xml</suppressionFile>
                     </suppressionFiles>
@@ -272,7 +267,7 @@
             <plugin>
                 <groupId>org.jacoco</groupId>
                 <artifactId>jacoco-maven-plugin</artifactId>
-                <version>0.8.4</version>
+                <version>0.8.12</version>
                 <executions>
                     <execution>
                         <id>prepare-agent</id>

src/main/java/org/zalando/sprocwrapper/dsprovider/BitmapShardDataSourceProvider.java

@@ -3,7 +3,7 @@
 import com.google.common.base.Strings;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
-import org.apache.commons.beanutils.BeanUtils;
+import org.springframework.beans.BeanWrapperImpl;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -89,18 +89,19 @@ public BitmapShardDataSourceProvider(final Class<? extends DataSource> dataSourc
 
         for (final Entry<String, String> entry : connectionUrls.entrySet()) {
             final DataSource ds = dataSourceClass.getDeclaredConstructor().newInstance();
+            var dsBeanWrapper = new BeanWrapperImpl(ds);
             for (final Entry<String, String> prop : commonDataSourceProperties.entrySet()) {
-                BeanUtils.setProperty(ds, prop.getKey(), prop.getValue());
+                dsBeanWrapper.setPropertyValue(prop.getKey(), prop.getValue());
             }
 
             final String[] parts = entry.getValue().split("\\|");
 
-            BeanUtils.setProperty(ds, "jdbcUrl", parts[0]);
+            dsBeanWrapper.setPropertyValue("jdbcUrl", parts[0]);
 
             if (parts.length > 1) {
 
                 // a little bit hacky, because "initSQL" is boneCP-specific
-                BeanUtils.setProperty(ds, "initSQL", parts[1]);
+                dsBeanWrapper.setPropertyValue("initSQL", parts[1]);
             }
 
             for (int i = 0; i < dataSources.length; i++) {

src/main/java/org/zalando/sprocwrapper/proxy/executors/ValidationExecutorWrapper.java

@@ -6,11 +6,11 @@
 import org.slf4j.LoggerFactory;
 
 import javax.sql.DataSource;
-import javax.validation.ConstraintViolation;
-import javax.validation.ConstraintViolationException;
-import javax.validation.Validation;
-import javax.validation.Validator;
-import javax.validation.ValidatorFactory;
+import jakarta.validation.ConstraintViolation;
+import jakarta.validation.ConstraintViolationException;
+import jakarta.validation.Validation;
+import jakarta.validation.Validator;
+import jakarta.validation.ValidatorFactory;
 import java.util.Set;
 
 /**

src/main/java/org/zalando/sprocwrapper/util/NameUtils.java

@@ -4,7 +4,7 @@
 
 import java.util.Locale;
 
-import static org.apache.commons.lang.StringUtils.splitByCharacterTypeCamelCase;
+import static org.apache.commons.lang3.StringUtils.splitByCharacterTypeCamelCase;
 
 /**
  * Static utility methods for naming conventions.

src/main/java/org/zalando/typemapper/core/fieldMapper/DateFieldMapper.java

@@ -1,5 +1,6 @@
 package org.zalando.typemapper.core.fieldMapper;
 
+import java.nio.charset.StandardCharsets;
 import java.sql.Date;
 import java.sql.SQLException;
 import java.sql.Timestamp;
@@ -24,7 +25,8 @@ public Object mapField(final String string, final Class<?> clazz) {
 
         Timestamp date = null;
         try {
-            date = postgresJDBCDriverReusedTimestampUtils.toTimestamp(null, string);
+            date = postgresJDBCDriverReusedTimestampUtils.toTimestamp(null, string.getBytes(
+                StandardCharsets.UTF_8));
         } catch (final SQLException e) {
             LOG.error("Invalid date/time string: {}", string, e);
         }

src/main/java/org/zalando/typemapper/postgres/PgTypeHelper.java

@@ -3,7 +3,6 @@
 import javax.persistence.Column;
 
 import com.google.common.base.Optional;
-import org.postgresql.core.BaseConnection;
 import org.postgresql.jdbc.PostgresJDBCDriverReusedTimestampUtils;
 import org.postgresql.util.PGobject;
 import org.slf4j.Logger;
@@ -268,7 +267,7 @@ public int compare(final Field a, final Field b) {
         for (final Field f : fields) {
             final DatabaseFieldDescriptor databaseFieldDescriptor = getDatabaseFieldDescriptor(f);
             if (databaseFieldDescriptor != null) {
-                if (!f.isAccessible()) {
+                if (!f.canAccess(obj)) {
                     f.setAccessible(true);
                 }
 
@@ -501,17 +500,7 @@ public static String toPgString(Object o, final Connection connection) {
             } else {
                 tmpd = new Timestamp(((Date) o).getTime());
             }
-
-            if (connection instanceof BaseConnection) {
-
-                // if we do have a valid postgresql connection use this one:
-                final BaseConnection postgresBaseConnection = (BaseConnection) connection;
-                sb.append(postgresBaseConnection.getTimestampUtils().toString(null, tmpd));
-            } else {
-
-                // no valid postgresql connection - use that one:
-                sb.append(postgresJDBCDriverReusedTimestampUtils.toString(null, tmpd));
-            }
+            sb.append(postgresJDBCDriverReusedTimestampUtils.toString(null, tmpd));
         } else if (o instanceof Map) {
             final Map<?, ?> map = (Map<?, ?>) o;
             sb.append(HStore.serialize(map));

src/test/java/org/zalando/sprocwrapper/SimpleIT.java

@@ -17,7 +17,7 @@
 import java.util.List;
 import java.util.Optional;
 import javax.sql.DataSource;
-import javax.validation.ConstraintViolationException;
+import jakarta.validation.ConstraintViolationException;
 
 import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;

src/test/java/org/zalando/sprocwrapper/example/ExampleDomainObjectWithValidation.java

@@ -1,8 +1,8 @@
 package org.zalando.sprocwrapper.example;
 
-import javax.validation.constraints.Max;
-import javax.validation.constraints.Min;
-import javax.validation.constraints.NotNull;
+import jakarta.validation.constraints.Max;
+import jakarta.validation.constraints.Min;
+import jakarta.validation.constraints.NotNull;
 
 import org.zalando.typemapper.annotations.DatabaseField;
 

src/test/java/org/zalando/sprocwrapper/example/ExampleValidationSProcService.java

@@ -1,6 +1,6 @@
 package org.zalando.sprocwrapper.example;
 
-import javax.validation.constraints.NotNull;
+import jakarta.validation.constraints.NotNull;
 
 import org.zalando.sprocwrapper.SProcCall;
 import org.zalando.sprocwrapper.SProcCall.Validate;