Removing log4j dependencies from test and substituting logback as the slf4j...

Removing log4j dependencies from test and substituting logback as the slf4j provider, adding gitlab security scanning configurations

Removing log4j dependencies from test and substituting logback as the slf4j...
79eec30f · bhill6@wisc.edu · 9de23040 · 79eec30f · 79eec30f · 79eec30f
Commit 79eec30f authored 2 years ago by bhill6@wisc.edu
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
+include:
+  # Security scanning
+  - template: Security/SAST.gitlab-ci.yml
+  - template: Security/Secret-Detection.gitlab-ci.yml
+  - template: Security/Dependency-Scanning.gitlab-ci.yml
 image: maven:3-amazoncorretto-8
 variables:
@@ -20,10 +26,21 @@ default:
    - aws
    - docker
+stages:
+  - test # GitLab security scanning jobs use the 'test' stage
+  - deploy
 test:
  stage: test
  script:
    - mvn clean $MAVEN_CLI_OPTS verify
+  artifacts:
+    paths:
+      - uw-spring-security-config/target/dependency-check-report.html
+      - uw-spring-security-core/target/dependency-check-report.html
+      - uw-spring-security-sample-war/target/dependency-check-report.html
+      - uw-spring-security-web/target/dependency-check-report.html
+    expire_in: 1 year
 deploy:
  stage: deploy

--- a/cve-supressions.xml
+++ b/cve-supressions.xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+Documentation: https://jeremylong.github.io/DependencyCheck/general/suppression.html
+-->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <suppress>
+        <notes><![CDATA[Long discussion about this CVE by Spring: https://github.com/spring-projects/spring-framework/issues/24434]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.springframework/spring.*$</packageUrl>
+        <cve>CVE-2016-1000027</cve>
+    </suppress>
+</suppressions>
\ No newline at end of file
--- a/pom.xml
+++ b/pom.xml
@@ -36,7 +36,7 @@
 		<revision>3.0.4</revision>
 		<adi.development.version>2.0.1</adi.development.version>
 		<jackson.version>2.14.0-rc1</jackson.version>
-		<slf4j.version>1.7.7</slf4j.version>
+		<slf4j.version>2.0.3</slf4j.version>
 		<spring.framework.version>5.3.23</spring.framework.version>
 		<spring.security.version>5.7.3</spring.security.version>
 	</properties>
@@ -138,7 +138,7 @@
 			<dependency>
 				<groupId>junit</groupId>
 				<artifactId>junit</artifactId>
-				<version>4.12</version>
+				<version>4.13.1</version>
 			</dependency>
 			<dependency>
 				<groupId>org.apache.commons</groupId>
@@ -161,9 +161,9 @@
 				<version>${slf4j.version}</version>
 			</dependency>
 			<dependency>
-				<groupId>org.slf4j</groupId>
+				<groupId>ch.qos.logback</groupId>
-				<artifactId>slf4j-log4j12</artifactId>
+				<artifactId>logback-classic</artifactId>
-				<version>${slf4j.version}</version>
+				<version>1.3.4</version>
 			</dependency>
 			<dependency>
 				<groupId>org.springframework</groupId>
@@ -274,6 +274,9 @@
 				<groupId>org.owasp</groupId>
 				<artifactId>dependency-check-maven</artifactId>
 				<version>7.0.4</version>
+				<configuration>
+					<suppressionFile>cve-supressions.xml</suppressionFile>
+				</configuration>
 				<executions>
 					<execution>
 						<goals>

--- a/uw-spring-security-config/pom.xml
+++ b/uw-spring-security-config/pom.xml
@@ -46,8 +46,8 @@
 			<scope>test</scope>
 		</dependency>
 		<dependency>
-			<groupId>org.slf4j</groupId>
+			<groupId>ch.qos.logback</groupId>
-			<artifactId>slf4j-log4j12</artifactId>
+			<artifactId>logback-classic</artifactId>
 			<scope>test</scope>
 		</dependency>
 		<dependency>

--- a/uw-spring-security-core/pom.xml
+++ b/uw-spring-security-core/pom.xml
@@ -59,8 +59,8 @@
 			<scope>test</scope>
 		</dependency>
 		<dependency>
-			<groupId>org.slf4j</groupId>
+			<groupId>ch.qos.logback</groupId>
-			<artifactId>slf4j-log4j12</artifactId>
+			<artifactId>logback-classic</artifactId>
 			<scope>test</scope>
 		</dependency>
 		<dependency>

--- a/uw-spring-security-sample-war/pom.xml
+++ b/uw-spring-security-sample-war/pom.xml
@@ -50,16 +50,15 @@
 			<groupId>org.springframework</groupId>
 			<artifactId>spring-webmvc</artifactId>
 		</dependency>
 		<dependency>
-			<groupId>org.slf4j</groupId>
+			<groupId>ch.qos.logback</groupId>
-			<artifactId>jcl-over-slf4j</artifactId>
+			<artifactId>logback-classic</artifactId>
-			<scope>runtime</scope>
+			<scope>test</scope>
 		</dependency>
 		<dependency>
 			<groupId>org.slf4j</groupId>
-			<artifactId>slf4j-log4j12</artifactId>
+			<artifactId>jcl-over-slf4j</artifactId>
-			<scope>runtime</scope>
+			<scope>test</scope>
 		</dependency>
 	</dependencies>
 	<build>

--- a/uw-spring-security-web/pom.xml
+++ b/uw-spring-security-web/pom.xml
@@ -38,8 +38,8 @@
 			<scope>test</scope>
 		</dependency>
 		<dependency>
-			<groupId>org.slf4j</groupId>
+			<groupId>ch.qos.logback</groupId>
-			<artifactId>slf4j-log4j12</artifactId>
+			<artifactId>logback-classic</artifactId>
 			<scope>test</scope>
 		</dependency>
 		<dependency>