Dependency updates to eliminate vulnerabilities discovered by dependency-check

.gitlab-ci.yml

+include:
+  # Security scanning
+  - template: Security/SAST.gitlab-ci.yml
+  - template: Security/SAST-IaC.latest.gitlab-ci.yml
+  - template: Security/Secret-Detection.gitlab-ci.yml
+  - template: Security/Dependency-Scanning.gitlab-ci.yml
+
 image: maven:3-amazoncorretto-8
 
 variables:
@@ -20,15 +27,49 @@ default:
     - aws
     - docker
 
-test:
-  stage: test
+stages:
+  - build
+  - test
+  - deploy
+
+build_jar:
+  stage: build
+  cache:
+    paths:
+      - .m2/repository
   script:
-    - mvn clean $MAVEN_CLI_OPTS verify
+    - mvn $MAVEN_CLI_OPTS clean verify
+  artifacts:
+    paths:
+      - .m2/
+      - "*/target"
+    expire_in: 1 week
+
+secret_detection:
+  needs: []
+
+semgrep-sast:
+  needs: []
+
+gemnasium-maven-dependency_scanning:
+  variables:
+    DS_JAVA_VERSION: 8
+  needs:
+    - build_jar
+
+spotbugs-sast:
+  tags:
+  needs:
+    - build_jar
+  variables:
+    SAST_JAVA_VERSION: 8
+    MAVEN_REPO_PATH: $CI_PROJECT_DIR/.m2/repository
+    COMPILE: "false"
 
 deploy:
   stage: deploy
   only:
-    - main
+    - trunk
   script:
     - env
     - mvn $MAVEN_CLI_OPTS deploy -Pdeploy -X

pom.xml

@@ -2,7 +2,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>edu.wisc.uwss</groupId>
 	<artifactId>uw-spring-security</artifactId>
-	<version>3.0.5</version>
+	<version>3.0.6</version>
 	<packaging>pom</packaging>
 	<name>UW Spring Security Parent</name>
 	<description>Parent project for module to integrate Spring Security with UW authentication mechanism.</description>
@@ -33,12 +33,13 @@
 	</repositories>
 
 	<properties>
-		<revision>3.0.4</revision>
+		<revision>3.0.6</revision>
 		<adi.development.version>2.0.1</adi.development.version>
-		<jackson.version>2.11.1</jackson.version>
-		<slf4j.version>1.7.7</slf4j.version>
-		<spring.framework.version>5.2.7.RELEASE</spring.framework.version>
-		<spring.security.version>5.3.3.RELEASE</spring.security.version>
+		<jackson.version>2.14.0-rc1</jackson.version>
+		<slf4j.version>2.0.3</slf4j.version>
+		<spring.framework.version>5.3.23</spring.framework.version>
+		<spring.security.version>5.7.3</spring.security.version>
+		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 	</properties>
 	<dependencyManagement>
 		<dependencies>
@@ -93,8 +94,28 @@
 						<groupId>joda-time</groupId>
 						<artifactId>joda-time</artifactId>
 					</exclusion>
+					<exclusion>
+						<groupId>org.opensaml</groupId>
+						<artifactId>opensaml</artifactId>
+					</exclusion>
                 </exclusions>
             </dependency>
+			<dependency>
+				<groupId>org.opensaml</groupId>
+				<artifactId>opensaml</artifactId>
+				<version>2.6.4</version>
+				<exclusions>
+					<exclusion>
+						<groupId>org.owasp.esapi</groupId>
+						<artifactId>esapi</artifactId>
+					</exclusion>
+				</exclusions>
+			</dependency>
+			<dependency>
+				<groupId>org.owasp.esapi</groupId>
+				<artifactId>esapi</artifactId>
+				<version>2.5.0.0</version>
+			</dependency>
 			<dependency>
 				<groupId>edu.wisc.uwss</groupId>
 				<artifactId>uw-spring-security-config</artifactId>
@@ -118,7 +139,7 @@
 			<dependency>
 				<groupId>junit</groupId>
 				<artifactId>junit</artifactId>
-				<version>4.12</version>
+				<version>4.13.1</version>
 			</dependency>
 			<dependency>
 				<groupId>org.apache.commons</groupId>
@@ -141,9 +162,9 @@
 				<version>${slf4j.version}</version>
 			</dependency>
 			<dependency>
-				<groupId>org.slf4j</groupId>
-				<artifactId>slf4j-log4j12</artifactId>
-				<version>${slf4j.version}</version>
+				<groupId>ch.qos.logback</groupId>
+				<artifactId>logback-classic</artifactId>
+				<version>1.3.4</version>
 			</dependency>
 			<dependency>
 				<groupId>org.springframework</groupId>
@@ -250,6 +271,7 @@
 				<artifactId>maven-install-plugin</artifactId>
 				<version>3.0.0-M1</version>
 			</plugin>
+
 		</plugins>
 	</build>
 	<modules>

uw-spring-security-config/pom.xml

@@ -3,7 +3,7 @@
 	<parent>
 		<groupId>edu.wisc.uwss</groupId>
 		<artifactId>uw-spring-security</artifactId>
-		<version>3.0.5</version>
+		<version>3.0.6</version>
 	</parent>
 	<artifactId>uw-spring-security-config</artifactId>
 	<name>UW Spring Security Configuration</name>
@@ -46,8 +46,8 @@
 			<scope>test</scope>
 		</dependency>
 		<dependency>
-			<groupId>org.slf4j</groupId>
-			<artifactId>slf4j-log4j12</artifactId>
+			<groupId>ch.qos.logback</groupId>
+			<artifactId>logback-classic</artifactId>
 			<scope>test</scope>
 		</dependency>
 		<dependency>

uw-spring-security-core/pom.xml

@@ -3,7 +3,7 @@
 	<parent>
 		<groupId>edu.wisc.uwss</groupId>
 		<artifactId>uw-spring-security</artifactId>
-		<version>3.0.5</version>
+		<version>3.0.6</version>
 	</parent>
 	<artifactId>uw-spring-security-core</artifactId>
 	<name>UW Spring Security Core</name>
@@ -59,8 +59,8 @@
 			<scope>test</scope>
 		</dependency>
 		<dependency>
-			<groupId>org.slf4j</groupId>
-			<artifactId>slf4j-log4j12</artifactId>
+			<groupId>ch.qos.logback</groupId>
+			<artifactId>logback-classic</artifactId>
 			<scope>test</scope>
 		</dependency>
 		<dependency>

uw-spring-security-sample-war/pom.xml

@@ -3,7 +3,7 @@
 	<parent>
 		<groupId>edu.wisc.uwss</groupId>
 		<artifactId>uw-spring-security</artifactId>
-		<version>3.0.5</version>
+		<version>3.0.6</version>
 	</parent>
 	<artifactId>uw-spring-security-sample-war</artifactId>
 	<name>UW Spring Security Sample War</name>
@@ -50,16 +50,15 @@
 			<groupId>org.springframework</groupId>
 			<artifactId>spring-webmvc</artifactId>
 		</dependency>
-
 		<dependency>
-			<groupId>org.slf4j</groupId>
-			<artifactId>jcl-over-slf4j</artifactId>
-			<scope>runtime</scope>
+			<groupId>ch.qos.logback</groupId>
+			<artifactId>logback-classic</artifactId>
+			<scope>test</scope>
 		</dependency>
 		<dependency>
 			<groupId>org.slf4j</groupId>
-			<artifactId>slf4j-log4j12</artifactId>
-			<scope>runtime</scope>
+			<artifactId>jcl-over-slf4j</artifactId>
+			<scope>test</scope>
 		</dependency>
 	</dependencies>
 	<build>

uw-spring-security-sample-war/src/main/java/edu/wisc/uwss/sample/configuration/DemonstrationOnlyPreAuthenticationConfiguration.java

@@ -96,7 +96,11 @@ public class DemonstrationOnlyPreAuthenticationConfiguration {
           HttpServletRequest httpRequest = (HttpServletRequest) request;
           String uri = httpRequest.getRequestURI();
           String param = httpRequest.getParameter("_ignorepreauth");
-          logger.debug("uri={}, param={}", uri, param);
+
+          // remove CRLF to avoid CWE-93
+          String cleanUri = (uri!=null) ? uri.replaceAll("([\\r\\n])", " ") : null;
+          String cleanParam = (param!=null) ? param.replace("([\\r\\n])","") : null;
+          logger.debug("uri={}, param={}", cleanUri, cleanParam);
           if(null != param || IGNORED.contains(uri)) {
             logger.info("skipping PreAuthenticationSimulationServletFilter, either due to '_ignorepreauth' or visiting ignore uri");
             filterChain.doFilter(request, response); 

uw-spring-security-web/pom.xml

@@ -15,7 +15,7 @@
     <parent>
 		<groupId>edu.wisc.uwss</groupId>
 		<artifactId>uw-spring-security</artifactId>
-		<version>3.0.5</version>
+		<version>3.0.6</version>
 	</parent>
 	<artifactId>uw-spring-security-web</artifactId>
 	<name>UW Spring Security Web</name>
@@ -38,8 +38,8 @@
 			<scope>test</scope>
 		</dependency>
 		<dependency>
-			<groupId>org.slf4j</groupId>
-			<artifactId>slf4j-log4j12</artifactId>
+			<groupId>ch.qos.logback</groupId>
+			<artifactId>logback-classic</artifactId>
 			<scope>test</scope>
 		</dependency>
 		<dependency>