diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 3f0239720d324ca842cab0936a72f77b4a69a3fc..e540d277c71cf201434022f5076139a1d39c0ab7 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,3 +1,10 @@
+include:
+  # Security scanning
+  - template: Security/SAST.gitlab-ci.yml
+  - template: Security/SAST-IaC.latest.gitlab-ci.yml
+  - template: Security/Secret-Detection.gitlab-ci.yml
+  - template: Security/Dependency-Scanning.gitlab-ci.yml
+
 image: maven:3-amazoncorretto-8
 
 variables:
@@ -20,15 +27,49 @@ default:
     - aws
     - docker
 
-test:
-  stage: test
+stages:
+  - build
+  - test
+  - deploy
+
+build_jar:
+  stage: build
+  cache:
+    paths:
+      - .m2/repository
   script:
-    - mvn clean $MAVEN_CLI_OPTS verify
+    - mvn $MAVEN_CLI_OPTS clean verify
+  artifacts:
+    paths:
+      - .m2/
+      - "*/target"
+    expire_in: 1 week
+
+secret_detection:
+  needs: []
+
+semgrep-sast:
+  needs: []
+
+gemnasium-maven-dependency_scanning:
+  variables:
+    DS_JAVA_VERSION: 8
+  needs:
+    - build_jar
+
+spotbugs-sast:
+  tags:
+  needs:
+    - build_jar
+  variables:
+    SAST_JAVA_VERSION: 8
+    MAVEN_REPO_PATH: $CI_PROJECT_DIR/.m2/repository
+    COMPILE: "false"
 
 deploy:
   stage: deploy
   only:
-    - main
+    - trunk
   script:
     - env
     - mvn $MAVEN_CLI_OPTS deploy -Pdeploy -X
diff --git a/pom.xml b/pom.xml
index 2d7561091c6a8a8ba163b3428fa1f3eda5c3c83e..6f40d9b2271b7374e7b0dbba17f679e92da36ea8 100644
--- a/pom.xml
+++ b/pom.xml
@@ -2,7 +2,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>edu.wisc.uwss</groupId>
   <artifactId>uw-spring-security</artifactId>
-  <version>3.0.5</version>
+  <version>3.0.6</version>
   <packaging>pom</packaging>
   <name>UW Spring Security Parent</name>
   <description>Parent project for module to integrate Spring Security with UW authentication mechanism.</description>
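Review bot: `Security/SAST-IaC.latest.gitlab-ci.yml` on the fourth added line of the `include:` block pulls the `.latest` variant, which tracks unreleased template changes and can change pipeline behaviour without any commit to this project, while the other three includes use the stable templates. Use `- template: Security/SAST-IaC.gitlab-ci.yml` unless a specific unreleased feature is needed, and if it is, record that reason in the `# Security scanning` comment so the inconsistency is deliberate.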
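Review bot: `tags:` under `spotbugs-sast` has no value, which YAML reads as null rather than an empty list; if the intent is to clear the `default:` tags (`aws`, `docker` in the hunk's context) so the scanning job runs on shared runners, write `tags: []` explicitly, since a bare key is ambiguous to linters and to GitLab's schema validation. Separately, `artifacts.paths` now uploads the whole `.m2/` tree for a week on every pipeline in addition to caching `.m2/repository`; it is consumed by `spotbugs-sast` through `MAVEN_REPO_PATH`, so it is needed, but a comment stating that dependency would keep a later cleanup from removing it.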
@@ -33,12 +33,13 @@
   </repositories>
 
   <properties>
-    <revision>3.0.4</revision>
+    <revision>3.0.6</revision>
     <adi.development.version>2.0.1</adi.development.version>
-    <jackson.version>2.11.1</jackson.version>
-    <slf4j.version>1.7.7</slf4j.version>
-    <spring.framework.version>5.2.7.RELEASE</spring.framework.version>
-    <spring.security.version>5.3.3.RELEASE</spring.security.version>
+    <jackson.version>2.14.0-rc1</jackson.version>
+    <slf4j.version>2.0.3</slf4j.version>
+    <spring.framework.version>5.3.23</spring.framework.version>
+    <spring.security.version>5.7.3</spring.security.version>
+    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
   </properties>
   <dependencyManagement>
     <dependencies>
@@ -93,8 +94,28 @@
           <groupId>joda-time</groupId>
           <artifactId>joda-time</artifactId>
         </exclusion>
+        <exclusion>
+          <groupId>org.opensaml</groupId>
+          <artifactId>opensaml</artifactId>
+        </exclusion>
       </exclusions>
     </dependency>
+    <dependency>
+      <groupId>org.opensaml</groupId>
+      <artifactId>opensaml</artifactId>
+      <version>2.6.4</version>
+      <exclusions>
+        <exclusion>
+          <groupId>org.owasp.esapi</groupId>
+          <artifactId>esapi</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+    <dependency>
+      <groupId>org.owasp.esapi</groupId>
+      <artifactId>esapi</artifactId>
+      <version>2.5.0.0</version>
+    </dependency>
     <dependency>
       <groupId>edu.wisc.uwss</groupId>
       <artifactId>uw-spring-security-config</artifactId>
@@ -118,7 +139,7 @@
     <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>
-      <version>4.12</version>
+      <version>4.13.1</version>
     </dependency>
     <dependency>
       <groupId>org.apache.commons</groupId>
@@ -141,9 +162,9 @@
       <version>${slf4j.version}</version>
     </dependency>
     <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-log4j12</artifactId>
-      <version>${slf4j.version}</version>
+      <groupId>ch.qos.logback</groupId>
+      <artifactId>logback-classic</artifactId>
+      <version>1.3.4</version>
     </dependency>
     <dependency>
       <groupId>org.springframework</groupId>
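Review bot: `<jackson.version>2.14.0-rc1</jackson.version>` pins a release candidate in the parent's `<properties>`, and through `<dependencyManagement>` every module and every downstream consumer of this parent inherits it in what is otherwise a released 3.0.6. Release candidates can carry defects fixed before GA and are not what the Dependency-Scanning job this commit enables is best at tracking; prefer a GA version of the 2.14 line or the newest 2.13.x GA, or add an XML comment beside the property stating why the RC is required and when it will be replaced.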
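Review bot: the new `org.opensaml:opensaml:2.6.4` entry in the `@@ -93` hunk pins the OpenSAML 2.x line, which its maintainers retired years ago and which no longer receives security fixes; excluding it from the dependency above (whose artifactId is outside the hunk) and re-declaring it only swaps the ESAPI transitive for an explicit `esapi` 2.5.0.0 pin, it does not change the exposure of the library itself. If it cannot be replaced yet, add an XML comment next to `<version>2.6.4</version>` recording which dependency still requires it and that it is unmaintained, so findings from the scanning jobs against it are understood rather than dismissed.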
@@ -250,6 +271,7 @@
         <artifactId>maven-install-plugin</artifactId>
         <version>3.0.0-M1</version>
       </plugin>
+
     </plugins>
   </build>
   <modules>
diff --git a/uw-spring-security-config/pom.xml b/uw-spring-security-config/pom.xml
index 04febd84675cf768677c045db129914c424bd813..4f6831f74be729ca3562633fa57b936653103b4a 100644
--- a/uw-spring-security-config/pom.xml
+++ b/uw-spring-security-config/pom.xml
@@ -3,7 +3,7 @@
   <parent>
     <groupId>edu.wisc.uwss</groupId>
     <artifactId>uw-spring-security</artifactId>
-    <version>3.0.5</version>
+    <version>3.0.6</version>
   </parent>
   <artifactId>uw-spring-security-config</artifactId>
   <name>UW Spring Security Configuration</name>
@@ -46,8 +46,8 @@
       <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-log4j12</artifactId>
+      <groupId>ch.qos.logback</groupId>
+      <artifactId>logback-classic</artifactId>
       <scope>test</scope>
     </dependency>
     <dependency>
diff --git a/uw-spring-security-core/pom.xml b/uw-spring-security-core/pom.xml
index ad4d1e6f7d1856bed9a40a7484c85167a6451005..54451d8a435a973a0846946007e25edcdddb8d16 100644
--- a/uw-spring-security-core/pom.xml
+++ b/uw-spring-security-core/pom.xml
@@ -3,7 +3,7 @@
   <parent>
     <groupId>edu.wisc.uwss</groupId>
     <artifactId>uw-spring-security</artifactId>
-    <version>3.0.5</version>
+    <version>3.0.6</version>
   </parent>
   <artifactId>uw-spring-security-core</artifactId>
   <name>UW Spring Security Core</name>
@@ -59,8 +59,8 @@
       <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-log4j12</artifactId>
+      <groupId>ch.qos.logback</groupId>
+      <artifactId>logback-classic</artifactId>
       <scope>test</scope>
     </dependency>
     <dependency>
diff --git a/uw-spring-security-sample-war/pom.xml b/uw-spring-security-sample-war/pom.xml
index bf7099a876b12ca440fa2f50237dd11aaaca0cad..1c95220ee024477f79899e76a2acc12a75ee9947 100644
--- a/uw-spring-security-sample-war/pom.xml
+++ b/uw-spring-security-sample-war/pom.xml
@@ -3,7 +3,7 @@
   <parent>
     <groupId>edu.wisc.uwss</groupId>
     <artifactId>uw-spring-security</artifactId>
-    <version>3.0.5</version>
+    <version>3.0.6</version>
   </parent>
   <artifactId>uw-spring-security-sample-war</artifactId>
   <name>UW Spring Security Sample War</name>
@@ -50,16 +50,15 @@
       <groupId>org.springframework</groupId>
       <artifactId>spring-webmvc</artifactId>
     </dependency>
-
     <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>jcl-over-slf4j</artifactId>
-      <scope>runtime</scope>
+      <groupId>ch.qos.logback</groupId>
+      <artifactId>logback-classic</artifactId>
+      <scope>test</scope>
     </dependency>
     <dependency>
       <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-log4j12</artifactId>
-      <scope>runtime</scope>
+      <artifactId>jcl-over-slf4j</artifactId>
+      <scope>test</scope>
     </dependency>
   </dependencies>
   <build>
diff --git a/uw-spring-security-sample-war/src/main/java/edu/wisc/uwss/sample/configuration/DemonstrationOnlyPreAuthenticationConfiguration.java b/uw-spring-security-sample-war/src/main/java/edu/wisc/uwss/sample/configuration/DemonstrationOnlyPreAuthenticationConfiguration.java
index fa8c773a234369b39614eae65baf488c1904fbf7..db1900692a08d01c41b5e34ee514dc8d35adf2ea 100644
--- a/uw-spring-security-sample-war/src/main/java/edu/wisc/uwss/sample/configuration/DemonstrationOnlyPreAuthenticationConfiguration.java
+++ b/uw-spring-security-sample-war/src/main/java/edu/wisc/uwss/sample/configuration/DemonstrationOnlyPreAuthenticationConfiguration.java
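Review bot: in the `@@ -50` hunk `logback-classic` and `jcl-over-slf4j` are both declared with `<scope>test</scope>`, replacing entries that were `runtime`, so the packaged sample war no longer carries an SLF4J provider or the commons-logging bridge; at runtime SLF4J falls back to its no-op logger and Spring's commons-logging output is not routed through it, which silences the very filter logging this commit's Java change sanitises. Unless the target servlet container is known to supply both, keep `<scope>runtime</scope>` on the two dependencies. The enclosing `<dependencies>` list starts outside the hunk.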
@@ -96,7 +96,11 @@ public class DemonstrationOnlyPreAuthenticationConfiguration {
     HttpServletRequest httpRequest = (HttpServletRequest) request;
     String uri = httpRequest.getRequestURI();
     String param = httpRequest.getParameter("_ignorepreauth");
-    logger.debug("uri={}, param={}", uri, param);
+
+    // remove CRLF to avoid CWE-93
+    String cleanUri = (uri!=null) ? uri.replaceAll("([\\r\\n])", " ") : null;
+    String cleanParam = (param!=null) ? param.replace("([\\r\\n])","") : null;
+    logger.debug("uri={}, param={}", cleanUri, cleanParam);
     if(null != param || IGNORED.contains(uri)) {
       logger.info("skipping PreAuthenticationSimulationServletFilter, either due to '_ignorepreauth' or visiting ignore uri");
       filterChain.doFilter(request, response);
diff --git a/uw-spring-security-web/pom.xml b/uw-spring-security-web/pom.xml
index f2bbce661da8e1038f0dc46c52bcc34d775c6b5c..4373f93e5094e152895f46792bc9f5fa763282c4 100644
--- a/uw-spring-security-web/pom.xml
+++ b/uw-spring-security-web/pom.xml
@@ -15,7 +15,7 @@
   <parent>
     <groupId>edu.wisc.uwss</groupId>
     <artifactId>uw-spring-security</artifactId>
-    <version>3.0.5</version>
+    <version>3.0.6</version>
   </parent>
   <artifactId>uw-spring-security-web</artifactId>
   <name>UW Spring Security Web</name>
@@ -38,8 +38,8 @@
       <scope>test</scope>
     </dependency>
     <dependency>
-      <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-log4j12</artifactId>
+      <groupId>ch.qos.logback</groupId>
+      <artifactId>logback-classic</artifactId>
       <scope>test</scope>
     </dependency>
     <dependency>
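Review bot: `param.replace("([\\r\\n])","")` on the fourth added line calls `String.replace(CharSequence, CharSequence)`, which is a literal (non-regex) replacement, so it only strips the exact text `([\r\n])` and any real CR or LF in the `_ignorepreauth` parameter still reaches the debug log; the CWE-93 mitigation the new comment announces is effective only for `uri`. Use the regex form as the `uri` line does, `String cleanParam = (param != null) ? param.replaceAll("[\\r\\n]", "") : null;`, and the capture group in the `uri` pattern is unnecessary: `String cleanUri = (uri != null) ? uri.replaceAll("[\\r\\n]", " ") : null;`. The two lines also disagree on the replacement text (a space for `uri`, nothing for `param`); pick one so log lines are read consistently. The enclosing doFilter body continues outside the hunk.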