Merge pull request #3 from blasttoys/development

Development

Author: blasttoys

CHANGELOG.md

@@ -1,5 +1,12 @@
 # Change Log
 
+### V1.3.5-SNAPSHOT
+
+- Fixed vulnerability CVE-2020-25649, CVE-2020-15522, CVE-2020-9488 and CVE-2019-17571
+- Update dependency library for bouncycastle to version 1.69
+- Update dependency library for jackson-databind to version 2.10.5.1
+- Remove dependency library for slf4j, updated to log4j version 2.14.1 for logging
+
 ### V1.3.4-SNAPSHOT
 
 - Fixed vulnerability CVE-2019-14379 and CVE-2019-14439

LICENSE

@@ -1,4 +1,4 @@
-Copyright (C) 2017-2020 GovTech, Government Digital Services, PDD-AI
+Copyright (C) 2017-2021 GovTech, Government Digital Services - ENP
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

README.md

@@ -63,22 +63,25 @@ mvn install
 <dependency>
     <groupId>com.api.util</groupId>
     <artifactId>ApiSecurity</artifactId>
-    <version>1.3.2-SNAPSHOT</version>
+    <version>1.3.5-SNAPSHOT</version>
 </dependency>
 ```
 
 **Note:** 
-* This project is leveraging on _slf4j-log4j12_ framework for the logging. If you are using logging implementation other than log4j, you can change to other type of implementation such as nop,simple,jdk14,logback. You could replace the following xml in pom.xml.
-* If your are using Log4j _Version2_, please refer to [Log4j2-SLF4J Binding](https://logging.apache.org/log4j/2.x/log4j-slf4j-impl/index.html)
+* This project is leveraging on Log4j _Version2_  framework for the logging. If you are using logging implementation other than Log4j _Version2_ , you can change to other type of implementation such as nop,simple,jdk14,logback. You could replace the following xml in pom.xml.
 
 
 ```xml
 <dependency>
-    <groupId>org.slf4j</groupId>
-    <artifactId>slf4j-log4j12</artifactId>
-    <version>1.7.25</version>
+	<groupId>org.apache.logging.log4j</groupId>
+	<artifactId>log4j-api</artifactId>
+	<version>2.14.1</version>
+</dependency>
+<dependency>
+	<groupId>org.apache.logging.log4j</groupId>
+	<artifactId>log4j-core</artifactId>
+	<version>2.14.1</version>
 </dependency>
-  	
 ```
 
 #### Maven Test
@@ -136,7 +139,7 @@ repositories {
     mavenLocal()
 }
 dependencies {
-    compile group: 'com.api.util', name: 'ApiSecurity', version: '1.3.1-SNAPSHOT'
+    compile group: 'com.api.util', name: 'ApiSecurity', version: '1.3.5-SNAPSHOT'
 }
 	
 ```
@@ -554,7 +557,7 @@ public void Http_POST_Test() throws ApiUtilException, IOException
 }
 
 ```
-
+	
 ## Contributing
 For more information about contributing PRs and issues, see [CONTRIBUTING.md](.github/CONTRIBUTING.md).
 
@@ -566,6 +569,6 @@ See [CHANGELOG.md](CHANGELOG.md).
 
 ## References
 + [UTF-8 in Gradle](https://stackoverflow.com/questions/21267234/show-utf-8-text-properly-in-gradle)
-+ [SLF4J FAQ](https://www.slf4j.org/faq.html)
-+ [Akana API Consumer Security](http://docs.akana.com/ag/cm_policies/using_api_consumer_app_sec_policy.htm)
-+ [RSA and HMAC Request Signing Standard](http://tools.ietf.org/html/draft-cavage-http-signatures-05)
++ [LOG4J2 FAQ](https://logging.apache.org/log4j/2.x/faq.html)
++ [Akana API Consumer Security](http://docs.akana.com/cm/learnmore/app_security.htm)
++ [RSA and HMAC Request Signing Standard](https://tools.ietf.org/id/draft-cavage-http-signatures-08.html)

build.gradle

@@ -4,7 +4,7 @@ plugins {
     id 'com.github.kt3k.coveralls' version '2.6.3'
 }
 
-version '1.3.4-SNAPSHOT'
+version '1.3.5-SNAPSHOT'
 
 tasks.withType(JavaCompile) {
     options.encoding = "UTF-8"
@@ -16,13 +16,23 @@ repositories {
 
 dependencies {
     //compile group: 'org.apache.commons', name: 'commons-collections4', version: '4.1'
+    
+    //gradle 4.0
     compile group: 'commons-lang', name: 'commons-lang', version: '2.4'
-    compile group: 'org.slf4j', name: 'slf4j-api', version: '1.7.25'
-    compile group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.9.9.2'
+    compile group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.14.1'
+    compile group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.14.1'
+    compile group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.10.5.1'
     compile group: 'com.googlecode.json-simple', name: 'json-simple', version: '1.1.1'
-    compile group: 'org.bouncycastle', name: 'bcpkix-jdk15on', version: '1.60'
-    testCompile group: 'org.slf4j', name: 'slf4j-log4j12', version: '1.7.25'
-    testCompile group: 'junit', name: 'junit', version: '4.12'
+    compile group: 'org.bouncycastle', name: 'bcpkix-jdk15on', version: '1.69'
+    
+    testCompile group: 'junit', name: 'junit', version: '4.13.1'
+
+    //gradle 6.9
+    //implementation group: 'commons-lang', name: 'commons-lang', version: '2.4'
+    //implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.10.5.1'
+    //implementation group: 'com.googlecode.json-simple', name: 'json-simple', version: '1.1.1'
+    //implementation group: 'org.bouncycastle', name: 'bcpkix-jdk15on', version: '1.69'
+    //testImplementation group: 'junit', name: 'junit', version: '4.13.1'
 }
 
 jar {

pom.xml

@@ -2,7 +2,7 @@
   <modelVersion>4.0.0</modelVersion>
   <groupId>com.api.util</groupId>
   <artifactId>ApiSecurity</artifactId>
-  <version>1.3.4-SNAPSHOT</version>
+  <version>1.3.5-SNAPSHOT</version>
   <build>
     <plugins>
       <plugin>
@@ -61,7 +61,7 @@
   	<dependency>
 		<groupId>junit</groupId>
 		<artifactId>junit</artifactId>
-		<version>4.12</version>
+		<version>4.13.1</version>
 		<scope>test</scope>
 		<exclusions>
 			<exclusion>
@@ -78,10 +78,15 @@
 		<scope>test</scope>
 	</dependency> 	
   	<dependency>
-  		<groupId>org.slf4j</groupId>
-  		<artifactId>slf4j-log4j12</artifactId>
-  		<version>1.7.25</version>
-  	</dependency>
+		    <groupId>org.apache.logging.log4j</groupId>
+		    <artifactId>log4j-api</artifactId>
+		    <version>2.14.1</version>
+	</dependency>
+  	<dependency>
+		    <groupId>org.apache.logging.log4j</groupId>
+		    <artifactId>log4j-core</artifactId>
+		    <version>2.14.1</version>
+	</dependency>
   	<dependency>
             <groupId>commons-lang</groupId>
             <artifactId>commons-lang</artifactId>
@@ -90,7 +95,7 @@
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>2.10.0.pr3</version>
+            <version>2.10.5.1</version>
         </dependency>
         <dependency>
 		    <groupId>com.googlecode.json-simple</groupId>
@@ -100,7 +105,7 @@
 		<dependency>
 		    <groupId>org.bouncycastle</groupId>
 		    <artifactId>bcpkix-jdk15on</artifactId>
-		    <version>1.60</version>
+		    <version>1.69</version>
 		</dependency>	
   </dependencies>
   <properties>

src/main/java/com/api/util/ApiSecurity/ApiSigning.java

@@ -10,10 +10,11 @@
 import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
 import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
 import org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.LogManager;
 import org.bouncycastle.operator.InputDecryptorProvider;
 import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+
 
 import javax.crypto.Mac;
 import javax.crypto.spec.SecretKeySpec;
@@ -42,7 +43,7 @@
  */
 public class ApiSigning {
 
-    private static final Logger log = LoggerFactory.getLogger(ApiSigning.class);
+    private static final Logger log = LogManager.getLogger(ApiSigning.class);
 
     /**
      * Create HMACRSA256 Signature (L1) with a given basestring

src/main/resources/log4j.properties

@@ -0,0 +1,38 @@
+
+status = error
+dest = err
+name = PropertiesConfig
+ 
+
+# log to console 
+appender.console.type = Console
+appender.console.name = STDOUT
+appender.console.layout.type = PatternLayout
+appender.console.layout.pattern = %d{yyyy-MM-dd HH:mm:ss} [%t] %-5p:: %m%n
+ 
+
+# log to file
+# property.filename = target/rolling/rollingtest.log
+# appender.rolling.type = RollingFile
+# appender.rolling.name = RollingFile
+# appender.rolling.fileName = ${filename}
+# appender.rolling.filePattern = target/rolling2/test1-%d{MM-dd-yy-HH-mm-ss}-%i.log.gz
+# appender.rolling.layout.type = PatternLayout
+# appender.rolling.layout.pattern = %d{yyyy-MM-dd HH:mm:ss} [%t] %-5p:: %m%n
+# appender.rolling.policies.type = Policies
+# appender.rolling.policies.time.type = TimeBasedTriggeringPolicy
+# appender.rolling.policies.time.interval = 2
+# appender.rolling.policies.time.modulate = true
+# appender.rolling.policies.size.type = SizeBasedTriggeringPolicy
+# appender.rolling.policies.size.size=10000KB
+# appender.rolling.strategy.type = DefaultRolloverStrategy
+# appender.rolling.strategy.max = 10
+# logger.rolling.name = com.example.my.app
+# logger.rolling.level = debug
+# logger.rolling.additivity = false
+# logger.rolling.appenderRef.rolling.ref = RollingFile
+ 
+
+ #Root logger
+rootLogger.level = debug
+rootLogger.appenderRef.stdout.ref = STDOUT

src/main/resources/log4j2.properties

@@ -16,8 +16,8 @@
 import java.util.Set;
 
 import org.junit.runner.RunWith;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.LogManager;
 
 import com.api.util.testframework.JUnitFactoryRunner;
 import com.api.util.testframework.JUnitTestFactory;
@@ -35,7 +35,7 @@
 @RunWith(JUnitFactoryRunner.class)
 public class ApiSecurityTest {
 
-	private static final Logger log = LoggerFactory.getLogger(ApiSecurityTest.class);
+	private static final Logger log = LogManager.getLogger(ApiSecurityTest.class);
 
 	private static final String testDataPath = getLocalPath("src/main/resources/test-suites/testData/");
 

src/test/java/com/api/util/ApiSecurity/ApiSecurityTest.java

@@ -9,7 +9,7 @@
 import static org.junit.Assert.*;
 
 /**
- * @author GDS-PDD
+ * @author GDS-ENP
  *
  */
 public class AuthorizationTokenTest {

src/test/java/com/api/util/ApiSecurity/AuthorizationTokenTest.java

@@ -1,7 +1,7 @@
 package com.api.util.testframework;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.LogManager;
 
 import com.api.util.ApiSecurity.ApiList;
 import com.api.util.ApiSecurity.ApiSigning;
@@ -35,7 +35,7 @@
 
 public class RuntimeTestCase{
 
-	private static final Logger log = LoggerFactory.getLogger(RuntimeTestCase.class);
+	private static final Logger log = LogManager.getLogger(RuntimeTestCase.class);
 
 	//private ApiList apiList;
 	private String testName;
@@ -61,6 +61,7 @@ public void setTestName(String testName) {
     */
     @JUnitFactoryTest
     public void getSignatureBaseString() throws IOException, InterruptedException, ParseException {
+    	  log.trace("Entering teset test application.");
     	log.info("====================> Start :: RuntimeTestCase :: getSignatureBaseString :: testName : {} ", testName);
 
 		ExpectedResult expectedResult = testDatum.getExpectedResult();

src/test/java/com/api/util/testframework/RuntimeTestCase.java

@@ -1,7 +1,7 @@
 package com.api.util.testframework;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
+import org.apache.logging.log4j.Logger;
+import org.apache.logging.log4j.LogManager;
 
 import com.api.util.ApiSecurity.ApiList;
 import com.api.util.ApiSecurity.ApiUtilException;
@@ -19,7 +19,7 @@
 
 public class RuntimeTestUtility {
 
-	private static final Logger log = LoggerFactory.getLogger(RuntimeTestUtility.class);
+	private static final Logger log = LogManager.getLogger(RuntimeTestUtility.class);
 	private static ApiList apiList;
 
 	public static String getExpectedResultMap(ExpectedResult expectedResult) throws ApiUtilException {