[backend] Update spring boot to v3.5.7 (release/current) - abandoned

openaev-api/pom.xml

@@ -76,7 +76,7 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-security</artifactId>
-            <version>3.2.11</version>
+            <version>3.5.7</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
@@ -85,7 +85,7 @@
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-oauth2-client</artifactId>
-            <version>3.2.11</version>
+            <version>3.5.7</version>
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>

openaev-api/src/main/java/io/openaev/authorisation/HttpClientFactory.java

@@ -9,8 +9,8 @@
 import org.apache.hc.client5.http.impl.classic.HttpClients;
 import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
 import org.apache.hc.client5.http.io.HttpClientConnectionManager;
-import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
-import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactoryBuilder;
+import org.apache.hc.client5.http.ssl.ClientTlsStrategyBuilder;
+import org.apache.hc.client5.http.ssl.TlsSocketStrategy;
 import org.springframework.stereotype.Service;
 
 @Service
@@ -25,11 +25,11 @@ public CloseableHttpClient httpClientCustom() {
     try {
       SSLContext sslContext = SSLContext.getInstance("TLS");
       sslContext.init(null, new TrustManager[] {trustManager}, null);
-      SSLConnectionSocketFactory sslConFactory =
-          SSLConnectionSocketFactoryBuilder.create().setSslContext(sslContext).build();
+      TlsSocketStrategy tlsStrategy =
+          ClientTlsStrategyBuilder.create().setSslContext(sslContext).buildClassic();
       HttpClientConnectionManager cm =
           PoolingHttpClientConnectionManagerBuilder.create()
-              .setSSLSocketFactory(sslConFactory)
+              .setTlsSocketStrategy(tlsStrategy)
               .build();
       return HttpClients.custom().setConnectionManager(cm).build();
     } catch (Exception e) {

openaev-api/src/main/java/io/openaev/config/MvcConfig.java

@@ -2,9 +2,9 @@
 
 import com.fasterxml.jackson.databind.ObjectMapper;
 import jakarta.annotation.Resource;
+import jakarta.validation.constraints.NotNull;
 import java.util.List;
 import java.util.concurrent.Executors;
-import org.jetbrains.annotations.NotNull;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.converter.ByteArrayHttpMessageConverter;

openaev-api/src/main/java/io/openaev/config/OpenAEVOAuth2User.java

@@ -4,8 +4,8 @@
 import static io.openaev.database.model.User.ROLE_USER;
 
 import io.openaev.database.model.User;
+import jakarta.validation.constraints.NotNull;
 import java.util.*;
-import org.jetbrains.annotations.NotNull;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.core.user.OAuth2User;

openaev-api/src/main/java/io/openaev/config/OpenAEVOidcUser.java

@@ -4,8 +4,8 @@
 import static io.openaev.database.model.User.ROLE_USER;
 
 import io.openaev.database.model.User;
+import jakarta.validation.constraints.NotNull;
 import java.util.*;
-import org.jetbrains.annotations.NotNull;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.oauth2.core.oidc.OidcIdToken;

openaev-api/src/main/java/io/openaev/config/OpenAEVSaml2User.java

@@ -1,9 +1,9 @@
 package io.openaev.config;
 
 import io.openaev.database.model.User;
+import jakarta.validation.constraints.NotNull;
 import java.util.Collection;
 import java.util.List;
-import org.jetbrains.annotations.NotNull;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.saml2.provider.service.authentication.Saml2AuthenticatedPrincipal;

openaev-api/src/main/java/io/openaev/config/security/OpenSamlConfig.java

@@ -9,11 +9,11 @@
 import io.openaev.database.model.User;
 import io.openaev.security.SsoRefererAuthenticationSuccessHandler;
 import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.NotNull;
 import java.util.ArrayList;
 import java.util.List;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.jetbrains.annotations.NotNull;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.core.env.Environment;

openaev-api/src/main/java/io/openaev/executors/crowdstrike/client/CrowdStrikeExecutorClient.java

@@ -5,9 +5,6 @@
 import io.openaev.authorisation.HttpClientFactory;
 import io.openaev.executors.crowdstrike.config.CrowdStrikeExecutorConfig;
 import io.openaev.executors.crowdstrike.model.*;
-import io.openaev.executors.crowdstrike.model.Authentication;
-import io.openaev.executors.crowdstrike.model.ResourcesHosts;
-import io.openaev.executors.crowdstrike.model.ResourcesSession;
 import io.openaev.service.EndpointService;
 import jakarta.validation.constraints.NotBlank;
 import jakarta.validation.constraints.NotNull;
@@ -17,7 +14,10 @@
 import java.time.Instant;
 import java.time.ZoneOffset;
 import java.time.format.DateTimeFormatter;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.apache.hc.client5.http.ClientProtocolException;

openaev-api/src/main/java/io/openaev/helper/RabbitMQHelper.java

@@ -12,15 +12,10 @@
 import lombok.extern.slf4j.Slf4j;
 import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
 import org.apache.hc.client5.http.impl.classic.HttpClients;
-import org.apache.hc.client5.http.impl.io.BasicHttpClientConnectionManager;
 import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
 import org.apache.hc.client5.http.io.HttpClientConnectionManager;
-import org.apache.hc.client5.http.socket.ConnectionSocketFactory;
-import org.apache.hc.client5.http.socket.PlainConnectionSocketFactory;
-import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
-import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
-import org.apache.hc.core5.http.config.Registry;
-import org.apache.hc.core5.http.config.RegistryBuilder;
+import org.apache.hc.client5.http.ssl.ClientTlsStrategyBuilder;
+import org.apache.hc.client5.http.ssl.TlsSocketStrategy;
 import org.apache.hc.core5.ssl.SSLContextBuilder;
 import org.apache.hc.core5.ssl.SSLContexts;
 import org.apache.hc.core5.ssl.TrustStrategy;
@@ -97,8 +92,8 @@ private static RestTemplate rabbitMQRestTemplate(RabbitmqConfig rabbitmqConfig)
           CertificateException {
     RestTemplate restTemplate =
         new RestTemplateBuilder()
-            .setConnectTimeout(Duration.ofSeconds(2))
-            .setReadTimeout(Duration.ofSeconds(2))
+            .connectTimeout(Duration.ofSeconds(2))
+            .readTimeout(Duration.ofSeconds(2))
             .build();
 
     if (rabbitmqConfig.isSsl() && rabbitmqConfig.isManagementInsecure()) {
@@ -108,16 +103,15 @@ private static RestTemplate rabbitMQRestTemplate(RabbitmqConfig rabbitmqConfig)
       TrustStrategy acceptingTrustStrategy = (cert, authType) -> true;
       SSLContext sslContext =
           SSLContexts.custom().loadTrustMaterial(null, acceptingTrustStrategy).build();
-      SSLConnectionSocketFactory sslsf =
-          new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
-      Registry<ConnectionSocketFactory> socketFactoryRegistry =
-          RegistryBuilder.<ConnectionSocketFactory>create()
-              .register("https", sslsf)
-              .register("http", new PlainConnectionSocketFactory())
+      TlsSocketStrategy tlsStrategy =
+          ClientTlsStrategyBuilder.create()
+              .setSslContext(sslContext)
+              .setHostnameVerifier((hostname, session) -> true) // Noop
+              .buildClassic();
+      HttpClientConnectionManager connectionManager =
+          PoolingHttpClientConnectionManagerBuilder.create()
+              .setTlsSocketStrategy(tlsStrategy)
               .build();
-
-      BasicHttpClientConnectionManager connectionManager =
-          new BasicHttpClientConnectionManager(socketFactoryRegistry);
       CloseableHttpClient httpClient =
           HttpClients.custom().setConnectionManager(connectionManager).build();
       requestFactoryHttp.setHttpClient(httpClient);
@@ -129,10 +123,11 @@ private static RestTemplate rabbitMQRestTemplate(RabbitmqConfig rabbitmqConfig)
                   rabbitmqConfig.getTrustStore().getURL(),
                   rabbitmqConfig.getTrustStorePassword().toCharArray())
               .build();
-      SSLConnectionSocketFactory sslConFactory = new SSLConnectionSocketFactory(sslContext);
+      TlsSocketStrategy tlsStrategy =
+          ClientTlsStrategyBuilder.create().setSslContext(sslContext).buildClassic();
       HttpClientConnectionManager cm =
           PoolingHttpClientConnectionManagerBuilder.create()
-              .setSSLSocketFactory(sslConFactory)
+              .setTlsSocketStrategy(tlsStrategy)
               .build();
       CloseableHttpClient httpClient = HttpClients.custom().setConnectionManager(cm).build();
       ClientHttpRequestFactory requestFactory =

openaev-api/src/main/java/io/openaev/importer/V1_DataImporter.java

@@ -36,6 +36,7 @@
 import io.openaev.telemetry.metric_collectors.ActionMetricCollector;
 import jakarta.activation.MimetypesFileTypeMap;
 import jakarta.annotation.Resource;
+import jakarta.validation.constraints.NotNull;
 import java.time.Instant;
 import java.util.*;
 import java.util.function.Supplier;
@@ -44,7 +45,6 @@
 import java.util.stream.StreamSupport;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.jetbrains.annotations.NotNull;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.stereotype.Component;
 import org.springframework.transaction.annotation.Transactional;

openaev-api/src/main/java/io/openaev/injectors/caldera/CalderaExecutor.java

@@ -3,9 +3,9 @@
 import static io.openaev.database.model.Command.COMMAND_TYPE;
 import static io.openaev.database.model.ExecutionTrace.getNewErrorTrace;
 import static io.openaev.database.model.ExecutionTrace.getNewInfoTrace;
-import static io.openaev.model.expectation.DetectionExpectation.*;
-import static io.openaev.model.expectation.ManualExpectation.*;
-import static io.openaev.model.expectation.PreventionExpectation.*;
+import static io.openaev.model.expectation.DetectionExpectation.detectionExpectationForAssetGroup;
+import static io.openaev.model.expectation.ManualExpectation.manualExpectationForAssetGroup;
+import static io.openaev.model.expectation.PreventionExpectation.preventionExpectationForAssetGroup;
 import static io.openaev.utils.AgentUtils.isValidAgent;
 import static io.openaev.utils.ExpectationUtils.*;
 import static java.time.Instant.now;
@@ -14,7 +14,6 @@
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import io.openaev.database.model.*;
 import io.openaev.database.model.InjectExpectation.EXPECTATION_TYPE;
-import io.openaev.database.model.PayloadCommandBlock;
 import io.openaev.execution.ExecutableInject;
 import io.openaev.executors.Injector;
 import io.openaev.injectors.caldera.client.model.Ability;

openaev-api/src/main/java/io/openaev/injectors/caldera/service/CalderaResultCollectorService.java

@@ -1,7 +1,6 @@
 package io.openaev.injectors.caldera.service;
 
 import io.openaev.database.model.*;
-import io.openaev.database.model.InjectStatus;
 import io.openaev.database.repository.InjectRepository;
 import io.openaev.injectors.caldera.CalderaContract;
 import io.openaev.injectors.caldera.model.ResultStatus;

openaev-api/src/main/java/io/openaev/injectors/lade/service/LadeService.java

@@ -240,27 +240,24 @@ public List<Contract> buildContracts(ContractConfig contractConfig) throws Excep
                   dependencySelectField("source", "Source", "workzone", workzoneHostsMap));
             }
             JsonNode parameters = specs.get("parameters");
-            Iterator<Map.Entry<String, JsonNode>> fields = parameters.fields();
-            fields.forEachRemaining(
-                entry -> {
-                  String key = entry.getKey();
-                  JsonNode parameter = entry.getValue();
-                  JsonNode nameNode = parameter.get("name");
-                  String name = nameNode != null ? nameNode.asText() : key;
-                  List<String> types =
-                      asStream(parameter.get("types").elements()).map(JsonNode::asText).toList();
-                  if (types.contains("host.nics.ip")) {
-                    builder.mandatory(
-                        dependencySelectField(key, name, "workzone", workzoneHostsIps));
-                  } else if (types.contains("boolean")) {
-                    JsonNode defaultNode = parameter.get("default");
-                    builder.optional(checkboxField(key, name, defaultNode.booleanValue()));
-                  } else if (types.contains("string")) {
-                    JsonNode defaultNode = parameter.get("default");
-                    builder.optional(
-                        textField(key, name, defaultNode != null ? defaultNode.asText() : ""));
-                  }
-                });
+            for (Map.Entry<String, JsonNode> entry : parameters.properties()) {
+              String key = entry.getKey();
+              JsonNode parameter = entry.getValue();
+              JsonNode nameNode = parameter.get("name");
+              String name = nameNode != null ? nameNode.asText() : key;
+              List<String> types =
+                  asStream(parameter.get("types").elements()).map(JsonNode::asText).toList();
+              if (types.contains("host.nics.ip")) {
+                builder.mandatory(dependencySelectField(key, name, "workzone", workzoneHostsIps));
+              } else if (types.contains("boolean")) {
+                JsonNode defaultNode = parameter.get("default");
+                builder.optional(checkboxField(key, name, defaultNode.booleanValue()));
+              } else if (types.contains("string")) {
+                JsonNode defaultNode = parameter.get("default");
+                builder.optional(
+                    textField(key, name, defaultNode != null ? defaultNode.asText() : ""));
+              }
+            }
             Contract contractInstance =
                 executableContract(
                     contractConfig,

openaev-api/src/main/java/io/openaev/opencti/connectors/impl/SecurityCoverageConnector.java

@@ -6,6 +6,7 @@
 import io.openaev.opencti.connectors.ConnectorBase;
 import io.openaev.opencti.connectors.ConnectorType;
 import io.openaev.utils.StringUtils;
+import jakarta.validation.Valid;
 import java.util.ArrayList;
 import java.util.List;
 import lombok.Getter;
@@ -20,8 +21,8 @@ public class SecurityCoverageConnector extends ConnectorBase {
   private final String id = "68949a7b-c1c2-4649-b3de-7db804ba02bb";
 
   // need to access the base URL for overriding the callback URI
-  @Autowired private OpenCTIConfig openctiConfig;
-  @Autowired private OpenAEVConfig mainConfig;
+  @Autowired @Valid private OpenCTIConfig openctiConfig;
+  @Autowired @Valid private OpenAEVConfig mainConfig;
 
   private final ConnectorType type = ConnectorType.INTERNAL_ENRICHMENT;
   private final String name = "OpenAEV Coverage";

openaev-api/src/main/java/io/openaev/opencti/connectors/service/OpenCTIConnectorService.java

@@ -5,13 +5,13 @@
 import io.openaev.opencti.errors.ConnectorError;
 import io.openaev.opencti.service.OpenCTIService;
 import io.openaev.stix.objects.Bundle;
+import jakarta.validation.constraints.NotNull;
 import java.io.IOException;
 import java.util.List;
 import java.util.Optional;
 import lombok.Getter;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.jetbrains.annotations.NotNull;
 import org.springframework.stereotype.Service;
 
 @Service

openaev-api/src/main/java/io/openaev/opencti/connectors/service/PrivilegeService.java

@@ -12,9 +12,7 @@
 import io.openaev.service.GroupService;
 import io.openaev.service.RoleService;
 import io.openaev.service.UserService;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Optional;
+import java.util.*;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.stereotype.Service;
@@ -50,7 +48,7 @@ public void ensurePrivilegedUserExistsForConnector(ConnectorBase connector) {
                     List.of(
                         userService.createUserToken(
                             existingEmailUser.get(), connector.getToken()))));
-        existingEmailUser.get().setGroups(new ArrayList<>(List.of(group)));
+        existingEmailUser.get().setGroups(new HashSet<>(Set.of(group)));
         userService.updateUser(existingEmailUser.get());
         return;
       }
@@ -62,15 +60,15 @@ public void ensurePrivilegedUserExistsForConnector(ConnectorBase connector) {
       input.setToken(connector.getToken());
       input.setEmail("connector-%s@openaev.invalid".formatted(connector.getId()));
       User u = userService.createUser(input, 1); // magic number; Active
-      u.setGroups(new ArrayList<>(List.of(group)));
+      u.setGroups(new HashSet<>(Set.of(group)));
       userService.updateUser(u);
     } else {
       UpdateUserInput input = new UpdateUserInput();
       input.setAdmin(false);
       input.setFirstname(connector.getName());
       input.setLastname("OpenCTI Connector");
       input.setEmail("connector-%s@openaev.invalid".formatted(connector.getId()));
-      connectorUser.get().setGroups(new ArrayList<>(List.of(group)));
+      connectorUser.get().setGroups(new HashSet<>(Set.of(group)));
       userService.updateUser(connectorUser.get(), input);
     }
   }

openaev-api/src/main/java/io/openaev/rest/asset_group/AssetGroupCriteriaBuilderService.java

@@ -16,9 +16,9 @@
 import jakarta.persistence.Tuple;
 import jakarta.persistence.TypedQuery;
 import jakarta.persistence.criteria.*;
+import jakarta.validation.constraints.NotNull;
 import java.util.List;
 import lombok.RequiredArgsConstructor;
-import org.jetbrains.annotations.NotNull;
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.PageImpl;
 import org.springframework.data.domain.Pageable;

openaev-api/src/main/java/io/openaev/rest/asset_group/AssetGroupQueryHelper.java

@@ -34,9 +34,11 @@ public static void select(
             assetGroupRoot.get("id").alias("asset_group_id"),
             assetGroupRoot.get("name").alias("asset_group_name"),
             assetGroupRoot.get("description").alias("asset_group_description"),
-            assetGroupRoot
-                .get("dynamicFilter")
-                .as(String.class)
+            // FIXME : migrating to spring 3.5 upgraded hibernate from 6.4 to 6.6.
+            // It now adds distinct query which cannot work with json fields so we have to cast it
+            // as jsonb first
+            // Correct fix would be to change field in the db to jsonb
+            cb.function("to_jsonb", String.class, assetGroupRoot.get("dynamicFilter"))
                 .alias("asset_group_dynamic_filter"),
             assetIdsExpression.alias("asset_group_assets"),
             tagIdsExpression.alias("asset_group_tags"))

openaev-api/src/main/java/io/openaev/rest/collector/service/CollectorService.java

@@ -17,7 +17,6 @@
 import java.util.Optional;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.springframework.data.jpa.repository.Query;
 import org.springframework.stereotype.Service;
 
 @Slf4j
@@ -93,8 +92,6 @@ public List<Collector> collectorsForPayload(String payloadId) {
     return collectorRepository.findByPayloadId(payloadId);
   }
 
-  @Query(
-      "SELECT c FROM Collector c WHERE c.detectionRemediations.payload.injector.contracts.injects.injectId = :injectId")
   public List<Collector> collectorsForAtomicTesting(String injectId) {
     return collectorRepository.findByInjectId(injectId);
   }