From 8e1019acae201cc2123210446681ae5f683710f2 Mon Sep 17 00:00:00 2001
From: chasegawa
Date: Tue, 10 May 2022 13:52:03 -0700
Subject: [PATCH] SHIBUI-2264 Closed vulnerability from common-collections v3.x by upgrading to v4.3
---
 backend/build.gradle | 6 +++++-
 .../admin/ui/service/JPAMetadataResolverServiceImpl.groovy | 2 +-
 pac4j-module/build.gradle | 2 ++
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/backend/build.gradle b/backend/build.gradle
index d1770d8ee..53ddcae09 100644
--- a/backend/build.gradle
+++ b/backend/build.gradle
@@ -205,7 +205,11 @@ dependencies {
 integrationTestCompile 'org.springframework.security:spring-security-test:5.6.3'
 // CSV file support
- compile 'com.opencsv:opencsv:4.4'
+ compile 'com.opencsv:opencsv:4.4', {
+ exclude group: 'commons-collections'
+ }
+
+ compile 'org.apache.commons:commons-collections4:4.3'
 // Envers for persistent entities versioning
 compile 'org.hibernate:hibernate-envers'
diff --git a/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy b/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy
index 79420f6d0..ed3f794c0 100644
--- a/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy
+++ b/backend/src/main/groovy/edu/internet2/tier/shibboleth/admin/ui/service/JPAMetadataResolverServiceImpl.groovy
@@ -32,7 +32,7 @@ import groovy.util.logging.Slf4j
 import groovy.xml.DOMBuilder
 import groovy.xml.MarkupBuilder
 import net.shibboleth.utilities.java.support.scripting.EvaluableScript
-import org.apache.commons.collections.CollectionUtils
+import org.apache.commons.collections4.CollectionUtils
 import org.opensaml.saml.common.profile.logic.EntityIdPredicate
 import org.opensaml.saml.metadata.resolver.MetadataResolver
 import org.opensaml.saml.metadata.resolver.filter.MetadataFilter
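Review bot: The `exclude group: 'commons-collections'` added under `compile 'com.opencsv:opencsv:4.4'` in the backend/build.gradle hunk (and the same exclude under `org.pac4j:pac4j-saml:5.4.3` in the pac4j-module/build.gradle hunk) is scoped to that one dependency, so the 3.x jar can still reach the classpath through any other dependency that pulls it in transitively. commons-collections4 lives in the `org.apache.commons.collections4` package, as the import change in this same commit shows, so it does not stand in for 3.x classes that a transitive consumer may still try to load at runtime. Both points are worth confirming with `gradle dependencyInsight --dependency commons-collections` and a test run that exercises the CSV and SAML paths. If the intent is to keep 3.x out for good, a build-wide `configurations.all { exclude group: 'commons-collections' }` states that once, and a comment such as `// SHIBUI-2264: commons-collections 3.x is excluded on purpose; do not remove` keeps the exclusion from being dropped in a later cleanup. The `dependencies` block starts and ends outside both hunks.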
diff --git a/pac4j-module/build.gradle b/pac4j-module/build.gradle
index be39bb6d8..20f44e058 100644
--- a/pac4j-module/build.gradle
+++ b/pac4j-module/build.gradle
@@ -40,7 +40,9 @@ dependencies {
 compile 'org.pac4j:pac4j-saml:5.4.3', {
 // opensaml libraries are provided
 exclude group: 'org.opensaml'
+ exclude group: 'commons-collections'
 }
+ compile 'org.apache.commons:commons-collections4:4.3'
 testCompile project(':backend')
 testCompile 'org.springframework.boot:spring-boot-starter-test:2.6.7'