Veracode Fixes

CHANGELOG.md

@@ -7,6 +7,20 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ## [Unreleased]
  - NA
 
+## [1.2.7] - 2023-04-21
+
+### Added
+ - Added changes related to digital twin registry
+ - Validate input request attribute
+
+### Changed
+ - Upgrade spring expression to 6.0.8 version
+ - Spring boot upgraded to 3.0.5
+
+### Fixed
+ - Fixed for cross site scripting
+ - Veracode issue fix
+
 ## [1.2.4] - 2023-04-20
 
 ### Added

DEPENDENCIES

@@ -136,7 +136,7 @@ maven/mavencentral/org.springframework/spring-beans/6.0.4, Apache-2.0, approved,
 maven/mavencentral/org.springframework/spring-context-support/6.0.4, Apache-2.0, approved, #6960
 maven/mavencentral/org.springframework/spring-context/6.0.4, Apache-2.0, approved, #5936
 maven/mavencentral/org.springframework/spring-core/6.0.7, Apache-2.0 AND BSD-3-Clause, approved, #5948
-maven/mavencentral/org.springframework/spring-expression/6.0.4, Apache-2.0, approved, #3284
+maven/mavencentral/org.springframework/spring-expression/6.0.8, Apache-2.0, approved, #3284
 maven/mavencentral/org.springframework/spring-jcl/6.0.4, Apache-2.0, approved, #3283
 maven/mavencentral/org.springframework/spring-jdbc/6.0.4, Apache-2.0, approved, #5924
 maven/mavencentral/org.springframework/spring-orm/6.0.4, Apache-2.0, approved, #5925

README.md

@@ -12,8 +12,8 @@ This service will help service provider to set up DFT/SDE with EDC and EDC as se
 ### Software Version
 
 ```shell
-Application version: 1.2.4
-Helm release version: 1.2.4
+Application version: 1.2.7
+Helm release version: 1.2.7
 ```
 
 

charts/orchestrator/Chart.yaml

@@ -38,15 +38,15 @@ sources:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.2.4
+version: 1.2.7
 
 
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.2.4"
+appVersion: "1.2.7"
 
 dependencies:
   - condition: postgresql.enabled

charts/orchestrator/README.md

@@ -1,7 +1,6 @@
 # autosetup
 
-
-![Version: 1.2.4](https://img.shields.io/badge/Version-1.2.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.4](https://img.shields.io/badge/AppVersion-1.2.4-informational?style=flat-square)
+![Version: 1.2.7](https://img.shields.io/badge/Version-1.2.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.7](https://img.shields.io/badge/AppVersion-1.2.7-informational?style=flat-square)
 
 
 This service will help service provider to set up DFT/SDE with EDC and EDC as service in service provider environment.

pom.xml

@@ -6,12 +6,12 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>3.0.2</version>
+		<version>3.0.5</version>
 		<relativePath /> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>org.eclipse.tractusx</groupId>
 	<artifactId>auto-setup</artifactId>
-	<version>1.2.4</version>
+	<version>1.2.7</version>
 	<name>auto-setup</name>
 	<description>auto-setup</description>
 	<properties>
@@ -208,6 +208,11 @@
 			<artifactId>spring-boot-configuration-processor</artifactId>
 			<optional>true</optional>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-expression</artifactId>
+			<version>6.0.8</version>
+		</dependency>
 		<dependency>
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-oauth2-client</artifactId>
@@ -218,6 +223,11 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-webmvc</artifactId>
+			<version>6.0.8</version>
+		</dependency>
 		<dependency>
 			<groupId>com.h2database</groupId>
 			<artifactId>h2</artifactId>

src/main/java/org/eclipse/tractusx/autosetup/config/SecurityConfig.java

@@ -20,7 +20,12 @@
 
 package org.eclipse.tractusx.autosetup.config;
 
-import lombok.SneakyThrows;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Stream;
+
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.context.annotation.Bean;
@@ -36,16 +41,12 @@
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.util.matcher.AnyRequestMatcher;
+import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter.HeaderValue;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.List;
-import java.util.Map;
-import java.util.stream.Stream;
+import lombok.SneakyThrows;
 
 @Configuration
 @EnableWebSecurity
@@ -118,9 +119,14 @@ public SecurityFilterChain filterChain(HttpSecurity http, Jwt2AuthenticationConv
             .anyRequest().authenticated();
         // @formatter:on
 
-		http.headers().xssProtection().and()
-				.contentSecurityPolicy("default-src 'self'; script-src 'self' 'unsafe-inline'").and()
-				.httpStrictTransportSecurity().requestMatcher(AnyRequestMatcher.INSTANCE);
+		http.headers().xssProtection(xssProtection -> xssProtection.headerValue(HeaderValue.ENABLED_MODE_BLOCK));
+
+		http.headers()
+		      .contentSecurityPolicy("default-src 'self'; script-src 'self'")
+		      .and()
+		      .httpStrictTransportSecurity()
+		      		.includeSubDomains(true)
+		      		.maxAgeInSeconds(15724800);
 
 		return http.build();
 	}

src/main/java/org/eclipse/tractusx/autosetup/constant/ToolType.java

@@ -22,6 +22,6 @@
 
 public enum ToolType {
 
-	DFT_WITH_EDC, DFT, EDC, DFT_WITH_EDC_TRACTUS, EDC_TRACTUS
+	DFT_WITH_EDC, DFT, EDC, DFT_WITH_EDC_TRACTUS, EDC_TRACTUS, DT_REGISTRY
 
 }

src/main/java/org/eclipse/tractusx/autosetup/controller/AppDetailsController.java

@@ -42,6 +42,7 @@
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.responses.ApiResponses;
+import jakarta.validation.Valid;
 
 @RestController
 public class AppDetailsController {
@@ -54,7 +55,7 @@ public class AppDetailsController {
 	@ApiResponses(value = {
 			@ApiResponse(responseCode = "200", description = "OK", content = @Content(schema = @Schema(implementation = AppDetails.class))) })
 	@PostMapping("/internal/app-details")
-	public AppDetails createOrUpdateAppInfo(@RequestBody AppDetailsRequest appDetailsRequest) {
+	public AppDetails createOrUpdateAppInfo(@Valid @RequestBody AppDetailsRequest appDetailsRequest) {
 		return appDetailsService.createOrUpdateAppInfo(appDetailsRequest);
 	}
 
@@ -80,7 +81,7 @@ public List<AppDetails> getAllAppInfo() {
 	@ApiResponses(value = {
 			@ApiResponse(responseCode = "200", description = "OK", content = @Content(schema = @Schema(implementation = AppServiceCatalog.class))) })
 	@PostMapping("/internal/catalog-service")
-	public AppServiceCatalog createCatalogService(@RequestBody AppServiceCatalogPojo appServiceCatalog) {
+	public AppServiceCatalog createCatalogService(@Valid @RequestBody AppServiceCatalogPojo appServiceCatalog) {
 		return appDetailsService.createCatalogService(appServiceCatalog);
 	}
 
@@ -105,7 +106,7 @@ public List<AppServiceCatalog> getAllCatalogService() {
 			@ApiResponse(responseCode = "200", description = "OK", content = @Content(schema = @Schema(implementation = AppServiceCatalogAndCustomerMapping.class))) })
 	@PostMapping("/internal/catalog-service-mapping")
 	public AppServiceCatalogAndCustomerMapping createCatalogServiceMapping(
-			@RequestBody AppServiceCatalogAndCustomerMappingPojo appServiceCatalogAndCustomerMapping) {
+			@Valid @RequestBody AppServiceCatalogAndCustomerMappingPojo appServiceCatalogAndCustomerMapping) {
 		return appDetailsService.createCatalogServiceMapping(appServiceCatalogAndCustomerMapping);
 	}
 

src/main/java/org/eclipse/tractusx/autosetup/controller/AutoSetupHandlerController.java

@@ -68,9 +68,9 @@ public String getAllInstallPackages() {
 	@ApiResponses(value = {
 			@ApiResponse(responseCode = "200", description = "Created", content = @Content(schema = @Schema(implementation = UUID.class))) })
 	@PutMapping("/internal/update-package/{executionId}")
-	public String updateDftPackage(@PathVariable("executionId") String executionId,
+	public String updateDftPackage(@PathVariable("executionId") UUID executionId,
 			@RequestBody DFTUpdateRequest dftUpdateRequest) {
-		return appHandlerService.updateDftPackage(executionId, dftUpdateRequest);
+		return appHandlerService.updateDftPackage(executionId.toString(), dftUpdateRequest);
 	}
 
 	// portal access
@@ -88,26 +88,26 @@ public String createPackage(@Valid @RequestBody AutoSetupRequest autoSetupReques
 			@ApiResponse(responseCode = "200", description = "Updated", content = @Content(schema = @Schema(implementation = UUID.class))) })
 
 	@PutMapping("/autosetup/{executionId}")
-	public String updatePackage(@PathVariable("executionId") String executionId,
+	public String updatePackage(@PathVariable("executionId") UUID executionId,
 			@RequestBody @Valid AutoSetupRequest autoSetupRequest) {
-		return appHandlerService.updatePackage(autoSetupRequest, executionId);
+		return appHandlerService.updatePackage(autoSetupRequest, executionId.toString());
 	}
 
 	// portal access
 	@Operation(summary = "Delete autosetup packages", description = "This API will use to delete the existing packages created by the Auto setup process")
 	@ApiResponses(value = {
 			@ApiResponse(responseCode = "200", description = "Deleted", content = @Content(schema = @Schema(implementation = UUID.class))) })
 	@DeleteMapping("/autosetup/{executionId}")
-	public String deletePackage(@PathVariable("executionId") String executionId) {
-		return appHandlerService.deletePackage(executionId);
+	public String deletePackage(@PathVariable("executionId") UUID executionId) {
+		return appHandlerService.deletePackage(executionId.toString());
 	}
 
 	// portal access
 	@Operation(summary = "Check Auto setup execution status", description = "This API will use to check/verify Auto setup process execution status")
 	@ApiResponses(value = {
 			@ApiResponse(responseCode = "200", description = "OK", content = @Content(schema = @Schema(implementation = AutoSetupResponse.class))) })
 	@GetMapping("/autosetup/{executionId}")
-	public AutoSetupResponse getCheckDetails(@PathVariable("executionId") String executionId) {
-		return autoSetupTriggerManager.getCheckDetails(executionId);
+	public AutoSetupResponse getCheckDetails(@PathVariable("executionId") UUID executionId) {
+		return autoSetupTriggerManager.getCheckDetails(executionId.toString());
 	}
 }

src/main/java/org/eclipse/tractusx/autosetup/manager/DTRegistryManager.java

@@ -20,7 +20,8 @@
 
 package org.eclipse.tractusx.autosetup.manager;
 
-import java.util.HashMap;
+import static org.eclipse.tractusx.autosetup.constant.AppNameConstant.DT_REGISTRY;
+
 import java.util.Map;
 import java.util.UUID;
 
@@ -40,8 +41,6 @@
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 
-import static org.eclipse.tractusx.autosetup.constant.AppNameConstant.DT_REGISTRY;
-
 @Slf4j
 @Service
 @RequiredArgsConstructor
@@ -57,7 +56,6 @@ public class DTRegistryManager {
 	public Map<String, String> managePackage(Customer customerDetails, AppActions action, SelectedTools tool,
 			Map<String, String> inputData, AutoSetupTriggerEntry triger) {
 
-		Map<String, String> outputData = new HashMap<>();
 		AutoSetupTriggerDetails autoSetupTriggerDetails = AutoSetupTriggerDetails.builder()
 				.id(UUID.randomUUID().toString()).step(DT_REGISTRY.name()).build();
 		try {
@@ -66,7 +64,7 @@ public Map<String, String> managePackage(Customer customerDetails, AppActions ac
 			String dnsName = inputData.get("dnsName");
 			String dnsNameURLProtocol = inputData.get("dnsNameURLProtocol");
 
-			String dtregistryUrl = dnsNameURLProtocol + "://" + dnsName + "/"
+			String dtregistryUrl = dnsNameURLProtocol + "://" + dnsName + ""
 					+ sDEConfigurationProperty.getDtregistryUrlPrefix();
 
 			inputData.put("rgdatabase", "registry");
@@ -77,9 +75,10 @@ public Map<String, String> managePackage(Customer customerDetails, AppActions ac
 			inputData.put("tenantId", "bpn");
 			inputData.put("dtregistryUrlPrefix", sDEConfigurationProperty.getDtregistryUrlPrefix());
 
-			outputData.put("sde.digital-twins.hostname", dtregistryUrl);
-			outputData.put("sde.digital-twins.authentication.url",
+			inputData.put("sde.digital-twins.hostname", dtregistryUrl);
+			inputData.put("sde.digital-twins.authentication.url",
 					sDEConfigurationProperty.getDigitalTwinsAuthenticationUrl());
+			inputData.put("dtregistryUrl", dtregistryUrl);
 
 			if (AppActions.CREATE.equals(action))
 				appManagement.createPackage(DT_REGISTRY, packageName, inputData);
@@ -100,7 +99,7 @@ public Map<String, String> managePackage(Customer customerDetails, AppActions ac
 			autoSetupTriggerManager.saveTriggerDetails(autoSetupTriggerDetails, triger);
 		}
 
-		return outputData;
+		return inputData;
 	}
 
 }

src/main/java/org/eclipse/tractusx/autosetup/model/AppDetailsRequest.java

@@ -20,31 +20,54 @@
 
 package org.eclipse.tractusx.autosetup.model;
 
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Pattern;
 import lombok.Data;
 
 @Data
 public class AppDetailsRequest {
 
+	@NotBlank(message = "AppName is mandatory")
+	@Pattern(regexp = "[a-zA-ZÀ-ÿ0-9][a-zA-ZÀ-ÿ0-9\\-_]+", message = "AppName should not contains special characters")
 	private String appName;
 
+	@NotBlank(message = "ContextCluster is mandatory")
+	@Pattern(regexp = "[a-zA-ZÀ-ÿ0-9][a-zA-ZÀ-ÿ0-9\\-_]+", message = "ContextCluster should not contains special characters")
 	private String contextCluster;
 
+	@NotBlank(message = "ContextNamespace is mandatory")
+	@Pattern(regexp = "[a-zA-ZÀ-ÿ0-9][a-zA-ZÀ-ÿ0-9\\-_]+", message = "ContextNamespace should not contains special characters")
 	private String contextNamespace;
 
+	@NotBlank(message = "PackageIdentifier is mandatory")
+	@Pattern(regexp = "[a-zA-ZÀ-ÿ0-9][a-zA-ZÀ-ÿ0-9\\-_./]+", message = "PackageIdentifier should not contains special characters")
 	private String packageIdentifier;
 
+	@NotBlank(message = "PluginName is mandatory")
+	@Pattern(regexp = "[a-zA-ZÀ-ÿ0-9][a-zA-ZÀ-ÿ0-9\\-_./]+", message = "PluginName should not contains special characters")
 	private String pluginName;
 
+	@NotBlank(message = "PluginVersion is mandatory")
+	@Pattern(regexp = "[a-zA-ZÀ-ÿ0-9][a-zA-ZÀ-ÿ0-9\\-_./]+", message = "PluginVersion should not contains special characters")
 	private String pluginVersion;
 
+	@NotBlank(message = "PackageVersion is mandatory")
+	@Pattern(regexp = "[a-zA-ZÀ-ÿ0-9][a-zA-ZÀ-ÿ0-9\\-_./]+", message = "PackageVersion should not contains special characters")
 	private String packageVersion;
-
+
+	@NotBlank(message = "ExpectedInputData is mandatory")
+	@Pattern(regexp = "[a-zA-ZÀ-ÿ0-9 \"$\n\t\\{\\},\\-_./:=\\[\\]]+", message = "ExpectedInputData should not contains special characters")
 	private String expectedInputData;
-
+
+	@Pattern(regexp = "[a-zA-ZÀ-ÿ0-9][a-zA-ZÀ-ÿ0-9\\-_]+", message = "OutputData should not contains special characters")
 	private String outputData;
-
+
+	@NotBlank(message = "RequiredYamlConfiguration is mandatory")
+	@Pattern(regexp = "[a-zA-ZÀ-ÿ0-9 \"$\n\t\\{\\},\\-_./:=\\[\\]]+", message = "RequiredYamlConfiguration should not contains special characters")
 	private String requiredYamlConfiguration;
-
+
+	@NotBlank(message = "YamlValueFieldType is mandatory")
+	@Pattern(regexp = "[a-zA-ZÀ-ÿ0-9 \"$\n\t\\{\\},\\-_./:=\\[\\]]+", message = "YamlValueFieldType should not contains special characters")
 	private String yamlValueFieldType;
 
 }

src/main/java/org/eclipse/tractusx/autosetup/model/AppServiceCatalogAndCustomerMappingPojo.java

@@ -20,6 +20,9 @@
 
 package org.eclipse.tractusx.autosetup.model;
 
+import jakarta.validation.Valid;
+import jakarta.validation.constraints.NotBlank;
+import jakarta.validation.constraints.Pattern;
 import lombok.AllArgsConstructor;
 import lombok.Builder;
 import lombok.Data;
@@ -31,12 +34,19 @@
 @AllArgsConstructor
 public class AppServiceCatalogAndCustomerMappingPojo {
 
+	@NotBlank(message = "Customer is mandatory")
+	@Pattern(regexp = "[a-zA-ZÀ-ÿ0-9][a-zA-ZÀ-ÿ0-9\\-_]+", message = "Customer should not contains special characters")
 	private String customer;
 
+	@NotBlank(message = "ServiceId is mandatory")
+	@Pattern(regexp = "[a-zA-ZÀ-ÿ0-9][a-zA-ZÀ-ÿ0-9\\-_]+", message = "ServiceId should not contains special characters")
 	private String serviceId;
 
+	@Valid
 	private AppServiceCatalogPojo serviceCatalog;
 
+	@NotBlank(message = "CanonicalId is mandatory")
+	@Pattern(regexp = "[a-zA-ZÀ-ÿ0-9][a-zA-ZÀ-ÿ0-9\\-_]+", message = "CanonicalId should not contains special characters")
 	private String canonicalId;
 
 }