Veracode Fixes

CHANGELOG.md

@@ -7,7 +7,21 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 ## [Unreleased]
  - NA
 
-## [1.2.4] - 2023-04-14
+## [1.2.7] - 2023-04-21
+
+### Added
+ - Added changes related to digital twin registry
+ - Validate input request attribute
+
+### Changed
+ - Upgrade spring expression to 6.0.8 version
+ - Spring boot upgraded to 3.0.5
+
+### Fixed
+ - Fixed for cross site scripting
+ - Veracode issue fix
+
+## [1.2.4] - 2023-04-20
 
 ### Added
  - Support Digital Twin registry in Autosetup

DEPENDENCIES

@@ -136,7 +136,7 @@ maven/mavencentral/org.springframework/spring-beans/6.0.4, Apache-2.0, approved,
 maven/mavencentral/org.springframework/spring-context-support/6.0.4, Apache-2.0, approved, #6960
 maven/mavencentral/org.springframework/spring-context/6.0.4, Apache-2.0, approved, #5936
 maven/mavencentral/org.springframework/spring-core/6.0.7, Apache-2.0 AND BSD-3-Clause, approved, #5948
-maven/mavencentral/org.springframework/spring-expression/6.0.4, Apache-2.0, approved, #3284
+maven/mavencentral/org.springframework/spring-expression/6.0.8, Apache-2.0, approved, #3284
 maven/mavencentral/org.springframework/spring-jcl/6.0.4, Apache-2.0, approved, #3283
 maven/mavencentral/org.springframework/spring-jdbc/6.0.4, Apache-2.0, approved, #5924
 maven/mavencentral/org.springframework/spring-orm/6.0.4, Apache-2.0, approved, #5925

README.md

@@ -12,8 +12,8 @@ This service will help service provider to set up DFT/SDE with EDC and EDC as se
 ### Software Version
 
 ```shell
-Application version: 1.2.4
-Helm release version: 1.2.4
+Application version: 1.2.7
+Helm release version: 1.2.7
 ```
 
 

charts/orchestrator/Chart.yaml

@@ -38,14 +38,15 @@ sources:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.2.4
+version: 1.2.7
 
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.2.4"
+appVersion: "1.2.7"
+
 dependencies:
   - condition: postgresql.enabled
     name: postgresql

charts/orchestrator/README.md

@@ -1,6 +1,6 @@
 # autosetup
 
-![Version: 1.2.4](https://img.shields.io/badge/Version-1.2.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.4](https://img.shields.io/badge/AppVersion-1.2.4-informational?style=flat-square)
+![Version: 1.2.7](https://img.shields.io/badge/Version-1.2.7-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 1.2.7](https://img.shields.io/badge/AppVersion-1.2.7-informational?style=flat-square)
 
 This service will help service provider to set up DFT/SDE with EDC and EDC as service in service provider environment.
 

pom.xml

@@ -6,12 +6,12 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>3.0.2</version>
+		<version>3.0.5</version>
 		<relativePath /> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>org.eclipse.tractusx</groupId>
 	<artifactId>auto-setup</artifactId>
-	<version>1.2.4</version>
+	<version>1.2.7</version>
 	<name>auto-setup</name>
 	<description>auto-setup</description>
 	<properties>
@@ -208,6 +208,11 @@
 			<artifactId>spring-boot-configuration-processor</artifactId>
 			<optional>true</optional>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-expression</artifactId>
+			<version>6.0.8</version>
+		</dependency>
 		<dependency>
 			<groupId>org.springframework.security</groupId>
 			<artifactId>spring-security-oauth2-client</artifactId>
@@ -218,6 +223,11 @@
 				</exclusion>
 			</exclusions>
 		</dependency>
+		<dependency>
+			<groupId>org.springframework</groupId>
+			<artifactId>spring-webmvc</artifactId>
+			<version>6.0.8</version>
+		</dependency>
 		<dependency>
 			<groupId>com.h2database</groupId>
 			<artifactId>h2</artifactId>

src/main/java/org/eclipse/tractusx/autosetup/config/SecurityConfig.java

@@ -20,7 +20,12 @@
 
 package org.eclipse.tractusx.autosetup.config;
 
-import lombok.SneakyThrows;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+import java.util.Map;
+import java.util.stream.Stream;
+
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.boot.autoconfigure.web.ServerProperties;
 import org.springframework.context.annotation.Bean;
@@ -36,16 +41,12 @@
 import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.util.matcher.AnyRequestMatcher;
+import org.springframework.security.web.header.writers.XXssProtectionHeaderWriter.HeaderValue;
 import org.springframework.web.cors.CorsConfiguration;
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
-import java.util.Arrays;
-import java.util.Collection;
-import java.util.List;
-import java.util.Map;
-import java.util.stream.Stream;
+import lombok.SneakyThrows;
 
 @Configuration
 @EnableWebSecurity
@@ -118,9 +119,14 @@ public SecurityFilterChain filterChain(HttpSecurity http, Jwt2AuthenticationConv
             .anyRequest().authenticated();
         // @formatter:on
 
-		http.headers().xssProtection().and()
-				.contentSecurityPolicy("default-src 'self'; script-src 'self' 'unsafe-inline'").and()
-				.httpStrictTransportSecurity().requestMatcher(AnyRequestMatcher.INSTANCE);
+		http.headers().xssProtection(xssProtection -> xssProtection.headerValue(HeaderValue.ENABLED_MODE_BLOCK));
+
+		http.headers()
+		      .contentSecurityPolicy("default-src 'self'; script-src 'self'")
+		      .and()
+		      .httpStrictTransportSecurity()
+		      		.includeSubDomains(true)
+		      		.maxAgeInSeconds(15724800);
 
 		return http.build();
 	}

src/main/java/org/eclipse/tractusx/autosetup/constant/ToolType.java

@@ -22,6 +22,6 @@
 
 public enum ToolType {
 
-	DFT_WITH_EDC, DFT, EDC, DFT_WITH_EDC_TRACTUS, EDC_TRACTUS
+	DFT_WITH_EDC, DFT, EDC, DFT_WITH_EDC_TRACTUS, EDC_TRACTUS, DT_REGISTRY
 
 }

src/main/java/org/eclipse/tractusx/autosetup/controller/AppDetailsController.java

@@ -42,6 +42,7 @@
 import io.swagger.v3.oas.annotations.media.Schema;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
 import io.swagger.v3.oas.annotations.responses.ApiResponses;
+import jakarta.validation.Valid;
 
 @RestController
 public class AppDetailsController {
@@ -54,7 +55,7 @@ public class AppDetailsController {
 	@ApiResponses(value = {
 			@ApiResponse(responseCode = "200", description = "OK", content = @Content(schema = @Schema(implementation = AppDetails.class))) })
 	@PostMapping("/internal/app-details")
-	public AppDetails createOrUpdateAppInfo(@RequestBody AppDetailsRequest appDetailsRequest) {
+	public AppDetails createOrUpdateAppInfo(@Valid @RequestBody AppDetailsRequest appDetailsRequest) {
 		return appDetailsService.createOrUpdateAppInfo(appDetailsRequest);
 	}
 
@@ -80,7 +81,7 @@ public List<AppDetails> getAllAppInfo() {
 	@ApiResponses(value = {
 			@ApiResponse(responseCode = "200", description = "OK", content = @Content(schema = @Schema(implementation = AppServiceCatalog.class))) })
 	@PostMapping("/internal/catalog-service")
-	public AppServiceCatalog createCatalogService(@RequestBody AppServiceCatalogPojo appServiceCatalog) {
+	public AppServiceCatalog createCatalogService(@Valid @RequestBody AppServiceCatalogPojo appServiceCatalog) {
 		return appDetailsService.createCatalogService(appServiceCatalog);
 	}
 
@@ -105,7 +106,7 @@ public List<AppServiceCatalog> getAllCatalogService() {
 			@ApiResponse(responseCode = "200", description = "OK", content = @Content(schema = @Schema(implementation = AppServiceCatalogAndCustomerMapping.class))) })
 	@PostMapping("/internal/catalog-service-mapping")
 	public AppServiceCatalogAndCustomerMapping createCatalogServiceMapping(
-			@RequestBody AppServiceCatalogAndCustomerMappingPojo appServiceCatalogAndCustomerMapping) {
+			@Valid @RequestBody AppServiceCatalogAndCustomerMappingPojo appServiceCatalogAndCustomerMapping) {
 		return appDetailsService.createCatalogServiceMapping(appServiceCatalogAndCustomerMapping);
 	}
 

src/main/java/org/eclipse/tractusx/autosetup/controller/AutoSetupHandlerController.java

@@ -68,9 +68,9 @@ public String getAllInstallPackages() {
 	@ApiResponses(value = {
 			@ApiResponse(responseCode = "200", description = "Created", content = @Content(schema = @Schema(implementation = UUID.class))) })
 	@PutMapping("/internal/update-package/{executionId}")
-	public String updateDftPackage(@PathVariable("executionId") String executionId,
+	public String updateDftPackage(@PathVariable("executionId") UUID executionId,
 			@RequestBody DFTUpdateRequest dftUpdateRequest) {
-		return appHandlerService.updateDftPackage(executionId, dftUpdateRequest);
+		return appHandlerService.updateDftPackage(executionId.toString(), dftUpdateRequest);
 	}
 
 	// portal access
@@ -88,26 +88,26 @@ public String createPackage(@Valid @RequestBody AutoSetupRequest autoSetupReques
 			@ApiResponse(responseCode = "200", description = "Updated", content = @Content(schema = @Schema(implementation = UUID.class))) })
 
 	@PutMapping("/autosetup/{executionId}")
-	public String updatePackage(@PathVariable("executionId") String executionId,
+	public String updatePackage(@PathVariable("executionId") UUID executionId,
 			@RequestBody @Valid AutoSetupRequest autoSetupRequest) {
-		return appHandlerService.updatePackage(autoSetupRequest, executionId);
+		return appHandlerService.updatePackage(autoSetupRequest, executionId.toString());
 	}
 
 	// portal access
 	@Operation(summary = "Delete autosetup packages", description = "This API will use to delete the existing packages created by the Auto setup process")
 	@ApiResponses(value = {
 			@ApiResponse(responseCode = "200", description = "Deleted", content = @Content(schema = @Schema(implementation = UUID.class))) })
 	@DeleteMapping("/autosetup/{executionId}")
-	public String deletePackage(@PathVariable("executionId") String executionId) {
-		return appHandlerService.deletePackage(executionId);
+	public String deletePackage(@PathVariable("executionId") UUID executionId) {
+		return appHandlerService.deletePackage(executionId.toString());
 	}
 
 	// portal access
 	@Operation(summary = "Check Auto setup execution status", description = "This API will use to check/verify Auto setup process execution status")
 	@ApiResponses(value = {
 			@ApiResponse(responseCode = "200", description = "OK", content = @Content(schema = @Schema(implementation = AutoSetupResponse.class))) })
 	@GetMapping("/autosetup/{executionId}")
-	public AutoSetupResponse getCheckDetails(@PathVariable("executionId") String executionId) {
-		return autoSetupTriggerManager.getCheckDetails(executionId);
+	public AutoSetupResponse getCheckDetails(@PathVariable("executionId") UUID executionId) {
+		return autoSetupTriggerManager.getCheckDetails(executionId.toString());
 	}
 }