From 1687c5ba774c29661070d0168b7f191fe8d487f4 Mon Sep 17 00:00:00 2001 From: YevhenBondarenko Date: Fri, 10 Jun 2022 12:56:32 +0200 Subject: [PATCH 1/7] fixed antisamy vulnerabilities --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 78c4ae6fa2..e8f6990ec7 100755 --- a/pom.xml +++ b/pom.xml @@ -119,7 +119,7 @@ 6.0.20.Final 3.0.0 2.0.1.Final - 1.6.4 + 1.6.8 2.8.5 4.1.0 From d965f85f22852d6921c9641667943b242c234879 Mon Sep 17 00:00:00 2001 From: YevhenBondarenko Date: Fri, 10 Jun 2022 13:15:57 +0200 Subject: [PATCH 2/7] fixed gson vulnerabilities --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index e8f6990ec7..aa29e71bf0 100755 --- a/pom.xml +++ b/pom.xml @@ -70,7 +70,7 @@ 2.2.6 3.0.0 2.0.0-M5 - 2.6.2 + 2.9.0 2.3.30 1.6.2 4.2.0 From a1e812bc0c856150272b67565162b226a46b16f2 Mon Sep 17 00:00:00 2001 From: YevhenBondarenko Date: Fri, 10 Jun 2022 14:21:35 +0200 Subject: [PATCH 3/7] fixed spring vulnerabilities --- pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pom.xml b/pom.xml index aa29e71bf0..2f2bcdab5c 100755 --- a/pom.xml +++ b/pom.xml @@ -39,9 +39,9 @@ 1.3.2 2.3.2 2.3.2 - 2.5.12 + 2.5.14 2.5.10 - 5.3.18 + 5.3.20 5.5.10 5.6.2 2.5.10 From 98c78cd511d8c9b6822f538fd6733866fadda1fa Mon Sep 17 00:00:00 2001 From: YevhenBondarenko Date: Fri, 10 Jun 2022 20:02:56 +0200 Subject: [PATCH 4/7] updated spring redis and spring security versions --- pom.xml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pom.xml b/pom.xml index 2f2bcdab5c..3c34cd0f4c 100755 --- a/pom.xml +++ b/pom.xml @@ -40,11 +40,11 @@ 2.3.2 2.3.2 2.5.14 - 2.5.10 + 2.5.11 5.3.20 - 5.5.10 - 5.6.2 - 2.5.10 + 5.5.12 + 5.6.5 + 2.5.11 3.7.1 0.7.0 1.7.32 From 08d5cb5e930d71fa5f3116ba47e01ff89c3b19a2 Mon Sep 17 00:00:00 2001 
From: YevhenBondarenko Date: Sat, 11 Jun 2022 15:05:14 +0200 Subject: [PATCH 5/7] migrated spring boot to version 2.7 due to vulnerabilities --- ...ngfoxHandlerProviderBeanPostProcessor.java | 61 +++++++++++++++++++ .../ThingsboardSecurityConfiguration.java | 15 +++-- .../resources/application-test.properties | 2 + pom.xml | 12 ++-- 4 files changed, 79 insertions(+), 11 deletions(-) create mode 100644 application/src/main/java/org/thingsboard/server/config/SpringfoxHandlerProviderBeanPostProcessor.java diff --git a/application/src/main/java/org/thingsboard/server/config/SpringfoxHandlerProviderBeanPostProcessor.java b/application/src/main/java/org/thingsboard/server/config/SpringfoxHandlerProviderBeanPostProcessor.java new file mode 100644 index 0000000000..7e53c7f120 --- /dev/null +++ b/application/src/main/java/org/thingsboard/server/config/SpringfoxHandlerProviderBeanPostProcessor.java 
@@ -0,0 +1,61 @@
+/**
+ * Copyright © 2016-2022 The Thingsboard Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.thingsboard.server.config;
+
+import org.springframework.beans.BeansException;
+import org.springframework.beans.factory.config.BeanPostProcessor;
+import org.springframework.stereotype.Component;
+import org.springframework.util.ReflectionUtils;
+import org.springframework.web.servlet.mvc.method.RequestMappingInfoHandlerMapping;
+import org.thingsboard.server.queue.util.TbCoreComponent;
+import springfox.documentation.spring.web.plugins.WebMvcRequestHandlerProvider;
+
+import java.lang.reflect.Field;
+import java.util.List;
+import java.util.stream.Collectors;
+
+@TbCoreComponent
+@Component
+//TODO: remove after fixing issue https://github.com/springfox/springfox/issues/3462 or after migration from springfox to springdoc
+public class SpringfoxHandlerProviderBeanPostProcessor implements BeanPostProcessor {
+
+ @Override
+ public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
+ if (bean instanceof WebMvcRequestHandlerProvider) {
+ customizeSpringfoxHandlerMappings(getHandlerMappings(bean));
+ }
+ return bean;
+ }
+
+ private void customizeSpringfoxHandlerMappings(List mappings) {
+ List copy = mappings.stream()
+ .filter(mapping -> mapping.getPatternParser() == null)
+ .collect(Collectors.toList());
+ mappings.clear();
+ mappings.addAll(copy);
+ }
+
@SuppressWarnings("unchecked")
+ private List getHandlerMappings(Object bean) {
+ try {
+ Field field = ReflectionUtils.findField(bean.getClass(), "handlerMappings");
+ field.setAccessible(true);
+ return (List) field.get(bean);
+ } catch (IllegalArgumentException | IllegalAccessException e) {
+ throw new IllegalStateException(e);
+ }
+ }
+}
diff --git a/application/src/main/java/org/thingsboard/server/config/ThingsboardSecurityConfiguration.java b/application/src/main/java/org/thingsboard/server/config/ThingsboardSecurityConfiguration.java
index 823bbf35e3..76c631bddb 100644
--- a/application/src/main/java/org/thingsboard/server/config/ThingsboardSecurityConfiguration.java
+++ b/application/src/main/java/org/thingsboard/server/config/ThingsboardSecurityConfiguration.java
@@ -181,13 +181,18 @@ public class ThingsboardSecurityConfiguration extends WebSecurityConfigurerAdapt
 @Autowired
 private OAuth2AuthorizationRequestResolver oAuth2AuthorizationRequestResolver;
 
+ @Override
+ public void configure(WebSecurity web) throws Exception {
+ web.ignoring().antMatchers("/*.js","/*.css","/*.ico","/assets/**","/static/**");
+ }
+
 @Override
 protected void configure(HttpSecurity http) throws Exception {
- http.authorizeHttpRequests((authorizeHttpRequests) ->
- authorizeHttpRequests
- .antMatchers("/*.js","/*.css","/*.ico","/assets/**","/static/**")
- .permitAll()
- );
+// http.authorizeHttpRequests((authorizeHttpRequests) ->
+// authorizeHttpRequests
+// .antMatchers("/*.js","/*.css","/*.ico","/assets/**","/static/**")
+// .permitAll()
+// );
 http.headers().cacheControl().and().frameOptions().disable()
 .and()
 .cors()
diff --git a/application/src/test/resources/application-test.properties b/application/src/test/resources/application-test.properties
index 518c9b42d3..279d1e99be 100644
--- a/application/src/test/resources/application-test.properties
+++ b/application/src/test/resources/application-test.properties
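Review bot: In `getHandlerMappings`, `ReflectionUtils.findField(bean.getClass(), "handlerMappings")` returns null when the field does not exist (for example after a springfox upgrade renames it), and the following `field.setAccessible(true)` then throws a NullPointerException that the `catch (IllegalArgumentException | IllegalAccessException e)` does not cover; guard it with `if (field == null) { throw new IllegalStateException("No handlerMappings field on " + bean.getClass().getName()); }` so the failure is reported as the configuration error it is. The class also deserves a header comment saying what it changes rather than only when to delete it: a Javadoc stating that it reflectively replaces the handler-mapping list inside springfox's `WebMvcRequestHandlerProvider`, dropping every mapping whose `getPatternParser()` is non-null, so mappings that use a `PathPatternParser` are left out of the generated API documentation while this workaround is in place. The raw `List` in both private signatures and the `@SuppressWarnings("unchecked")` cast appear un-parameterized here, which may be an artefact of how this patch was rendered; if not, `List<RequestMappingInfoHandlerMapping>` would let the compiler check the `getPatternParser()` call and make the suppression unnecessary.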
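Review bot: Moving the five static-resource patterns from `permitAll()` into `web.ignoring()` removes those requests from the Spring Security filter chain altogether, so nothing configured in `configure(HttpSecurity)` — including the `http.headers().cacheControl()` and `cors()` settings visible just below — applies to `/*.js`, `/*.css`, `/*.ico`, `/assets/**` or `/static/**` any more, whereas `permitAll()` only skipped the authorization decision. Spring Security's guidance is to prefer `permitAll()` for static content precisely so that security headers and CORS still apply; if `web.ignoring()` is the only way to make the chain work after this upgrade, record that next to the override, e.g. `// Served outside the security filter chain: no security headers or CORS handling apply to these paths`. The five `//` commented-out lines should be deleted rather than kept as dead code; history preserves them. The hunk header shows the class still extends `WebSecurityConfigurerAdapter`, which Spring Security 5.7 deprecates (the `5.6.5` → `5.7.1` pair in this patch's pom.xml hunk looks like that bump), so a migration to a `SecurityFilterChain` bean is likely needed regardless; `configure(HttpSecurity)` continues outside the hunk.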
@@ -55,3 +55,5 @@ queue.rule-engine.queues[2].partitions=2 queue.rule-engine.queues[2].processing-strategy.retries=1 queue.rule-engine.queues[2].processing-strategy.pause-between-retries=0 queue.rule-engine.queues[2].processing-strategy.max-pause-between-retries=0 + +usage.stats.report.enabled=false \ No newline at end of file diff --git a/pom.xml b/pom.xml index 3c34cd0f4c..770b9ed9f5 100755 --- a/pom.xml +++ b/pom.xml @@ -39,12 +39,12 @@ 1.3.2 2.3.2 2.3.2 - 2.5.14 - 2.5.11 + 2.7.0 + 2.7.0 5.3.20 5.5.12 - 5.6.5 - 2.5.11 + 5.7.1 + 2.7.0 3.7.1 0.7.0 1.7.32 @@ -112,7 +112,7 @@ 1.4.3 1.9.4 3.2.2 - 1.8.3 + 1.9.0 1.0.3TB 3.4.0 8.17.0 @@ -127,7 +127,7 @@ 2.7.2 2.6.1 1.5.2 - 5.7.2 + 5.8.2 2.6.0 1.3.0 1.2.7 From 50f307260889e79d1e83e1675c27bcafd2eec218 Mon Sep 17 00:00:00 2001 From: YevhenBondarenko Date: Mon, 13 Jun 2022 10:13:39 +0200 Subject: [PATCH 6/7] allow circular references --- .../config/SpringfoxHandlerProviderBeanPostProcessor.java | 2 +- transport/coap/src/main/resources/tb-coap-transport.yml | 2 ++ transport/http/src/main/resources/tb-http-transport.yml | 2 ++ transport/lwm2m/src/main/resources/tb-lwm2m-transport.yml | 2 ++ transport/mqtt/src/main/resources/tb-mqtt-transport.yml | 2 ++ transport/snmp/src/main/resources/tb-snmp-transport.yml | 2 ++ 6 files changed, 11 insertions(+), 1 deletion(-) diff --git a/application/src/main/java/org/thingsboard/server/config/SpringfoxHandlerProviderBeanPostProcessor.java b/application/src/main/java/org/thingsboard/server/config/SpringfoxHandlerProviderBeanPostProcessor.java index 7e53c7f120..feec10c86f 100644 --- a/application/src/main/java/org/thingsboard/server/config/SpringfoxHandlerProviderBeanPostProcessor.java +++ b/application/src/main/java/org/thingsboard/server/config/SpringfoxHandlerProviderBeanPostProcessor.java 
@@ -27,7 +27,7 @@ import java.lang.reflect.Field;
 import java.util.List;
 import java.util.stream.Collectors;
 
-@TbCoreComponent
+//@TbCoreComponent
 @Component
 //TODO: remove after fixing issue https://github.com/springfox/springfox/issues/3462 or after migration from springfox to springdoc
 public class SpringfoxHandlerProviderBeanPostProcessor implements BeanPostProcessor {
diff --git a/transport/coap/src/main/resources/tb-coap-transport.yml b/transport/coap/src/main/resources/tb-coap-transport.yml
index 5262fbaef1..ef25058751 100644
--- a/transport/coap/src/main/resources/tb-coap-transport.yml
+++ b/transport/coap/src/main/resources/tb-coap-transport.yml
@@ -19,6 +19,8 @@ spring.main.web-environment: "${WEB_APPLICATION_ENABLE:false}"
 # If you enabled process metrics you should set 'web-application-type' to 'servlet' value.
 spring.main.web-application-type: "${WEB_APPLICATION_TYPE:none}"
 
+spring.main.allow-circular-references: "true"
+
 server:
 # Server bind address (has no effect if web-environment is disabled).
 address: "${HTTP_BIND_ADDRESS:0.0.0.0}"
diff --git a/transport/http/src/main/resources/tb-http-transport.yml b/transport/http/src/main/resources/tb-http-transport.yml
index 7574687ecc..1478f88f4d 100644
--- a/transport/http/src/main/resources/tb-http-transport.yml
+++ b/transport/http/src/main/resources/tb-http-transport.yml
@@ -14,6 +14,8 @@
 # limitations under the License.
 #
 
+spring.main.allow-circular-references: "true"
+
 server:
 # Server bind address
 address: "${HTTP_BIND_ADDRESS:0.0.0.0}"
diff --git a/transport/lwm2m/src/main/resources/tb-lwm2m-transport.yml b/transport/lwm2m/src/main/resources/tb-lwm2m-transport.yml
index 19d70e0bc2..387c0f95ed 100644
--- a/transport/lwm2m/src/main/resources/tb-lwm2m-transport.yml
+++ b/transport/lwm2m/src/main/resources/tb-lwm2m-transport.yml
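Review bot: `spring.main.allow-circular-references: "true"` re-enables the bean-cycle resolution that Spring Boot 2.6 disabled by default, so it hides a circular dependency in the transport's bean graph rather than removing it; the same line is added to tb-http-transport.yml in the next hunk and to the lwm2m, mqtt and snmp transport files in the hunks that follow. Every neighbouring setting in these files carries a `#` comment, so this one should too, naming the beans that form the cycle and marking the override as temporary, e.g. `# TEMPORARY: Spring Boot 2.6+ rejects circular bean references; TODO name and break the cycle (e.g. with @Lazy injection) and remove this`. With the cycle unnamed, nobody can tell later whether it has been fixed and whether the override can go.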
@@ -19,6 +19,8 @@ spring.main.web-environment: "${WEB_APPLICATION_ENABLE:false}"
 # If you enabled process metrics you should set 'web-application-type' to 'servlet' value.
 spring.main.web-application-type: "${WEB_APPLICATION_TYPE:none}"
 
+spring.main.allow-circular-references: "true"
+
 server:
 # Server bind address (has no effect if web-environment is disabled).
 address: "${HTTP_BIND_ADDRESS:0.0.0.0}"
diff --git a/transport/mqtt/src/main/resources/tb-mqtt-transport.yml b/transport/mqtt/src/main/resources/tb-mqtt-transport.yml
index 1a6f04e598..14339f5056 100644
--- a/transport/mqtt/src/main/resources/tb-mqtt-transport.yml
+++ b/transport/mqtt/src/main/resources/tb-mqtt-transport.yml
@@ -19,6 +19,8 @@ spring.main.web-environment: "${WEB_APPLICATION_ENABLE:false}"
 # If you enabled process metrics you should set 'web-application-type' to 'servlet' value.
 spring.main.web-application-type: "${WEB_APPLICATION_TYPE:none}"
 
+spring.main.allow-circular-references: "true"
+
 server:
 # Server bind address (has no effect if web-environment is disabled).
 address: "${HTTP_BIND_ADDRESS:0.0.0.0}"
diff --git a/transport/snmp/src/main/resources/tb-snmp-transport.yml b/transport/snmp/src/main/resources/tb-snmp-transport.yml
index 6ff1a37442..82060defb3 100644
--- a/transport/snmp/src/main/resources/tb-snmp-transport.yml
+++ b/transport/snmp/src/main/resources/tb-snmp-transport.yml
@@ -19,6 +19,8 @@ spring.main.web-environment: "${WEB_APPLICATION_ENABLE:false}"
 # If you enabled process metrics you should set 'web-application-type' to 'servlet' value.
 spring.main.web-application-type: "${WEB_APPLICATION_TYPE:none}"
 
+spring.main.allow-circular-references: "true"
+
 server:
 # Server bind address (has no effect if web-environment is disabled).
 address: "${HTTP_BIND_ADDRESS:0.0.0.0}"
From 619cabf514ca14a13c1cb0892d645e92959888b9 Mon Sep 17 00:00:00 2001
From: YevhenBondarenko
Date: Mon, 13 Jun 2022 16:55:28 +0200
Subject: [PATCH 7/7] fixed install app
---
 .../org/thingsboard/server/ThingsboardInstallApplication.java | 4 +++-
 .../SpringfoxHandlerProviderBeanPostProcessor.java | 3 +-
 2 files changed, 4 insertions(+), 3 deletions(-)
 rename application/src/main/java/org/thingsboard/server/{config => springfox}/SpringfoxHandlerProviderBeanPostProcessor.java (97%)
diff --git a/application/src/main/java/org/thingsboard/server/ThingsboardInstallApplication.java b/application/src/main/java/org/thingsboard/server/ThingsboardInstallApplication.java
index efc1e55701..e90ed98351 100644
--- a/application/src/main/java/org/thingsboard/server/ThingsboardInstallApplication.java
+++ b/application/src/main/java/org/thingsboard/server/ThingsboardInstallApplication.java
@@ -32,7 +32,9 @@ import java.util.Arrays;
 "org.thingsboard.server.dao",
 "org.thingsboard.server.common.stats",
 "org.thingsboard.server.common.transport.config.ssl",
- "org.thingsboard.server.cache"})
+ "org.thingsboard.server.cache",
+ "org.thingsboard.server.springfox"
+})
 public class ThingsboardInstallApplication {
 
 private static final String SPRING_CONFIG_NAME_KEY = "--spring.config.name";
diff --git a/application/src/main/java/org/thingsboard/server/config/SpringfoxHandlerProviderBeanPostProcessor.java b/application/src/main/java/org/thingsboard/server/springfox/SpringfoxHandlerProviderBeanPostProcessor.java
similarity index 97%
rename from application/src/main/java/org/thingsboard/server/config/SpringfoxHandlerProviderBeanPostProcessor.java
rename to application/src/main/java/org/thingsboard/server/springfox/SpringfoxHandlerProviderBeanPostProcessor.java
index feec10c86f..af03c72004 100644
--- a/application/src/main/java/org/thingsboard/server/config/SpringfoxHandlerProviderBeanPostProcessor.java
+++ b/application/src/main/java/org/thingsboard/server/springfox/SpringfoxHandlerProviderBeanPostProcessor.java
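Review bot: The new `"org.thingsboard.server.springfox"` entry in the scanned-package list exists only to pick up `SpringfoxHandlerProviderBeanPostProcessor`, which the rename hunk in this patch moves into that package and which itself carries a TODO to be removed once springfox issue 3462 is fixed; the scan entry has no such marker and will be left behind when the class goes. Add `// TODO: remove together with SpringfoxHandlerProviderBeanPostProcessor (springfox issue 3462)` on the `"org.thingsboard.server.springfox"` line, or register that single post-processor explicitly from this class instead of widening the scan, since a package-wide scan in the install application will also pick up anything added to that package later. The annotation whose package list this is starts outside the hunk.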
@@ -13,7 +13,7 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-package org.thingsboard.server.config;
+package org.thingsboard.server.springfox;
 
 import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.config.BeanPostProcessor;
@@ -27,7 +27,6 @@ import java.lang.reflect.Field;
 import java.util.List;
 import java.util.stream.Collectors;
 
-//@TbCoreComponent
 @Component
 //TODO: remove after fixing issue https://github.com/springfox/springfox/issues/3462 or after migration from springfox to springdoc
 public class SpringfoxHandlerProviderBeanPostProcessor implements BeanPostProcessor {