Merge pull request #13356 from smatvienko-tb/hotfix/rc-vulnerability-fix-090525

Fix vulnerabilities
2025-05-13 14:38:32 +03:00 · 2025-05-13 14:38:32 +03:00 · 7fe6710d52
commit 7fe6710d52
parent cc9ac82b12 afdfe451d5
11 changed files with 151 additions and 47 deletions
--- a/common/cluster-api/pom.xml
+++ b/common/cluster-api/pom.xml
@ -60,10 +60,6 @@
            <groupId>jakarta.annotation</groupId>
            <artifactId>jakarta.annotation-api</artifactId>
        </dependency>
        <dependency>
            <groupId>com.github.java-json-tools</groupId>
            <artifactId>json-schema-validator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-api</artifactId>
--- a/common/dao-api/pom.xml
+++ b/common/dao-api/pom.xml
@ -56,10 +56,6 @@
            <groupId>jakarta.annotation</groupId>
            <artifactId>jakarta.annotation-api</artifactId>
        </dependency>
        <dependency>
            <groupId>com.github.java-json-tools</groupId>
            <artifactId>json-schema-validator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-api</artifactId>
--- a/dao/pom.xml
+++ b/dao/pom.xml
@ -59,6 +59,10 @@
            <groupId>org.thingsboard.common</groupId>
            <artifactId>util</artifactId>
        </dependency>
        <dependency>
            <groupId>com.networknt</groupId>
            <artifactId>json-schema-validator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-api</artifactId>
--- a/dao/src/main/java/org/thingsboard/server/dao/component/BaseComponentDescriptorService.java
+++ b/dao/src/main/java/org/thingsboard/server/dao/component/BaseComponentDescriptorService.java
@ -16,10 +16,10 @@
 package org.thingsboard.server.dao.component;
 import com.fasterxml.jackson.databind.JsonNode;
-import com.github.fge.jsonschema.core.exceptions.ProcessingException;
+import com.networknt.schema.JsonSchema;
-import com.github.fge.jsonschema.core.report.ProcessingReport;
+import com.networknt.schema.JsonSchemaFactory;
-import com.github.fge.jsonschema.main.JsonSchemaFactory;
+import com.networknt.schema.SpecVersion;
-import com.github.fge.jsonschema.main.JsonValidator;
+import com.networknt.schema.ValidationMessage;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Service;
@ -36,6 +36,7 @@ import org.thingsboard.server.dao.service.DataValidator;
 import org.thingsboard.server.dao.service.Validator;
 import java.util.Optional;
 import java.util.Set;
 /**
 * @author Andrew Shvayka
@ -89,15 +90,18 @@ public class BaseComponentDescriptorService implements ComponentDescriptorServic
    @Override
    public boolean validate(TenantId tenantId, ComponentDescriptor component, JsonNode configuration) {
        JsonValidator validator = JsonSchemaFactory.byDefault().getValidator();
        try {
            if (!component.getConfigurationDescriptor().has("schema")) {
                throw new DataValidationException("Configuration descriptor doesn't contain schema property!");
            }
            JsonNode configurationSchema = component.getConfigurationDescriptor().get("schema");
-            ProcessingReport report = validator.validate(configurationSchema, configuration);
+
-            return report.isSuccess();
+            JsonSchemaFactory factory = JsonSchemaFactory.getInstance(SpecVersion.VersionFlag.V4);
-        } catch (ProcessingException e) {
+            JsonSchema schema = factory.getSchema(configurationSchema);
            Set<ValidationMessage> validationMessages = schema.validate(configuration);
            return validationMessages.isEmpty();
        } catch (Exception e) {
            throw new IncorrectParameterException(e.getMessage(), e);
        }
    }
--- a/dao/src/test/java/org/thingsboard/server/dao/component/BaseComponentDescriptorServiceTest.java
+++ b/dao/src/test/java/org/thingsboard/server/dao/component/BaseComponentDescriptorServiceTest.java
@ -0,0 +1,98 @@
 /**
 * Copyright © 2016-2025 The Thingsboard Authors
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.thingsboard.server.dao.component;
 import com.fasterxml.jackson.databind.JsonNode;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.mockito.Mockito;
 import org.thingsboard.common.util.JacksonUtil;
 import org.thingsboard.server.common.data.id.TenantId;
 import org.thingsboard.server.common.data.plugin.ComponentClusteringMode;
 import org.thingsboard.server.common.data.plugin.ComponentDescriptor;
 import org.thingsboard.server.common.data.plugin.ComponentScope;
 import org.thingsboard.server.common.data.plugin.ComponentType;
 import org.thingsboard.server.dao.exception.IncorrectParameterException;
 import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 class BaseComponentDescriptorServiceTest {
    private BaseComponentDescriptorService service;
    private ComponentDescriptor componentDescriptor;
    private TenantId tenantId;
    @BeforeEach
    void setUp() {
        service = Mockito.spy(BaseComponentDescriptorService.class);
        tenantId = TenantId.SYS_TENANT_ID;
        // Create a simple component descriptor
        componentDescriptor = new ComponentDescriptor();
        componentDescriptor.setType(ComponentType.ACTION);
        componentDescriptor.setScope(ComponentScope.TENANT);
        componentDescriptor.setClusteringMode(ComponentClusteringMode.ENABLED);
        componentDescriptor.setName("Test Component");
        componentDescriptor.setClazz("org.thingsboard.test.TestComponent");
        // Create configuration descriptor with schema from JSON string
        String configDescriptorJson = """
                {
                  "schema": {
                    "type": "object",
                    "properties": {
                      "testField": {
                        "type": "string"
                      }
                    },
                    "required": ["testField"]
                  }
                }""";
        componentDescriptor.setConfigurationDescriptor(JacksonUtil.toJsonNode(configDescriptorJson));
    }
    @Test
    void testValidate() {
        // Create valid configuration from JSON string
        String validConfigJson = "{\"testField\": \"test value\"}";
        JsonNode validConfig = JacksonUtil.toJsonNode(validConfigJson);
        // Create invalid configuration (missing required field) from JSON string
        String invalidConfigJson = "{}";
        JsonNode invalidConfig = JacksonUtil.toJsonNode(invalidConfigJson);
        // Test valid configuration
        boolean validResult = service.validate(tenantId, componentDescriptor, validConfig);
        assertTrue(validResult, "Valid configuration should pass validation");
        // Test invalid configuration
        boolean invalidResult = service.validate(tenantId, componentDescriptor, invalidConfig);
        assertFalse(invalidResult, "Invalid configuration should fail validation");
        // Test with component descriptor without schema
        ComponentDescriptor noSchemaDescriptor = new ComponentDescriptor(componentDescriptor);
        noSchemaDescriptor.setConfigurationDescriptor(JacksonUtil.toJsonNode("{}"));
        // Should throw exception when schema is missing
        assertThrows(IncorrectParameterException.class, () -> {
            service.validate(tenantId, noSchemaDescriptor, validConfig);
        }, "Should throw exception when schema is missing");
    }
 }
--- a/monitoring/pom.xml
+++ b/monitoring/pom.xml
@ -42,7 +42,7 @@
        <pkg.implementationTitle>ThingsBoard Monitoring Service</pkg.implementationTitle>
        <pkg.mainClass>org.thingsboard.monitoring.ThingsboardMonitoringApplication</pkg.mainClass>
-        <californium.version>2.6.1</californium.version>
+        <californium.version>2.7.4</californium.version>
        <leshan.version>2.0.0-M4</leshan.version>
    </properties>
--- a/pom.xml
+++ b/pom.xml
@ -42,13 +42,14 @@
        <jakarta.xml.bind-api.version>4.0.2</jakarta.xml.bind-api.version>
        <javax.xml.bind-api.version>2.4.0-b180830.0359</javax.xml.bind-api.version>
        <jaxb-runtime.version>4.0.5</jaxb-runtime.version>
-        <tomcat.version>10.1.39</tomcat.version> <!--Remove after update spring-boot to new version-->
+        <tomcat.version>10.1.40</tomcat.version> <!-- Vulnerability fix, Remove after update spring-boot to new version-->
        <net.minidev.json-smart>2.5.2</net.minidev.json-smart> <!-- Vulnerability fix, CVE-2024-57699, Remove after update spring-boot 3.2.12 to a newer version-->
        <spring-boot.version>3.2.12</spring-boot.version>
        <spring-data.version>3.2.12</spring-data.version>
        <spring-data-redis.version>3.2.12</spring-data-redis.version>
        <spring.version>6.1.15</spring.version>
        <spring-redis.version>6.2.11</spring-redis.version>
-        <spring-security.version>6.2.8</spring-security.version>
+        <spring-security.version>6.3.8</spring-security.version>
        <jedis.version>5.1.5</jedis.version>
        <jjwt.version>0.12.5</jjwt.version>
        <slf4j.version>2.0.13</slf4j.version>
@ -57,7 +58,7 @@
        <rat.version>0.10</rat.version> <!-- unused -->
        <cassandra.version>4.17.0</cassandra.version>
        <metrics.version>4.2.25</metrics.version>
-        <cassandra-all.version>3.11.17</cassandra-all.version> <!-- tools -->
+        <cassandra-all.version>5.0.4</cassandra-all.version> <!-- tools -->
        <guava.version>33.1.0-jre</guava.version>
        <caffeine.version>3.1.8</caffeine.version>
        <commons-lang3.version>3.14.0</commons-lang3.version>
@ -74,7 +75,7 @@
        <jackson-databind.version>2.17.2</jackson-databind.version>
        <fasterxml-classmate.version>1.7.0</fasterxml-classmate.version>
        <auth0-jwt.version>4.4.0</auth0-jwt.version>
-        <json-schema-validator.version>2.2.14</json-schema-validator.version>
+        <json-schema-validator.version>1.5.6</json-schema-validator.version>
        <milo.version>0.6.12</milo.version>
        <californium.version>3.12.1</californium.version>
        <leshan.version>2.0.0-M15</leshan.version>
@ -102,7 +103,7 @@
        <jts.version>1.19.0</jts.version>
        <bouncycastle.version>1.78.1</bouncycastle.version>
        <winsw.version>2.0.1</winsw.version>
-        <postgresql.driver.version>42.7.3</postgresql.driver.version>
+        <postgresql.driver.version>42.7.5</postgresql.driver.version>
        <sonar.exclusions>org/thingsboard/server/gen/**/*,
            org/thingsboard/server/extensions/core/plugin/telemetry/gen/**/*
        </sonar.exclusions>
@ -112,7 +113,7 @@
        <!-- IMPORTANT: If you change the version of the kafka client, make sure to synchronize our overwritten implementation of the
        org.apache.kafka.common.network.NetworkReceive class in the application module. It addresses the issue https://issues.apache.org/jira/browse/KAFKA-4090.
        Here is the source to track https://github.com/apache/kafka/tree/trunk/clients/src/main/java/org/apache/kafka/common/network -->
-        <kafka.version>3.7.1</kafka.version>
+        <kafka.version>3.7.2</kafka.version>
        <bucket4j.version>8.10.1</bucket4j.version>
        <antlr.version>3.5.3</antlr.version>
        <snakeyaml.version>2.2</snakeyaml.version>
@ -1163,6 +1164,13 @@
                <artifactId>tomcat-embed-websocket</artifactId>
                <version>${tomcat.version}</version>
            </dependency>
            <!-- Vulnerability fix - transitive dependency from Spring Boot, remove after Spring Boot upgrade -->
            <dependency>
                <groupId>net.minidev</groupId>
                <artifactId>json-smart</artifactId>
                <version>${net.minidev.json-smart}</version>
            </dependency>
            <!-- ...Vulnerability fix - transitive dependency from Spring Boot, remove after Spring Boot upgrade -->
            <dependency>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter</artifactId>
@ -1183,6 +1191,18 @@
                <artifactId>spring-security-oauth2-jose</artifactId>
                <version>${spring-security.version}</version>
            </dependency>
            <!-- Vulnerability fix - transitive dependency from Spring Boot, remove after Spring Boot upgrade -->
            <dependency>
                <groupId>org.springframework.security</groupId>
                <artifactId>spring-security-config</artifactId>
                <version>${spring-security.version}</version>
            </dependency>
            <dependency>
                <groupId>org.springframework.security</groupId>
                <artifactId>spring-security-web</artifactId>
                <version>${spring-security.version}</version>
            </dependency>
            <!-- ... Vulnerability fix - transitive dependency from Spring Boot, remove after Spring Boot upgrade -->
            <dependency>
                <groupId>org.springframework</groupId>
                <artifactId>spring-core</artifactId>
@ -1600,15 +1620,9 @@
                <version>${auth0-jwt.version}</version>
            </dependency>
            <dependency>
-                <groupId>com.github.java-json-tools</groupId>
+                <groupId>com.networknt</groupId>
                <artifactId>json-schema-validator</artifactId>
                <version>${json-schema-validator.version}</version>
                <exclusions>
                    <exclusion>
                        <groupId>com.sun.mail</groupId>
                        <artifactId>mailapi</artifactId>
                    </exclusion>
                </exclusions>
            </dependency>
            <dependency>
                <groupId>org.eclipse.leshan</groupId>
@ -1827,11 +1841,6 @@
                <artifactId>cassandra-all</artifactId>
                <version>${cassandra-all.version}</version>
            </dependency>
            <dependency>
                <groupId>org.apache.cassandra</groupId>
                <artifactId>cassandra-thrift</artifactId>
                <version>${cassandra-all.version}</version>
            </dependency>
            <dependency>
                <groupId>org.junit.vintage</groupId>
                <artifactId>junit-vintage-engine</artifactId>
@ -2224,7 +2233,7 @@
            </dependency>
            <dependency>
                <groupId>org.mock-server</groupId>
-                <artifactId>mockserver-netty</artifactId>
+                <artifactId>mockserver-netty-no-dependencies</artifactId>
                <version>${mock-server.version}</version>
                <scope>test</scope>
                <exclusions>
@ -2236,7 +2245,7 @@
            </dependency>
            <dependency>
                <groupId>org.mock-server</groupId>
-                <artifactId>mockserver-client-java</artifactId>
+                <artifactId>mockserver-client-java-no-dependencies</artifactId>
                <version>${mock-server.version}</version>
                <scope>test</scope>
            </dependency>
--- a/rule-engine/rule-engine-components/pom.xml
+++ b/rule-engine/rule-engine-components/pom.xml
@ -141,12 +141,12 @@
        </dependency>
        <dependency>
            <groupId>org.mock-server</groupId>
-            <artifactId>mockserver-netty</artifactId>
+            <artifactId>mockserver-netty-no-dependencies</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.mock-server</groupId>
-            <artifactId>mockserver-client-java</artifactId>
+            <artifactId>mockserver-client-java-no-dependencies</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
--- a/rule-engine/rule-engine-components/src/test/java/org/thingsboard/rule/engine/mqtt/TbMqttNodeTest.java
+++ b/rule-engine/rule-engine-components/src/test/java/org/thingsboard/rule/engine/mqtt/TbMqttNodeTest.java
@ -181,7 +181,8 @@ public class TbMqttNodeTest extends AbstractRuleNodeUpgradeTest {
        SslContext actualSslContext = mqttClientConfig.getValue().getSslContext();
        assertThat(actualSslContext)
                .usingRecursiveComparison()
-                .ignoringFields("ctx", "ctxLock", "sessionContext.context.ctx", "sessionContext.context.ctxLock")
+                .ignoringFields("ctx", "ctxLock", "sessionContext.context.ctx", "sessionContext.context.ctxLock",
                        "sslContext")
                .isEqualTo(SslContextBuilder.forClient().build());
    }
--- a/tools/pom.xml
+++ b/tools/pom.xml
@ -55,10 +55,6 @@
            <groupId>org.apache.cassandra</groupId>
            <artifactId>cassandra-all</artifactId>
        </dependency>
        <dependency>
            <groupId>org.apache.cassandra</groupId>
            <artifactId>cassandra-thrift</artifactId>
        </dependency>
        <dependency>
            <groupId>commons-io</groupId>
            <artifactId>commons-io</artifactId>
--- a/tools/src/main/java/org/thingsboard/client/tools/migrator/WriterBuilder.java
+++ b/tools/src/main/java/org/thingsboard/client/tools/migrator/WriterBuilder.java
@ -59,7 +59,7 @@ public class WriterBuilder {
    public static CQLSSTableWriter getTsWriter(File dir) {
        return CQLSSTableWriter.builder()
-                .inDirectory(dir)
+                .inDirectory(dir.getAbsolutePath())
                .forTable(tsSchema)
                .using("INSERT INTO thingsboard.ts_kv_cf (entity_type, entity_id, key, partition, ts, bool_v, str_v, long_v, dbl_v, json_v) " +
                        "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)")
@ -68,7 +68,7 @@ public class WriterBuilder {
    public static CQLSSTableWriter getLatestWriter(File dir) {
        return CQLSSTableWriter.builder()
-                .inDirectory(dir)
+                .inDirectory(dir.getAbsolutePath())
                .forTable(latestSchema)
                .using("INSERT INTO thingsboard.ts_kv_latest_cf (entity_type, entity_id, key, ts, bool_v, str_v, long_v, dbl_v, json_v) " +
                        "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)")
@ -77,7 +77,7 @@ public class WriterBuilder {
    public static CQLSSTableWriter getPartitionWriter(File dir) {
        return CQLSSTableWriter.builder()
-                .inDirectory(dir)
+                .inDirectory(dir.getAbsolutePath())
                .forTable(partitionSchema)
                .using("INSERT INTO thingsboard.ts_kv_partitions_cf (entity_type, entity_id, key, partition) " +
                        "VALUES (?, ?, ?, ?)")