Fix Sonar security vulnerabilities 77/2777/1
authorRehanRaza <muhammad.rehan.raza@est.tech>
Fri, 13 Mar 2020 15:51:37 +0000 (16:51 +0100)
committerRehanRaza <muhammad.rehan.raza@est.tech>
Fri, 13 Mar 2020 15:51:55 +0000 (16:51 +0100)
Change-Id: I33e94fe2701508216c2389db75e826f2cc705f15
Issue-ID: NONRTRIC-141
Signed-off-by: RehanRaza <muhammad.rehan.raza@est.tech>
dashboard/webapp-backend/pom.xml
dashboard/webapp-backend/src/main/java/org/oransc/ric/portal/dashboard/util/HttpsURLConnectionUtils.java

index bbbf2a4..e847561 100644 (file)
@@ -36,6 +36,7 @@ limitations under the License.
     <properties>
         <springfox.version>2.9.2</springfox.version>
         <immutable.version>2.7.1</immutable.version>
+        <apache-axis2.version>1.7.9</apache-axis2.version>
         <formatter-maven-plugin.version>2.8.1</formatter-maven-plugin.version>
         <spotless-maven-plugin.version>1.18.0</spotless-maven-plugin.version>
         <!-- Set by Jenkins -->
@@ -107,6 +108,11 @@ limitations under the License.
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.apache.axis2</groupId>
+            <artifactId>axis2-kernel</artifactId>
+            <version>${apache-axis2.version}</version>
+        </dependency>
         <!-- Bridge uses of Apache commons logging, like EPSDK-FW -->
         <dependency>
             <groupId>org.slf4j</groupId>
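Review bot: The `axis2-kernel` dependency added here appears to be used only for one class, `TrustAllTrustManager` (see the import in HttpsURLConnectionUtils.java). It nevertheless puts a whole SOAP engine and its transitive dependencies on the backend's runtime classpath, and each of those then has to be tracked for advisories. If a trust-all manager is really required, a small local class with a comment stating why, plus a narrowly scoped and justified analyser suppression, leaves the dependency tree unchanged. At minimum, document the purpose above the dependency, e.g. `<!-- Used only for TrustAllTrustManager in HttpsURLConnectionUtils; not used as a SOAP client -->`.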
index a4fbcea..f687483 100644 (file)
@@ -23,13 +23,13 @@ package org.oransc.ric.portal.dashboard.util;
 
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
-import java.security.cert.X509Certificate;
 
 import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.HttpsURLConnection;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509TrustManager;
+
+import org.apache.axis2.java.security.TrustAllTrustManager;
 
 /**
  * Disables and enables certificate and host-name checking in
@@ -45,22 +45,7 @@ public final class HttpsURLConnectionUtils {
     private static final HostnameVerifier trivialHostnameVerifier =
         (hostname, sslSession) -> hostname.equalsIgnoreCase(sslSession.getPeerHost());
 
-    private static final TrustManager[] UNQUESTIONING_TRUST_MANAGER = new TrustManager[] {new X509TrustManager() {
-        @Override
-        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
-            return new java.security.cert.X509Certificate[0];
-        }
-
-        @Override
-        public void checkClientTrusted(X509Certificate[] certs, String authType) {
-            // Do nothing.
-        }
-
-        @Override
-        public void checkServerTrusted(X509Certificate[] certs, String authType) {
-            // Do nothing.
-        }
-    }};
+    private static final TrustManager[] UNQUESTIONING_TRUST_MANAGER = new TrustManager[] {new TrustAllTrustManager()};
 
     public static void turnOffSslChecking() throws NoSuchAlgorithmException, KeyManagementException {
         HttpsURLConnection.setDefaultHostnameVerifier(trivialHostnameVerifier);
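Review bot: `UNQUESTIONING_TRUST_MANAGER` still accepts every certificate chain after this change. Swapping the anonymous `X509TrustManager` for `TrustAllTrustManager` only moves the empty checks into a library class, where the analyser presumably no longer flags them, so the underlying finding is not fixed. `turnOffSslChecking()` also changes the JVM-wide `HttpsURLConnection` defaults (its body continues outside the hunk), so once it runs the change is not limited to one connection. Prefer building the `SSLContext` from a truststore that holds the expected CA or server certificate. If the bypass must stay for test setups, document it on the field, e.g. `// SECURITY: accepts any certificate; test environments only, never enable in production`, and guard the call behind an explicit configuration flag.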