chore: close another bunch of security issues (#612)

* chore: pom.xml: update helix-core to 1.3.0

close CVE-2023-38647

Refs: IN-790

* chore: pom.xml: update json to 20231013

close CVE-2023-5072

Refs: IN-790

* chore: pom.xml: update json to 20240303

Refs: IN-790

* chore: pom.xml: update antisamy to 1.7.6 (close CVE-2024-23635

Refs: IN-790

* chore: pom.xml: update xercesImpl to 2.12.2 (close CVE-2022-23437)

Refs: IN-790

* chore: pom.xml: update jdom2 to 2.0.6.1

close CVE-2021-33813

Refs: IN-790

* chore: pom.xml: update commons-fileupload to 1.5

close CVE-2023-24998

Refs: IN-790

* chore: pom.xml: update guava to 33.3.1

close CVE-2023-2976

Refs: IN-790

* chore: general cleanup of dead or deprecate code

Author: M0Rf30

carbonio-jetty-libs/pom.xml

@@ -414,7 +414,7 @@
     <dependency>
       <groupId>org.apache.helix</groupId>
       <artifactId>helix-core</artifactId>
-      <version>0.6.1-incubating</version>
+      <version>1.3.0</version>
       <exclusions>
         <exclusion>
           <groupId>com.noelios.restlet</groupId>
@@ -584,8 +584,8 @@
     </dependency>
     <dependency>
       <groupId>org.jdom</groupId>
-      <artifactId>jdom</artifactId>
-      <version>1.1.3</version>
+      <artifactId>jdom2</artifactId>
+      <version>2.0.6.1</version>
     </dependency>
     <dependency>
       <groupId>org.jfree</groupId>
@@ -680,4 +680,4 @@
       </plugin>
     </plugins>
   </build>
-</project>
+</project>

client/pom.xml

@@ -100,6 +100,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-source-plugin</artifactId>
+        <version>3.3.1</version>
         <executions>
           <execution>
             <id>attach-sources</id>
@@ -113,4 +114,4 @@
     </plugins>
   </build>
 
-</project>
+</project>

common/pom.xml

@@ -246,6 +246,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-source-plugin</artifactId>
+        <version>3.3.1</version>
         <executions>
           <execution>
             <id>attach-sources</id>

common/src/main/java/com/zimbra/common/net/CustomHostnameVerifier.java

@@ -24,20 +24,19 @@
 import com.google.common.collect.Sets;
 import com.zimbra.common.util.ZimbraLog;
 
-
 public class CustomHostnameVerifier implements HostnameVerifier {
 
-
     public static void verifyHostname(String hostname, SSLSession session) throws IOException {
-        if (NetConfig.getInstance().isAllowMismatchedCerts()) return;
+        if (NetConfig.getInstance().isAllowMismatchedCerts())
+            return;
 
         try {
             InetAddress.getByName(hostname);
         } catch (UnknownHostException uhe) {
             throw new UnknownHostException("Could not resolve SSL sessions server hostname: " + hostname);
         }
 
-        javax.security.cert.X509Certificate[] certs = session.getPeerCertificateChain();
+        java.security.cert.Certificate[] certs = session.getPeerCertificates();
         if (certs == null || certs.length == 0)
             throw new SSLPeerUnverifiedException("No server certificates found: " + hostname);
 
@@ -52,14 +51,14 @@ public static void verifyHostname(String hostname, SSLSession session) throws IO
 
     }
 
-    private static java.security.cert.X509Certificate certJavax2Java(javax.security.cert.X509Certificate cert) {
+    private static java.security.cert.X509Certificate certJavax2Java(java.security.cert.Certificate cert) {
         try {
             ByteArrayInputStream bis = new ByteArrayInputStream(cert.getEncoded());
             CertificateFactory cf = CertificateFactory.getInstance("X.509");
             return (java.security.cert.X509Certificate) cf.generateCertificate(bis);
-        } catch (CertificateException | CertificateEncodingException e) {
+        } catch (CertificateException e) {
         }
-      return null;
+        return null;
     }
 
     @Override
@@ -68,7 +67,7 @@ public boolean verify(String hostname, SSLSession session) {
             verifyHostname(hostname, session);
         } catch (IOException e) {
             ZimbraLog.security.debug(
-                "Hostname verification failed: hostname = " + hostname, e);
+                    "Hostname verification failed: hostname = " + hostname, e);
             return false;
         }
         return true;

common/src/main/java/com/zimbra/common/net/SSLCertInfo.java

@@ -68,7 +68,7 @@ public SSLCertInfo(String alias, String hostname, X509Certificate cert, boolean
 
         serialNumber = cert.getSerialNumber().toString(16).toUpperCase();
 
-        String issuerDn = cert.getIssuerDN().getName();
+        String issuerDn = cert.getIssuerX500Principal().getName();
         issuerCommonName = getComponent(issuerDn, COMMON_NAME);
         issuerOrganizationUnit = getComponent(issuerDn, ORGANIZATION_UNIT);
         issuerOrganization = getComponent(issuerDn, ORGANIZATION);

common/src/test/java/com/zimbra/common/util/BEncodingTest.java

@@ -25,15 +25,15 @@ public class BEncodingTest {
   @Test
   void test() throws Exception {
     List<Object> list = new ArrayList<Object>();
-    list.add(new Integer(654));
+    list.add(Integer.valueOf(654));
     list.add("hwhergk");
     list.add(new StringBuilder("74x"));
 
     Map<String, Object> map = new HashMap<String, Object>();
-    map.put("testing", new Long(5));
+    map.put("testing", Long.valueOf(5));
     map.put("foo2", "bar");
     map.put("herp", list);
-    map.put("Foo", new Float(6.7));
+    map.put("Foo", Float.valueOf((float) 6.7));
     map.put("yy", new TreeMap<Object, Object>());
 
     String encoded = BEncoding.encode(map);

native/pom.xml

@@ -48,7 +48,7 @@
             <configuration>
               <target>
                 <ant antfile="${basedir}/ant-native.xml">
-                  <target name="generate-native-headers"/>
+                  <target name="generate-native-headers" />
                 </ant>
               </target>
             </configuration>
@@ -67,6 +67,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-source-plugin</artifactId>
+        <version>3.3.1</version>
         <executions>
           <execution>
             <id>attach-sources</id>
@@ -81,4 +82,4 @@
   </build>
 
 
-</project>
+</project>

pom.xml

@@ -156,7 +156,7 @@
       <dependency>
         <groupId>commons-fileupload</groupId>
         <artifactId>commons-fileupload</artifactId>
-        <version>1.4</version>
+        <version>1.5</version>
       </dependency>
       <dependency>
         <groupId>com.zextras.carbonio.files</groupId>
@@ -191,7 +191,7 @@
       <dependency>
         <groupId>org.apache.commons</groupId>
         <artifactId>commons-compress</artifactId>
-        <version>1.20</version>
+        <version>1.21</version>
       </dependency>
       <dependency>
         <groupId>ant-1.7.0-ziputil-patched</groupId>
@@ -261,7 +261,7 @@
       <dependency>
         <groupId>xerces</groupId>
         <artifactId>xercesImpl</artifactId>
-        <version>2.12.0</version>
+        <version>2.12.2</version>
       </dependency>
       <dependency>
         <groupId>javax.mail</groupId>
@@ -340,7 +340,7 @@
       <dependency>
         <groupId>org.json</groupId>
         <artifactId>json</artifactId>
-        <version>20230227</version>
+        <version>20240303</version>
       </dependency>
       <dependency>
         <groupId>org.apache.logging.log4j</groupId>
@@ -439,7 +439,7 @@
       <dependency>
         <groupId>org.owasp.antisamy</groupId>
         <artifactId>antisamy</artifactId>
-        <version>1.7.4</version>
+        <version>1.7.6</version>
       </dependency>
       <dependency>
         <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
@@ -816,7 +816,7 @@
     <jackson.version>2.8.11</jackson.version>
     <bouncycastle.version>1.78.1</bouncycastle.version>
     <asm.version>8.0.1</asm.version>
-    <guava.version>28.1-jre</guava.version>
+    <guava.version>33.3.1-jre</guava.version>
     <jython.version>2.7.4</jython.version>
     <nekohtml.version>1.9.22</nekohtml.version>
     <log4j.version>2.20.0</log4j.version>
@@ -925,21 +925,24 @@
               <phase>validate</phase>
               <configuration>
                 <target>
-                  <pathconvert property="compile_classpath_value" refid="maven.compile.classpath"/>
-                  <pathconvert property="runtime_classpath_value" refid="maven.runtime.classpath"/>
-                  <pathconvert property="test_classpath_value" refid="maven.test.classpath"/>
-                  <!--mvn properties shared with all modules while building project-->
+                  <pathconvert property="compile_classpath_value" refid="maven.compile.classpath" />
+                  <pathconvert property="runtime_classpath_value" refid="maven.runtime.classpath" />
+                  <pathconvert property="test_classpath_value" refid="maven.test.classpath" />
+                  <!--mvn
+                  properties shared with all modules while building project-->
                   <propertyfile file="${project.build.directory}/mvn-ant-shared-build.properties">
-                    <!--required to set carbonio.buildinfo.version-->
-                    <entry key="mvn_revision" value="${revision}"/>
+                    <!--required
+                    to set carbonio.buildinfo.version-->
+                    <entry key="mvn_revision" value="${revision}" />
 
-                    <!--properties needed by some ant tasks-->
-                    <entry key="compile_classpath" value="${compile_classpath_value}"/>
-                    <entry key="runtime_classpath" value="${runtime_classpath_value}"/>
-                    <entry key="test_classpath" value="${test_classpath_value}"/>
+                    <!--properties
+                    needed by some ant tasks-->
+                    <entry key="compile_classpath" value="${compile_classpath_value}" />
+                    <entry key="runtime_classpath" value="${runtime_classpath_value}" />
+                    <entry key="test_classpath" value="${test_classpath_value}" />
                   </propertyfile>
                   <propertyfile file="${project.build.directory}/mvn-ant-shared-build.properties">
-                    <entry key="mvn_revision" value="${revision}"/>
+                    <entry key="mvn_revision" value="${revision}" />
                   </propertyfile>
                 </target>
               </configuration>
@@ -1053,7 +1056,8 @@
           <artifactId>maven-enforcer-plugin</artifactId>
           <version>3.1.0</version>
           <dependencies>
-            <!-- https://github-wiki-see.page/m/GoogleCloudPlatform/cloud-opensource-java/wiki/Linkage-Checker-Enforcer-Rule -->
+            <!--
+            https://github-wiki-see.page/m/GoogleCloudPlatform/cloud-opensource-java/wiki/Linkage-Checker-Enforcer-Rule -->
             <dependency>
               <groupId>com.google.cloud.tools</groupId>
               <artifactId>linkage-checker-enforcer-rules</artifactId>
@@ -1075,10 +1079,10 @@
               <configuration>
                 <rules>
                   <!-- No duplicate version of dependency in POM -->
-                  <banDuplicatePomDependencyVersions/>
+                  <banDuplicatePomDependencyVersions />
                   <!-- Dependencies must converge.
                   If it fails use dependency management to declare which one to use. -->
-                  <dependencyConvergence/>
+                  <dependencyConvergence />
                 </rules>
               </configuration>
             </execution>
@@ -1147,4 +1151,4 @@
     </plugins>
   </build>
 
-</project>
+</project>

soap/pom.xml

@@ -152,9 +152,10 @@
             </goals>
             <configuration>
               <target>
-                <taskdef classpathref="maven.plugin.classpath" resource="net/sf/antcontrib/antlib.xml"/>
+                <taskdef classpathref="maven.plugin.classpath"
+                  resource="net/sf/antcontrib/antlib.xml" />
                 <ant antfile="${basedir}/ant-generate-soap-docs.xml">
-                  <target name="generate-soap-api-doc"/>
+                  <target name="generate-soap-api-doc" />
                 </ant>
               </target>
             </configuration>
@@ -166,9 +167,10 @@
             </goals>
             <configuration>
               <target>
-                <taskdef classpathref="maven.plugin.classpath" resource="net/sf/antcontrib/antlib.xml"/>
+                <taskdef classpathref="maven.plugin.classpath"
+                  resource="net/sf/antcontrib/antlib.xml" />
                 <ant antfile="${basedir}/ant-generate-soap-docs.xml">
-                  <target name="generate-soap-api-changelog"/>
+                  <target name="generate-soap-api-changelog" />
                 </ant>
               </target>
             </configuration>
@@ -181,9 +183,10 @@
             </goals>
             <configuration>
               <target>
-                <taskdef classpathref="maven.plugin.classpath" resource="net/sf/antcontrib/antlib.xml"/>
+                <taskdef classpathref="maven.plugin.classpath"
+                  resource="net/sf/antcontrib/antlib.xml" />
                 <ant antfile="${basedir}/ant-generate-soap-docs.xml">
-                  <target name="generate-wsdl"/>
+                  <target name="generate-wsdl" />
                 </ant>
               </target>
             </configuration>
@@ -193,6 +196,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-source-plugin</artifactId>
+        <version>3.3.1</version>
         <executions>
           <execution>
             <id>attach-sources</id>
@@ -207,4 +211,4 @@
   </build>
 
 
-</project>
+</project>