chore(maven) and fix(remoting): #28 and SAST-mitigations

.github/workflows/trivy.yml

@@ -44,7 +44,7 @@ jobs:
       - name: Resolve git 7-chars sha
         id: git-sha7
         run: |
-          echo "SHA7=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
+          echo "SHA7=sha-${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
 
   trivy-analyze-config:
     runs-on: ubuntu-latest

.github/workflows/veracode.yml

@@ -110,7 +110,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Tar gzip files for veracode upload
         run: |-
-          tar -czvf ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}.tar.gz ${{ matrix.variant.dir }}/lib/*.jar ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}-*.jar
+          tar -czvf ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}.tar.gz ${{ matrix.variant.dir }}/target/lib/*.jar ${{ matrix.variant.dir }}/target/${{ matrix.variant.name }}-*.jar
       - name: Veracode Upload And Scan
         uses: veracode/[email protected]
         if: |

DEPENDENCIES

@@ -40,6 +40,7 @@ maven/mavencentral/commons-codec/commons-codec/1.15, Apache-2.0 AND BSD-3-Clause
 maven/mavencentral/commons-collections/commons-collections/3.2.2, Apache-2.0, approved, CQ10385
 maven/mavencentral/commons-io/commons-io/2.11.0, Apache-2.0, approved, CQ23745
 maven/mavencentral/commons-lang/commons-lang/2.6, Apache-2.0, approved, CQ6183
+maven/mavencentral/commons-logging/commons-logging/1.2, Apache-2.0, approved, CQ10162
 maven/mavencentral/io.github.classgraph/classgraph/4.8.154, MIT, approved, CQ22530
 maven/mavencentral/io.mikael/urlbuilder/2.0.9, Apache-2.0, approved, #9815
 maven/mavencentral/io.sgr/s2-geometry-library-java/1.0.0, Apache-2.0, approved, CQ22121
@@ -220,6 +221,5 @@ maven/mavencentral/org.springframework/spring-expression/5.3.28, Apache-2.0, app
 maven/mavencentral/org.springframework/spring-jcl/5.3.28, Apache-2.0, approved, CQ23156
 maven/mavencentral/org.springframework/spring-web/5.3.28, Apache-2.0 AND LicenseRef-Public-Domain, approved, CQ23157
 maven/mavencentral/org.springframework/spring-webmvc/5.3.28, Apache-2.0, approved, CQ23158
-maven/mavencentral/org.xerial.snappy/snappy-java/1.1.7.6, Apache-2.0 AND (Apache-2.0 AND BSD-3-Clause), approved, #9098
-maven/mavencentral/org.yaml/snakeyaml/1.30, Apache-2.0, approved, clearlydefined
+maven/mavencentral/org.xerial.snappy/snappy-java/1.1.10.2, Apache-2.0 AND (Apache-2.0 AND BSD-3-Clause), approved, #9098
 maven/mavencentral/org.yaml/snakeyaml/2.0, Apache-2.0 AND (Apache-2.0 OR BSD-3-Clause OR EPL-1.0 OR GPL-2.0-or-later OR LGPL-2.1-or-later), approved, #7275

conforming/pom.xml

@@ -169,6 +169,25 @@
     </dependencyManagement>
 
     <build>
+        <resources>
+            <resource>
+                <directory>..</directory>
+                <includes>
+                    <include>LICENSE</include>
+                    <include>DEPENDENCIES</include>
+                    <include>SECURITY.md</include>
+                    <include>NOTICE.md</include>
+                </includes>
+                <targetPath>META-INF</targetPath>
+            </resource>
+            <resource>
+                <directory>.</directory>
+                <includes>
+                    <include>README.md</include>
+                </includes>
+                <targetPath>META-INF</targetPath>
+            </resource>
+        </resources>
         <plugins>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>

docs/ProvisioningOntop.drawio

@@ -1,4 +1,5 @@
 <!--
+ * Copyright (c) 2022,2023 T-Systems International GmbH
  * Copyright (c) 2022,2023 Contributors to the Eclipse Foundation
  *
  * See the NOTICE file(s) distributed with this work for additional
@@ -15,7 +16,6 @@
  * under the License.
  *
  * SPDX-License-Identifier: Apache-2.0
-
 -->
 
 <mxfile host="app.diagrams.net" modified="2023-07-20T06:37:28.929Z" agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" etag="O-j3X3T_TgC0_Z88hgmF" version="21.6.2" type="device">

docs/README.md

@@ -52,3 +52,12 @@ The [Remoting Agent (KA-RMT)](../remoting) which binds typical REST services to
 
 The [Conforming Agent (KA-CONF)](conforming) is not a real binding agent, but it 
 can play the role of any other Agent in the Knowledge Agent architecture (Matchmaking Agent, Binding Agent, EDC Transfer) by testing the conformity of surrounding components (and the various KA-SPARQL profiles). The conforming agent contains no real business data (only reference sample data) and needs no connection to any backend service.
+
+## NOTICE
+
+This work is licensed under the [Apache-2.0](https://www.apache.org/licenses/LICENSE-2.0).
+
+- SPDX-License-Identifier: Apache-2.0
+- SPDX-FileCopyrightText: 2022,2023 T-Systems International GmbH
+- SPDX-FileCopyrightText: 2022,2023 Contributors to the Eclipse Foundation
+- Source URL: https://github.com/eclipse-tractusx/knowledge-agents

docs/RemotingRDF4J.drawio

@@ -1,4 +1,5 @@
 <!--
+ * Copyright (c) 2022,2023 T-Systems International GmbH
  * Copyright (c) 2022,2023 Contributors to the Eclipse Foundation
  *
  * See the NOTICE file(s) distributed with this work for additional
@@ -15,7 +16,6 @@
  * under the License.
  *
  * SPDX-License-Identifier: Apache-2.0
-
 -->
 
 <mxfile host="app.diagrams.net" modified="2023-07-06T07:16:13.908Z" agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/114.0" etag="KaKQFhKat864VoIxXJ1i" version="21.5.2" type="device">

pom.xml

@@ -44,6 +44,7 @@
         <rdf4j.version>4.3.3</rdf4j.version>
         <slf4j.version>2.0.7</slf4j.version>
         <httpcomponents.version>4.5.14</httpcomponents.version>
+        <commons.logging.version>1.2</commons.logging.version>
         <jackson.version>2.15.2</jackson.version>
         <jackson.databind.version>2.15.2</jackson.databind.version>
         <jaxb.version>2.3.0</jaxb.version>
@@ -57,6 +58,8 @@
         <tomcat.version>9.0.78</tomcat.version>
         <netty.version>4.1.94.Final</netty.version>
         <jetty.version>9.4.51.v20230217</jetty.version>
+        <org.yaml.snakeyaml.version>2.0</org.yaml.snakeyaml.version>
+        <snappy.version>1.1.10.2</snappy.version>
         <!-- REPO -->
         <repo>tractusx/</repo>
         <platform>linux/amd64</platform>

provisioning/pom.xml

@@ -117,6 +117,25 @@
     </dependencies>
 
     <build>
+        <resources>
+            <resource>
+                <directory>..</directory>
+                <includes>
+                    <include>LICENSE</include>
+                    <include>DEPENDENCIES</include>
+                    <include>SECURITY.md</include>
+                    <include>NOTICE.md</include>
+                </includes>
+                <targetPath>META-INF</targetPath>
+            </resource>
+            <resource>
+                <directory>.</directory>
+                <includes>
+                    <include>README.md</include>
+                </includes>
+                <targetPath>META-INF</targetPath>
+            </resource>
+        </resources>
         <plugins>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>

remoting/pom.xml

@@ -57,15 +57,33 @@
         <groupId>org.eclipse.rdf4j</groupId>
         <artifactId>rdf4j-storage</artifactId>
         <type>pom</type>
+        <exclusions>
+          <exclusion>
+              <groupId>org.xerial.snappy</groupId>
+              <artifactId>snappy-java</artifactId>
+          </exclusion>
+        </exclusions>
       </dependency>
 
       <dependency>
-        <groupId>org.slf4j</groupId>
-        <artifactId>slf4j-simple</artifactId>
-        <version>${slf4j.version}</version>
+        <groupId>org.xerial.snappy</groupId>
+        <artifactId>snappy-java</artifactId>
+        <version>${snappy.version}</version>
       </dependency>
 
       <dependency>
+          <groupId>commons-logging</groupId>
+          <artifactId>commons-logging</artifactId>
+          <version>${commons.logging.version}</version>
+      </dependency>
+
+       <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-simple</artifactId>
+            <version>${slf4j.version}</version>
+       </dependency>
+
+        <dependency>
          <groupId>org.junit.jupiter</groupId>
          <artifactId>junit-jupiter-engine</artifactId>
          <scope>test</scope>
@@ -130,6 +148,18 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-web</artifactId>
             <version>${spring.boot.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.yaml</groupId>
+                    <artifactId>snakeyaml</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
+        <dependency>
+            <groupId>org.yaml</groupId>
+            <artifactId>snakeyaml</artifactId>
+            <version>${org.yaml.snakeyaml.version}</version>
         </dependency>
 
         <dependency>
@@ -247,6 +277,25 @@
     </dependencyManagement>
 
     <build>
+        <resources>
+            <resource>
+                <directory>..</directory>
+                <includes>
+                    <include>LICENSE</include>
+                    <include>DEPENDENCIES</include>
+                    <include>SECURITY.md</include>
+                    <include>NOTICE.md</include>
+                </includes>
+                <targetPath>META-INF</targetPath>
+            </resource>
+            <resource>
+                <directory>.</directory>
+                <includes>
+                    <include>README.md</include>
+                </includes>
+                <targetPath>META-INF</targetPath>
+            </resource>
+        </resources>
         <plugins>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>

remoting/src/main/docker/Dockerfile

@@ -27,6 +27,8 @@ COPY target/lib/netty-*.jar /opt/lib/
 COPY target/lib/jetty-*.jar /opt/lib/
 COPY target/lib/spring-*.jar /opt/lib/
 COPY target/lib/httpmime-*.jar /opt/lib/
+COPY target/lib/commons-logging-*.jar /opt/lib/
+COPY target/lib/snappy-java-*.jar /opt/lib/
 
 COPY resources/web/logging.properties /opt/conf/
 COPY resources/web/server.xml /opt/conf/
@@ -84,8 +86,6 @@ RUN	mkdir -p /var/rdf4j/server/conf && \
     rm /usr/local/tomcat/conf/server.xml && \
     rm /usr/local/tomcat/conf/tomcat-users.xml && \
     rm /usr/local/tomcat/conf/web.xml && \
-    wget -q "https://repo1.maven.org/maven2/commons-logging/commons-logging/1.2/commons-logging-1.2.jar" -O /usr/local/tomcat/webapps/rdf4j-server/WEB-INF/lib/commons-logging-1.2.jar && \
-    wget -q "https://repo1.maven.org/maven2/org/xerial/snappy/snappy-java/1.1.10.2/snappy-java-1.1.10.2.jar" -O /usr/local/tomcat/webapps/rdf4j-server/WEB-INF/lib/snappy-java-1.1.10.2.jar && \
     chown -R tomcat:tomcat /var/rdf4j /usr/local/tomcat && \
 	chmod 775 /usr/local/tomcat /usr/local/tomcat/bin /usr/local/tomcat/bin/catalina.sh /var/rdf4j/server 
 

remoting/src/main/java/org/eclipse/tractusx/agents/remoting/Invocation.java

@@ -234,7 +234,7 @@ public String toString() {
      */
     public static Object traversePath(Object source, String... path) throws SailException {
         if (logger.isTraceEnabled()) {
-            logger.trace(String.format("Accessing a path of length %d under %s", path.length, source));
+            logger.trace(String.format("Accessing a path of length %d under %d", path.length, System.identityHashCode(source)));
         }
         for (String elem : path) {
             if (elem != null && elem.length() > 0) {
@@ -282,8 +282,9 @@ public static String convertObjectToString(Object source) throws SailException {
                 }
             }
         } else if(source instanceof Element) {
-            TransformerFactory transFactory = TransformerFactory.newInstance();
             try {
+                TransformerFactory transFactory = TransformerFactory.newInstance();
+                transFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
                 Transformer transformer = transFactory.newTransformer();
                 StringWriter buffer = new StringWriter();
                 transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");

remoting/src/main/java/org/eclipse/tractusx/agents/remoting/callback/CallbackController.java

@@ -43,8 +43,6 @@ public class CallbackController implements org.springframework.web.servlet.mvc.C
 
     public static ObjectMapper objectMapper=new ObjectMapper();
 
-    public static DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-
     public static final Map<CallbackToken, AtomicReference<Object>> pending=new HashMap<>();
 
     /**
@@ -104,6 +102,8 @@ public ModelAndView handleRequest(javax.servlet.http.HttpServletRequest request,
             if(request.getContentType().contains("json")) {
                 callback=objectMapper.readTree(request.getInputStream());
             } else if(request.getContentType().contains("xml")) {
+                DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+                factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
                 DocumentBuilder builder = factory.newDocumentBuilder();
                 callback=builder.parse(request.getInputStream()).getDocumentElement();
             } else {