From 56918c804bd86f4f9fccaed2c818a676f27b021c Mon Sep 17 00:00:00 2001
From: Sukalpo Mitra <sukalpomitra@gmail.com>
Date: Fri, 7 Jun 2024 15:47:09 +0800
Subject: [PATCH] Security vulnerability fixes and multi arch support

---
 .github/workflows/build-deploy.yml |  4 +++
 Dockerfile                         |  1 +
 docs-core/pom.xml                  | 11 +++++--
 docs-web-common/pom.xml            |  9 ++++--
 docs-web/pom.xml                   |  9 ++++--
 pom.xml                            | 51 ++++++++++++++++++++++++------
 6 files changed, 68 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/build-deploy.yml b/.github/workflows/build-deploy.yml
index f4369b27..2373f1d1 100644
--- a/.github/workflows/build-deploy.yml
+++ b/.github/workflows/build-deploy.yml
@@ -37,6 +37,9 @@ jobs:
       - 
         name: Checkout
         uses: actions/checkout@v2
+      -
+        name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
       - 
         name: Download war artifact
         uses: actions/download-artifact@v2
@@ -79,6 +82,7 @@ jobs:
         uses: docker/build-push-action@v2
         with:
           context: .
+          platforms: linux/amd64,linux/arm64
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.metadata.outputs.tags }}
           labels: ${{ steps.metadata.outputs.labels }}
diff --git a/Dockerfile b/Dockerfile
index 1ba2f695..5d953c41 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -48,6 +48,7 @@ RUN apt-get update && \
     tesseract-ocr-sqi \
     && apt-get clean && \
     rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get upgrade libgnutls30 -y -q
 RUN dpkg-reconfigure -f noninteractive tzdata
 
 # Install Jetty
diff --git a/docs-core/pom.xml b/docs-core/pom.xml
index dd5d2c0f..03d85df2 100644
--- a/docs-core/pom.xml
+++ b/docs-core/pom.xml
@@ -63,13 +63,13 @@
     </dependency>
 
     <dependency>
-      <groupId>log4j</groupId>
-      <artifactId>log4j</artifactId>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-core</artifactId>
     </dependency>
 
     <dependency>
       <groupId>org.slf4j</groupId>
-      <artifactId>slf4j-log4j12</artifactId>
+      <artifactId>slf4j-reload4j</artifactId>
     </dependency>
 
     <dependency>
@@ -158,6 +158,11 @@
       <artifactId>fr.opensagres.poi.xwpf.converter.pdf</artifactId>
     </dependency>
 
+    <dependency>
+        <groupId>xerces</groupId>
+        <artifactId>xercesImpl</artifactId>
+    </dependency>
+
     <!-- ImageIO plugins -->
     <dependency>
       <groupId>com.twelvemonkeys.imageio</groupId>
diff --git a/docs-web-common/pom.xml b/docs-web-common/pom.xml
index 2de08cee..9406978a 100644
--- a/docs-web-common/pom.xml
+++ b/docs-web-common/pom.xml
@@ -31,6 +31,11 @@
       <groupId>org.glassfish.jersey.media</groupId>
       <artifactId>jersey-media-json-processing</artifactId>
     </dependency>
+
+    <dependency>
+        <groupId>org.eclipse.parsson</groupId>
+        <artifactId>parsson</artifactId>
+    </dependency>
       
     <!-- Other external dependencies -->
     <dependency>
@@ -49,8 +54,8 @@
     </dependency>
     
     <dependency>
-      <groupId>log4j</groupId>
-      <artifactId>log4j</artifactId>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-core</artifactId>
     </dependency>
   
     <dependency>
diff --git a/docs-web/pom.xml b/docs-web/pom.xml
index 47efd922..212f3b77 100644
--- a/docs-web/pom.xml
+++ b/docs-web/pom.xml
@@ -46,6 +46,11 @@
       <groupId>org.glassfish.jersey.inject</groupId>
       <artifactId>jersey-hk2</artifactId>
     </dependency>
+
+    <dependency>
+        <groupId>org.eclipse.parsson</groupId>
+        <artifactId>parsson</artifactId>
+    </dependency>
       
     <!-- Other external dependencies -->
     <dependency>
@@ -64,8 +69,8 @@
     </dependency>
     
     <dependency>
-      <groupId>log4j</groupId>
-      <artifactId>log4j</artifactId>
+      <groupId>org.apache.logging.log4j</groupId>
+      <artifactId>log4j-core</artifactId>
     </dependency>
   
     <dependency>
diff --git a/pom.xml b/pom.xml
index b2240060..daeae2d5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -16,18 +16,19 @@
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 
     <!-- Dependencies version (external) -->
-    <org.apache.commons.commons-compress.version>1.22</org.apache.commons.commons-compress.version>
+    <org.apache.commons.commons-compress.version>1.25.0</org.apache.commons.commons-compress.version>
     <org.apache.commons.commons-lang3.version>3.12.0</org.apache.commons.commons-lang3.version>
     <commons-io.commons-io.version>2.11.0</commons-io.commons-io.version>
     <org.apache.commons.commons-email.version>1.5</org.apache.commons.commons-email.version>
     <org.freemarker.freemarker.version>2.3.32</org.freemarker.freemarker.version>
-    <com.google.guava.guava.version>31.1-jre</com.google.guava.guava.version>
-    <log4j.log4j.version>1.2.17</log4j.log4j.version>
+    <com.google.guava.guava.version>33.0.0-jre</com.google.guava.guava.version>
+    <log4j.log4j.version>2.22.1</log4j.log4j.version>
     <org.slf4j.version>1.7.30</org.slf4j.version>
+    <org.slf4j-reload4j.version>2.0.11</org.slf4j-reload4j.version>
     <org.slf4j.jcl-over-slf4j.version>1.7.30</org.slf4j.jcl-over-slf4j.version>
     <org.slf4j.jul-to-slf4j.version>1.7.30</org.slf4j.jul-to-slf4j.version>
     <junit.junit.version>4.13.2</junit.junit.version>
-    <com.h2database.h2.version>1.4.199</com.h2database.h2.version>
+    <com.h2database.h2.version>2.2.224</com.h2database.h2.version>
     <jakarta.json.jakarta.json-api.version>2.1.1</jakarta.json.jakarta.json-api.version>
     <at.favre.lib.bcrypt.version>0.10.2</at.favre.lib.bcrypt.version>
     <org.apache.lucene.version>8.7.0</org.apache.lucene.version>
@@ -37,6 +38,7 @@
     <joda-time.joda-time.version>2.12.2</joda-time.joda-time.version>
     <org.hibernate.hibernate.version>6.3.1.Final</org.hibernate.hibernate.version>
     <fr.opensagres.xdocreport.version>2.0.4</fr.opensagres.xdocreport.version>
+    <xerces.xercesImpl.version>2.12.2</xerces.xercesImpl.version>
     <net.java.dev.jna.jna.version>5.13.0</net.java.dev.jna.jna.version>
     <com.twelvemonkeys.imageio.version>3.9.4</com.twelvemonkeys.imageio.version>
     <com.levigo.jbig2.levigo-jbig2-imageio.version>2.0</com.levigo.jbig2.levigo-jbig2-imageio.version>
@@ -45,11 +47,12 @@
     <org.subethamail.subethasmtp-wiser.version>1.2</org.subethamail.subethasmtp-wiser.version>
     <com.icegreen.greenmail.version>1.6.14</com.icegreen.greenmail.version>
     <org.jsoup.jsoup.version>1.15.4</org.jsoup.jsoup.version>
-    <com.squareup.okhttp3.okhttp.version>4.10.0</com.squareup.okhttp3.okhttp.version>
+    <com.squareup.okhttp3.okhttp.version>4.12.0</com.squareup.okhttp3.okhttp.version>
     <org.apache.directory.api.version>2.1.3</org.apache.directory.api.version>
     <org.apache.directory.server.apacheds-all.version>2.0.0.AM27</org.apache.directory.server.apacheds-all.version>
 
-    <org.glassfish.jersey.version>3.0.10</org.glassfish.jersey.version>
+    <org.glassfish.jersey.version>3.1.5</org.glassfish.jersey.version>
+    <parsson.version>1.1.5</parsson.version>
     <jakarta.servlet.jakarta.servlet-api.version>5.0.0</jakarta.servlet.jakarta.servlet-api.version>
     <org.eclipse.jetty.jetty-server.version>11.0.20</org.eclipse.jetty.jetty-server.version>
     <org.eclipse.jetty.jetty-webapp.version>11.0.20</org.eclipse.jetty.jetty-webapp.version>
@@ -219,15 +222,15 @@
       </dependency>
 
       <dependency>
-        <groupId>log4j</groupId>
-        <artifactId>log4j</artifactId>
+        <groupId>org.apache.logging.log4j</groupId>
+        <artifactId>log4j-core</artifactId>
         <version>${log4j.log4j.version}</version>
       </dependency>
 
       <dependency>
         <groupId>org.slf4j</groupId>
-        <artifactId>slf4j-log4j12</artifactId>
-        <version>${org.slf4j.version}</version>
+        <artifactId>slf4j-reload4j</artifactId>
+        <version>${org.slf4j-reload4j.version}</version>
       </dependency>
 
       <dependency>
@@ -270,6 +273,12 @@
         <groupId>org.glassfish.jersey.media</groupId>
         <artifactId>jersey-media-json-processing</artifactId>
         <version>${org.glassfish.jersey.version}</version>
+        <exclusions>
+            <exclusion>
+                <groupId>org.eclipse.parsson</groupId>
+                <artifactId>parsson</artifactId>
+            </exclusion>
+        </exclusions>
       </dependency>
 
       <dependency>
@@ -315,6 +324,12 @@
         <version>${org.glassfish.jersey.version}</version>
       </dependency>
 
+      <dependency>
+        <groupId>org.eclipse.parsson</groupId>
+        <artifactId>parsson</artifactId>
+        <version>${parsson.version}</version>
+      </dependency>
+
       <dependency>
         <groupId>jakarta.json</groupId>
         <artifactId>jakarta.json-api</artifactId>
@@ -403,6 +418,12 @@
         <groupId>fr.opensagres.xdocreport</groupId>
         <artifactId>fr.opensagres.odfdom.converter.pdf</artifactId>
         <version>${fr.opensagres.xdocreport.version}</version>
+        <exclusions>
+            <exclusion>
+                <groupId>xerces</groupId>
+                <artifactId>xercesImpl</artifactId>
+            </exclusion>
+        </exclusions>
       </dependency>
 
       <dependency>
@@ -411,6 +432,12 @@
         <version>${fr.opensagres.xdocreport.version}</version>
       </dependency>
 
+      <dependency>
+        <groupId>xerces</groupId>
+        <artifactId>xercesImpl</artifactId>
+        <version>${xerces.xercesImpl.version}</version>
+      </dependency>
+
       <dependency>
         <groupId>org.subethamail</groupId>
         <artifactId>subethasmtp-wiser</artifactId>
@@ -420,6 +447,10 @@
             <groupId>javax.mail</groupId>
             <artifactId>mail</artifactId>
           </exclusion>
+          <exclusion>
+            <groupId>log4j</groupId>
+            <artifactId>log4j</artifactId>
+          </exclusion>
         </exclusions>
       </dependency>