Merge pull request #322 from TreeBASE/copilot/fix-dependabot-alerts

Update dependencies to address security vulnerabilities

Author: rvosa

oai-pmh_data_provider/data_provider_web/pom.xml

@@ -124,6 +124,13 @@
       <groupId>struts</groupId>
       <artifactId>struts</artifactId>
       <version>1.2.9</version>
+      <exclusions>
+		<!-- Exclude old ANTLR 2.7.2 - Hibernate 5 requires 2.7.7 -->
+		<exclusion>
+          <groupId>antlr</groupId>
+          <artifactId>antlr</artifactId>
+		</exclusion>
+      </exclusions>
 	</dependency>
 	<dependency>
       <groupId>opensymphony</groupId>
@@ -134,6 +141,21 @@
       <groupId>displaytag</groupId>
       <artifactId>displaytag</artifactId>
       <version>1.1.1</version>
+      <exclusions>
+		<!-- Exclude old SLF4J versions -->
+		<exclusion>
+          <groupId>org.slf4j</groupId>
+          <artifactId>slf4j-api</artifactId>
+		</exclusion>
+		<exclusion>
+          <groupId>org.slf4j</groupId>
+          <artifactId>slf4j-log4j12</artifactId>
+		</exclusion>
+		<exclusion>
+          <groupId>org.slf4j</groupId>
+          <artifactId>jcl104-over-slf4j</artifactId>
+		</exclusion>
+      </exclusions>
 	</dependency>
 	<dependency>
       <groupId>struts-menu</groupId>
@@ -160,7 +182,20 @@
 		<exclusion>
 	  	  <groupId>javax.servlet</groupId>
 		  <artifactId>jstl</artifactId>
-		</exclusion>      
+		</exclusion>
+		<!-- Exclude old SLF4J versions -->
+		<exclusion>
+          <groupId>org.slf4j</groupId>
+          <artifactId>slf4j-api</artifactId>
+		</exclusion>
+		<exclusion>
+          <groupId>org.slf4j</groupId>
+          <artifactId>slf4j-log4j12</artifactId>
+		</exclusion>
+		<exclusion>
+          <groupId>org.slf4j</groupId>
+          <artifactId>jcl104-over-slf4j</artifactId>
+		</exclusion>
       </exclusions>        
 	</dependency>
 	<dependency>
@@ -244,6 +279,12 @@
       <groupId>javax.servlet</groupId>
       <artifactId>servlet-api</artifactId>
       <version>2.4</version>
+	</dependency>
+	<!-- Velocity 1.7 compatible with Spring 4.x -->
+	<dependency>
+      <groupId>org.apache.velocity</groupId>
+      <artifactId>velocity</artifactId>
+      <version>1.7</version>
 	</dependency>
 	<dependency>
       <groupId>velocity-tools</groupId>
@@ -265,6 +306,20 @@
       <artifactId>treebase-core</artifactId>
       <version>1.0-SNAPSHOT</version>
 	</dependency>
+
+    <!-- SLF4J 2.0.16 for compatibility with Log4j 2.24.3 -->
+    <dependency>
+        <groupId>org.slf4j</groupId>
+        <artifactId>slf4j-api</artifactId>
+        <version>2.0.16</version>
+    </dependency>
+
+    <!-- Log4j 2.x SLF4J binding -->
+    <dependency>
+        <groupId>org.apache.logging.log4j</groupId>
+        <artifactId>log4j-slf4j2-impl</artifactId>
+        <version>2.24.3</version>
+    </dependency>
 
   </dependencies>
 

oai-pmh_data_provider/data_provider_web/src/main/java/org/cipres/treebase/web/compat/AbstractCommandController.java

@@ -0,0 +1,96 @@
+package org.cipres.treebase.web.compat;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.validation.Validator;
+import org.springframework.web.bind.ServletRequestDataBinder;
+import org.springframework.web.servlet.ModelAndView;
+import org.springframework.web.servlet.mvc.AbstractController;
+
+/**
+ * Compatibility class to bridge Spring 3.x AbstractCommandController to Spring 4.x
+ * This class provides a similar API to the removed Spring 3.x AbstractCommandController
+ * by extending AbstractController and implementing command binding manually
+ */
+public abstract class AbstractCommandController extends AbstractController {
+    
+    private Class<?> commandClass;
+    private String commandName = "command";
+    private Validator validator;
+    
+    public void setCommandClass(Class<?> commandClass) {
+        this.commandClass = commandClass;
+    }
+    
+    public Class<?> getCommandClass() {
+        return commandClass;
+    }
+    
+    public void setCommandName(String commandName) {
+        this.commandName = commandName;
+    }
+    
+    public String getCommandName() {
+        return commandName;
+    }
+    
+    public void setValidator(Validator validator) {
+        this.validator = validator;
+    }
+    
+    public Validator getValidator() {
+        return validator;
+    }
+    
+    @Override
+    protected ModelAndView handleRequestInternal(HttpServletRequest request, HttpServletResponse response) throws Exception {
+        Object command = createCommand();
+        ServletRequestDataBinder binder = createBinder(request, command);
+        binder.bind(request);
+        org.springframework.validation.BindException errors = new org.springframework.validation.BindException(binder.getBindingResult());
+        
+        // Validate if validator is set
+        if (validator != null) {
+            validator.validate(command, errors);
+        }
+        
+        return handle(request, response, command, errors);
+    }
+    
+    protected Object createCommand() throws Exception {
+        if (commandClass != null) {
+            return commandClass.newInstance();
+        }
+        return new Object();
+    }
+    
+    protected ServletRequestDataBinder createBinder(HttpServletRequest request, Object command) throws Exception {
+        ServletRequestDataBinder binder = new ServletRequestDataBinder(command, getCommandName());
+        initBinder(request, binder);
+        return binder;
+    }
+    
+    protected void initBinder(HttpServletRequest request, ServletRequestDataBinder binder) throws Exception {
+        // Override to customize binder
+    }
+    
+    /**
+     * Template method for handling the command.
+     * Subclasses must override this method to process the bound command object.
+     * This version includes binding errors for validation.
+     */
+    protected ModelAndView handle(HttpServletRequest request, HttpServletResponse response, Object command, org.springframework.validation.BindException errors) throws Exception {
+        // Default implementation calls the 3-parameter version for backwards compatibility
+        return handle(request, response, command);
+    }
+    
+    /**
+     * Template method for handling the command.
+     * Subclasses can override this method to process the bound command object.
+     * Override the 4-parameter version if you need access to binding errors.
+     */
+    protected ModelAndView handle(HttpServletRequest request, HttpServletResponse response, Object command) throws Exception {
+        throw new UnsupportedOperationException("Subclasses must override either handle(request, response, command) or handle(request, response, command, errors)");
+    }
+}

oai-pmh_data_provider/data_provider_web/src/main/java/org/cipres/treebase/web/controllers/OAIPMHController.java

@@ -12,7 +12,7 @@
 
 import org.springframework.validation.BindException;
 import org.springframework.web.servlet.ModelAndView;
-import org.springframework.web.servlet.mvc.AbstractCommandController;
+import org.cipres.treebase.web.compat.AbstractCommandController;
 import org.treebase.oai.web.command.Identify;
 import org.treebase.oai.web.command.OAIPMHCommand;
 import org.treebase.oai.web.util.IdentifyUtil;

oai-pmh_data_provider/data_provider_web/src/test/java/org/treebase/oai/PackageTestSuite.java

@@ -1,23 +1,13 @@
 package org.treebase.oai;
 
-import junit.framework.Test;
-import junit.framework.TestSuite;
-
-
+import org.junit.runner.RunWith;
+import org.junit.runners.Suite;
+import org.junit.runners.Suite.SuiteClasses;
+
+@RunWith(Suite.class)
+@SuiteClasses({
+	org.treebase.oai.web.PackageTestSuite.class
+})
 public class PackageTestSuite {
-
-
-	public static void main(String[] args) {
-		junit.textui.TestRunner.run(suite());
-	}
-
-	
-	public static Test suite() {
-		TestSuite suite = new TestSuite("Tests in package " + PackageTestSuite.class.getName());
-
-		suite.addTest(org.treebase.oai.web.PackageTestSuite.suite());
-
-		return suite;
-	}
+	// JUnit 4 suite - test classes are specified in @SuiteClasses annotation
 }
-

oai-pmh_data_provider/data_provider_web/src/test/java/org/treebase/oai/web/PackageTestSuite.java

@@ -1,29 +1,15 @@
 package org.treebase.oai.web;
 
-import junit.framework.Test;
-import junit.framework.TestSuite;
-
-
+import org.junit.runner.RunWith;
+import org.junit.runners.Suite;
+import org.junit.runners.Suite.SuiteClasses;
+
+@RunWith(Suite.class)
+@SuiteClasses({
+	org.treebase.oai.web.command.PackageTestSuite.class,
+	org.treebase.oai.web.controller.PackageTestSuite.class,
+	org.treebase.oai.web.util.PackageTestSuite.class
+})
 public class PackageTestSuite {
-
-
-	public static void main(String[] args) {
-		junit.textui.TestRunner.run(suite());
-	}
-
-	
-	public static Test suite() {
-		TestSuite suite = new TestSuite("Tests in package " + PackageTestSuite.class.getName());
-
-		//suite.addTestSuite(ContextManagerTest.class);
-		//suite.addTestSuite(RangeExpressionTest.class);
-		//suite.addTestSuite(TreebaseIDStringTest.class);
-		//suite.addTestSuite(TreebaseUtilTest.class);
-
-		suite.addTest(org.treebase.oai.web.command.PackageTestSuite.suite());
-		suite.addTest(org.treebase.oai.web.controller.PackageTestSuite.suite());
-		suite.addTest(org.treebase.oai.web.util.PackageTestSuite.suite());
-		
-		return suite;
-	}
+	// JUnit 4 suite - test classes are specified in @SuiteClasses annotation
 }

oai-pmh_data_provider/data_provider_web/src/test/java/org/treebase/oai/web/command/IdentifyTest.java

@@ -2,27 +2,24 @@
 
 import java.util.Date;
 
-import org.springframework.test.AbstractDependencyInjectionSpringContextTests;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.test.context.ContextConfiguration;
+import org.springframework.test.context.junit4.SpringJUnit4ClassRunner;
 
+import static org.junit.Assert.assertNotNull;
 
-public class IdentifyTest extends AbstractDependencyInjectionSpringContextTests {
+@RunWith(SpringJUnit4ClassRunner.class)
+@ContextConfiguration(locations = {"classpath:applicationContext.xml"})
+public class IdentifyTest {
 
+	@Autowired
 	private Identify identify;
 
-	public void setIdentify(Identify identify) {
-		this.identify = identify;
-	}
-
-	@Override
-	protected String[] getConfigLocations() { 
-	return new String[]{"applicationContext.xml"};
-	} 
-	
+	@Test
 	public void testLoadIdentify() {
-	
-		this.assertNotNull(identify);
-		
+		assertNotNull(identify);
 	}
 
-
 }

oai-pmh_data_provider/data_provider_web/src/test/java/org/treebase/oai/web/command/PackageTestSuite.java

@@ -1,18 +1,13 @@
 package org.treebase.oai.web.command;
 
-import junit.framework.Test;
-import junit.framework.TestSuite;
-
+import org.junit.runner.RunWith;
+import org.junit.runners.Suite;
+import org.junit.runners.Suite.SuiteClasses;
+
+@RunWith(Suite.class)
+@SuiteClasses({
+	IdentifyTest.class
+})
 public class PackageTestSuite {
-
-	public static Test suite() {
-		TestSuite suite = new TestSuite("Test for org.cipres.treebase.auxdata");
-		
-		suite.addTestSuite(IdentifyTest.class);
-	
-	
-		
-		return suite;
-	}
-
+	// JUnit 4 suite - test classes are specified in @SuiteClasses annotation
 }