[PRODSEC-8961] fix for commons-net vulnerability

This reverts commit cc0955e012.

.github/workflows/ci.yml

@@ -28,6 +28,23 @@ jobs:
     steps:
       - uses: Alfresco/alfresco-build-tools/.github/actions/pre-commit@v1.35.0
 
+  veracode_sca:
+    name: "Veracode - Source Clear Scan (SCA)"
+    runs-on: ubuntu-latest
+    if: >
+      github.ref_name == 'master' ||
+      github.event_name == 'pull_request'
+    steps:
+      - uses: actions/checkout@v3
+      - uses: Alfresco/alfresco-build-tools/.github/actions/get-build-info@v1.34.0
+      - uses: Alfresco/alfresco-build-tools/.github/actions/setup-java-build@v1.34.0
+      - name: "Clean-up SNAPSHOT artifacts"
+        run: find "${HOME}/.m2/repository/" -type d -name "*-SNAPSHOT*" | xargs -r -l rm -rf
+      - uses: Alfresco/alfresco-build-tools/.github/actions/veracode@v1.34.0
+        continue-on-error: true
+        with:
+          srcclr-api-token: ${{ secrets.SRCCLR_API_TOKEN }}
+
   build:
     name: "Build application"
     runs-on: ubuntu-latest

archetypes/alfresco-allinone-archetype/pom.xml

@@ -11,7 +11,7 @@
   <parent>
     <groupId>org.alfresco.maven</groupId>
     <artifactId>alfresco-sdk-aggregator</artifactId>
-    <version>4.8.0</version>
+    <version>4.9.0-SNAPSHOT</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
 

archetypes/alfresco-allinone-archetype/src/main/resources/archetype-resources/__rootArtifactId__-platform-docker/src/main/docker/Dockerfile

@@ -14,10 +14,16 @@ RUN java -jar $TOMCAT_DIR/alfresco-mmt/alfresco-mmt*.jar install \
               $TOMCAT_DIR/amps $TOMCAT_DIR/webapps/alfresco -directory -nobackup -force
 
 COPY alfresco-global.properties $TOMCAT_DIR/shared/classes/alfresco-global.properties
-COPY dev-log4j2.properties $TOMCAT_DIR/shared/classes/alfresco/extension
+COPY dev-log4j2.properties $TOMCAT_DIR/shared/classes/alfresco/extension/dev-log4j2.properties
 COPY disable-webscript-caching-context.xml $TOMCAT_DIR/shared/classes/alfresco/extension
 
 # Copy Dockerfile to avoid an error if no license file exists
 COPY Dockerfile license/*.* $TOMCAT_DIR/webapps/alfresco/WEB-INF/classes/alfresco/extension/license/
 
+# Move the log file
+RUN sed -i -e "s_appender.rolling.fileName\=alfresco.log_appender.rolling.fileName\=${TOMCAT_DIR}/logs\/alfresco.log_" \
+        ${TOMCAT_DIR}/shared/classes/alfresco/extension/dev-log4j2.properties && \
+    sed -i -e "s_appender.rolling.filePattern=alfresco.log.%d{yyyy-MM-dd}_appender.rolling.filePattern\=${TOMCAT_DIR}/logs\/alfresco.log.%d{yyyy-MM-dd}_" \
+        ${TOMCAT_DIR}/shared/classes/alfresco/extension/dev-log4j2.properties
+
 USER ${USERNAME}

archetypes/alfresco-allinone-archetype/src/main/resources/archetype-resources/__rootArtifactId__-platform-docker/src/main/docker/dev-log4j2.properties

@@ -1,19 +1,11 @@
-#set( $symbol_pound = '#' )
-#set( $symbol_dollar = '$' )
-#set( $symbol_escape = '\' )
-# Set root logger level to error
-#log4j2.rootLogger=error, Console, File
 rootLogger.level=error
 rootLogger.appenderRef.stdout.ref=ConsoleAppender
 rootLogger.appenderRef.rolling.ref=RollingAppender
 
-
 # All outputs currently set to be a ConsoleAppender.
 appender.console.type=Console
 appender.console.name=ConsoleAppender
 appender.console.layout.type=PatternLayout
-appender.console.layout.pattern=%d{ISO8601} %x %-5p [%c{3}] [%t] %replace{%m}{[\r\n]+}{}%n
-
 # use log4j NDC to replace %x with tenant domain / username
 appender.console.layout.pattern=%d{ISO8601} %x %-5p [%c{3}] [%t] %replace{%m}{[\r\n]+}{}%n
 
@@ -206,10 +198,6 @@ logger.alfresco-repo-node-db-NodeStringLengthWorker.level=info
 logger.alfresco-repo-workflow.name=org.alfresco.repo.workflow
 logger.alfresco-repo-workflow.level=info
 
-# CIFS server debugging
-logger.alfresco-smb.protocol.name=org.alfresco.smb.protocol
-logger.alfresco-smb.protocol.level=error
-
 # FTP server debugging
 logger.alfresco-ftp-protocol.name=org.alfresco.ftp.protocol
 logger.alfresco-ftp-protocol.level=error
@@ -368,7 +356,6 @@ logger.alfresco-repo-domain-schema-script-DeleteNotExistsExecutor.level=off
 logger.alfresco-repo-search-impl-solr-facet-SolrFacetServiceImpl.name=org.alfresco.repo.search.impl.solr.facet.SolrFacetServiceImpl
 logger.alfresco-repo-search-impl-solr-facet-SolrFacetServiceImpl.level=info
 
-
 # Bulk Filesystem Import Tool
 logger.alfresco-repo-bulkimport.name=org.alfresco.repo.bulkimport
 logger.alfresco-repo-bulkimport.level=warn
@@ -386,9 +373,6 @@ logger.alfresco-repo-content-metadata-AbstractMappingMetadataExtracter.level=war
 logger.apache-pdfbox-pdmodel-font-PDSimpleFont.name=org.apache.pdfbox.pdmodel.font.PDSimpleFont
 logger.apache-pdfbox-pdmodel-font-PDSimpleFont.level=fatal
 
-logger.apache-pdfbox-pdmodel-font-PDFont.name=org.apache.pdfbox.pdmodel.font.PDFont
-logger.apache-pdfbox-pdmodel-font-PDFont=fatal
-
 logger.apache-pdfbox-pdmodel-font-PDCIDFont.name=org.apache.pdfbox.pdmodel.font.PDCIDFont
 logger.apache-pdfbox-pdmodel-font-PDCIDFont.level=fatal
 
@@ -398,7 +382,6 @@ logger.alfresco-repo-search-impl-noindex-NoIndexIndexer.level=fatal
 
 logger.alfresco-repo-search-impl-noindex-NoIndexSearchService.name=org.alfresco.repo.search.impl.noindex.NoIndexSearchService
 logger.alfresco-repo-search-impl-noindex-NoIndexSearchService.level=fatal
-.
 
 # lucene index warnings
 logger.alfresco-repo-search-impl-lucene-index-IndexInfo.name=org.alfresco.repo.search.impl.lucene.index.IndexInfo
@@ -421,10 +404,9 @@ logger.alfresco-enterprise-repo-authorization-AuthorizationsConsistencyMonitor.l
 #-----------------------------------------------------------------------
 # Platform module logging
 #-----------------------------------------------------------------------
-logger.${package}-platformsample-DemoComponent.name=${package}.platformsample.DemoComponent
-logger.${package}-platformsample-DemoComponent.level=debug
-logger.${package}-platformsample-HelloWorldWebScript.name=${package}.platformsample.HelloWorldWebScript
-logger.${package}-platformsample-HelloWorldWebScript.level=debug
-
+logger.platformsample-DemoComponent.name=${package}.platformsample.DemoComponent
+logger.platformsample-DemoComponent.level=debug
+logger.platformsample-HelloWorldWebScript.name=${package}.platformsample.HelloWorldWebScript
+logger.platformsample-HelloWorldWebScript.level=debug
 
 

archetypes/alfresco-platform-jar-archetype/pom.xml

@@ -12,7 +12,7 @@
   <parent>
     <groupId>org.alfresco.maven</groupId>
     <artifactId>alfresco-sdk-aggregator</artifactId>
-    <version>4.8.0</version>
+    <version>4.9.0-SNAPSHOT</version>
     <relativePath>../../pom.xml</relativePath>
   </parent>
 

archetypes/alfresco-share-jar-archetype/pom.xml

@@ -14,7 +14,7 @@
     <parent>
         <groupId>org.alfresco.maven</groupId>
         <artifactId>alfresco-sdk-aggregator</artifactId>
-        <version>4.8.0</version>
+        <version>4.9.0-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

archetypes/archetypes-it/pom.xml

@@ -17,7 +17,7 @@
     <parent>
         <groupId>org.alfresco.maven</groupId>
         <artifactId>alfresco-sdk-aggregator</artifactId>
-        <version>4.8.0</version>
+        <version>4.9.0-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

modules/alfresco-rad/pom.xml

@@ -10,7 +10,7 @@
     <parent>
         <groupId>org.alfresco.maven</groupId>
         <artifactId>alfresco-sdk-aggregator</artifactId>
-        <version>4.8.0</version>
+        <version>4.9.0-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 

plugins/alfresco-maven-plugin/pom.xml

@@ -8,7 +8,7 @@
     <parent>
         <groupId>org.alfresco.maven</groupId>
         <artifactId>alfresco-sdk-aggregator</artifactId>
-        <version>4.8.0</version>
+        <version>4.9.0-SNAPSHOT</version>
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
@@ -92,7 +92,7 @@
         <dependency>
             <groupId>org.codehaus.plexus</groupId>
             <artifactId>plexus-archiver</artifactId>
-            <version>3.4</version>
+            <version>4.9.2</version>
         </dependency>
         <dependency>
             <groupId>org.apache.maven</groupId>
@@ -102,7 +102,7 @@
         <dependency>
             <groupId>org.apache.maven</groupId>
             <artifactId>maven-core</artifactId>
-            <version>3.2.5</version>
+            <version>3.9.7</version>
         </dependency>
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
@@ -112,7 +112,7 @@
         <dependency>
             <groupId>commons-net</groupId>
             <artifactId>commons-net</artifactId>
-            <version>3.6</version>
+            <version>3.10.0</version>
         </dependency>
         <dependency>
             <groupId>commons-io</groupId>
@@ -127,7 +127,12 @@
         <dependency>
             <groupId>org.alfrescolabs.alfresco-technical-validation</groupId>
             <artifactId>org.alfrescolabs.alfresco-technical-validation</artifactId>
-            <version>0.4.0</version>
+            <version>0.6.0</version>
+        </dependency>
+        <dependency>
+            <groupId>commons-lang</groupId>
+            <artifactId>commons-lang</artifactId>
+            <version>2.6</version>
         </dependency>
         <dependency>
             <groupId>org.twdata.maven</groupId>
@@ -138,7 +143,7 @@
         <dependency>
             <groupId>org.zeroturnaround</groupId>
             <artifactId>zt-zip</artifactId>
-            <version>1.11</version>
+            <version>1.17</version>
         </dependency>
         <dependency>
             <groupId>de.schlichtherle.truezip</groupId>

pom.xml

@@ -3,7 +3,7 @@
     <modelVersion>4.0.0</modelVersion>
     <groupId>org.alfresco.maven</groupId>
     <artifactId>alfresco-sdk-aggregator</artifactId>
-    <version>4.8.0</version>
+    <version>4.9.0-SNAPSHOT</version>
     <name>Alfresco SDK</name>
     <description>This aggregator Project builds all modules required for the Alfresco SDK</description>
     <packaging>pom</packaging>

srcclr.yml

@@ -0,0 +1,3 @@
+# To avoid the provided dependencies we set the scope to runtime. See: https://docs.veracode.com/r/c_sc_scan_directives
+# runtime: to restrict the scan to compile and runtime dependencies.
+scope: runtime