HERESUP-27616 IAM-6079 Fix dependency vulnurablities

Signed-off-by: ashikuma <ashish.kumar@here.com>

Author: ashishKhushiKumar

.github/workflows/test.yml

@@ -8,7 +8,7 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - name: Cache local Maven repository
-        uses: actions/cache@v2
+        uses: actions/cache@v4
         with:
           path: $HOME/.m2
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}

here-oauth-client/pom.xml

@@ -81,8 +81,8 @@
     <dependencies>
         <!-- compile dependencies -->
         <dependency>
-            <groupId>org.ini4j</groupId>
-            <artifactId>ini4j</artifactId>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-configuration2</artifactId>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>

here-oauth-client/src/main/java/com/here/account/auth/provider/FromHereCredentialsIniStream.java

@@ -4,12 +4,16 @@
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.Reader;
+import java.util.Iterator;
 import java.util.Objects;
 import java.util.Properties;
 
 import com.here.account.util.Clock;
 import com.here.account.util.SettableSystemClock;
-import org.ini4j.Ini;
+import org.apache.commons.configuration2.INIConfiguration;
+import org.apache.commons.configuration2.ex.ConfigurationException;
+import org.apache.commons.configuration2.HierarchicalConfiguration;
+import org.apache.commons.configuration2.tree.ImmutableNode;
 
 import com.here.account.auth.OAuth1ClientCredentialsProvider;
 import com.here.account.http.HttpConstants.HttpMethods;
@@ -64,30 +68,38 @@ protected static ClientAuthorizationRequestProvider getClientCredentialsProvider
         try {
             Properties properties = getPropertiesFromIni(inputStream, sectionName);
             return FromSystemProperties.getClientCredentialsProviderWithDefaultTokenEndpointUrl(clock, properties);
-        } catch (IOException e) {
+        } catch (IOException | ConfigurationException e) {
             throw new RequestProviderException("trouble FromFile " + e, e);
         }
     }
 
     static final String DEFAULT_INI_SECTION_NAME = "default";
-    
-    static Properties getPropertiesFromIni(InputStream inputStream, String sectionName) throws IOException {
-        Ini ini = new Ini();
+
+    static Properties getPropertiesFromIni(InputStream inputStream, String sectionName) throws IOException, ConfigurationException {
         try (Reader reader = new InputStreamReader(inputStream, OAuthConstants.UTF_8_CHARSET)) {
-            ini.load(reader);
-            Ini.Section section = ini.get(sectionName);
+            INIConfiguration ini = new INIConfiguration();
+            ini.read(reader);
+            HierarchicalConfiguration<ImmutableNode> section = ini.getSection(sectionName);
             Properties properties = new Properties();
-            properties.put(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_ENDPOINT_URL_PROPERTY,
-                    section.get(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_ENDPOINT_URL_PROPERTY));
-            properties.put(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_ID_PROPERTY,
-                    section.get(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_ID_PROPERTY));
-            properties.put(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_SECRET_PROPERTY,
-                    section.get(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_SECRET_PROPERTY));
-            // scope is optional
-            String scope = section.get(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_SCOPE_PROPERTY);
-            if (null != scope)
-                properties.put(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_SCOPE_PROPERTY, scope);
-
+            Iterator<String> it = section.getKeys();
+            while (it.hasNext()) {
+                String key = it.next();
+                String value = section.getString(key);
+                switch (key.replaceAll("\\.+", ".")) {
+                    case OAuth1ClientCredentialsProvider.FromProperties.TOKEN_ENDPOINT_URL_PROPERTY:
+                        properties.put(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_ENDPOINT_URL_PROPERTY, value);
+                        break;
+                    case OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_ID_PROPERTY:
+                        properties.put(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_ID_PROPERTY, value);
+                        break;
+                    case OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_SECRET_PROPERTY:
+                        properties.put(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_SECRET_PROPERTY, value);
+                        break;
+                    case OAuth1ClientCredentialsProvider.FromProperties.TOKEN_SCOPE_PROPERTY:
+                        properties.put(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_SCOPE_PROPERTY, value);
+                        break;
+                }
+            }
             return properties;
         }
     }

here-oauth-client/src/test/java/com/here/account/auth/provider/FromHereCredentialsIniStreamTest.java

@@ -20,6 +20,7 @@
 import com.here.account.http.HttpProvider.HttpRequestAuthorizer;
 import com.here.account.oauth2.ClientAuthorizationRequestProvider;
 import com.here.account.util.Clock;
+import org.apache.commons.configuration2.ex.ConfigurationException;
 import org.junit.Test;
 import org.mockito.Mockito;
 
@@ -84,7 +85,7 @@ public int read() throws IOException {
     }
 
     @Test(expected = RuntimeException.class)
-    public void test_invalid_stream() throws IOException {
+    public void test_invalid_stream() throws IOException, ConfigurationException {
         FromHereCredentialsIniStream.getPropertiesFromIni(null, TEST_DEFAULT_INI_SECTION_NAME);
     }
 

pom.xml

@@ -65,8 +65,8 @@
 
         <!-- Declare versions for dependencies -->
         <apache.httpclient.version>4.5.13</apache.httpclient.version>
-        <ini4j.version>0.5.4</ini4j.version>
-        <jackson.version>2.13.3</jackson.version>
+        <commons-configuration2.version>2.12.0</commons-configuration2.version>
+        <jackson.version>2.13.4.2</jackson.version>
         <junit.version>4.13.1</junit.version>
         <mockito.version>1.10.19</mockito.version>
         <ning.version>1.8.17</ning.version>
@@ -105,9 +105,9 @@
     <dependencyManagement>
         <dependencies>
             <dependency>
-                <groupId>org.ini4j</groupId>
-                <artifactId>ini4j</artifactId>
-                <version>${ini4j.version}</version>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-configuration2</artifactId>
+                <version>${commons-configuration2.version}</version>
             </dependency>
             <dependency>
                 <groupId>com.fasterxml.jackson.core</groupId>