HERESUP-27616 IAM-6079 Replace ini4j dependency to apache commons-configuration2, update jackson-databind and async-http-client version to fix high risk vulnerablity"

ashishKhushiKumar · ashishKhushiKumar · commit 98c87a68f5ba · 2025-06-26T17:32:24.000+05:30
Signed-off-by: ashikuma &lt;ashish.kumar@here.com&gt;
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -8,7 +8,7 @@ jobs:
     steps:
       - uses: actions/checkout@v2
       - name: Cache local Maven repository
-        uses: actions/cache@v2
+        uses: actions/cache@v4
         with:
           path: $HOME/.m2
           key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
diff --git a/here-oauth-client/pom.xml b/here-oauth-client/pom.xml
@@ -81,8 +81,8 @@
     <dependencies>
         <!-- compile dependencies -->
         <dependency>
-            <groupId>org.ini4j</groupId>
-            <artifactId>ini4j</artifactId>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-configuration2</artifactId>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
diff --git a/here-oauth-client/src/main/java/com/here/account/auth/provider/FromHereCredentialsIniStream.java b/here-oauth-client/src/main/java/com/here/account/auth/provider/FromHereCredentialsIniStream.java
@@ -9,7 +9,10 @@
 
 import com.here.account.util.Clock;
 import com.here.account.util.SettableSystemClock;
-import org.ini4j.Ini;
+import org.apache.commons.configuration2.INIConfiguration;
+import org.apache.commons.configuration2.ex.ConfigurationException;
+import org.apache.commons.configuration2.HierarchicalConfiguration;
+import org.apache.commons.configuration2.tree.ImmutableNode;
 
 import com.here.account.auth.OAuth1ClientCredentialsProvider;
 import com.here.account.http.HttpConstants.HttpMethods;
@@ -64,27 +67,27 @@ protected static ClientAuthorizationRequestProvider getClientCredentialsProvider
         try {
             Properties properties = getPropertiesFromIni(inputStream, sectionName);
             return FromSystemProperties.getClientCredentialsProviderWithDefaultTokenEndpointUrl(clock, properties);
-        } catch (IOException e) {
+        } catch (IOException | ConfigurationException e) {
             throw new RequestProviderException("trouble FromFile " + e, e);
         }
     }
 
     static final String DEFAULT_INI_SECTION_NAME = "default";
-    
-    static Properties getPropertiesFromIni(InputStream inputStream, String sectionName) throws IOException {
-        Ini ini = new Ini();
+
+    static Properties getPropertiesFromIni(InputStream inputStream, String sectionName) throws IOException, ConfigurationException {
         try (Reader reader = new InputStreamReader(inputStream, OAuthConstants.UTF_8_CHARSET)) {
-            ini.load(reader);
-            Ini.Section section = ini.get(sectionName);
+            INIConfiguration ini = new INIConfiguration();
+            ini.read(reader);
             Properties properties = new Properties();
+            HierarchicalConfiguration<ImmutableNode> section = ini.getSection(sectionName);
             properties.put(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_ENDPOINT_URL_PROPERTY,
-                    section.get(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_ENDPOINT_URL_PROPERTY));
+                    section.getString(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_ENDPOINT_URL_PROPERTY));
             properties.put(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_ID_PROPERTY,
-                    section.get(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_ID_PROPERTY));
+                    section.getString(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_ID_PROPERTY));
             properties.put(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_SECRET_PROPERTY,
-                    section.get(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_SECRET_PROPERTY));
+                    section.getString(OAuth1ClientCredentialsProvider.FromProperties.ACCESS_KEY_SECRET_PROPERTY));
             // scope is optional
-            String scope = section.get(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_SCOPE_PROPERTY);
+            String scope = section.getString(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_SCOPE_PROPERTY);
             if (null != scope)
                 properties.put(OAuth1ClientCredentialsProvider.FromProperties.TOKEN_SCOPE_PROPERTY, scope);
 
diff --git a/here-oauth-client/src/test/java/com/here/account/auth/provider/FromHereCredentialsIniStreamTest.java b/here-oauth-client/src/test/java/com/here/account/auth/provider/FromHereCredentialsIniStreamTest.java
@@ -23,6 +23,7 @@
 import org.junit.Test;
 import org.mockito.Mockito;
 
+import org.apache.commons.configuration2.ex.ConfigurationException;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
@@ -84,7 +85,7 @@ public int read() throws IOException {
     }
 
     @Test(expected = RuntimeException.class)
-    public void test_invalid_stream() throws IOException {
+    public void test_invalid_stream() throws IOException, ConfigurationException {
         FromHereCredentialsIniStream.getPropertiesFromIni(null, TEST_DEFAULT_INI_SECTION_NAME);
     }
 
diff --git a/pom.xml b/pom.xml
@@ -65,11 +65,11 @@
 
         <!-- Declare versions for dependencies -->
         <apache.httpclient.version>4.5.13</apache.httpclient.version>
-        <ini4j.version>0.5.4</ini4j.version>
-        <jackson.version>2.13.3</jackson.version>
+        <commons-configuration2.version>2.12.0</commons-configuration2.version>
+        <jackson.version>2.13.4.2</jackson.version>
         <junit.version>4.13.1</junit.version>
         <mockito.version>1.10.19</mockito.version>
-        <ning.version>1.8.17</ning.version>
+        <ning.version>1.9.0</ning.version>
         <browsermob.version>2.1.5</browsermob.version>
 
         <!-- configure surefire and maven to be individually skippable -->
@@ -105,9 +105,9 @@
     <dependencyManagement>
         <dependencies>
             <dependency>
-                <groupId>org.ini4j</groupId>
-                <artifactId>ini4j</artifactId>
-                <version>${ini4j.version}</version>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-configuration2</artifactId>
+                <version>${commons-configuration2.version}</version>
             </dependency>
             <dependency>
                 <groupId>com.fasterxml.jackson.core</groupId>

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,7 @@`
`23`	`23`	`import org.junit.Test;`
`24`	`24`	`import org.mockito.Mockito;`
`25`	`25`
	`26`	`+import org.apache.commons.configuration2.ex.ConfigurationException;`
`26`	`27`	`import java.io.ByteArrayInputStream;`
`27`	`28`	`import java.io.IOException;`
`28`	`29`	`import java.io.InputStream;`
`@@ -84,7 +85,7 @@ public int read() throws IOException {`
`84`	`85`	`}`
`85`	`86`
`86`	`87`	`@Test(expected = RuntimeException.class)`
`87`		`- public void test_invalid_stream() throws IOException {`
	`88`	`+ public void test_invalid_stream() throws IOException, ConfigurationException {`
`88`	`89`	`FromHereCredentialsIniStream.getPropertiesFromIni(null, TEST_DEFAULT_INI_SECTION_NAME);`
`89`	`90`	`}`
`90`	`91`