Security alert jetty version (#711)

* Inherit version from parent not define here. * Remove duped dependencies. * Upgrade jetty version https://nvd.nist.gov/vuln/detail/CVE-2019-10247 https://nvd.nist.gov/vuln/detail/CVE-2019-10246 https://nvd.nist.gov/vuln/detail/CVE-2019-10241 * Add longer timeout and some more logging. * Adjust log levels * More logging * More logging * Switch off https due to annoying issues with travis.
Consensys · Apr 24, 2019 · bd93f6d · bd93f6d
1 parent 7510c03
commit bd93f6d
Show file tree

Hide file tree

Showing 7 changed files with 17 additions and 20 deletions.
diff --git a/logback-build.xml b/logback-build.xml
@@ -9,7 +9,7 @@
         </encoder>
     </appender>
     <logger name="exec" level="DEBUG" />
-    <root level="ERROR">
+    <root level="INFO">
         <appender-ref ref="STDOUT" />
     </root>
 </configuration>
diff --git a/pom.xml b/pom.xml
@@ -41,7 +41,7 @@
 
     <properties>
         <jersey.version>2.27</jersey.version>
-        <jetty.version>9.4.10.v20180503</jetty.version>
+        <jetty.version>9.4.17.v20190418</jetty.version>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <maven.compiler.source>1.8</maven.compiler.source>
         <maven.compiler.target>1.8</maven.compiler.target>

diff --git a/server/pom.xml b/server/pom.xml
@@ -6,9 +6,6 @@
     <artifactId>server</artifactId>
     <packaging>pom</packaging>
 
-    <properties>
-        <jetty.version>9.4.14.v20181114</jetty.version>
-    </properties>
 
     <parent>
         <artifactId>tessera</artifactId>

diff --git a/server/server-utils/pom.xml b/server/server-utils/pom.xml
@@ -9,33 +9,29 @@
     <artifactId>server-utils</artifactId>
     <packaging>jar</packaging>
     <dependencies>
-        <dependency>
-            <groupId>org.eclipse.jetty</groupId>
-            <artifactId>jetty-server</artifactId>
-            <type>jar</type>
-        </dependency>
+
         <dependency>
             <groupId>com.jpmorgan.quorum</groupId>
             <artifactId>config</artifactId>
             <type>jar</type>
         </dependency>
+
         <dependency>
             <groupId>com.jpmorgan.quorum</groupId>
             <artifactId>security</artifactId>
             <type>jar</type>
         </dependency>
+
         <dependency>
             <groupId>org.eclipse.jetty</groupId>
             <artifactId>jetty-unixsocket</artifactId>
             <type>jar</type>
         </dependency>
+
         <dependency>
             <groupId>org.eclipse.jetty</groupId>
             <artifactId>jetty-server</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.eclipse.jetty</groupId>
-            <artifactId>jetty-unixsocket</artifactId>
-        </dependency>
+
     </dependencies>
 </project>
diff --git a/tests/acceptance-test/src/test/java/config/ConfigBuilder.java b/tests/acceptance-test/src/test/java/config/ConfigBuilder.java
@@ -169,9 +169,9 @@ public Config build() {
                 null,
                 null
             );
-            enclaveServerConfig.setBindingAddress("https://0.0.0.0:" + enclavePort);
-            enclaveServerConfig.setServerAddress("https://localhost:" + enclavePort);
-            enclaveServerConfig.setSslConfig(sslConfig);
+            enclaveServerConfig.setBindingAddress("http://0.0.0.0:" + enclavePort);
+            enclaveServerConfig.setServerAddress("http://localhost:" + enclavePort);
+           // enclaveServerConfig.setSslConfig(sslConfig);
             enclaveServerConfig.setCommunicationType(CommunicationType.REST);
 
             servers.add(enclaveServerConfig);

diff --git a/tests/acceptance-test/src/test/java/suite/HttpsServerStatusCheck.java b/tests/acceptance-test/src/test/java/suite/HttpsServerStatusCheck.java
@@ -7,9 +7,13 @@
 import javax.net.ssl.SSLContext;
 import java.io.IOException;
 import java.net.URL;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 public class HttpsServerStatusCheck implements ServerStatusCheck {
 
+    private static final Logger LOGGER = LoggerFactory.getLogger(HttpsServerStatusCheck.class);
+
     private final URL url;
 
     private final SslConfig sslConfig;
@@ -32,7 +36,7 @@ public boolean checkStatus() {
 
             return true;
         } catch (IOException ex) {
-            LOGGER.warn(ex.getMessage());
+            LOGGER.warn("url: {}, message: {}",url,ex.getMessage());
             LOGGER.debug(null, ex);
             return false;
         } finally {

diff --git a/tests/acceptance-test/src/test/resources/logback-test.xml b/tests/acceptance-test/src/test/resources/logback-test.xml
@@ -14,8 +14,8 @@
     <logger name="io.grpc" level="INFO" />
     <logger name="io.netty" level="INFO" />
 
-    <logger name="suite.GrpcPartyInfoCheck" level="DEBUG" />
-  <logger name="suite.RestPartyInfoChecker" level="DEBUG" />
+    <logger name="suite.GrpcPartyInfoCheck" level="INFO" />
+  <logger name="suite.RestPartyInfoChecker" level="INFO" />
     <root level="INFO">
         <appender-ref ref="STDOUT"/>
     </root>