[BUG] High vulnerabilities found in org.apache.cxf_cxf-core version 3.1.2

[pc-dhutton]

Describe the bug After running a twist-lock scan on FuelSdk a few vulnerabilities appeared in some of the jars used to make it. Most of these vulnerabilities can be fixed but excluding them from FuelSdk POM and bringing in the latest versions. However, that is not the case with org.apache.cxf_cxf-core version 3.1.2. When updating cxf from 3.1.2 to 3.3.10 an incompatibility error is raised.

java.lang.IncompatibleClassChangeError: class org.apache.cxf.jaxws.WrapperClassGenerator has interface org.apache.cxf.common.util.ASMHelper as super class at java.base/java.lang.ClassLoader.defineClass1(Native Method) at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1016) at java.base/java.security.SecureClassLoader.defineClass(SecureClassLoader.java:174) at java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:802) at java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:700) at java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:623) at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581) at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178) at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:521) at org.apache.cxf.jaxws.support.JaxWsServiceFactoryBean.generatedWrapperBeanClass(JaxWsServiceFactoryBean.java:672) at org.apache.cxf.jaxws.support.JaxWsServiceFactoryBean.getExtraClass(JaxWsServiceFactoryBean.java:645) at org.apache.cxf.wsdl.service.factory.ReflectionServiceFactoryBean.buildServiceFromWSDL(ReflectionServiceFactoryBean.java:417) at org.apache.cxf.wsdl.service.factory.ReflectionServiceFactoryBean.initializeServiceModel(ReflectionServiceFactoryBean.java:525) at org.apache.cxf.wsdl.service.factory.ReflectionServiceFactoryBean.create(ReflectionServiceFactoryBean.java:261) at org.apache.cxf.jaxws.support.JaxWsServiceFactoryBean.create(JaxWsServiceFactoryBean.java:199) at org.apache.cxf.frontend.AbstractWSDLBasedEndpointFactory.createEndpoint(AbstractWSDLBasedEndpointFactory.java:102) at org.apache.cxf.frontend.ClientFactoryBean.create(ClientFactoryBean.java:91) at org.apache.cxf.frontend.ClientProxyFactoryBean.create(ClientProxyFactoryBean.java:157) at org.apache.cxf.jaxws.JaxWsProxyFactoryBean.create(JaxWsProxyFactoryBean.java:142) at org.apache.cxf.jaxws.ServiceImpl.createPort(ServiceImpl.java:493) at org.apache.cxf.jaxws.ServiceImpl.getPort(ServiceImpl.java:359) at org.apache.cxf.jaxws.ServiceImpl.getPort(ServiceImpl.java:350) at javax.xml.ws.Service.getPort(Service.java:169) at com.exacttarget.fuelsdk.internal.PartnerAPI.getSoap(PartnerAPI.java:63) at com.exacttarget.fuelsdk.ETSoapConnection.<init>(ETSoapConnection.java:102) at com.exacttarget.fuelsdk.ETSoapConnection.<init>(ETSoapConnection.java:210) at com.exacttarget.fuelsdk.ETClient.buildClients(ETClient.java:219) at com.exacttarget.fuelsdk.ETClient.<init>(ETClient.java:197) at com.package.packageservice.delegates.ExactTargetFuelSdkDelegate.getFueldSdkEtclient(ExactTargetFuelSdkDelegate.java:1813) at com.package.packageservice.delegates.ExactTargetFuelSdkDelegate.validateEmail(ExactTargetFuelSdkDelegate.java:1098) at com.package.packageservice.services.implementations.ExactTargetServiceImpl.validateEmailAddress(ExactTargetServiceImpl.java:74) at com.package.packageservice.delegates.ExactTargetFuelSdkDelegateIntegrationTests.testValidateEmail(ExactTargetFuelSdkDelegateIntegrationTests.java:120) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:566) at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50) at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12) at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47) at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17) at org.springframework.test.context.junit4.statements.RunBeforeTestExecutionCallbacks.evaluate(RunBeforeTestExecutionCallbacks.java:74) at org.springframework.test.context.junit4.statements.RunAfterTestExecutionCallbacks.evaluate(RunAfterTestExecutionCallbacks.java:84) at org.springframework.test.context.junit4.statements.RunBeforeTestMethodCallbacks.evaluate(RunBeforeTestMethodCallbacks.java:75) at org.springframework.test.context.junit4.statements.RunAfterTestMethodCallbacks.evaluate(RunAfterTestMethodCallbacks.java:86) at org.springframework.test.context.junit4.statements.SpringRepeat.evaluate(SpringRepeat.java:84) at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325) at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:251) at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.runChild(SpringJUnit4ClassRunner.java:97) at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290) at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71) at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288) at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58) at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268) at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26) at org.springframework.test.context.junit4.statements.RunBeforeTestClassCallbacks.evaluate(RunBeforeTestClassCallbacks.java:61) at org.springframework.test.context.junit4.statements.RunAfterTestClassCallbacks.evaluate(RunAfterTestClassCallbacks.java:70) at org.junit.runners.ParentRunner.run(ParentRunner.java:363) at org.springframework.test.context.junit4.SpringJUnit4ClassRunner.run(SpringJUnit4ClassRunner.java:190) at org.junit.runner.JUnitCore.run(JUnitCore.java:137) at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:69) at com.intellij.rt.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:33) at com.intellij.rt.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:220) at com.intellij.rt.junit.JUnitStarter.main(JUnitStarter.java:53)

To Reproduce

1. Exclude org.apache.cxf from your pom that's using FuelSdk <exclusion> <groupId>org.apache.cxf</groupId> <artifactId>cxf-core</artifactId> </exclusion>

2. Include the 3.3.10 version <dependency> <groupId>org.apache.cxf</groupId> <artifactId>cxf-core</artifactId> <version>3.3.10</version> </dependency>

3. Run a test case

4. FuelSdk client fails to initialize

5. The stack track above is shown

Expected behavior FuelSdk client should initialize with versions of CXF that do not contain any vulnerabilities

Screenshots If applicable, add screenshots to help explain your problem.

Note: Because the developers need to copy and paste the code snippet, including a code snippet as a media file (e.g. gif) is not sufficient.

Environment

• SDK Version [e.g. 1.1.0]
• 11
• Java/ JDK version
• 11

The bug has the severity

• [x ] Critical: The defect affects critical functionality or critical data. It does not have a workaround.
• [ ] Major: The defect affects major functionality or major data. It has a workaround but is not obvious and is difficult.
• [ ] Minor: The defect affects minor functionality or non-critical data. It has an easy workaround.
• [ ] Trivial: The defect does not affect functionality or data. It does not even need a workaround. It does not impact productivity or efficiency. It is merely an inconvenience.

[gmazza]

@pc-dhutton While we're awaiting the main branch to get fixed, my fork uses the latest CXF 3.5.0: https://github.com/gmazza/FuelSDK-Java .