Fix CVEs, upgrade JDK to 17, fix build issues

Author: claytonparnell

Dockerfile

@@ -1,4 +1,4 @@
-FROM openjdk:8
+FROM openjdk:17-bullseye
 
 ENV DEBIAN_FRONTEND=noninteractive
 
@@ -70,19 +70,13 @@ RUN find / -depth -name maven-shared-utils -type d -exec rm -r "{}" \; \
  # remove plexus-utils directory because plexus-utils has vulnerabilities
  # comment out if need to use maven utilities
  && find / -depth -name plexus-utils -type d -exec rm -r "{}" \; \
- # remove old version of commons-compress with vulnerability
- && find / -depth -name commons-compress -type d -exec rm -r "{}/1.20" \; \
  # remove jar files from common-io v2.5 and 2.6 both have vulnerabilities
  && find / -name commons-io*2.5.jar -type f -exec rm "{}" \; \
  && find / -name commons-io*2.6.jar -type f -exec rm "{}" \; \
- # remove jackson-databind
- && find / -name jackson-databind -type d -exec rm -r "{}/2.13.3" \; \
  # remove junit-4.12.jar
  && find / -name junit-4.12.jar -type f -exec rm "{}" \; \
  # remove maven-compiler-plugin jar from maven repo
  && find / -name maven-compiler-plugin*.jar -type f -exec rm "{}" \; \
- # remove guava jar files
- && rm /usr/share/java/guava.jar && rm /root/.m2/repository/com/google/guava/guava/10.0.1/guava-10.0.1.jar \
  # remove commons-codec jar
  && find / -name commons-codec-1.11.jar -type f -exec rm "{}" \;
 

pom.xml

@@ -19,7 +19,7 @@
   <parent>
     <groupId>org.springframework.boot</groupId>
     <artifactId>spring-boot-starter-parent</artifactId>
-    <version>2.7.0</version>
+    <version>3.1.2</version>
   </parent>
   <modelVersion>4.0.0</modelVersion>
   <groupId>org.amazonaws.sagemaker</groupId>
@@ -32,8 +32,9 @@
         <artifactId>maven-compiler-plugin</artifactId>
         <version>3.10.1</version>
         <configuration>
-          <source>8</source>
-          <target>8</target>
+          <source>17</source>
+          <target>17</target>
+          <release>17</release>
         </configuration>
       </plugin>
       <plugin>
@@ -42,6 +43,7 @@
         <version>3.4.1</version>
         <executions>
           <execution>
+            <id>shade-spark-ml-serving</id>
             <phase>package</phase>
             <goals>
               <goal>shade</goal>
@@ -79,9 +81,13 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-surefire-plugin</artifactId>
-        <version>2.22.2</version>
+        <version>3.1.2</version>
         <configuration>
-          <forkCount>0</forkCount>
+          <reuseForks>false</reuseForks>
+          <forkCount>1</forkCount>
+          <argLine>--add-opens java.base/java.lang=ALL-UNNAMED</argLine>
+          <argLine>--add-opens java.base/java.lang.reflect=ALL-UNNAMED</argLine>
+          <argLine>--add-opens java.base/java.net=ALL-UNNAMED</argLine>
           <useSystemClassLoader>false</useSystemClassLoader>
         </configuration>
       </plugin>
@@ -177,12 +183,12 @@
     <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-jetty</artifactId>
-      <version>2.7.5</version>
+      <version>3.1.2</version>
     </dependency>
     <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-web</artifactId>
-      <version>2.7.5</version>
+      <version>3.1.2</version>
       <exclusions>
         <exclusion>
           <artifactId>spring-boot-starter-tomcat</artifactId>
@@ -193,12 +199,12 @@
     <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter</artifactId>
-      <version>2.7.5</version>
+      <version>3.1.2</version>
     </dependency>
     <dependency>
       <groupId>org.mockito</groupId>
-      <artifactId>mockito-core</artifactId>
-      <version>3.12.4</version>
+      <artifactId>mockito-inline</artifactId>
+      <version>3.9.0</version>
       <scope>test</scope>
     </dependency>
     <dependency>
@@ -233,19 +239,31 @@
     <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-test</artifactId>
-      <version>2.7.5</version>
+      <version>3.1.2</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.springframework</groupId>
+      <artifactId>spring-test</artifactId>
+      <version>6.0.11</version>
       <scope>test</scope>
     </dependency>
     <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-starter-json</artifactId>
-      <version>2.7.5</version>
+      <version>3.1.2</version>
     </dependency>
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-databind</artifactId>
       <version>2.14.0-rc2</version>
     </dependency>
+    <!-- https://mvnrepository.com/artifact/com.github.fommil.netlib/core  -->
+    <dependency>
+      <groupId>com.github.fommil.netlib</groupId>
+      <artifactId>core</artifactId>
+      <version>1.1.2</version>
+    </dependency>
     <dependency>
       <groupId>com.fasterxml.jackson.core</groupId>
       <artifactId>jackson-core</artifactId>
@@ -259,57 +277,62 @@
     <dependency>
       <groupId>com.jayway.jsonpath</groupId>
       <artifactId>json-path</artifactId>
-      <version>2.7.0</version>
+      <version>2.8.0</version>
+    </dependency>
+    <dependency>
+      <groupId>org.codehaus.plexus</groupId>
+      <artifactId>plexus-archiver</artifactId>
+      <version>4.8.0</version>
     </dependency>
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-web</artifactId>
-      <version>5.3.29</version>
+      <version>6.0.11</version>
     </dependency>
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-beans</artifactId>
-      <version>5.3.29</version>
+      <version>6.0.11</version>
     </dependency>
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-webmvc</artifactId>
-      <version>5.3.29</version>
+      <version>6.0.11</version>
     </dependency>
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-core</artifactId>
-      <version>5.3.29</version>
+      <version>6.0.11</version>
     </dependency>
     <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot-autoconfigure</artifactId>
-      <version>2.7.14</version>
+      <version>3.1.2</version>
     </dependency>
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-context</artifactId>
-      <version>5.3.23</version>
+      <version>6.0.11</version>
     </dependency>
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-expression</artifactId>
-      <version>5.3.23</version>
+      <version>6.0.11</version>
     </dependency>
     <dependency>
       <groupId>org.springframework.boot</groupId>
       <artifactId>spring-boot</artifactId>
-      <version>2.7.5</version>
+      <version>3.1.2</version>
     </dependency>
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-aop</artifactId>
-      <version>5.3.23</version>
+      <version>6.0.11</version>
     </dependency>
     <dependency>
       <groupId>org.springframework</groupId>
       <artifactId>spring-jcl</artifactId>
-      <version>5.3.23</version>
+      <version>6.0.11</version>
     </dependency>
     <dependency>
       <groupId>org.yaml</groupId>
@@ -329,42 +352,42 @@
     <dependency>
       <groupId>org.eclipse.jetty</groupId>
       <artifactId>jetty-servlet</artifactId>
-      <version>9.4.49.v20220914</version>
+      <version>11.0.14</version>
     </dependency>
     <dependency>
         <groupId>org.eclipse.jetty</groupId>
         <artifactId>jetty-webapp</artifactId>
-        <version>9.4.49.v20220914</version>
+        <version>11.0.14</version>
     </dependency>
     <dependency>
       <groupId>org.eclipse.jetty</groupId>
       <artifactId>jetty-util</artifactId>
-      <version>9.4.49.v20220914</version>
+      <version>11.0.14</version>
     </dependency>
     <dependency>
       <groupId>org.eclipse.jetty</groupId>
       <artifactId>jetty-http</artifactId>
-      <version>9.4.49.v20220914</version>
+      <version>11.0.14</version>
     </dependency>
     <dependency>
       <groupId>org.eclipse.jetty</groupId>
       <artifactId>jetty-io</artifactId>
-      <version>9.4.49.v20220914</version>
+      <version>11.0.14</version>
     </dependency>
     <dependency>
       <groupId>org.eclipse.jetty</groupId>
       <artifactId>jetty-servlets</artifactId>
-      <version>9.4.49.v20220914</version>
+      <version>11.0.14</version>
     </dependency>
     <dependency>
       <groupId>org.eclipse.jetty</groupId>
       <artifactId>jetty-server</artifactId>
-      <version>9.4.49.v20220914</version>
+      <version>11.0.14</version>
     </dependency>
     <dependency>
       <groupId>org.eclipse.jetty</groupId>
       <artifactId>jetty-client</artifactId>
-      <version>9.4.49.v20220914</version>
+      <version>11.0.14</version>
     </dependency>
     <dependency>
       <groupId>org.eclipse.jetty.websocket</groupId>
@@ -394,22 +417,17 @@
     <dependency>
       <groupId>ch.qos.logback</groupId>
       <artifactId>logback-core</artifactId>
-      <version>1.2.11</version>
+      <version>1.4.8</version>
     </dependency>
     <dependency>
       <groupId>commons-codec</groupId>
       <artifactId>commons-codec</artifactId>
       <version>1.15</version>
     </dependency>
-    <!-- for MLP inference from Mleap -->
-    <dependency>
-      <groupId>com.github.fommil.netlib</groupId>
-      <artifactId>core</artifactId>
-      <version>1.1.2</version>
-    </dependency>
   </dependencies>
   <properties>
-    <java.version>1.8</java.version>
+    <java.version>1.17</java.version>
     <log4j2.version>2.17.1</log4j2.version>
+    <jakarta-servlet.version>5.0.0</jakarta-servlet.version>
   </properties>
 </project>

serve.sh

@@ -1,3 +1,3 @@
 #!/bin/bash
 # This is needed to make sure Java correctly detects CPU/Memory set by the container limits
-java -XX:+UnlockExperimentalVMOptions -XX:+UseCGroupMemoryLimitForHeap -jar /usr/local/lib/sparkml-serving-3.3.jar
+java -XX:+UnlockExperimentalVMOptions -jar /usr/local/lib/sparkml-serving-3.3.jar

src/main/java/com/amazonaws/sagemaker/configuration/BeanConfiguration.java

@@ -89,7 +89,7 @@ public ObjectMapper provideObjectMapper() {
     @Bean
     public JettyServletWebServerFactory provideJettyServletWebServerFactory() {
         final JettyServletWebServerFactory jettyServlet = new JettyServletWebServerFactory(
-            new Integer(this.getHttpListenerPort()));
+            Integer.parseInt(this.getHttpListenerPort()));
         final List<JettyServerCustomizer> serverCustomizerList = Lists.newArrayList();
         final JettyServerCustomizer serverCustomizer = server -> {
             final QueuedThreadPool threadPool = server.getBean(QueuedThreadPool.class);

src/test/java/com/amazonaws/sagemaker/configuration/BeanConfigurationTest.java

@@ -19,22 +19,32 @@
 import com.amazonaws.sagemaker.utils.SystemUtils;
 import java.io.File;
 import org.junit.Assert;
-import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.powermock.api.mockito.PowerMockito;
-import org.powermock.core.classloader.annotations.PrepareForTest;
-import org.powermock.modules.junit4.PowerMockRunner;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.mockito.MockedStatic;
+import org.mockito.Mockito;
 import org.springframework.boot.web.embedded.jetty.JettyServletWebServerFactory;
 
-@RunWith(PowerMockRunner.class)
-@PrepareForTest(SystemUtils.class)
 public class BeanConfigurationTest {
 
     public BeanConfigurationTest() {
     }
 
     private BeanConfiguration configuration = new BeanConfiguration();
 
+    private MockedStatic<SystemUtils> mockedSystemUtils;
+
+    @BeforeEach
+    void setUpStaticMocks() {
+        mockedSystemUtils = Mockito.mockStatic(SystemUtils.class);
+    }
+
+    @AfterEach
+    void tearDownStaticMocks() {
+        mockedSystemUtils.closeOnDemand();
+    }
+
     @Test
     public void testModelLocationNotNull() {
         Assert.assertNotNull(configuration.provideModelFile());
@@ -89,8 +99,7 @@ public void testJettyServletWebServerFactoryNotNull() {
 
     @Test
     public void testParsePortFromEnvironment() {
-        PowerMockito.mockStatic(System.class);
-        PowerMockito.when(SystemUtils.getEnvironmentVariable("SAGEMAKER_BIND_TO_PORT")).thenReturn("7070");
+        mockedSystemUtils.when(() -> SystemUtils.getEnvironmentVariable("SAGEMAKER_BIND_TO_PORT")).thenReturn("7070");
         Assert.assertEquals(configuration.getHttpListenerPort(), "7070");
     }