Remove commons-text dependency (#2817)

And thus fix vulnerability that it brings. Also decrease dependencies.

Signed-off-by: Avgustin Marinov <Avgustin.Marinov@bosch.com>

hawkbit-artifact/hawkbit-artifact-fs/src/test/java/org/eclipse/hawkbit/artifact/fs/FileArtifactStorageTest.java

@@ -36,7 +36,7 @@ import org.junit.jupiter.api.Test;
 class FileArtifactStorageTest {
 
     private static final String TENANT = "test_tenant";
-    @SuppressWarnings("java:S1068") // used for tests only, no need of secure random
+    @SuppressWarnings("java:S2245") // used for tests only, no need of secure random
     private static final Random RND = new Random();
 
     private static FileArtifactProperties artifactResourceProperties;

hawkbit-repository/hawkbit-repository-api/pom.xml

@@ -51,10 +51,6 @@
             <groupId>com.cronutils</groupId>
             <artifactId>cron-utils</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-text</artifactId>
-        </dependency>
         <dependency>
             <groupId>org.jsoup</groupId>
             <artifactId>jsoup</artifactId>

hawkbit-repository/hawkbit-repository-api/src/main/java/org/eclipse/hawkbit/repository/rsql/VirtualPropertyResolver.java

@@ -14,12 +14,11 @@ import static org.eclipse.hawkbit.tenancy.configuration.TenantConfigurationPrope
 
 import java.time.Duration;
 
-import org.apache.commons.text.StringSubstitutor;
-import org.apache.commons.text.lookup.StringLookupFactory;
 import org.eclipse.hawkbit.repository.helper.SystemSecurityContextHolder;
 import org.eclipse.hawkbit.repository.helper.TenantConfigurationManagementHolder;
 import org.eclipse.hawkbit.tenancy.configuration.DurationHelper;
 import org.eclipse.hawkbit.tenancy.configuration.PollingTime;
+import org.springframework.util.PropertyPlaceholderHelper;
 
 /**
  * Adds macro capabilities to RSQL expressions that are used to filter for targets.
@@ -41,12 +40,10 @@ import org.eclipse.hawkbit.tenancy.configuration.PollingTime;
  */
 public class VirtualPropertyResolver {
 
-    private static final StringSubstitutor STRING_SUBSTITUTOR = new StringSubstitutor(
-            StringLookupFactory.builder().get().functionStringLookup(VirtualPropertyResolver::lookup),
-            StringSubstitutor.DEFAULT_PREFIX, StringSubstitutor.DEFAULT_SUFFIX, StringSubstitutor.DEFAULT_ESCAPE);
+    private static final PropertyPlaceholderHelper HELPER = new PropertyPlaceholderHelper("${", "}", null, '$', true);
 
     public String replace(final String input) {
-        return STRING_SUBSTITUTOR.replace(input);
+        return HELPER.replacePlaceholders(input, VirtualPropertyResolver::lookup);
     }
 
     private static String lookup(final String rhs) {
@@ -78,8 +75,8 @@ public class VirtualPropertyResolver {
     private static long calculateOverdueTimestamp(final PollingTime.PollingInterval pollingInterval, final Duration pollingOverdueTime) {
         return System.currentTimeMillis()
                 - (pollingInterval.getDeviationPercent() == 0
-                        ? pollingInterval.getInterval().toMillis()
-                        : pollingInterval.getInterval().toMillis() * (100 + pollingInterval.getDeviationPercent()) / 100)
+                ? pollingInterval.getInterval().toMillis()
+                : pollingInterval.getInterval().toMillis() * (100 + pollingInterval.getDeviationPercent()) / 100)
                 - pollingOverdueTime.toMillis();
     }
 

hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/ql/rsql/VirtualPropertyResolverTest.java

@@ -14,7 +14,6 @@ import static org.mockito.Mockito.when;
 
 import java.util.concurrent.Callable;
 
-import org.apache.commons.text.StringSubstitutor;
 import org.eclipse.hawkbit.repository.TenantConfigurationManagement;
 import org.eclipse.hawkbit.repository.helper.SystemSecurityContextHolder;
 import org.eclipse.hawkbit.repository.helper.TenantConfigurationManagementHolder;
@@ -33,11 +32,11 @@ import org.springframework.context.annotation.Configuration;
 import org.springframework.test.context.bean.override.mockito.MockitoBean;
 import org.springframework.test.context.junit.jupiter.SpringExtension;
 
-@ExtendWith(SpringExtension.class)
 /**
  * Feature: Unit Tests - Repository<br/>
  * Story: Placeholder resolution for virtual properties
  */
+@ExtendWith(SpringExtension.class)
 class VirtualPropertyResolverTest {
 
     private static final TenantConfigurationValue<String> TEST_POLLING_TIME_INTERVAL =
@@ -78,7 +77,7 @@ class VirtualPropertyResolverTest {
     @Test
     void handleEscapedPlaceholder() {
         final String placeholder = "${OVERDUE_TS}";
-        final String escapedPlaceholder = StringSubstitutor.DEFAULT_ESCAPE + placeholder;
+        final String escapedPlaceholder = "$" + placeholder;
         final String testString = "lhs=lt=" + escapedPlaceholder;
 
         final String resolvedPlaceholders = substitutor.replace(testString);

hawkbit-repository/hawkbit-repository-jpa/src/test/java/org/eclipse/hawkbit/repository/jpa/scheduler/AutoAssignExecutorIntTest.java

@@ -144,8 +144,7 @@ class AutoAssignExecutorIntTest extends AbstractJpaIntegrationTest {
         verifyThatTargetsHaveDistributionSetAssignment(setB, targets.subList(10, 20), targetsCount);
 
         // Count the number of targets that will be assigned with setA
-        assertThat(targetManagement.countByRsqlAndNonDsAndCompatibleAndUpdatable(setA.getId(), targetFilterQuery.getQuery()))
-                .isEqualTo(15);
+        assertThat(targetManagement.countByRsqlAndNonDsAndCompatibleAndUpdatable(setA.getId(), targetFilterQuery.getQuery())).isEqualTo(15);
 
         // Run the check
         autoAssignChecker.checkAllTargets();

hawkbit-repository/hawkbit-repository-test/src/main/java/org/eclipse/hawkbit/repository/test/util/AbstractIntegrationTest.java

@@ -125,8 +125,7 @@ public abstract class AbstractIntegrationTest {
 
     protected static final URI LOCALHOST = URI.create("http://127.0.0.1");
     protected static final int DEFAULT_TEST_WEIGHT = 500;
-    @SuppressWarnings("java:S1068") // used for tests only, no need of secure random
-    protected static final Random RND = new Random();
+    protected static final Random RND = TestdataFactory.RND;
 
     /**
      * Number of {@link DistributionSetType}s that exist in every test case. One

hawkbit-repository/hawkbit-repository-test/src/main/java/org/eclipse/hawkbit/repository/test/util/TestdataFactory.java

@@ -20,13 +20,13 @@ import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Random;
 import java.util.Set;
 import java.util.UUID;
 import java.util.concurrent.atomic.AtomicLong;
 import java.util.stream.IntStream;
 
 import org.apache.commons.io.IOUtils;
-import org.apache.commons.lang3.RandomStringUtils;
 import org.eclipse.hawkbit.repository.ArtifactManagement;
 import org.eclipse.hawkbit.repository.Constants;
 import org.eclipse.hawkbit.repository.ControllerManagement;
@@ -90,12 +90,14 @@ import org.springframework.util.ObjectUtils;
 @SuppressWarnings("java:S107")
 public class TestdataFactory {
 
+    @SuppressWarnings("java:S2245") // used for tests only, no need of secure random
+    public static final Random RND = new Random();
+
     public static final String VISIBLE_SM_MD_KEY = "visibleMetdataKey";
     public static final String VISIBLE_SM_MD_VALUE = "visibleMetdataValue";
     public static final String INVISIBLE_SM_MD_KEY = "invisibleMetdataKey";
     public static final String INVISIBLE_SM_MD_VALUE = "invisibleMetdataValue";
 
-    public static final RandomStringUtils RANDOM_STRING_UTILS = RandomStringUtils.secure();
     public static final AtomicLong COUNTER = new AtomicLong();
 
     /**
@@ -197,8 +199,13 @@ public class TestdataFactory {
         this.systemSecurityContext = systemSecurityContext;
     }
 
+    private static final String ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
     public static String randomString(final int len) {
-        return RANDOM_STRING_UTILS.next(len, true, false);
+        final StringBuilder sb = new StringBuilder(len);
+        for (int i = 0; i < len; i++) {
+            sb.append(ALPHABET.charAt(RND.nextInt(ALPHABET.length())));
+        }
+        return sb.toString();
     }
 
     public static byte[] randomBytes(final int len) {

pom.xml

@@ -73,7 +73,6 @@
         <rsql-parser.version>2.1.0</rsql-parser.version>
         <commons-io.version>2.21.0</commons-io.version>
         <commons-collections4.version>4.5.0</commons-collections4.version>
-        <commons-text.version>1.14.0</commons-text.version>
         <io-protostuff.version>1.8.0</io-protostuff.version>
         <!-- test -->
         <rabbitmq.http-client.version>5.4.0</rabbitmq.http-client.version>
@@ -303,11 +302,6 @@
                 <artifactId>commons-collections4</artifactId>
                 <version>${commons-collections4.version}</version>
             </dependency>
-            <dependency>
-                <groupId>org.apache.commons</groupId>
-                <artifactId>commons-text</artifactId>
-                <version>${commons-text.version}</version>
-            </dependency>
 
             <!-- Test -->
             <dependency>