Fix critical dependency vulnerabilities and hardcoded credentials

.gitignore

@@ -0,0 +1,18 @@
+# Maven build artifacts
+target/
+
+# IDE files
+.idea/
+*.iml
+.vscode/
+.classpath
+.project
+.settings/
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Temporary files
+*.log
+*.tmp

call_graph.dot

@@ -0,0 +1,53 @@
+digraph G {
+  "BooksServlet.PreparedStatementDirectPara";
+  "BooksServlet.PreparedStatementDirectParaAsync";
+  "BooksServlet.PreparedStatementDirectParaIdentifier1";
+  "BooksServlet.PreparedStatementDirectParaIdentifier2";
+  "BooksServlet.PreparedStatementDirectParaIdentifier3";
+  "BooksServlet.PreparedStatementEexecuteQuerySQL";
+  "BooksServlet.PreparedStatementEexecuteQuerySQL";
+  "BooksServlet.StoredProcDirectPara";
+  "BooksServlet.StoredProcDirectParaAsync";
+  "BooksServlet.connect";
+  "BooksServlet.connectpsql";
+  "BooksServlet.createRecord";
+  "BooksServlet.doGet";
+  "BooksServlet.doPost";
+  "BooksServlet.executeQuerySQL";
+  "BooksServlet.executeQuerySQL";
+  "BooksServlet.executeSQL";
+  "BooksServlet.executeSQLHelper";
+  "BooksServlet.executeSQLHelper";
+  "BooksServlet.executeSQLHelper";
+  "BooksServlet.executeSQLWithAutogenkeys";
+  "BooksServlet.executeSQLWithColIndex";
+  "BooksServlet.executeUpdateSQL";
+  "BooksServlet.getCustomerPreparedStatement2";
+  "BooksServlet.getCustomersMultipleStoredProc";
+  "BooksServlet.getCustomersNonvulnerableStoredProc";
+  "BooksServlet.getCustomersPreparedStatement";
+  "BooksServlet.getCustomersPreparedStatementExecute";
+  "BooksServlet.getCustomersPreparedStatementExecuteQuery";
+  "BooksServlet.getCustomersPreparedStatementExecuteUpdate";
+  "BooksServlet.getCustomersStoredProc";
+  "BooksServlet.getCustomersStoredProc";
+  "BooksServlet.getCustomersStoredProc";
+  "BooksServlet.getCustomersStoredProc1";
+  "BooksServlet.getCustomersStoredProc2";
+  "BooksServlet.getCustomersStoredProcAsync";
+  "BooksServlet.getCustomersUpdateColName";
+  "BooksServlet.init";
+  "BooksServlet.insertCustomers";
+  "BooksServlet.isNumeric";
+  "BooksServlet.storedproccallbyName";
+  "BooksServlet.storedproccallwithsqlinj";
+  "CallableStatementTask.CallableStatementTask";
+  "CallableStatementTask.call";
+  "PrepareStatementTask.PrepareStatementTask";
+  "PrepareStatementTask.call";
+
+
+  "CallableStatementTask.CallableStatementTask" -> "CallableStatementTask.call";
+  "PrepareStatementTask.PrepareStatementTask" -> "PrepareStatementTask.call";
+
+  }

pom.xml

@@ -24,17 +24,17 @@
 		<dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-text</artifactId>
-            <version>1.9</version>
+            <version>1.10.0</version>
         </dependency>
        <dependency>
             <groupId>mysql</groupId>
             <artifactId>mysql-connector-java</artifactId>
-            <version>5.1.42</version>
+            <version>8.0.33</version>
         </dependency>
         <dependency>
 			<groupId>com.mchange</groupId>
 			<artifactId>c3p0</artifactId>
-			<version>0.9.5.2</version>
+			<version>0.10.0</version>
 		</dependency>
 		<dependency>
 			<groupId>org.jboss.weld</groupId>
@@ -66,7 +66,7 @@
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>
             <artifactId>log4j-core</artifactId>
-            <version>2.3</version>
+            <version>2.23.1</version>
             <optional>true</optional>
             <scope>test</scope>
         </dependency>
@@ -98,12 +98,12 @@
 	      <dependency>
 	        <groupId>org.mockito</groupId>
 	        <artifactId>mockito-core</artifactId>
-	        <version>2.28.2</version>
+	        <version>5.8.0</version>
 	      </dependency>
 	      <dependency>
 	        <groupId>com.google.errorprone</groupId>
 	        <artifactId>error_prone_annotations</artifactId>
-	        <version>2.7.1</version>
+	        <version>2.24.1</version>
 	      </dependency>
 	      <dependency>
 	        <groupId>org.webjars.bowergithub.webcomponents</groupId>

src/main/java/com/endor/AsyncServlet.java

@@ -318,12 +318,17 @@ private Connection connect() {
         Connection conn = null;
         boolean retval = false;
         try {
-            // Create database connection
+            // Create database connection using system properties
             System.out.println("Oracle JDBC Driver Loaded");
             System.out.println("Oracle Connecting..");
-            String nameForConnect = "sys as sysdba";
-            String pass1 = "Psmo0601";
-            String url = "jdbc:oracle:thin:@10.0.22.108:1521:XE";
+            String nameForConnect = System.getProperty("endor_db_user");
+            String pass1 = System.getProperty("endor_db_password");
+            String url = System.getProperty("endor_connection_url");
+
+            if (url == null || nameForConnect == null || pass1 == null || pass1.isEmpty()) {
+                throw new IllegalStateException("Database credentials must be provided via system properties");
+            }
+
             conn = DriverManager.getConnection(url, nameForConnect, pass1);
             System.out.println("Oracle Connected");
         } catch (Exception e) {
@@ -338,9 +343,14 @@ public static String insertCustomers(String first, String last, String pass) {
         StringBuffer sbuf = new StringBuffer();
 
         Connection conn = null;
-        String db = "jdbc:hsqldb:hsql://localhost/xdb";
-        String user = "SA";
-        String password = "";
+        String db = System.getProperty("endor_hsqldb_url", "jdbc:hsqldb:hsql://localhost/xdb");
+        String user = System.getProperty("endor_hsqldb_user", "SA");
+        String password = System.getProperty("endor_hsqldb_password");
+
+        // Return error string instead of throwing exception to match method signature
+        if (password == null) {
+            return "ERROR: Database password must be provided via endor_hsqldb_password system property";
+        }
 
         try {
             // Create database connection

src/main/java/com/endor/BooksServlet.java

@@ -35,9 +35,18 @@ public class BooksServlet extends HttpServlet {
     @Override
     public void init() throws ServletException {
         super.init();
-        connectionUrl =System.getProperty("endor_connection_url", "jdbc:oracle:thin:@10.0.22.108:1521:XE");
-        dbUser =System.getProperty("endor_db_user", "sys as sysdba");
-        dbPassword =System.getProperty("endor_db_password", "Psmo0601");
+        connectionUrl =System.getProperty("endor_connection_url");
+        if (connectionUrl == null) {
+            throw new ServletException("Database connection URL must be provided via endor_connection_url system property");
+        }
+        dbUser =System.getProperty("endor_db_user");
+        if (dbUser == null) {
+            throw new ServletException("Database user must be provided via endor_db_user system property");
+        }
+        dbPassword =System.getProperty("endor_db_password");
+        if (dbPassword == null || dbPassword.isEmpty()) {
+            throw new ServletException("Database password must be provided via endor_db_password system property");
+        }
         dbType =System.getProperty("endor_db_type", DB_TYPE_ORACLE);
 
     }
@@ -556,12 +565,17 @@ private Connection connect() {
     private Connection connectpsql() {
         Connection conn = null;
         try {
-            // Create database connection
-		      String dbURL = "jdbc:postgresql://localhost:5432/sqlinject?sslmode=disable";
-		      String user = "postgres";
-		      String password = "Psqlpsmo@1";
-			  conn = DriverManager.getConnection(dbURL, user, password);
-			  System.out.println("DB Connection established");
+            // Create database connection using system properties
+            String dbURL = System.getProperty("endor_connection_url");
+            String user = System.getProperty("endor_db_user");
+            String password = System.getProperty("endor_db_password");
+
+            if (dbURL == null || user == null || password == null || password.isEmpty()) {
+                throw new IllegalStateException("Database credentials must be provided via system properties");
+            }
+
+            conn = DriverManager.getConnection(dbURL, user, password);
+            System.out.println("DB Connection established");
         } catch (Exception e) {
             System.err.println("ERROR: failed to connect postgres SQL.");
             e.printStackTrace();
@@ -574,9 +588,14 @@ public static String insertCustomers(String first, String last, String pass) {
         StringBuffer sbuf = new StringBuffer();
 
         Connection conn = null;
-        String db = "jdbc:hsqldb:hsql://localhost/xdb";
-        String user = "SA";
-        String password = "";
+        String db = System.getProperty("endor_hsqldb_url", "jdbc:hsqldb:hsql://localhost/xdb");
+        String user = System.getProperty("endor_hsqldb_user", "SA");
+        String password = System.getProperty("endor_hsqldb_password");
+
+        // Return error string instead of throwing exception to match method signature
+        if (password == null) {
+            return "ERROR: Database password must be provided via endor_hsqldb_password system property";
+        }
 
         try {
             // Create database connection

src/main/java/com/endor/ExtraServlet.java

@@ -38,9 +38,18 @@ public class ExtraServlet extends HttpServlet {
     @Override
     public void init() throws ServletException {
         super.init();
-        connectionUrl =System.getProperty("endor_connection_url", "jdbc:oracle:thin:@10.0.22.108:1521:XE");
-        dbUser =System.getProperty("endor_db_user", "sys as sysdba");
-        dbPassword =System.getProperty("endor_db_password", "Psmo0601");
+        connectionUrl =System.getProperty("endor_connection_url");
+        if (connectionUrl == null) {
+            throw new ServletException("Database connection URL must be provided via endor_connection_url system property");
+        }
+        dbUser =System.getProperty("endor_db_user");
+        if (dbUser == null) {
+            throw new ServletException("Database user must be provided via endor_db_user system property");
+        }
+        dbPassword =System.getProperty("endor_db_password");
+        if (dbPassword == null || dbPassword.isEmpty()) {
+            throw new ServletException("Database password must be provided via endor_db_password system property");
+        }
         dbType =System.getProperty("endor_db_type", DB_TYPE_ORACLE);
 
     }

src/main/java/com/endor/GetInputStreamInnerTest.java

@@ -93,9 +93,18 @@ else if(multileg.equalsIgnoreCase("stored_procedure") && getCustomersStoredProc(
     @Override
     public void init() throws ServletException {
         super.init();
-        connectionUrl =System.getProperty("endor_connection_url", "jdbc:oracle:thin:@10.0.22.108:1521:XE");
-        dbUser =System.getProperty("endor_db_user", "sys as sysdba");
-        dbPassword =System.getProperty("endor_db_password", "Psmo0601");
+        connectionUrl =System.getProperty("endor_connection_url");
+        if (connectionUrl == null) {
+            throw new ServletException("Database connection URL must be provided via endor_connection_url system property");
+        }
+        dbUser =System.getProperty("endor_db_user");
+        if (dbUser == null) {
+            throw new ServletException("Database user must be provided via endor_db_user system property");
+        }
+        dbPassword =System.getProperty("endor_db_password");
+        if (dbPassword == null || dbPassword.isEmpty()) {
+            throw new ServletException("Database password must be provided via endor_db_password system property");
+        }
         dbType =System.getProperty("endor_db_type", DB_TYPE_ORACLE);
 
     }

src/main/java/com/endor/GetInputStreamTest.java

@@ -19,7 +19,7 @@ protected void doPost(HttpServletRequest request, HttpServletResponse response)
         doGet(request, response);
     }
 
-    private static final String POST_URL_GET_PARAMETER = "http://localhost:8080/endor-webapp/GetInputStreamInnerTest";
+    private static final String POST_URL_GET_PARAMETER = "https://localhost:8080/endor-webapp/GetInputStreamInnerTest";
 
 	@Override
     protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

src/main/java/com/endor/HttpURLConnectionExample.java

@@ -12,10 +12,10 @@ public class HttpURLConnectionExample {
 
     private static final String USER_AGENT = "Mozilla/5.0";
 
-    private static final String GET_URL = "http://localhost:8080";
+    private static final String GET_URL = "https://localhost:8080";
 
-    //private static final String POST_URL = "http://localhost:9090/SpringMVCExample/home";
-    private static final String POST_URL = "http://localhost:8080/endor-webapp/ExtraServlet";
+    //private static final String POST_URL = "https://localhost:9090/SpringMVCExample/home";
+    private static final String POST_URL = "https://localhost:8080/endor-webapp/ExtraServlet";
 
     private static final String POST_PARAMS = "userName=Pankaj";
 
@@ -167,7 +167,7 @@ public static int sendPOSTwithParameter(String last, String pass, String multile
     }
 
     public static String sendTRACE() throws IOException {
-    	String TRACE_URL = "http://localhost:8080/endor-webapp/httptrace";
+    	String TRACE_URL = "https://localhost:8080/endor-webapp/httptrace";
         URL obj = new URL(TRACE_URL);
         HttpURLConnection con = (HttpURLConnection) obj.openConnection();
         con.setRequestMethod("TRACE");

src/main/java/com/endor/NewSQLExitServlet.java

@@ -29,9 +29,18 @@ public class NewSQLExitServlet extends HttpServlet {
     @Override
     public void init() throws ServletException {
         super.init();
-        connectionUrl =System.getProperty("endor_connection_url", "jdbc:oracle:thin:@10.0.22.108:1521:XE");
-        dbUser =System.getProperty("endor_db_user", "sys as sysdba");
-        dbPassword =System.getProperty("endor_db_password", "Psmo0601");
+        connectionUrl =System.getProperty("endor_connection_url");
+        if (connectionUrl == null) {
+            throw new ServletException("Database connection URL must be provided via endor_connection_url system property");
+        }
+        dbUser =System.getProperty("endor_db_user");
+        if (dbUser == null) {
+            throw new ServletException("Database user must be provided via endor_db_user system property");
+        }
+        dbPassword =System.getProperty("endor_db_password");
+        if (dbPassword == null || dbPassword.isEmpty()) {
+            throw new ServletException("Database password must be provided via endor_db_password system property");
+        }
         dbType =System.getProperty("endor_db_type", DB_TYPE_ORACLE);
 
     }
@@ -147,19 +156,24 @@ public boolean getCustomersPreparedStatementExecuteNewExit(String name, String p
         return hasResults;
     }
 
-    /** Shiva use the following java system properties instead of new connection function.
+    /** Use the following java system properties for connection.
         -Dendor_connection_url="jdbc:postgresql://localhost:5432/sqlinject?sslmode=disable"
         -Dendor_db_user="postgres"
-        -Dendor_db_password=""Psqlpsmo@1"
+        -Dendor_db_password="<your-password>"
         -Dendor_db_type="Postgress"
      */
     private Connection connectpsql() {
         Connection conn = null;
         try {
-            // Create database connection
-            String dbURL = "jdbc:postgresql://localhost:5432/sqlinject?sslmode=disable";
-            String user = "postgres";
-            String password = "Psqlpsmo@1";
+            // Create database connection using system properties
+            String dbURL = System.getProperty("endor_connection_url");
+            String user = System.getProperty("endor_db_user");
+            String password = System.getProperty("endor_db_password");
+
+            if (dbURL == null || user == null || password == null || password.isEmpty()) {
+                throw new IllegalStateException("Database credentials must be provided via system properties");
+            }
+
             conn = DriverManager.getConnection(dbURL, user, password);
             System.out.println("DB Connection established");
         } catch (Exception e) {