Fixing CVE-2017-12620 CVE-2019-17571 in compiled jar (#4)

* Fixing CVE-2017-12620 CVE-2019-17571 in compiled jar

* Including security scanner

* Creating new version

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,70 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+  schedule:
+    - cron: '45 18 * * 4'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'java', 'python' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

.github/workflows/main.yml

@@ -1,14 +1,18 @@
 name: Tests
 
-on: [push]
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
 
 jobs:
   test:
     runs-on: ubuntu-latest
     strategy:
       matrix:
         python-version: ["3.6", "3.7", "3.8", "3.9", "3.10"]
-        java-version: ["8", "11", "15", "17"]
+        java-version: ["8", "11", "17"]
 
     steps:
       - uses: actions/checkout@v2
@@ -21,6 +25,12 @@ jobs:
         with:
           java-version: ${{ matrix.java-version }}
           distribution: 'adopt'
+      - name: Verify vulnerabilities with Maven
+        working-directory: java
+        run: mvn verify
+      - name: Package with Maven
+        working-directory: java
+        run: mvn package
       - name: Install dependencies
         run: |
           python -m pip install --upgrade pip

.github/workflows/publish.yml

@@ -14,6 +14,17 @@ jobs:
         uses: actions/setup-python@v2
         with:
           python-version: 3.6
+      - name: Set up JDK 8
+        uses: actions/setup-java@v2
+        with:
+          java-version: 8
+          distribution: 'adopt'
+      - name: Verify vulnerabilities with Maven
+        working-directory: java
+        run: mvn verify
+      - name: Package with Maven
+        working-directory: java
+        run: mvn package
       - name: Create dist
         working-directory: ./python
         run: |

.gitignore

@@ -11,4 +11,5 @@
 **/.idea/*
 
 java/target/**/*
+python/cogroo4py/jars/**/*
 python/wheels/**/*

README.md

@@ -7,7 +7,7 @@ Uma interface para acessar o analisador morfológico e o corretor gramatical do
 
 # Pré-requisitos
  - interpretador Python 3.x
- - Java Runtime Environment (Testado nas versões 8, 11, 15 e 17)
+ - Java Runtime Environment (Testado nas versões 8, 11 e 17)
 
 # Como usar
 Instale usando o pip:

java/pom.xml

@@ -13,26 +13,52 @@
         <maven.compiler.target>8</maven.compiler.target>
     </properties>
 
+
+
     <dependencies>
         <dependency>
             <groupId>org.cogroo</groupId>
             <artifactId>cogroo-gc</artifactId>
             <version>4.2.0</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>log4j</groupId>
+                    <artifactId>log4j</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.cogroo</groupId>
             <artifactId>cogroo-ann</artifactId>
             <version>4.2.0</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>log4j</groupId>
+                    <artifactId>log4j</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.cogroo</groupId>
             <artifactId>cogroo-nlp</artifactId>
             <version>4.2.0</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>log4j</groupId>
+                    <artifactId>log4j</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.cogroo.lang.pt_br</groupId>
             <artifactId>cogroo-ann-pt_br</artifactId>
             <version>4.2.0</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>log4j</groupId>
+                    <artifactId>log4j</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.cogroo.lang.pt_br</groupId>
@@ -70,10 +96,51 @@
             <artifactId>log4j-1.2-api</artifactId>
             <version>2.14.1</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.opennlp</groupId>
+            <artifactId>opennlp-tools</artifactId>
+            <version>1.9.4</version>
+        </dependency>
     </dependencies>
 
     <build>
         <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-enforcer-plugin</artifactId>
+                <version>1.4.1</version>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>enforce</goal>
+                        </goals>
+                        <configuration>
+                            <rules>
+                                <bannedDependencies>
+                                    <excludes>
+                                        <exclude>log4j:log4j</exclude>
+                                    </excludes>
+                                </bannedDependencies>
+                            </rules>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.owasp</groupId>
+                <artifactId>dependency-check-maven</artifactId>
+                <version>6.5.0</version>
+                <configuration>
+                    <failBuildOnAnyVulnerability>true</failBuildOnAnyVulnerability>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>check</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-shade-plugin</artifactId>

java/src/main/java/Cogroo4PyBridge.java

@@ -18,6 +18,7 @@ public class Cogroo4PyBridge {
 
     public static void main(String[] args) throws IllegalArgumentException, IOException {
         Cogroo4PyBridge app = new Cogroo4PyBridge();
+        System.out.println(app.grammarCheck("Elas são bonita"));
     }
 
     public Cogroo4PyBridge() throws IllegalArgumentException, IOException {

python/setup.py

@@ -15,7 +15,7 @@ def package_files(directory):
 org_stubs_paths = package_files('org-stubs') + ['../py.typed']
 
 setup(name='cogroo4py',
-      version='0.4.2',
+      version='0.4.3',
       description='Interface for accessing CoGrOO from Python scripts using jpype',
       author='Guilherme Passero',
       author_email='[email protected]',