EA-2861 refactor and remove StorageObject and Swift dependency

owasp-suppress.xml

@@ -1,17 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-    <!-- We're not using Openstack Swift directly -->
-    <suppress>
-        <notes><![CDATA[file name: openstack-swift-2.6.0.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-swift@.*$</packageUrl>
-        <cve>CVE-2017-16613</cve>
-    </suppress>
 
-    <suppress>
-        <notes><![CDATA[file name: openstack-keystone-2.6.0.jar]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.jclouds\.api/openstack\-keystone@.*$</packageUrl>
-        <cve>CVE-2020-12689</cve>
-        <cve>CVE-2020-12691</cve>
-        <cve>CVE-2020-12690</cve>
-    </suppress>
 </suppressions>

pom.xml

@@ -4,12 +4,12 @@
     <parent>
         <groupId>eu.europeana</groupId>
         <artifactId>europeana-parent-pom</artifactId>
-        <version>2.4</version>
+        <version>2.5</version>
     </parent>
 
     <groupId>eu.europeana</groupId>
     <artifactId>object-storage</artifactId>
-    <version>1.11-SNAPSHOT</version>
+    <version>2.0-SNAPSHOT</version>
 
     <name>Object Storage library</name>
     <description>Java Library for storing and retrieving items in S3</description>
@@ -23,39 +23,28 @@
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>
             <artifactId>log4j-core</artifactId>
-            <version>2.23.0</version>
+            <version>2.23.1</version>
         </dependency>
 
-        <!-- Swift https://mvnrepository.com/artifact/org.apache.jclouds/jclouds-core -->
+        <!-- Use newer Jackson version that the one provided by Amazon S3 -->
+        <!-- https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind -->
         <dependency>
-            <groupId>org.apache.jclouds</groupId>
-            <artifactId>jclouds-core</artifactId>
-            <version>2.6.0</version>
-        </dependency>
-        <!-- Swift https://mvnrepository.com/artifact/org.apache.jclouds.api/openstack-swift -->
-        <dependency>
-            <groupId>org.apache.jclouds.api</groupId>
-            <artifactId>openstack-swift</artifactId>
-            <version>2.6.0</version>
+            <groupId>com.fasterxml.jackson.core</groupId>
+            <artifactId>jackson-databind</artifactId>
+            <version>2.17.1</version>
         </dependency>
 
         <!-- Amazon S3 https://mvnrepository.com/artifact/com.amazonaws/aws-java-sdk -->
         <dependency>
             <groupId>com.amazonaws</groupId>
             <artifactId>aws-java-sdk-core</artifactId>
-            <version>1.12.720</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>com.fasterxml.jackson.core</groupId>
-                    <artifactId>jackson-databind</artifactId>
-                </exclusion>
-            </exclusions>
+            <version>1.12.740</version>
         </dependency>
         <!-- Amazon S3 https://mvnrepository.com/artifact/com.amazonaws/aws-java-sdk-s3 -->
         <dependency>
             <groupId>com.amazonaws</groupId>
             <artifactId>aws-java-sdk-s3</artifactId>
-            <version>1.12.720</version>
+            <version>1.12.740</version>
         </dependency>
 
         <!-- IBM Cloud S3 https://mvnrepository.com/artifact/com.softlayer.api/softlayer-api-client -->
@@ -65,28 +54,28 @@
             <version>0.3.4</version>
         </dependency>
 
-        <!--JUnit https://mvnrepository.com/artifact/junit/junit -->
+        <!-- https://mvnrepository.com/artifact/commons-io/commons-io -->
         <dependency>
-            <groupId>junit</groupId>
-            <artifactId>junit</artifactId>
-            <version>4.13.2</version>
-            <scope>test</scope>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.16.1</version>
         </dependency>
 
-        <!-- Overriding to remove CVE-2022-25647 -->
+        <!-- https://mvnrepository.com/artifact/org.junit.jupiter/junit-jupiter-api -->
         <dependency>
-            <groupId>com.google.code.gson</groupId>
-            <artifactId>gson</artifactId>
-            <version>2.10</version>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-api</artifactId>
+            <version>5.10.2</version>
+            <scope>test</scope>
         </dependency>
 
-        <!-- Overriding to remove CVE-2020-36518, CVE-2022-42003, CVE-2022-42004-->
-        <!-- CVE-2022-45688 still there in latest version coming from transitive dependency hutool-json -->
-        <!-- Also present in the latest version of hutool-json-5.8.18.jar  Hence suppressed it-->
+        <!-- https://mvnrepository.com/artifact/javax.xml.bind/jaxb-api -->
+        <!-- Amazon S3 will complain that it's slower if jaxb-api is not provided -->
         <dependency>
-            <groupId>com.fasterxml.jackson.core</groupId>
-            <artifactId>jackson-databind</artifactId>
-            <version>2.17.1</version>
+            <groupId>javax.xml.bind</groupId>
+            <artifactId>jaxb-api</artifactId>
+            <version>2.3.1</version>
+            <scope>test</scope>
         </dependency>
 
     </dependencies>
@@ -99,15 +88,16 @@
                      To skip (e.g. during debugging) use 'mvn clean package')-->
                 <groupId>org.owasp</groupId>
                 <artifactId>dependency-check-maven</artifactId>
-                <version>8.4.3</version>
+                <version>9.2.0</version>
                 <configuration>
+                    <nvdApiKeyEnvironmentVariable>NVD_APIKEY</nvdApiKeyEnvironmentVariable>
+                    <!-- see EA-3505 why we host the known exploited vulnerabilties file ourselves -->
+                    <knownExploitedUrl>https://artifactory.eanadev.org/artifactory/ext-release-local/gov/cisa/www/known_exploited_vulnerabilities.json</knownExploitedUrl>
                     <failBuildOnCVSS>8</failBuildOnCVSS>
                     <suppressionFiles>
                         <suppressionFile>owasp-suppress.xml</suppressionFile>
                     </suppressionFiles>
-                    <!-- see EA-3505 why we host the known exploited vulnerabilties file ourselves -->
-                    <knownExploitedUrl>http://artifactory.eanadev.org/artifactory/ext-release-local/gov/cisa/www/known_exploited_vulnerabilities.json</knownExploitedUrl>
-                </configuration>
+               </configuration>
                 <executions>
                     <execution>
                         <goals>