Fix third-party lib CVEs & Upgrade core spring libs version . (2021.0) (#263)

* Fix third-party lib CVEs & Upgrade core spring libs version .

* Update CHANGELOG.md

Co-authored-by: Haotian Zhang <928016560@qq.com>

CHANGELOG.md

@@ -1,4 +1,5 @@
 # Change Log
 ---
 
+- [Upgrade: fix third-party lib CVEs & upgrade core spring libs version](https://github.com/Tencent/spring-cloud-tencent/pull/263)
 - [feat:support reading configuration from application.yml or application.properties.](https://github.com/Tencent/spring-cloud-tencent/pull/262)

pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.cloud</groupId>
 		<artifactId>spring-cloud-build</artifactId>
-		<version>3.1.2</version>
+		<version>3.1.3</version>
 		<relativePath/>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>
@@ -86,10 +86,13 @@
 
 	<properties>
 		<!-- Project revision -->
-		<revision>1.6.0-2021.0.2-SNAPSHOT</revision>
+		<revision>1.6.0-2021.0.3-SNAPSHOT</revision>
 
 		<!-- Spring Cloud -->
-		<spring.cloud.version>2021.0.2</spring.cloud.version>
+		<spring.cloud.version>2021.0.3</spring.cloud.version>
+
+		<!-- Spring Framework -->
+		<spring.framework.version>5.3.21</spring.framework.version>
 
 		<!-- Maven Plugin Versions -->
 		<jacoco.version>0.8.3</jacoco.version>
@@ -123,6 +126,15 @@
 				<type>pom</type>
 				<scope>import</scope>
 			</dependency>
+
+			<!-- Spring Framework Dependencies -->
+			<dependency>
+				<groupId>org.springframework</groupId>
+				<artifactId>spring-framework-bom</artifactId>
+				<version>${spring.framework.version}</version>
+				<type>pom</type>
+				<scope>import</scope>
+			</dependency>
 		</dependencies>
 	</dependencyManagement>
 

spring-cloud-tencent-commons/pom.xml

@@ -14,9 +14,8 @@
 	<name>Spring Cloud Tencent Commons</name>
 
 	<properties>
-		<commons.collections.version>3.2.2</commons.collections.version>
-		<commons.lang.version>2.5</commons.lang.version>
-		<commons.io.version>2.7</commons.io.version>
+		<commons.lang.version>2.6</commons.lang.version>
+		<commons.io.version>2.11.0</commons.io.version>
 	</properties>
 
 	<dependencies>
@@ -47,12 +46,6 @@
 			<artifactId>spring-cloud-starter</artifactId>
 		</dependency>
 
-		<dependency>
-			<groupId>commons-collections</groupId>
-			<artifactId>commons-collections</artifactId>
-			<version>${commons.collections.version}</version>
-		</dependency>
-
 		<dependency>
 			<groupId>commons-lang</groupId>
 			<artifactId>commons-lang</artifactId>

spring-cloud-tencent-dependencies/pom.xml

@@ -5,7 +5,7 @@
 	<parent>
 		<groupId>org.springframework.cloud</groupId>
 		<artifactId>spring-cloud-dependencies-parent</artifactId>
-		<version>3.1.2</version>
+		<version>3.1.3</version>
 		<relativePath/>
 	</parent>
 	<modelVersion>4.0.0</modelVersion>
@@ -70,12 +70,16 @@
 	</developers>
 
 	<properties>
-		<revision>1.6.0-2021.0.2-SNAPSHOT</revision>
+		<revision>1.6.0-2021.0.3-SNAPSHOT</revision>
+
+		<!-- Dependencies -->
 		<polaris.version>1.6.1</polaris.version>
-		<guava.version>31.1-jre</guava.version>
-		<logback.version>1.2.7</logback.version>
+		<guava.version>31.0.1-jre</guava.version>
+		<logback.version>1.2.11</logback.version>
 		<mocktio.version>4.5.1</mocktio.version>
 		<byte-buddy.version>1.12.10</byte-buddy.version>
+		<protobuf-java.version>3.16.1</protobuf-java.version>
+		<bcprov-jdk15on.version>1.69</bcprov-jdk15on.version>
 
 		<!-- Maven Plugin Versions -->
 		<maven-source-plugin.version>3.2.0</maven-source-plugin.version>
@@ -152,6 +156,26 @@
 				<groupId>com.google.guava</groupId>
 				<artifactId>guava</artifactId>
 				<version>${guava.version}</version>
+				<exclusions>
+					<exclusion>
+						<artifactId>jsr305</artifactId>
+						<groupId>com.google.code.findbugs</groupId>
+					</exclusion>
+					<exclusion>
+						<artifactId>animal-sniffer-annotations</artifactId>
+						<groupId>org.codehaus.mojo</groupId>
+					</exclusion>
+					<exclusion>
+						<artifactId>error_prone_annotations</artifactId>
+						<groupId>com.google.errorprone</groupId>
+					</exclusion>
+				</exclusions>
+			</dependency>
+
+			<dependency>
+				<groupId>ch.qos.logback</groupId>
+				<artifactId>logback-core</artifactId>
+				<version>${logback.version}</version>
 			</dependency>
 
 			<dependency>
@@ -160,6 +184,18 @@
 				<version>${logback.version}</version>
 			</dependency>
 
+			<dependency>
+				<groupId>com.google.protobuf</groupId>
+				<artifactId>protobuf-java</artifactId>
+				<version>${protobuf-java.version}</version>
+			</dependency>
+
+			<dependency>
+				<groupId>org.bouncycastle</groupId>
+				<artifactId>bcprov-jdk15on</artifactId>
+				<version>${bcprov-jdk15on.version}</version>
+			</dependency>
+
 			<dependency>
 				<groupId>org.mockito</groupId>
 				<artifactId>mockito-inline</artifactId>

spring-cloud-tencent-polaris-loadbalancer/src/main/java/com/tencent/cloud/polaris/loadbalancer/LoadBalancerUtils.java

@@ -27,10 +27,10 @@ import com.tencent.polaris.api.pojo.DefaultServiceInstances;
 import com.tencent.polaris.api.pojo.Instance;
 import com.tencent.polaris.api.pojo.ServiceInstances;
 import com.tencent.polaris.api.pojo.ServiceKey;
-import org.apache.commons.collections.CollectionUtils;
 import reactor.core.publisher.Flux;
 
 import org.springframework.cloud.client.ServiceInstance;
+import org.springframework.util.CollectionUtils;
 
 /**
  * load balancer utils.
@@ -54,7 +54,7 @@ public class LoadBalancerUtils {
 		}).collect(Collectors.toList());
 
 		String serviceName = null;
-		if (CollectionUtils.isNotEmpty(instances)) {
+		if (!CollectionUtils.isEmpty(instances)) {
 			serviceName = instances.get(0).getService();
 		}