CVE-2026-24400 Fix XXE vulnerability in isXmlEqualTo assertion in assertj-core (#162)

* Bump org.assertj:assertj-core from 1.6.1 to 3.27.7

Bumps [org.assertj:assertj-core](https://github.com/assertj/assertj) from 1.6.1 to 3.27.7.
- [Release notes](https://github.com/assertj/assertj/releases)
- [Commits](assertj/assertj@assertj-core-1.6.1...assertj-build-3.27.7)

---
updated-dependencies:
- dependency-name: org.assertj:assertj-core
  dependency-version: 3.27.7
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

* CVE-2026-24400 Fix XXE vulnerability in isXmlEqualTo assertion

* update copyright

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: maximthomas <maxim.thomas@gmail.com>

Author: dependabot[bot]

commons/audit/core/src/test/java/org/forgerock/audit/AuditServiceImplTest.java

@@ -12,6 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2015-2016 ForgeRock AS.
+ * Portions copyright 2020-2026 3A Systems LLC.
  */
 
 package org.forgerock.audit;
@@ -28,7 +29,6 @@
 import static org.forgerock.json.resource.Requests.newQueryRequest;
 import static org.forgerock.json.resource.Responses.newQueryResponse;
 import static org.forgerock.json.resource.Responses.newResourceResponse;
-import static org.forgerock.util.test.assertj.AssertJPromiseAssert.assertThat;
 import static org.mockito.BDDMockito.given;
 import static org.mockito.Mockito.any;
 import static org.mockito.Mockito.eq;
@@ -70,6 +70,7 @@
 import org.forgerock.services.context.Context;
 import org.forgerock.services.context.RootContext;
 import org.forgerock.util.promise.Promise;
+import org.forgerock.util.test.assertj.AssertJPromiseAssert;
 import org.testng.annotations.BeforeMethod;
 import org.testng.annotations.Test;
 
@@ -108,7 +109,7 @@ public void shouldDelegateCreateRequestToRegisteredHandler() throws Exception {
 
         //then
         assertThat(auditService.isAuditing("access")).isTrue();
-        assertThat(promise)
+        AssertJPromiseAssert.assertThat(promise)
                 .succeeded()
                 .withObject()
                 .isInstanceOf(ResourceResponse.class);
@@ -133,7 +134,7 @@ public void shouldIgnoreCreateRequestIfAuditEventTopicNotMappedToHandler() throw
 
         //then
         assertThat(auditService.isAuditing(topic)).isFalse();
-        assertThat(promise)
+        AssertJPromiseAssert.assertThat(promise)
                 .succeeded()
                 .withObject()
                 .isInstanceOf(ResourceResponse.class);
@@ -158,7 +159,7 @@ public void shouldFailCreateRequestIfAuditEventTopicIsNotKnown() throws ServiceU
 
         //then
         assertThat(auditService.isAuditing("unknownTopic")).isFalse();
-        assertThat(promise)
+        AssertJPromiseAssert.assertThat(promise)
                 .failedWithException()
                 .isInstanceOf(ResourceException.class);
     }
@@ -187,7 +188,7 @@ public void shouldFailCreateRequestIfHandlerConfiguredForQueriesThrowsException(
         //then
         verify(queryHandler, times(1)).publishEvent(any(Context.class), eq("access"), any(JsonValue.class));
         verify(otherHandler, times(1)).publishEvent(any(Context.class), eq("access"), any(JsonValue.class));
-        assertThat(promise)
+        AssertJPromiseAssert.assertThat(promise)
                 .failedWithException()
                 .isInstanceOf(InternalServerErrorException.class);
     }
@@ -244,7 +245,7 @@ public void shouldDelegateReadRequestToConfiguredHandlerForQueries() throws Exce
                 auditService.handleRead(new RootContext(), readRequest);
 
         //then
-        assertThat(promise).isSameAs(dummyResponse);
+        AssertJPromiseAssert.assertThat(promise).isSameAs(dummyResponse);
         verifyZeroInteractions(otherAuditEventHandler);
     }
 
@@ -260,7 +261,7 @@ public void shouldNotSupportDeleteOfAuditEvents() throws ResourceException {
                         Requests.newDeleteRequest("_id"));
 
         //then
-        assertThat(promise)
+        AssertJPromiseAssert.assertThat(promise)
                 .failedWithException()
                 .isInstanceOf(NotSupportedException.class);
     }
@@ -278,7 +279,7 @@ public void shouldNotSupportPatchOfAuditEvents() throws ResourceException {
                         Requests.newPatchRequest("_id"));
 
         //then
-        assertThat(promise)
+        AssertJPromiseAssert.assertThat(promise)
                 .failedWithException()
                 .isInstanceOf(NotSupportedException.class);
     }
@@ -296,7 +297,7 @@ public void shouldNotSupportUpdateOfAuditEvents() throws ResourceException {
                         Requests.newUpdateRequest("_id", new JsonValue(new HashMap<String, Object>())));
 
         //then
-        assertThat(promise)
+        AssertJPromiseAssert.assertThat(promise)
                 .failedWithException()
                 .isInstanceOf(NotSupportedException.class);
     }
@@ -314,7 +315,7 @@ public void shouldNotSupportActions() throws ResourceException {
                         Requests.newActionRequest("access", "unknownAction"));
 
         //then
-        assertThat(promise)
+        AssertJPromiseAssert.assertThat(promise)
                 .failedWithException()
                 .isInstanceOf(BadRequestException.class);
     }
@@ -342,7 +343,7 @@ public void shouldDelegateQueryRequestToConfiguredHandlerForQueries() throws Exc
         //then
         verify(eventHandler).queryEvents(
                 any(Context.class), any(String.class), any(QueryRequest.class), any(QueryResourceHandler.class));
-        assertThat(promise).isSameAs(queryResponsePromise);
+        AssertJPromiseAssert.assertThat(promise).isSameAs(queryResponsePromise);
     }
 
     @Test
@@ -364,7 +365,7 @@ public void shouldFailCreateRequestIfAuditEventIsMissingTransactionId() throws R
                 auditService.handleCreate(new RootContext(), createRequest);
 
         //then
-        assertThat(promise)
+        AssertJPromiseAssert.assertThat(promise)
                 .failedWithException()
                 .isInstanceOf(BadRequestException.class);
     }
@@ -388,7 +389,7 @@ public void shouldFailCreateRequestIfAuditEventIsMissingTimestamp() throws Resou
                 auditService.handleCreate(new RootContext(), createRequest);
 
         //then
-        assertThat(promise)
+        AssertJPromiseAssert.assertThat(promise)
                 .failedWithException()
                 .isInstanceOf(BadRequestException.class);
     }
@@ -559,7 +560,7 @@ public void shouldFailCreateRequestIfAuditServiceIsShutdown() throws Exception {
                 auditService.handleCreate(new RootContext(), createRequest);
 
         //then
-        assertThat(promise)
+        AssertJPromiseAssert.assertThat(promise)
                 .failedWithException()
                 .isInstanceOf(ServiceUnavailableException.class)
                 .hasMessage("AuditService not running");
@@ -576,7 +577,7 @@ public void shouldFailReadRequestIfAuditServiceIsShutdown() {
                 auditService.handleRead(new RootContext(), readRequest);
 
         //then
-        assertThat(promise)
+        AssertJPromiseAssert.assertThat(promise)
                 .failedWithException()
                 .isInstanceOf(ServiceUnavailableException.class)
                 .hasMessage("AuditService not running");
@@ -594,7 +595,7 @@ public void shouldFailQueryRequestIfAuditServiceIsShutdown() {
                 mock(QueryResourceHandler.class));
 
         //then
-        assertThat(promise)
+        AssertJPromiseAssert.assertThat(promise)
                 .failedWithException()
                 .isInstanceOf(ServiceUnavailableException.class)
                 .hasMessage("AuditService not running");
@@ -654,7 +655,7 @@ public void shouldNotDelegateCreateRequestToADisabledHandler() throws Exception
 
         //then
         assertThat(auditService.isAuditing(topic)).isFalse();
-        assertThat(promise)
+        AssertJPromiseAssert.assertThat(promise)
                 .succeeded()
                 .withObject()
                 .isInstanceOf(ResourceResponse.class);
@@ -689,7 +690,7 @@ public void shouldDelegateFilteredCreateRequestToRegisteredHandler() throws Exce
 
         //then
         assertThat(auditService.isAuditing(topic)).isTrue();
-        assertThat(promise)
+        AssertJPromiseAssert.assertThat(promise)
                 .succeeded()
                 .withObject()
                 .isInstanceOf(ResourceResponse.class);
@@ -721,7 +722,7 @@ public void shouldNotDelegateReadRequestToConfiguredHandlerForQueriesWhenNoResou
                 auditService.handleRead(new RootContext(), readRequest);
 
         //then
-        assertThat(promise).failedWithException().isInstanceOf(BadRequestException.class);
+        AssertJPromiseAssert.assertThat(promise).failedWithException().isInstanceOf(BadRequestException.class);
         verifyZeroInteractions(otherAuditEventHandler);
     }
 
@@ -747,7 +748,7 @@ public void shouldNotDelegateReadRequestToConfiguredHandlerForQueriesWhenInvalid
                 auditService.handleRead(new RootContext(), readRequest);
 
         //then
-        assertThat(promise).failedWithException().isInstanceOf(BadRequestException.class);
+        AssertJPromiseAssert.assertThat(promise).failedWithException().isInstanceOf(BadRequestException.class);
         verifyZeroInteractions(otherAuditEventHandler);
     }
 

commons/audit/handler-csv/src/test/java/org/forgerock/audit/handlers/csv/CsvAuditEventHandlerTest.java

@@ -12,6 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2015-2016 ForgeRock AS.
+ * Portions copyright 2020-2026 3A Systems LLC.
  */
 
 package org.forgerock.audit.handlers.csv;
@@ -22,7 +23,6 @@
 import static org.forgerock.audit.AuditServiceProxy.*;
 import static org.forgerock.audit.handlers.csv.CsvAuditEventHandler.*;
 import static org.forgerock.json.JsonValue.*;
-import static org.forgerock.util.test.assertj.AssertJPromiseAssert.assertThat;
 import static org.mockito.Mockito.*;
 
 import java.io.File;
@@ -61,6 +61,7 @@
 import org.forgerock.services.context.RootContext;
 import org.forgerock.util.promise.Promise;
 import org.forgerock.util.promise.ResultHandler;
+import org.forgerock.util.test.assertj.AssertJPromiseAssert;
 import org.mockito.ArgumentCaptor;
 import org.testng.annotations.DataProvider;
 import org.testng.annotations.Test;
@@ -154,7 +155,7 @@ public void testCreatingAuditLogEntry() throws Exception {
                 csvHandler.publishEvent(context, "access", createRequest.getContent());
 
         //then
-        assertThat(promise)
+        AssertJPromiseAssert.assertThat(promise)
                 .succeeded()
                 .withObject()
                 .isInstanceOf(ResourceResponse.class);
@@ -182,7 +183,7 @@ public void testReadingAuditLogEntry() throws Exception {
                 csvHandler.readEvent(context, "access", readRequest.getResourcePathObject().tail(1).toString());
 
         //then
-        assertThat(promise)
+        AssertJPromiseAssert.assertThat(promise)
                 .succeeded()
                 .withObject()
                 .isInstanceOf(ResourceResponse.class);
@@ -230,7 +231,7 @@ public void testQueryOnAuditLogEntry() throws Exception {
                 csvHandler.queryEvents(context, "access", queryRequest, queryResourceHandler);
 
         //then
-        assertThat(promise).succeeded();
+        AssertJPromiseAssert.assertThat(promise).succeeded();
         verify(queryResourceHandler).handleResource(resourceCaptor.capture());
 
         final ResourceResponse resource = resourceCaptor.getValue();
@@ -268,7 +269,7 @@ private ResourceResponse createAccessEvent(AuditEventHandler auditEventHandler)
         final Promise<ResourceResponse, ResourceException> promise =
                 auditEventHandler.publishEvent(context, "access", createRequest.getContent());
 
-        assertThat(promise)
+        AssertJPromiseAssert.assertThat(promise)
                 .succeeded()
                 .isInstanceOf(ResourceResponse.class);
 

commons/audit/handler-elasticsearch/src/test/java/org/forgerock/audit/handlers/elasticsearch/ElasticsearchAuditEventHandlerTest.java

@@ -12,6 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2016 ForgeRock AS.
+ * Portions copyright 2020-2026 3A Systems LLC.
  */
 package org.forgerock.audit.handlers.elasticsearch;
 
@@ -22,7 +23,6 @@
 import static org.forgerock.json.JsonValue.json;
 import static org.forgerock.json.JsonValue.object;
 import static org.forgerock.util.promise.Promises.newResultPromise;
-import static org.forgerock.util.test.assertj.AssertJPromiseAssert.assertThat;
 import static org.mockito.Matchers.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
@@ -64,6 +64,7 @@
 import org.forgerock.util.promise.NeverThrowsException;
 import org.forgerock.util.promise.Promise;
 import org.forgerock.util.query.QueryFilter;
+import org.forgerock.util.test.assertj.AssertJPromiseAssert;
 import org.mockito.invocation.InvocationOnMock;
 import org.mockito.stubbing.Answer;
 import org.testng.annotations.BeforeTest;
@@ -170,7 +171,7 @@ public void testFailedQuery() throws Exception {
                 handler.queryEvents(mock(Context.class), "access", queryRequest, queryResourceHandler);
 
         // then
-        assertThat(result).failedWithException().isInstanceOf(InternalServerErrorException.class);
+        AssertJPromiseAssert.assertThat(result).failedWithException().isInstanceOf(InternalServerErrorException.class);
     }
 
     @Test
@@ -213,7 +214,7 @@ public void testFailedRead() throws Exception {
                 handler.readEvent(context, "authentication", "fake-id-that-does-not-exist");
 
         // then
-        assertThat(responsePromise).failedWithException().isInstanceOf(NotFoundException.class);
+        AssertJPromiseAssert.assertThat(responsePromise).failedWithException().isInstanceOf(NotFoundException.class);
     }
 
     @Test

commons/audit/handler-jms/src/test/java/org/forgerock/audit/handlers/jms/JmsAuditEventHandlerTest.java

@@ -12,7 +12,7 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2016 ForgeRock AS.
- * Portions copyright 2024 3A Systems LLC.
+ * Portions copyright 2020-2026 3A Systems LLC.
  */
 
 package org.forgerock.audit.handlers.jms;
@@ -22,7 +22,6 @@
 import static org.forgerock.audit.json.AuditJsonConfig.parseAuditEventHandlerConfiguration;
 import static org.forgerock.json.JsonValue.*;
 import static org.forgerock.json.test.assertj.AssertJJsonValueAssert.assertThat;
-import static org.forgerock.util.test.assertj.AssertJPromiseAssert.assertThat;
 import static org.mockito.Matchers.any;
 import static org.mockito.Matchers.anyInt;
 import static org.mockito.Mockito.anyBoolean;
@@ -59,6 +58,7 @@
 import org.forgerock.json.resource.ResourceException;
 import org.forgerock.json.resource.ResourceResponse;
 import org.forgerock.util.promise.Promise;
+import org.forgerock.util.test.assertj.AssertJPromiseAssert;
 import org.mockito.ArgumentCaptor;
 import org.mockito.invocation.InvocationOnMock;
 import org.mockito.stubbing.Answer;
@@ -299,7 +299,7 @@ public void testJmsAuditEventHandlerPublishWithFailedRetry() throws Exception {
                 jmsAuditEventHandler.publishEvent(null, "TEST_AUDIT", json(object(field("name", "TestEvent"))));
 
         // then
-        assertThat(promise).failedWithException().isInstanceOf(InternalServerErrorException.class);
+        AssertJPromiseAssert.assertThat(promise).failedWithException().isInstanceOf(InternalServerErrorException.class);
 
     }
 
@@ -323,7 +323,7 @@ public void testQueryNotSupported() throws Exception {
         Promise<QueryResponse, ResourceException> response =
                 jmsAuditEventHandler.queryEvents(null, "TEST_AUDIT", Requests.newQueryRequest(""), null);
 
-        assertThat(response).failedWithException().isInstanceOf(NotSupportedException.class);
+        AssertJPromiseAssert.assertThat(response).failedWithException().isInstanceOf(NotSupportedException.class);
     }
 
     @Test
@@ -348,7 +348,7 @@ public void testReadNotSupported() throws Exception {
 
 
         // then
-        assertThat(response).failedWithException().isInstanceOf(NotSupportedException.class);
+        AssertJPromiseAssert.assertThat(response).failedWithException().isInstanceOf(NotSupportedException.class);
     }
 
     private JmsAuditEventHandlerConfiguration getDefaultConfiguration() throws Exception {

commons/auth-filters/authn-filter/jaspi-functional-tests/src/test/java/org/forgerock/caf/authn/ModuleAuditingIT.java

@@ -12,12 +12,12 @@
  * information: "Portions copyright [year] [name of copyright owner]".
  *
  * Copyright 2014-2016 ForgeRock AS.
+ * Portions copyright 2020-2026 3A Systems LLC.
  */
 
 package org.forgerock.caf.authn;
 
 import static org.assertj.core.api.Assertions.assertThat;
-import static org.forgerock.util.test.assertj.AssertJPromiseAssert.assertThat;
 import static org.assertj.core.data.MapEntry.entry;
 import static org.forgerock.caf.authn.AuthModuleParameters.moduleArray;
 import static org.forgerock.caf.authn.AuthModuleParameters.moduleParams;
@@ -42,6 +42,7 @@
 import org.forgerock.services.context.RootContext;
 import org.forgerock.util.promise.NeverThrowsException;
 import org.forgerock.util.promise.Promise;
+import org.forgerock.util.test.assertj.AssertJPromiseAssert;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.testng.annotations.DataProvider;
@@ -163,7 +164,7 @@ public void auditing(String dataName, AuthModuleParameters sessionModuleParams,
 
         Promise<Response, NeverThrowsException> result = handler.handle(new AttributesContext(new RootContext()),
                 request);
-        assertThat(result).succeeded();
+        AssertJPromiseAssert.assertThat(result).succeeded();
         assertThat(result.get().getStatus().getCode()).isEqualTo(expectedResponseStatus);
 
         JsonValue auditRecords = getAuditRecords(handler);