Add versions to dependency management for CVEs
* com.nimbusds:nimbus-jose-jwt:9.31
* net.minidev:json-smart:2.4.11
* org.xerial.snappy:snappy-java:1.1.10.4
* org.yaml:snakeyaml:1.33

Fixes spring-cloud#5488
onobc committed Oct 3, 2023
1 parent fd1008f commit cdff301
Showing 7 changed files with 91 additions and 49 deletions.
2 changes: 1 addition & 1 deletion spring-cloud-dataflow-build/pom.xml
Expand Up @@ -21,7 +21,7 @@
<main.basedir>${basedir}</main.basedir>
<docs.main>${project.artifactId}</docs.main>
<!-- Keep spring boot version in sync between spring-cloud-dataflow-build and spring-boot-dependencies (parent and properties) -->
<spring-boot.version>2.7.15</spring-boot.version>
<spring-boot.version>2.7.16</spring-boot.version>
<docs.resources.dir>${project.build.directory}/build-docs</docs.resources.dir>
<refdocs.build.directory>${project.build.directory}/refdocs/</refdocs.build.directory>
<spring-asciidoctor-extensions.version>0.1.3.RELEASE</spring-asciidoctor-extensions.version>
Expand Up @@ -14,34 +14,74 @@
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
<!-- Keep spring boot version in sync between spring-cloud-dataflow-build and spring-boot-dependencies (parent and properties) -->
<version>2.7.15</version>
<version>2.7.16</version>
<relativePath/>
</parent>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<!-- Keep spring boot version in sync between spring-cloud-dataflow-build and spring-boot-dependencies (parent and properties) -->
<spring-boot.version>2.7.15</spring-boot.version>
<spring-boot.version>2.7.16</spring-boot.version>
<spring-cloud.version>2021.0.8</spring-cloud.version>
<spring-shell.version>2.1.12</spring-shell.version>
<junit.version>4.13.1</junit.version>
<commons-io.version>2.7</commons-io.version>
<commons-text.version>1.10.0</commons-text.version>
<testcontainers.version>1.17.6</testcontainers.version>
<!-- Specific version overrides to deal w/ CVEs -->
<snakeyaml.version>1.33</snakeyaml.version>
<json-smart.version>2.4.11</json-smart.version>
<nimbus-jose-jwt.version>9.31</nimbus-jose-jwt.version>
<snappy-java.version>1.1.10.4</snappy-java.version>
<commons-compress.version>1.24.0</commons-compress.version>
<postgresql.version>42.4.3</postgresql.version>
<prometheus-rsocket.version>1.5.2</prometheus-rsocket.version>
<java-cfenv.version>2.3.0</java-cfenv.version>
<spring-cloud-services-starter-config-client.version>3.5.4</spring-cloud-services-starter-config-client.version>
<kubernetes-fabric8-client.version>5.12.4</kubernetes-fabric8-client.version>
<junit.version>4.13.1</junit.version>
<junit-jupiter.version>5.9.2</junit-jupiter.version>
</properties>
<dependencyManagement>
<dependencies>

<dependency>
<groupId>org.junit</groupId>
<artifactId>junit-bom</artifactId>
<version>${junit-jupiter.version}</version>
<groupId>net.minidev</groupId>
<artifactId>json-smart</artifactId>
<version>${json-smart.version}</version>
</dependency>
<dependency>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
<version>${nimbus-jose-jwt.version}</version>
</dependency>
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>${snakeyaml.version}</version>
</dependency>
<dependency>
<groupId>org.xerial.snappy</groupId>
<artifactId>snappy-java</artifactId>
<version>${snappy-java.version}</version>
</dependency>
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>${commons-compress.version}</version>
</dependency>
<dependency>
<groupId>org.testcontainers</groupId>
<artifactId>testcontainers-bom</artifactId>
<version>${testcontainers.version}</version>
<exclusions>
<exclusion>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
</exclusion>
</exclusions>
<type>pom</type>
<scope>import</scope>
</dependency>

<dependency>
<groupId>io.fabric8</groupId>
<artifactId>kubernetes-client-bom</artifactId>
Expand Down Expand Up @@ -70,11 +110,6 @@
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>${junit.version}</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
<artifactId>commons-io</artifactId>
Expand Down Expand Up @@ -130,6 +165,18 @@
<artifactId>spring-cloud-services-starter-config-client</artifactId>
<version>${spring-cloud-services-starter-config-client.version}</version>
</dependency>
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>${junit.version}</version>
</dependency>
<dependency>
<groupId>org.junit</groupId>
<artifactId>junit-bom</artifactId>
<version>${junit-jupiter.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<profiles>
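Review bot: The `<exclusions>` block on the new `testcontainers-bom` entry (the `<type>pom</type><scope>import</scope>` dependency) is, as far as Maven 3 is concerned, dead configuration: exclusions on an import-scoped BOM are not applied when its dependencyManagement is merged, so they do not keep the BOM from contributing a commons-compress version. What actually pins commons-compress is the explicit `commons-compress` entry declared a few lines above it with `${commons-compress.version}`, since managed dependencies declared directly in this POM take precedence over imported ones. Unless this build already runs on Maven 4, where such exclusions are honored, the block should be dropped or replaced with a comment stating the intent, e.g. `<!-- commons-compress is pinned directly above; the BOM's entry is overridden -->`, so nobody later relies on it. The `<dependencies>` element continues beyond the hunk.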
5 changes: 0 additions & 5 deletions spring-cloud-dataflow-dependencies/pom.xml
Expand Up @@ -91,11 +91,6 @@
<artifactId>spring-cloud-starter-dataflow-server</artifactId>
<version>${project.version}</version>
</dependency>
<!-- <dependency>-->
<!-- <groupId>org.springframework.cloud</groupId>-->
<!-- <artifactId>spring-cloud-starter-dataflow-ui</artifactId>-->
<!-- <version>${project.version}</version>-->
<!-- </dependency>-->
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-starter-dataflow-server</artifactId>
47 changes: 32 additions & 15 deletions spring-cloud-dataflow-parent/pom.xml
Expand Up @@ -14,8 +14,8 @@
<java.version>1.8</java.version>
<javadoc.opts>-Xdoclint:none</javadoc.opts>
<maven-resources-plugin.version>3.3.1</maven-resources-plugin.version>
<spring-boot.version>2.7.15</spring-boot.version>
<spring.version>5.3.29</spring.version>
<spring-boot.version>2.7.16</spring-boot.version>
<spring.version>5.3.30</spring.version>
<spring-cloud-dataflow-ui.version>3.4.1-SNAPSHOT</spring-cloud-dataflow-ui.version>
<dataflow.version>${project.version}</dataflow.version>
<spring-cloud-dataflow-common.version>${project.version}</spring-cloud-dataflow-common.version>
Expand All @@ -29,21 +29,26 @@
<apache-directory-server.version>1.5.5</apache-directory-server.version>
<codearte-props2yml.version>0.5</codearte-props2yml.version>
<jettison.version>1.5.4</jettison.version>
<!-- Specific version overrides to deal w/ CVEs -->
<snakeyaml.version>1.33</snakeyaml.version>
<json-smart.version>2.4.11</json-smart.version>
<nimbus-jose-jwt.version>9.31</nimbus-jose-jwt.version>
<snappy-java.version>1.1.10.4</snappy-java.version>
<commons-compress.version>1.24.0</commons-compress.version>

<json-unit.version>2.11.1</json-unit.version>
<findbugs.version>3.0.2</findbugs.version>
<joda-time.version>2.10.6</joda-time.version>
<aws-java-sdk-ecr.version>1.12.513</aws-java-sdk-ecr.version>
<testcontainers.version>1.17.6</testcontainers.version>
<commons-compress.version>1.24.0</commons-compress.version>
<!-- only used for dataflow managed stream applications, e.g., tasklauncher -->
<stream-applications.version>4.0.0-SNAPSHOT</stream-applications.version>
<wavefront-spring-boot-bom.version>2.3.4</wavefront-spring-boot-bom.version>
<spring-cloud-dataflow-apps-docs-plugin.version>1.0.7</spring-cloud-dataflow-apps-docs-plugin.version>
<spring-cloud-dataflow-apps-metadata-plugin.version>1.0.7</spring-cloud-dataflow-apps-metadata-plugin.version>
<springdoc-openapi-ui.version>1.6.6</springdoc-openapi-ui.version>
<!-- update to ensure it is same as spring-boot-dependencies property, which doesn't seem to be imported -->
<spring-security.version>5.7.10</spring-security.version>
<spring-security.version>5.7.11</spring-security.version>
<jackson-bom.version>2.13.5</jackson-bom.version>
<guava.version>32.1.1-jre</guava.version>
</properties>
Expand All @@ -54,20 +59,37 @@
<artifactId>guava</artifactId>
<version>${guava.version}</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.dataformat</groupId>
<artifactId>jackson-dataformat-cbor</artifactId>
<version>${jackson-bom.version}</version>
</dependency>
<dependency>
<groupId>com.h2database</groupId>
<artifactId>h2</artifactId>
<version>2.2.222</version>
</dependency>
<dependency>
<groupId>net.minidev</groupId>
<artifactId>json-smart</artifactId>
<version>${json-smart.version}</version>
</dependency>
<dependency>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
<version>9.31</version>
<version>${nimbus-jose-jwt.version}</version>
</dependency>
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>${snakeyaml.version}</version>
</dependency>
<dependency>
<groupId>org.xerial.snappy</groupId>
<artifactId>snappy-java</artifactId>
<version>${snappy-java.version}</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson</groupId>
<artifactId>jackson-bom</artifactId>
<version>${jackson-bom.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>com.squareup.okhttp3</groupId>
Expand All @@ -79,11 +101,6 @@
<artifactId>okio</artifactId>
<version>3.4.0</version>
</dependency>
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>${snakeyaml.version}</version>
</dependency>
<dependency>
<groupId>org.codehaus.jettison</groupId>
<artifactId>jettison</artifactId>
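Review bot: The five properties added under `<!-- Specific version overrides to deal w/ CVEs -->` duplicate, value for value, the identical block this commit adds to the other POM (the file section shown without a path, just below its `spring-boot-dependencies` parent), with nothing in either file pointing at the other, so the next CVE-driven bump is likely to land in one and not the other. The build POM already marks this kind of coupling with a `Keep spring boot version in sync ...` comment, and the same convention fits here: `<!-- Keep these CVE overrides in sync with [OTHER_POM_PATH]/pom.xml -->` placed above the block in both files. In the same spirit, the literal `2.2.222` on h2 and `3.4.0` on okio sit inside the managed block next to the new property-based pins; moving them to properties would keep every security-motivated pin in one place per file. Both the `<properties>` and the `<dependencies>` elements extend beyond their hunks.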
1 change: 0 additions & 1 deletion spring-cloud-dataflow-shell-core/pom.xml
Expand Up @@ -54,7 +54,6 @@
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>1.33</version>
</dependency>
<dependency>
<groupId>io.codearte.props2yaml</groupId>
15 changes: 0 additions & 15 deletions spring-cloud-skipper/spring-cloud-skipper-server/pom.xml
Expand Up @@ -18,21 +18,6 @@
</properties>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-core</artifactId>
<version>2.13.5</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>2.13.5</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.dataformat</groupId>
<artifactId>jackson-dataformat-yaml</artifactId>
<version>2.13.5</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk18on</artifactId>
Expand Up @@ -49,7 +49,6 @@
<dependency>
<groupId>org.yaml</groupId>
<artifactId>snakeyaml</artifactId>
<version>1.33</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
