From e40fbb11f2d2f9904b20700fec93dd299f46c621 Mon Sep 17 00:00:00 2001
From: Asif Sohail Mohammed
Date: Tue, 26 Sep 2023 19:57:24 +0530
Subject: [PATCH 1/2] CVE fixes CVE-2022-36944, WS-2023-0116, CVE-2021-39194, CVE-2023-3635, CVE-2023-36479, CVE-2023-40167
Signed-off-by: Asif Sohail Mohammed
Signed-off-by: Asif Sohail Mohammed
---
 build.gradle | 36 +++++++++++++++++++++++++++++++++---
 settings.gradle | 4 ++--
 2 files changed, 35 insertions(+), 5 deletions(-)
diff --git a/build.gradle b/build.gradle
index 823673288d..83a6da7961 100644
--- a/build.gradle
+++ b/build.gradle
@@ -141,19 +141,25 @@ subprojects {
 }
 implementation('net.minidev:json-smart') {
 version {
- require '2.4.11'
+ require '2.5.0'
 }
 because 'CVE from transitive dependencies'
 }
 implementation('org.eclipse.jetty:jetty-http') {
 version {
- require '11.0.15'
+ require '11.0.16'
 }
 because 'CVE from transitive dependencies'
 }
 implementation('org.eclipse.jetty:jetty-server') {
 version {
- require '11.0.15'
+ require '11.0.16'
+ }
+ because 'CVE from transitive dependencies'
+ }
+ implementation('org.eclipse.jetty:jetty-servlets') {
+ version {
+ require '11.0.16'
 }
 because 'CVE from transitive dependencies'
 }
@@ -169,6 +175,30 @@ subprojects {
 }
 because 'Fixes CVE-2023-35165, CVE-2023-34455, CVE-2023-34453, CVE-2023-34454, CVE-2023-2976'
 }
+ implementation('com.squareup.okio:okio-jvm') {
+ version {
+ require '3.5.0'
+ }
+ because 'CVE from transitive dependencies'
+ }
+ implementation('com.charleskorn.kaml:kaml') {
+ version {
+ require '0.55.0'
+ }
+ because 'CVE from transitive dependencies'
+ }
+ implementation('org.bitbucket.b_c:jose4j') {
+ version {
+ require '0.9.3'
+ }
+ because 'CVE from transitive dependencies'
+ }
+ implementation('org.scala-lang:scala-library') {
+ version {
+ require '2.13.12'
+ }
+ because 'CVE from transitive dependencies'
+ }
 }
 }
diff --git a/settings.gradle b/settings.gradle
index 059aca1505..c8015e73ab 100644
--- a/settings.gradle
+++ b/settings.gradle
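Review bot: Every new constraint in this hunk carries the same `because 'CVE from transitive dependencies'`, which leaves no record of which advisory each bump closes, while the existing constraint directly above it names its CVEs. Naming them keeps the audit trail and tells a later maintainer when the constraint can be retired — e.g. `because 'Fixes CVE-2023-3635'` on okio-jvm, `because 'Fixes CVE-2021-39194, WS-2023-0116'` on kaml and `because 'Fixes CVE-2022-36944'` on scala-library, if that is the mapping the commit subject intends; jose4j 0.9.3 is not tied to any advisory in the subject at all, so its rationale in particular should be spelled out. One caveat on scala-library: `require '2.13.12'` applies to the coordinate regardless of Scala binary version, so any transitive consumer compiled against 2.12 would be pushed onto a binary-incompatible 2.13 jar; `dependencyInsight --dependency scala-library` is worth running to confirm nothing in the graph is on 2.12.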
@@ -21,7 +21,7 @@ dependencyResolutionManagement {
 library('armeria-core', 'com.linecorp.armeria', 'armeria').versionRef('armeria')
 library('armeria-grpc', 'com.linecorp.armeria', 'armeria-grpc').versionRef('armeria')
 library('armeria-junit', 'com.linecorp.armeria', 'armeria-junit5').versionRef('armeria')
- version('protobuf', '3.21.11')
+ version('protobuf', '3.24.3')
 library('protobuf-core', 'com.google.protobuf', 'protobuf-java').versionRef('protobuf')
 library('protobuf-util', 'com.google.protobuf', 'protobuf-java-util').versionRef('protobuf')
 version('opentelemetry', '0.16.0-alpha')
@@ -37,7 +37,7 @@ dependencyResolutionManagement {
 version('bouncycastle', '1.76')
 library('bouncycastle-bcprov', 'org.bouncycastle', 'bcprov-jdk18on').versionRef('bouncycastle')
 library('bouncycastle-bcpkix', 'org.bouncycastle', 'bcpkix-jdk18on').versionRef('bouncycastle')
- version('guava', '32.0.1-jre')
+ version('guava', '32.1.2-jre')
 library('guava-core', 'com.google.guava', 'guava').versionRef('guava')
 library('commons-lang3', 'org.apache.commons', 'commons-lang3').version('3.13.0')
 library('commons-io', 'commons-io', 'commons-io').version('2.13.0')
From 72d89ded234bb84534897e8dc8541e19ebc46972 Mon Sep 17 00:00:00 2001
From: Asif Sohail Mohammed
Date: Tue, 26 Sep 2023 21:25:30 +0530
Subject: [PATCH 2/2] Fix WS-2023-0236
Signed-off-by: Asif Sohail Mohammed
Signed-off-by: Asif Sohail Mohammed
---
 build.gradle | 19 +------------------
 .../parquet-codecs/build.gradle | 4 ++--
 data-prepper-plugins/s3-sink/build.gradle | 2 +-
 data-prepper-plugins/s3-source/build.gradle | 10 +---------
 settings.gradle | 5 +++++
 5 files changed, 10 insertions(+), 30 deletions(-)
diff --git a/build.gradle b/build.gradle
index 83a6da7961..55048fff11 100644
--- a/build.gradle
+++ b/build.gradle
@@ -89,6 +89,7 @@ subprojects {
 }
 dependencies {
 implementation platform('com.fasterxml.jackson:jackson-bom:2.15.0')
+ implementation platform('org.eclipse.jetty:jetty-bom:11.0.16')
 implementation platform('io.micrometer:micrometer-bom:1.10.5')
 implementation libs.guava.core
 implementation libs.slf4j.api
@@ -145,24 +146,6 @@ subprojects {
 }
 because 'CVE from transitive dependencies'
 }
- implementation('org.eclipse.jetty:jetty-http') {
- version {
- require '11.0.16'
- }
- because 'CVE from transitive dependencies'
- }
- implementation('org.eclipse.jetty:jetty-server') {
- version {
- require '11.0.16'
- }
- because 'CVE from transitive dependencies'
- }
- implementation('org.eclipse.jetty:jetty-servlets') {
- version {
- require '11.0.16'
- }
- because 'CVE from transitive dependencies'
- }
 implementation('org.jetbrains.kotlin:kotlin-stdlib') {
 version {
 require '1.8.21'
diff --git a/data-prepper-plugins/parquet-codecs/build.gradle b/data-prepper-plugins/parquet-codecs/build.gradle
index 8be4217b7c..17b3dac53d 100644
--- a/data-prepper-plugins/parquet-codecs/build.gradle
+++ b/data-prepper-plugins/parquet-codecs/build.gradle
@@ -7,8 +7,8 @@ dependencies {
 implementation project(':data-prepper-api')
 implementation project(':data-prepper-plugins:common')
 implementation 'org.apache.avro:avro:1.11.0'
- implementation 'org.apache.hadoop:hadoop-common:3.3.5'
- implementation('org.apache.hadoop:hadoop-mapreduce-client-core:3.3.5') {
+ implementation libs.hadoop.common
+ implementation(libs.hadoop.mapreduce) {
 exclude group: 'org.apache.hadoop', module: 'hadoop-hdfs-client'
 }
 implementation 'org.apache.parquet:parquet-avro:1.13.1'
diff --git a/data-prepper-plugins/s3-sink/build.gradle b/data-prepper-plugins/s3-sink/build.gradle
index 6870392ee1..831db1254c 100644
--- a/data-prepper-plugins/s3-sink/build.gradle
+++ b/data-prepper-plugins/s3-sink/build.gradle
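Review bot: Aligning every subproject to `org.eclipse.jetty:jetty-bom:11.0.16` will also rewrite the Jetty jars that hadoop-common brings into parquet-codecs and s3-sink (both touched later in this patch): hadoop-common 3.3.x is understood to depend on Jetty 9.4 (javax.servlet API) under the same `org.eclipse.jetty` coordinates, so the BOM constraints will align those to 11.0.16 (jakarta.servlet), which Hadoop's classes were not compiled against. Nothing in the diff shows whether any Hadoop code path that loads Jetty is exercised, so this should be confirmed with `dependencyInsight --dependency jetty-server` in those modules, and if Hadoop's embedded HTTP server is never used, excluding `org.eclipse.jetty` from the hadoop dependencies removes the mismatch entirely rather than leaving a mixed graph. The per-artifact `require '11.0.16'` constraints removed in the next hunk had the same effect, so this is not a regression introduced here, just the right moment to check. The new BOM line also carries no rationale, unlike the s3-source constraint this patch deletes, which named CVE-2023-26048; a short `// Jetty >= 11.0.16: CVE-2023-26048, CVE-2023-36479, CVE-2023-40167` above it would preserve that trail.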
@@ -19,7 +19,7 @@ dependencies {
 implementation 'org.jetbrains.kotlin:kotlin-stdlib:1.8.21'
 implementation project(':data-prepper-plugins:avro-codecs')
 implementation 'org.apache.avro:avro:1.11.1'
- implementation 'org.apache.hadoop:hadoop-common:3.3.6'
+ implementation libs.hadoop.common
 implementation 'org.apache.parquet:parquet-avro:1.13.1'
 implementation 'software.amazon.awssdk:apache-client'
 implementation 'org.jetbrains.kotlin:kotlin-stdlib-common:1.8.21'
diff --git a/data-prepper-plugins/s3-source/build.gradle b/data-prepper-plugins/s3-source/build.gradle
index 09996a83e2..f192e61cf1 100644
--- a/data-prepper-plugins/s3-source/build.gradle
+++ b/data-prepper-plugins/s3-source/build.gradle
@@ -47,19 +47,11 @@ dependencies {
 testImplementation project(':data-prepper-core')
 testImplementation project(':data-prepper-plugins:parquet-codecs')
 testImplementation 'org.apache.avro:avro:1.11.0'
- testImplementation 'org.apache.hadoop:hadoop-common:3.3.5'
+ testImplementation testLibs.hadoop.common
 testImplementation 'org.apache.parquet:parquet-avro:1.13.1'
 testImplementation 'org.apache.parquet:parquet-column:1.13.1'
 testImplementation 'org.apache.parquet:parquet-common:1.13.1'
 testImplementation 'org.apache.parquet:parquet-hadoop:1.13.1'
- constraints {
- testImplementation('org.eclipse.jetty:jetty-bom') {
- version {
- require '11.0.14'
- }
- because 'Fixes CVE-2023-26048'
- }
- }
 }
 test {
diff --git a/settings.gradle b/settings.gradle
index c8015e73ab..4e15bc1257 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -43,6 +43,9 @@ dependencyResolutionManagement {
 library('commons-io', 'commons-io', 'commons-io').version('2.13.0')
 library('commons-codec', 'commons-codec', 'commons-codec').version('1.16.0')
 library('commons-compress', 'org.apache.commons', 'commons-compress').version('1.24.0')
+ version('hadoop', '3.3.6')
+ library('hadoop-common', 'org.apache.hadoop', 'hadoop-common').versionRef('hadoop')
+ library('hadoop-mapreduce', 'org.apache.hadoop', 'hadoop-mapreduce-client-core').versionRef('hadoop')
 }
 testLibs {
 version('junit', '5.8.2')
@@ -51,6 +54,7 @@ dependencyResolutionManagement {
 version('awaitility', '4.2.0')
 version('spring', '5.3.28')
 version('slf4j', '2.0.6')
+ version('hadoop', '3.3.6')
 library('junit-core', 'org.junit.jupiter', 'junit-jupiter').versionRef('junit')
 library('junit-params', 'org.junit.jupiter', 'junit-jupiter-params').versionRef('junit')
 library('junit-engine', 'org.junit.jupiter', 'junit-jupiter-engine').versionRef('junit')
@@ -64,6 +68,7 @@ dependencyResolutionManagement {
 library('awaitility', 'org.awaitility', 'awaitility').versionRef('awaitility')
 library('spring-test', 'org.springframework', 'spring-test').versionRef('spring')
 library('slf4j-simple', 'org.slf4j', 'slf4j-simple').versionRef('slf4j')
+ library('hadoop-common', 'org.apache.hadoop', 'hadoop-common').versionRef('hadoop')
 }
 }
 }
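Review bot: `version('hadoop', '3.3.6')` is now declared twice, once in `libs` and again in `testLibs`, so the next Hadoop bump has to be made in two places or the two catalogs silently diverge — which is exactly the 3.3.5/3.3.6 drift across modules this patch is cleaning up. A `libs` alias can be used in any configuration, so s3-source's `testImplementation testLibs.hadoop.common` could read `testImplementation libs.hadoop.common`, letting the `testLibs` `version('hadoop', ...)` entry here and the `library('hadoop-common', ...)` entry in the following hunk be dropped. If the split is deliberate (keeping test-only artifacts out of `libs`), a one-line comment saying so next to the `testLibs` version would stop a later reviewer from re-merging them.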