Remove SNAPSHOT dependencies (!279) · Merge requests · Open Subsurface Data Universe Software / Platform / Data Flow / Data Ingestion / csv-parser / csv-parser

Merged David Diederich requested to merge remove-snapshot-dependencies into master Aug 17, 2022

This automated MR removes usage of SNAPSHOT versions in the first party library dependencies. Since SNAPSHOT dependencies change frequently -- by their nature -- usage of them across projects is dangerous and should be avoided.

Dependency Information Before the Upgrade

Branch: master
SHA:    0d700d64bcce2f23f18695c879c9f758046781d4
Maven:  0.17.0-SNAPSHOT

Maven Dependencies	Root	testing/
core-lib-azure	0.15.0-rc4	0.15.0-rc4
core-lib-gcp	0.16.0-rc1
os-core-lib-aws	0.14.0-rc2	0.14.0-rc2
obm	0.15.0
oqm	0.15.0
os-core-common	0.13.0, 0.15.0-rc4	0.13.0, 0.15.0-rc4
os-core-lib-ibm	0.15.2
osm	0.15.0
(3rd Party) com.fasterxml.jackson.core.jackson-databind	2.13.2.1, 2.10.5, 2.13.2.2	2.13.2.2, 2.10.2
(3rd Party) org.apache.logging.log4j.log4j-api	2.17.1	2.12.1
(3rd Party) org.apache.logging.log4j.log4j-core	2.17.1	2.12.1
(3rd Party) org.apache.logging.log4j.log4j-jul	2.17.1	2.12.1
(3rd Party) org.apache.logging.log4j.log4j-slf4j-impl	2.17.1	2.12.1
(3rd Party) org.apache.logging.log4j.log4j-to-slf4j	2.17.1	2.12.1
(3rd Party) org.springframework.spring-webmvc	5.2.8.RELEASE	5.2.8.RELEASE

Warning: Found Vulnerable Spring MVC dependency (<5.2.20 || >=5.3.0 <5.3.18)
├─ _Root_
│  ├─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│  │  └─ org.springframework.boot.spring-boot-starter-web == 2.2.11.RELEASE
│  │     └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
│  ├─ org.opengroup.osdu.csv-parser-azure == 0.17.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.2.11.RELEASE
│  │        └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
│  ├─ org.opengroup.osdu.csv-parser-gcp == 0.17.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.2.11.RELEASE
│  │        └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
│  ├─ org.opengroup.osdu.csv-parser-ibm == 0.17.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.2.11.RELEASE
│  │        └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
│  └─ org.opengroup.osdu.csv-parser-aws == 0.17.0-SNAPSHOT
│     └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│        └─ org.springframework.boot.spring-boot-starter-web == 2.2.11.RELEASE
│           └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
└─ testing/
├─ org.opengroup.osdu.csv-parser-core-test == 0.17.0-SNAPSHOT
│  └─ org.springframework.boot.spring-boot-starter-web == 2.2.5.RELEASE
│     └─ org.springframework.boot.spring-boot-starter == 2.2.5.RELEASE
│        └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
├─ org.opengroup.osdu.csv-parser-azure-test == 0.17.0-SNAPSHOT
│  └─ org.opengroup.osdu.csv-parser-azure == 0.17.0-SNAPSHOT
│     └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│        └─ org.springframework.boot.spring-boot-starter-web == 2.2.5.RELEASE
│           └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
└─ org.opengroup.osdu.csv-parser-aws-test == 0.17.0-SNAPSHOT
└─ org.opengroup.osdu.os-core-common == 0.13.0
└─ org.springframework.boot.spring-boot-starter-web == 2.2.5.RELEASE
└─ org.springframework.spring-webmvc == 5.2.8.RELEASE

Critical: Found Vulnerable Jackson Databind dependency (<2.12.6.1 || >=2.13.0 <2.13.2.1)
├─ _Root_
│  ├─ org.opengroup.osdu.csv-parser-gcp == 0.17.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│  │     └─ com.fasterxml.jackson.core.jackson-databind == 2.10.5
│  └─ org.opengroup.osdu.csv-parser-ibm == 0.17.0-SNAPSHOT
│     └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│        └─ com.fasterxml.jackson.core.jackson-databind == 2.10.5
└─ testing/
└─ org.opengroup.osdu.csv-parser-azure-test == 0.17.0-SNAPSHOT
└─ org.opengroup.osdu.csv-parser-azure == 0.17.0-SNAPSHOT
└─ com.fasterxml.jackson.core.jackson-databind == 2.10.2

Dependency Information After the Upgrade

Branch: remove-snapshot-dependencies
SHA:    604720de9f52d089463dc24318d0f6ecccb7d2d9
Maven:  0.17.0-SNAPSHOT

Maven Dependencies	Root	testing/
core-lib-azure	0.15.0-rc4	0.15.0-rc4
core-lib-gcp	0.16.0-rc1	0.16.0, 0.16.0-rc1
os-core-lib-aws	0.14.0-rc2	0.14.0-rc2
obm	0.15.0	0.16.0, 0.15.0
oqm	0.15.0	0.16.0, 0.15.0
os-core-common	0.13.0, 0.15.0-rc4	0.13.0, 0.15.0-rc4, 0.16.1
os-core-lib-ibm	0.15.2	0.13.0
osm	0.15.0	0.16.0, 0.15.0
(3rd Party) com.fasterxml.jackson.core.jackson-databind	2.13.2.1, 2.10.5, 2.13.2.2	2.13.2.2, 2.10.2
(3rd Party) org.apache.logging.log4j.log4j-api	2.17.1	2.12.1
(3rd Party) org.apache.logging.log4j.log4j-core	2.17.1	2.12.1
(3rd Party) org.apache.logging.log4j.log4j-jul	2.17.1	2.12.1
(3rd Party) org.apache.logging.log4j.log4j-slf4j-impl	2.17.1	2.12.1
(3rd Party) org.apache.logging.log4j.log4j-to-slf4j	2.17.1	2.12.1
(3rd Party) org.springframework.spring-webmvc	5.2.8.RELEASE	5.2.8.RELEASE

Warning: Found Vulnerable Spring MVC dependency (<5.2.20 || >=5.3.0 <5.3.18)
├─ _Root_
│  ├─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│  │  └─ org.springframework.boot.spring-boot-starter-web == 2.2.11.RELEASE
│  │     └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
│  ├─ org.opengroup.osdu.csv-parser-azure == 0.17.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.2.11.RELEASE
│  │        └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
│  ├─ org.opengroup.osdu.csv-parser-gcp == 0.17.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.2.11.RELEASE
│  │        └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
│  ├─ org.opengroup.osdu.csv-parser-ibm == 0.17.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.2.11.RELEASE
│  │        └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
│  └─ org.opengroup.osdu.csv-parser-aws == 0.17.0-SNAPSHOT
│     └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│        └─ org.springframework.boot.spring-boot-starter-web == 2.2.11.RELEASE
│           └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
└─ testing/
├─ org.opengroup.osdu.csv-parser-core-test == 0.17.0-SNAPSHOT
│  └─ org.springframework.boot.spring-boot-starter-web == 2.2.5.RELEASE
│     └─ org.springframework.boot.spring-boot-starter == 2.2.5.RELEASE
│        └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
├─ org.opengroup.osdu.csv-parser-azure-test == 0.17.0-SNAPSHOT
│  └─ org.opengroup.osdu.csv-parser-azure == 0.17.0-SNAPSHOT
│     └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│        └─ org.springframework.boot.spring-boot-starter-web == 2.2.5.RELEASE
│           └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
├─ org.opengroup.osdu.csv-parser-aws-test == 0.17.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-common == 0.13.0
│     └─ org.springframework.boot.spring-boot-starter-web == 2.2.5.RELEASE
│        └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
├─ org.opengroup.osdu.csv-parser-gcp-test == 0.17.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-common == 0.16.1
│     └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
├─ org.opengroup.osdu.csv-parser-ibm-test == 0.17.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-lib-ibm == 0.13.0
│     └─ org.opengroup.osdu.os-core-common == 0.13.0
│        └─ org.springframework.boot.spring-boot-starter-web == 2.2.5.RELEASE
│           └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
└─ org.opengroup.osdu.csv-parser-anthos-test == 0.17.0-SNAPSHOT
└─ org.opengroup.osdu.os-core-common == 0.16.1
└─ org.springframework.spring-webmvc == 5.2.8.RELEASE

Critical: Found Vulnerable Jackson Databind dependency (<2.12.6.1 || >=2.13.0 <2.13.2.1)
├─ _Root_
│  ├─ org.opengroup.osdu.csv-parser-gcp == 0.17.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│  │     └─ com.fasterxml.jackson.core.jackson-databind == 2.10.5
│  └─ org.opengroup.osdu.csv-parser-ibm == 0.17.0-SNAPSHOT
│     └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│        └─ com.fasterxml.jackson.core.jackson-databind == 2.10.5
└─ testing/
├─ org.opengroup.osdu.csv-parser-azure-test == 0.17.0-SNAPSHOT
│  └─ org.opengroup.osdu.csv-parser-azure == 0.17.0-SNAPSHOT
│     └─ com.fasterxml.jackson.core.jackson-databind == 2.10.2
├─ org.opengroup.osdu.csv-parser-gcp-test == 0.17.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-common == 0.16.1
│     └─ com.fasterxml.jackson.core.jackson-databind == 2.10.2
├─ org.opengroup.osdu.csv-parser-ibm-test == 0.17.0-SNAPSHOT
│  └─ com.amazonaws.aws-java-sdk-core == 1.11.1018
│     └─ com.fasterxml.jackson.core.jackson-databind == 2.10.2
└─ org.opengroup.osdu.csv-parser-anthos-test == 0.17.0-SNAPSHOT
└─ org.opengroup.osdu.os-core-common == 0.16.1
└─ com.fasterxml.jackson.core.jackson-databind == 2.10.2