Skip to content

Remove SNAPSHOT dependencies

David Diederich requested to merge remove-snapshot-dependencies into master

This automated MR removes usage of SNAPSHOT versions in the first party library dependencies. Since SNAPSHOT dependencies change frequently -- by their nature -- usage of them across projects is dangerous and should be avoided.

Dependency Information Before the Upgrade

Branch: master
SHA:    0d700d64bcce2f23f18695c879c9f758046781d4
Maven:  0.17.0-SNAPSHOT
Maven Dependencies Root testing/
core-lib-azure 0.15.0-rc4 0.15.0-rc4
core-lib-gcp 0.16.0-rc1
os-core-lib-aws 0.14.0-rc2 0.14.0-rc2
obm 0.15.0
oqm 0.15.0
os-core-common 0.13.0, 0.15.0-rc4 0.13.0, 0.15.0-rc4
os-core-lib-ibm 0.15.2
osm 0.15.0
(3rd Party) com.fasterxml.jackson.core.jackson-databind 2.13.2.1, 2.10.5, 2.13.2.2 2.13.2.2, 2.10.2
(3rd Party) org.apache.logging.log4j.log4j-api 2.17.1 2.12.1
(3rd Party) org.apache.logging.log4j.log4j-core 2.17.1 2.12.1
(3rd Party) org.apache.logging.log4j.log4j-jul 2.17.1 2.12.1
(3rd Party) org.apache.logging.log4j.log4j-slf4j-impl 2.17.1 2.12.1
(3rd Party) org.apache.logging.log4j.log4j-to-slf4j 2.17.1 2.12.1
(3rd Party) org.springframework.spring-webmvc 5.2.8.RELEASE 5.2.8.RELEASE
Warning: Found Vulnerable Spring MVC dependency (<5.2.20 || >=5.3.0 <5.3.18)
├─ _Root_
│  ├─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│  │  └─ org.springframework.boot.spring-boot-starter-web == 2.2.11.RELEASE
│  │     └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
│  ├─ org.opengroup.osdu.csv-parser-azure == 0.17.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.2.11.RELEASE
│  │        └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
│  ├─ org.opengroup.osdu.csv-parser-gcp == 0.17.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.2.11.RELEASE
│  │        └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
│  ├─ org.opengroup.osdu.csv-parser-ibm == 0.17.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.2.11.RELEASE
│  │        └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
│  └─ org.opengroup.osdu.csv-parser-aws == 0.17.0-SNAPSHOT
│     └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│        └─ org.springframework.boot.spring-boot-starter-web == 2.2.11.RELEASE
│           └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
└─ testing/
├─ org.opengroup.osdu.csv-parser-core-test == 0.17.0-SNAPSHOT
│  └─ org.springframework.boot.spring-boot-starter-web == 2.2.5.RELEASE
│     └─ org.springframework.boot.spring-boot-starter == 2.2.5.RELEASE
│        └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
├─ org.opengroup.osdu.csv-parser-azure-test == 0.17.0-SNAPSHOT
│  └─ org.opengroup.osdu.csv-parser-azure == 0.17.0-SNAPSHOT
│     └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│        └─ org.springframework.boot.spring-boot-starter-web == 2.2.5.RELEASE
│           └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
└─ org.opengroup.osdu.csv-parser-aws-test == 0.17.0-SNAPSHOT
└─ org.opengroup.osdu.os-core-common == 0.13.0
└─ org.springframework.boot.spring-boot-starter-web == 2.2.5.RELEASE
└─ org.springframework.spring-webmvc == 5.2.8.RELEASE
Critical: Found Vulnerable Jackson Databind dependency (<2.12.6.1 || >=2.13.0 <2.13.2.1)
├─ _Root_
│  ├─ org.opengroup.osdu.csv-parser-gcp == 0.17.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│  │     └─ com.fasterxml.jackson.core.jackson-databind == 2.10.5
│  └─ org.opengroup.osdu.csv-parser-ibm == 0.17.0-SNAPSHOT
│     └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│        └─ com.fasterxml.jackson.core.jackson-databind == 2.10.5
└─ testing/
└─ org.opengroup.osdu.csv-parser-azure-test == 0.17.0-SNAPSHOT
└─ org.opengroup.osdu.csv-parser-azure == 0.17.0-SNAPSHOT
└─ com.fasterxml.jackson.core.jackson-databind == 2.10.2

Dependency Information After the Upgrade

Branch: remove-snapshot-dependencies
SHA:    604720de9f52d089463dc24318d0f6ecccb7d2d9
Maven:  0.17.0-SNAPSHOT
Maven Dependencies Root testing/
core-lib-azure 0.15.0-rc4 0.15.0-rc4
core-lib-gcp 0.16.0-rc1 0.16.0, 0.16.0-rc1
os-core-lib-aws 0.14.0-rc2 0.14.0-rc2
obm 0.15.0 0.16.0, 0.15.0
oqm 0.15.0 0.16.0, 0.15.0
os-core-common 0.13.0, 0.15.0-rc4 0.13.0, 0.15.0-rc4, 0.16.1
os-core-lib-ibm 0.15.2 0.13.0
osm 0.15.0 0.16.0, 0.15.0
(3rd Party) com.fasterxml.jackson.core.jackson-databind 2.13.2.1, 2.10.5, 2.13.2.2 2.13.2.2, 2.10.2
(3rd Party) org.apache.logging.log4j.log4j-api 2.17.1 2.12.1
(3rd Party) org.apache.logging.log4j.log4j-core 2.17.1 2.12.1
(3rd Party) org.apache.logging.log4j.log4j-jul 2.17.1 2.12.1
(3rd Party) org.apache.logging.log4j.log4j-slf4j-impl 2.17.1 2.12.1
(3rd Party) org.apache.logging.log4j.log4j-to-slf4j 2.17.1 2.12.1
(3rd Party) org.springframework.spring-webmvc 5.2.8.RELEASE 5.2.8.RELEASE
Warning: Found Vulnerable Spring MVC dependency (<5.2.20 || >=5.3.0 <5.3.18)
├─ _Root_
│  ├─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│  │  └─ org.springframework.boot.spring-boot-starter-web == 2.2.11.RELEASE
│  │     └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
│  ├─ org.opengroup.osdu.csv-parser-azure == 0.17.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.2.11.RELEASE
│  │        └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
│  ├─ org.opengroup.osdu.csv-parser-gcp == 0.17.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.2.11.RELEASE
│  │        └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
│  ├─ org.opengroup.osdu.csv-parser-ibm == 0.17.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.2.11.RELEASE
│  │        └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
│  └─ org.opengroup.osdu.csv-parser-aws == 0.17.0-SNAPSHOT
│     └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│        └─ org.springframework.boot.spring-boot-starter-web == 2.2.11.RELEASE
│           └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
└─ testing/
├─ org.opengroup.osdu.csv-parser-core-test == 0.17.0-SNAPSHOT
│  └─ org.springframework.boot.spring-boot-starter-web == 2.2.5.RELEASE
│     └─ org.springframework.boot.spring-boot-starter == 2.2.5.RELEASE
│        └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
├─ org.opengroup.osdu.csv-parser-azure-test == 0.17.0-SNAPSHOT
│  └─ org.opengroup.osdu.csv-parser-azure == 0.17.0-SNAPSHOT
│     └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│        └─ org.springframework.boot.spring-boot-starter-web == 2.2.5.RELEASE
│           └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
├─ org.opengroup.osdu.csv-parser-aws-test == 0.17.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-common == 0.13.0
│     └─ org.springframework.boot.spring-boot-starter-web == 2.2.5.RELEASE
│        └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
├─ org.opengroup.osdu.csv-parser-gcp-test == 0.17.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-common == 0.16.1
│     └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
├─ org.opengroup.osdu.csv-parser-ibm-test == 0.17.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-lib-ibm == 0.13.0
│     └─ org.opengroup.osdu.os-core-common == 0.13.0
│        └─ org.springframework.boot.spring-boot-starter-web == 2.2.5.RELEASE
│           └─ org.springframework.spring-webmvc == 5.2.8.RELEASE
└─ org.opengroup.osdu.csv-parser-anthos-test == 0.17.0-SNAPSHOT
└─ org.opengroup.osdu.os-core-common == 0.16.1
└─ org.springframework.spring-webmvc == 5.2.8.RELEASE
Critical: Found Vulnerable Jackson Databind dependency (<2.12.6.1 || >=2.13.0 <2.13.2.1)
├─ _Root_
│  ├─ org.opengroup.osdu.csv-parser-gcp == 0.17.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│  │     └─ com.fasterxml.jackson.core.jackson-databind == 2.10.5
│  └─ org.opengroup.osdu.csv-parser-ibm == 0.17.0-SNAPSHOT
│     └─ org.opengroup.osdu.csv-parser-core == 0.17.0-SNAPSHOT
│        └─ com.fasterxml.jackson.core.jackson-databind == 2.10.5
└─ testing/
├─ org.opengroup.osdu.csv-parser-azure-test == 0.17.0-SNAPSHOT
│  └─ org.opengroup.osdu.csv-parser-azure == 0.17.0-SNAPSHOT
│     └─ com.fasterxml.jackson.core.jackson-databind == 2.10.2
├─ org.opengroup.osdu.csv-parser-gcp-test == 0.17.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-common == 0.16.1
│     └─ com.fasterxml.jackson.core.jackson-databind == 2.10.2
├─ org.opengroup.osdu.csv-parser-ibm-test == 0.17.0-SNAPSHOT
│  └─ com.amazonaws.aws-java-sdk-core == 1.11.1018
│     └─ com.fasterxml.jackson.core.jackson-databind == 2.10.2
└─ org.opengroup.osdu.csv-parser-anthos-test == 0.17.0-SNAPSHOT
└─ org.opengroup.osdu.os-core-common == 0.16.1
└─ com.fasterxml.jackson.core.jackson-databind == 2.10.2

Merge request reports