Full Upgrade of First Party Library Dependencies (!106) · Merge requests · OSDU Software / OSDU Data Platform / Data Flow / Data Ingestion / External Data Sources / EDS DMS

Chad Leong requested to merge dependency-upgrade into master Oct 12, 2023

This generated MR upgrades the first party libraries (other OSDU libraries) to utilize the latest release. The intent is to keep all dependent libraries up to date. This upgrade can be merged immediately without further approval if the CI pipeline reports success.

If this MR has failed, we need to work with the maintainers and affected provider teams to find a solution.

Dependency Information Before the Upgrade

Branch: master
SHA:    ee7686c2d069e440e643eca5d3532d178aeeb255
Maven:  0.24.0-SNAPSHOT

Maven Dependencies	Root	testing/
core-lib-azure	0.19.0	0.14.0
core-lib-gcp	0.19.0	0.19.0
os-core-lib-aws	0.21.0	0.21.0
obm	0.19.0	0.19.0
oqm	0.19.0	0.19.0
os-core-common	0.19.0	0.14.0, 0.19.0
osm	0.19.0	0.19.0
(3rd Party) com.fasterxml.jackson.core.jackson-databind	2.14.1	2.11.4, 2.14.1, 2.13.2.2
(3rd Party) org.apache.logging.log4j.log4j-api	2.17.2, 2.20.0	2.13.3, 2.17.2
(3rd Party) org.apache.logging.log4j.log4j-core	2.20.0	2.13.3
(3rd Party) org.apache.logging.log4j.log4j-jul	2.20.0	2.13.3
(3rd Party) org.apache.logging.log4j.log4j-to-slf4j	2.17.2	2.13.3, 2.17.2
(3rd Party) org.springframework.spring-webmvc	5.3.27, 5.3.22	5.3.12, 5.3.24, 5.3.22
(3rd Party) org.yaml.snakeyaml	1.30, 2.0	1.27, 1.30

Critical: Found Vulnerable Snake YAML dependency (<2.0)
├─ _Root_
│  ├─ org.projectlombok.lombok == 1.18.8
│  │  └─ org.springdoc.springdoc-openapi-ui == 1.7.0
│  │     └─ org.springdoc.springdoc-openapi-webmvc-core == 1.7.0
│  │        └─ org.springdoc.springdoc-openapi-common == 1.7.0
│  │           └─ io.swagger.core.v3.swagger-core == 2.2.9
│  │              └─ org.yaml.snakeyaml == 1.30
│  └─ org.opengroup.osdu.eds-dms-core == 0.24.0-SNAPSHOT
│     └─ org.springframework.boot.spring-boot-starter-web == 2.7.12
│        └─ org.springframework.boot.spring-boot-starter == 2.7.12
│           └─ org.yaml.snakeyaml == 1.30
└─ testing/
├─ org.opengroup.osdu.edsdms.eds-dms-test-core == 0.24.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-common == 0.14.0
│     └─ org.springframework.boot.spring-boot-starter-web == 2.4.12
│        └─ org.springframework.boot.spring-boot-starter == 2.4.12
│           └─ org.yaml.snakeyaml == 1.27
├─ org.opengroup.osdu.edsdms.eds-dms-test-aws == 0.24.0-SNAPSHOT
│  └─ org.opengroup.osdu.core.aws.os-core-lib-aws == 0.21.0
│     └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
│        └─ org.springframework.boot.spring-boot-starter == 2.7.7
│           └─ org.yaml.snakeyaml == 1.30
├─ org.opengroup.osdu.eds-dms-test-azure == 0.24.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-common == 0.19.0
│     └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
│        └─ org.springframework.boot.spring-boot-starter == 2.7.7
│           └─ org.yaml.snakeyaml == 1.30
├─ org.opengroup.osdu.eds-dms-test-gc == 0.24.0-SNAPSHOT
│  └─ org.opengroup.osdu.core-lib-gcp == 0.19.0
│     └─ org.opengroup.osdu.oqm == 0.19.0
│        └─ org.springframework.boot.spring-boot-starter == 2.7.2
│           └─ org.yaml.snakeyaml == 1.30
└─ org.opengroup.osdu.eds-dms-test-baremetal == 0.24.0-SNAPSHOT
└─ org.opengroup.osdu.core-lib-gcp == 0.19.0
└─ org.opengroup.osdu.oqm == 0.19.0
└─ org.springframework.boot.spring-boot-starter == 2.7.2
└─ org.yaml.snakeyaml == 1.30

Dependency Information After the Upgrade

Branch: dependency-upgrade
SHA:    a873d3d7729f678977a32ad595488d216c549c98
Maven:  0.24.0-SNAPSHOT

Maven Dependencies	Root	testing/
core-lib-azure	0.23.2	0.23.2
core-lib-gc	0.23.1	0.23.1
os-core-lib-aws	0.23.0	0.23.0
os-core-common	0.23.3	0.23.3
(3rd Party) org.yaml.snakeyaml	1.30, 2.0	1.30, 1.27

Critical: Found Vulnerable Snake YAML dependency (<2.0)
├─ _Root_
│  ├─ org.projectlombok.lombok == 1.18.8
│  │  └─ org.springdoc.springdoc-openapi-ui == 1.7.0
│  │     └─ org.springdoc.springdoc-openapi-webmvc-core == 1.7.0
│  │        └─ org.springdoc.springdoc-openapi-common == 1.7.0
│  │           └─ io.swagger.core.v3.swagger-core == 2.2.9
│  │              └─ org.yaml.snakeyaml == 1.30
│  └─ org.opengroup.osdu.eds-dms-core == 0.24.0-SNAPSHOT
│     └─ org.springframework.boot.spring-boot-starter-web == 2.7.12
│        └─ org.springframework.boot.spring-boot-starter == 2.7.12
│           └─ org.yaml.snakeyaml == 1.30
└─ testing/
├─ org.opengroup.osdu.edsdms.eds-dms-test-core == 0.24.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-common == 0.23.3
│     └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
│        └─ org.springframework.boot.spring-boot-starter == 2.7.7
│           └─ org.yaml.snakeyaml == 1.30
├─ org.opengroup.osdu.edsdms.eds-dms-test-aws == 0.24.0-SNAPSHOT
│  └─ org.opengroup.osdu.core.aws.os-core-lib-aws == 0.23.0
│     └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
│        └─ org.springframework.boot.spring-boot-starter == 2.7.7
│           └─ org.yaml.snakeyaml == 1.30
├─ org.opengroup.osdu.eds-dms-test-azure == 0.24.0-SNAPSHOT
│  └─ org.opengroup.osdu.core-lib-azure == 0.23.2
│     └─ org.redisson.redisson == 3.15.3
│        └─ org.yaml.snakeyaml == 1.27
├─ org.opengroup.osdu.eds-dms-test-gc == 0.24.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-common == 0.23.3
│     └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
│        └─ org.springframework.boot.spring-boot-starter == 2.7.7
│           └─ org.yaml.snakeyaml == 1.30
└─ org.opengroup.osdu.eds-dms-test-baremetal == 0.24.0-SNAPSHOT
└─ org.opengroup.osdu.os-core-common == 0.23.3
└─ org.springframework.boot.spring-boot-starter-web == 2.7.7
└─ org.springframework.boot.spring-boot-starter == 2.7.7
└─ org.yaml.snakeyaml == 1.30

Full Upgrade of First Party Library Dependencies

Dependency Information Before the Upgrade

Dependency Information After the Upgrade

Merge request reports