Skip to content

Upgrade First Party Library Dependencies for Release 0.18

David Diederich requested to merge dependency-upgrade into master

This MR upgrades the first party libraries (other OSDU libraries) to utilize the latest release. eds-dms had several security vulnerabilities, some of which were coming from using old first party libraries. All first party libraries were upgraded to their latest as part of this MR.

Dependency Information Before the Upgrade

Branch: master
SHA:    c47281c23d60c3f1dc1296d8f5112cb07eca0f09
Maven:  0.19.0-SNAPSHOT
Maven Dependencies Root testing/
core-lib-azure 0.14.0 0.14.0
core-lib-gcp 0.17.0 0.17.0
os-core-lib-aws 0.10.0 0.10.0
obm 0.17.0 0.17.0
oqm 0.17.0 0.17.0
os-core-common 0.10.0, 0.14.0, 0.17.0 0.14.0, 0.10.0, 0.17.0
osm 0.17.0 0.17.0
(3rd Party) com.fasterxml.jackson.core.jackson-databind 2.9.9, 2.11.4, 2.12.5 2.11.4, 2.9.9.3, 2.13.0, 2.13.2.2
(3rd Party) net.minidev.json-smart 2.3, 2.4.7 2.3
(3rd Party) org.apache.logging.log4j.log4j-api 2.11.2, 2.17.1, 2.14.1 2.13.3, 2.11.1, 2.17.2
(3rd Party) org.apache.logging.log4j.log4j-core 2.17.1 2.13.3
(3rd Party) org.apache.logging.log4j.log4j-jul 2.17.1 2.13.3
(3rd Party) org.apache.logging.log4j.log4j-to-slf4j 2.11.2, 2.14.1 2.13.3, 2.17.2
(3rd Party) org.springframework.spring-webflux 5.3.12
(3rd Party) org.springframework.spring-webmvc 5.1.9.RELEASE, 5.3.12, 5.3.22 5.3.12, 5.3.6, 5.3.22
Critical: Found Vulnerable Jackson Databind dependency (<2.12.6.1 || >=2.13.0 <2.13.2.1)
├─ _Root_
│  ├─ org.projectlombok.lombok == 1.18.8
│  │  └─ com.fasterxml.jackson.core.jackson-databind == 2.9.9
│  ├─ org.opengroup.osdu.eds-dms-core == 0.19.0-SNAPSHOT
│  │  └─ com.fasterxml.jackson.core.jackson-databind == 2.9.9
│  ├─ org.opengroup.osdu.eds-dms-aws == 0.19.0-SNAPSHOT
│  │  └─ com.fasterxml.jackson.core.jackson-databind == 2.9.9
│  ├─ org.opengroup.osdu.eds-dms-azure == 0.19.0-SNAPSHOT
│  │  └─ com.fasterxml.jackson.core.jackson-databind == 2.11.4
│  └─ org.opengroup.osdu.eds-dms-gcp == 0.19.0-SNAPSHOT
│     └─ com.fasterxml.jackson.core.jackson-databind == 2.12.5
└─ testing/
├─ org.opengroup.osdu.edsdms.eds-dms-test-core == 0.19.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-common == 0.14.0
│     └─ com.fasterxml.jackson.core.jackson-databind == 2.11.4
├─ org.opengroup.osdu.edsdms.eds-dms-test-aws == 0.19.0-SNAPSHOT
│  └─ com.fasterxml.jackson.core.jackson-databind == 2.9.9.3
└─ org.opengroup.osdu.eds-dms-test-azure == 0.19.0-SNAPSHOT
└─ com.fasterxml.jackson.core.jackson-databind == 2.13.0
Critical: Found Vulnerable Log4J dependency (<2.17.1)
Warning: Found Vulnerable Spring MVC dependency (<5.2.20 || >=5.3.0 <5.3.18)
├─ _Root_
│  ├─ org.opengroup.osdu.eds-dms-core == 0.19.0-SNAPSHOT
│  │  └─ org.springframework.boot.spring-boot-starter-web == 2.1.7.RELEASE
│  │     └─ org.springframework.spring-webmvc == 5.1.9.RELEASE
│  ├─ org.opengroup.osdu.eds-dms-aws == 0.19.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.os-core-common == 0.10.0
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.1.7.RELEASE
│  │        └─ org.springframework.spring-webmvc == 5.1.9.RELEASE
│  └─ org.opengroup.osdu.eds-dms-azure == 0.19.0-SNAPSHOT
│     └─ org.opengroup.osdu.eds-dms-core == 0.19.0-SNAPSHOT
│        └─ org.springframework.boot.spring-boot-starter-web == 2.4.12
│           └─ org.springframework.spring-webmvc == 5.3.12
└─ testing/
├─ org.opengroup.osdu.edsdms.eds-dms-test-core == 0.19.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-common == 0.14.0
│     └─ org.springframework.boot.spring-boot-starter-web == 2.4.12
│        └─ org.springframework.spring-webmvc == 5.3.12
├─ org.opengroup.osdu.edsdms.eds-dms-test-aws == 0.19.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-common == 0.10.0
│     └─ org.springframework.boot.spring-boot-starter-web == 2.4.5
│        └─ org.springframework.spring-webmvc == 5.3.6
└─ org.opengroup.osdu.eds-dms-test-azure == 0.19.0-SNAPSHOT
└─ org.opengroup.osdu.os-core-common == 0.14.0
└─ org.springframework.boot.spring-boot-starter-web == 2.4.12
└─ org.springframework.spring-webmvc == 5.3.12
Critical: Found Vulnerable JSON Smart dependency (<2.4.7)
├─ _Root_
│  └─ org.opengroup.osdu.eds-dms-core == 0.19.0-SNAPSHOT
│     └─ org.springframework.boot.spring-boot-starter-test == 2.1.6.RELEASE
│        └─ com.jayway.jsonpath.json-path == 2.4.0
│           └─ net.minidev.json-smart == 2.3
└─ testing/
└─ org.opengroup.osdu.eds-dms-test-azure == 0.19.0-SNAPSHOT
└─ com.azure.azure-identity == 1.2.5
└─ net.minidev.json-smart == 2.3
Warning: Found Vulnerable Spring WebFlux dependency (<5.2.20 || >=5.3.0 <5.3.18)
└─ _Root_
└─ org.opengroup.osdu.eds-dms-azure == 0.19.0-SNAPSHOT
└─ com.azure.spring.azure-spring-boot-starter-active-directory == 3.4.0
└─ org.springframework.boot.spring-boot-starter-webflux == 2.4.12
└─ org.springframework.spring-webflux == 5.3.12

Dependency Information After the Upgrade

Branch: dependency-upgrade
SHA:    53a73c5a2b10a83cc3c429395b602f2958a3a935
Maven:  0.19.0-SNAPSHOT
Maven Dependencies Root testing/
core-lib-azure 0.18.0 0.18.0
core-lib-gcp 0.18.0 0.18.0
os-core-lib-aws 0.18.0 0.18.0
obm 0.18.0 0.18.0
oqm 0.18.0 0.18.0
os-core-common 0.18.0 0.18.0
osm 0.18.0 0.18.0
(3rd Party) com.fasterxml.jackson.core.jackson-databind 2.9.9, 2.13.4, 2.12.5 2.13.4, 2.9.9.3, 2.13.0, 2.13.2.2
(3rd Party) net.minidev.json-smart 2.3, 2.4.7 2.3
(3rd Party) org.apache.logging.log4j.log4j-api 2.11.2, 2.17.1, 2.14.1 2.17.2
(3rd Party) org.apache.logging.log4j.log4j-to-slf4j 2.11.2, 2.14.1 2.17.2
(3rd Party) org.springframework.spring-webflux 5.3.22
(3rd Party) org.springframework.spring-webmvc 5.1.9.RELEASE, 5.3.22 5.3.22
Critical: Found Vulnerable Jackson Databind dependency (<2.12.6.1 || >=2.13.0 <2.13.2.1)
├─ _Root_
│  ├─ org.projectlombok.lombok == 1.18.8
│  │  └─ com.fasterxml.jackson.core.jackson-databind == 2.9.9
│  ├─ org.opengroup.osdu.eds-dms-core == 0.19.0-SNAPSHOT
│  │  └─ com.fasterxml.jackson.core.jackson-databind == 2.9.9
│  ├─ org.opengroup.osdu.eds-dms-aws == 0.19.0-SNAPSHOT
│  │  └─ com.fasterxml.jackson.core.jackson-databind == 2.9.9
│  └─ org.opengroup.osdu.eds-dms-gcp == 0.19.0-SNAPSHOT
│     └─ com.fasterxml.jackson.core.jackson-databind == 2.12.5
└─ testing/
├─ org.opengroup.osdu.edsdms.eds-dms-test-aws == 0.19.0-SNAPSHOT
│  └─ com.fasterxml.jackson.core.jackson-databind == 2.9.9.3
└─ org.opengroup.osdu.eds-dms-test-azure == 0.19.0-SNAPSHOT
└─ com.fasterxml.jackson.core.jackson-databind == 2.13.0
Warning: Found Vulnerable Spring MVC dependency (<5.2.20 || >=5.3.0 <5.3.18)
└─ _Root_
├─ org.opengroup.osdu.eds-dms-core == 0.19.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-common == 0.18.0
│     └─ org.springframework.spring-webmvc == 5.1.9.RELEASE
└─ org.opengroup.osdu.eds-dms-aws == 0.19.0-SNAPSHOT
└─ org.opengroup.osdu.os-core-common == 0.18.0
└─ org.springframework.spring-webmvc == 5.1.9.RELEASE
Critical: Found Vulnerable Log4J dependency (<2.17.1)
Critical: Found Vulnerable JSON Smart dependency (<2.4.7)
├─ _Root_
│  └─ org.opengroup.osdu.eds-dms-core == 0.19.0-SNAPSHOT
│     └─ org.springframework.boot.spring-boot-starter-test == 2.1.6.RELEASE
│        └─ com.jayway.jsonpath.json-path == 2.4.0
│           └─ net.minidev.json-smart == 2.3
└─ testing/
└─ org.opengroup.osdu.eds-dms-test-azure == 0.19.0-SNAPSHOT
└─ com.azure.azure-identity == 1.2.5
└─ net.minidev.json-smart == 2.3
Edited by David Diederich

Merge request reports

Loading