Upgrade First Party Library Dependencies for Release 0.18 (!19) · Merge requests · OSDU Software / OSDU Data Platform / Data Flow / Data Ingestion / External Data Sources / EDS DMS

David Diederich requested to merge dependency-upgrade into master Dec 13, 2022

This MR upgrades the first party libraries (other OSDU libraries) to utilize the latest release. eds-dms had several security vulnerabilities, some of which were coming from using old first party libraries. All first party libraries were upgraded to their latest as part of this MR.

Dependency Information Before the Upgrade

Branch: master
SHA:    c47281c23d60c3f1dc1296d8f5112cb07eca0f09
Maven:  0.19.0-SNAPSHOT

Maven Dependencies	Root	testing/
core-lib-azure	0.14.0	0.14.0
core-lib-gcp	0.17.0	0.17.0
os-core-lib-aws	0.10.0	0.10.0
obm	0.17.0	0.17.0
oqm	0.17.0	0.17.0
os-core-common	0.10.0, 0.14.0, 0.17.0	0.14.0, 0.10.0, 0.17.0
osm	0.17.0	0.17.0
(3rd Party) com.fasterxml.jackson.core.jackson-databind	2.9.9, 2.11.4, 2.12.5	2.11.4, 2.9.9.3, 2.13.0, 2.13.2.2
(3rd Party) net.minidev.json-smart	2.3, 2.4.7	2.3
(3rd Party) org.apache.logging.log4j.log4j-api	2.11.2, 2.17.1, 2.14.1	2.13.3, 2.11.1, 2.17.2
(3rd Party) org.apache.logging.log4j.log4j-core	2.17.1	2.13.3
(3rd Party) org.apache.logging.log4j.log4j-jul	2.17.1	2.13.3
(3rd Party) org.apache.logging.log4j.log4j-to-slf4j	2.11.2, 2.14.1	2.13.3, 2.17.2
(3rd Party) org.springframework.spring-webflux	5.3.12
(3rd Party) org.springframework.spring-webmvc	5.1.9.RELEASE, 5.3.12, 5.3.22	5.3.12, 5.3.6, 5.3.22

Critical: Found Vulnerable Jackson Databind dependency (<2.12.6.1 || >=2.13.0 <2.13.2.1)
├─ _Root_
│  ├─ org.projectlombok.lombok == 1.18.8
│  │  └─ com.fasterxml.jackson.core.jackson-databind == 2.9.9
│  ├─ org.opengroup.osdu.eds-dms-core == 0.19.0-SNAPSHOT
│  │  └─ com.fasterxml.jackson.core.jackson-databind == 2.9.9
│  ├─ org.opengroup.osdu.eds-dms-aws == 0.19.0-SNAPSHOT
│  │  └─ com.fasterxml.jackson.core.jackson-databind == 2.9.9
│  ├─ org.opengroup.osdu.eds-dms-azure == 0.19.0-SNAPSHOT
│  │  └─ com.fasterxml.jackson.core.jackson-databind == 2.11.4
│  └─ org.opengroup.osdu.eds-dms-gcp == 0.19.0-SNAPSHOT
│     └─ com.fasterxml.jackson.core.jackson-databind == 2.12.5
└─ testing/
├─ org.opengroup.osdu.edsdms.eds-dms-test-core == 0.19.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-common == 0.14.0
│     └─ com.fasterxml.jackson.core.jackson-databind == 2.11.4
├─ org.opengroup.osdu.edsdms.eds-dms-test-aws == 0.19.0-SNAPSHOT
│  └─ com.fasterxml.jackson.core.jackson-databind == 2.9.9.3
└─ org.opengroup.osdu.eds-dms-test-azure == 0.19.0-SNAPSHOT
└─ com.fasterxml.jackson.core.jackson-databind == 2.13.0

Critical: Found Vulnerable Log4J dependency (<2.17.1)
Warning: Found Vulnerable Spring MVC dependency (<5.2.20 || >=5.3.0 <5.3.18)
├─ _Root_
│  ├─ org.opengroup.osdu.eds-dms-core == 0.19.0-SNAPSHOT
│  │  └─ org.springframework.boot.spring-boot-starter-web == 2.1.7.RELEASE
│  │     └─ org.springframework.spring-webmvc == 5.1.9.RELEASE
│  ├─ org.opengroup.osdu.eds-dms-aws == 0.19.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.os-core-common == 0.10.0
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.1.7.RELEASE
│  │        └─ org.springframework.spring-webmvc == 5.1.9.RELEASE
│  └─ org.opengroup.osdu.eds-dms-azure == 0.19.0-SNAPSHOT
│     └─ org.opengroup.osdu.eds-dms-core == 0.19.0-SNAPSHOT
│        └─ org.springframework.boot.spring-boot-starter-web == 2.4.12
│           └─ org.springframework.spring-webmvc == 5.3.12
└─ testing/
├─ org.opengroup.osdu.edsdms.eds-dms-test-core == 0.19.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-common == 0.14.0
│     └─ org.springframework.boot.spring-boot-starter-web == 2.4.12
│        └─ org.springframework.spring-webmvc == 5.3.12
├─ org.opengroup.osdu.edsdms.eds-dms-test-aws == 0.19.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-common == 0.10.0
│     └─ org.springframework.boot.spring-boot-starter-web == 2.4.5
│        └─ org.springframework.spring-webmvc == 5.3.6
└─ org.opengroup.osdu.eds-dms-test-azure == 0.19.0-SNAPSHOT
└─ org.opengroup.osdu.os-core-common == 0.14.0
└─ org.springframework.boot.spring-boot-starter-web == 2.4.12
└─ org.springframework.spring-webmvc == 5.3.12

Critical: Found Vulnerable JSON Smart dependency (<2.4.7)
├─ _Root_
│  └─ org.opengroup.osdu.eds-dms-core == 0.19.0-SNAPSHOT
│     └─ org.springframework.boot.spring-boot-starter-test == 2.1.6.RELEASE
│        └─ com.jayway.jsonpath.json-path == 2.4.0
│           └─ net.minidev.json-smart == 2.3
└─ testing/
└─ org.opengroup.osdu.eds-dms-test-azure == 0.19.0-SNAPSHOT
└─ com.azure.azure-identity == 1.2.5
└─ net.minidev.json-smart == 2.3

Warning: Found Vulnerable Spring WebFlux dependency (<5.2.20 || >=5.3.0 <5.3.18)
└─ _Root_
└─ org.opengroup.osdu.eds-dms-azure == 0.19.0-SNAPSHOT
└─ com.azure.spring.azure-spring-boot-starter-active-directory == 3.4.0
└─ org.springframework.boot.spring-boot-starter-webflux == 2.4.12
└─ org.springframework.spring-webflux == 5.3.12

Dependency Information After the Upgrade

Branch: dependency-upgrade
SHA:    53a73c5a2b10a83cc3c429395b602f2958a3a935
Maven:  0.19.0-SNAPSHOT

Maven Dependencies	Root	testing/
core-lib-azure	0.18.0	0.18.0
core-lib-gcp	0.18.0	0.18.0
os-core-lib-aws	0.18.0	0.18.0
obm	0.18.0	0.18.0
oqm	0.18.0	0.18.0
os-core-common	0.18.0	0.18.0
osm	0.18.0	0.18.0
(3rd Party) com.fasterxml.jackson.core.jackson-databind	2.9.9, 2.13.4, 2.12.5	2.13.4, 2.9.9.3, 2.13.0, 2.13.2.2
(3rd Party) net.minidev.json-smart	2.3, 2.4.7	2.3
(3rd Party) org.apache.logging.log4j.log4j-api	2.11.2, 2.17.1, 2.14.1	2.17.2
(3rd Party) org.apache.logging.log4j.log4j-to-slf4j	2.11.2, 2.14.1	2.17.2
(3rd Party) org.springframework.spring-webflux	5.3.22
(3rd Party) org.springframework.spring-webmvc	5.1.9.RELEASE, 5.3.22	5.3.22

Critical: Found Vulnerable Jackson Databind dependency (<2.12.6.1 || >=2.13.0 <2.13.2.1)
├─ _Root_
│  ├─ org.projectlombok.lombok == 1.18.8
│  │  └─ com.fasterxml.jackson.core.jackson-databind == 2.9.9
│  ├─ org.opengroup.osdu.eds-dms-core == 0.19.0-SNAPSHOT
│  │  └─ com.fasterxml.jackson.core.jackson-databind == 2.9.9
│  ├─ org.opengroup.osdu.eds-dms-aws == 0.19.0-SNAPSHOT
│  │  └─ com.fasterxml.jackson.core.jackson-databind == 2.9.9
│  └─ org.opengroup.osdu.eds-dms-gcp == 0.19.0-SNAPSHOT
│     └─ com.fasterxml.jackson.core.jackson-databind == 2.12.5
└─ testing/
├─ org.opengroup.osdu.edsdms.eds-dms-test-aws == 0.19.0-SNAPSHOT
│  └─ com.fasterxml.jackson.core.jackson-databind == 2.9.9.3
└─ org.opengroup.osdu.eds-dms-test-azure == 0.19.0-SNAPSHOT
└─ com.fasterxml.jackson.core.jackson-databind == 2.13.0

Warning: Found Vulnerable Spring MVC dependency (<5.2.20 || >=5.3.0 <5.3.18)
└─ _Root_
├─ org.opengroup.osdu.eds-dms-core == 0.19.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-common == 0.18.0
│     └─ org.springframework.spring-webmvc == 5.1.9.RELEASE
└─ org.opengroup.osdu.eds-dms-aws == 0.19.0-SNAPSHOT
└─ org.opengroup.osdu.os-core-common == 0.18.0
└─ org.springframework.spring-webmvc == 5.1.9.RELEASE

Critical: Found Vulnerable Log4J dependency (<2.17.1)
Critical: Found Vulnerable JSON Smart dependency (<2.4.7)
├─ _Root_
│  └─ org.opengroup.osdu.eds-dms-core == 0.19.0-SNAPSHOT
│     └─ org.springframework.boot.spring-boot-starter-test == 2.1.6.RELEASE
│        └─ com.jayway.jsonpath.json-path == 2.4.0
│           └─ net.minidev.json-smart == 2.3
└─ testing/
└─ org.opengroup.osdu.eds-dms-test-azure == 0.19.0-SNAPSHOT
└─ com.azure.azure-identity == 1.2.5
└─ net.minidev.json-smart == 2.3

Edited Dec 13, 2022 by David Diederich

Upgrade First Party Library Dependencies for Release 0.18

Dependency Information Before the Upgrade

Dependency Information After the Upgrade

Merge request reports