Remove SNAPSHOT dependencies

David Diederich requested to merge dependency-upgrade-2 into master

This automated MR removes usage of SNAPSHOT versions in the first-party library dependencies. Since SNAPSHOT dependencies change frequently -- by their nature -- usage of them across projects is dangerous and should be avoided.
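
One way to make this policy a build-time check rather than a periodic clean-up, shown here as an added example that is not part of the project's own build: a maven-enforcer-plugin `requireReleaseDeps` execution in the parent pom. The plugin version and the excluded reactor groupId are assumptions; note that the rule treats pre-release tags such as 0.19.0-rc3 as releases, so it catches SNAPSHOTs but not rc versions.

```xml
<!-- Added example (not from the eds-dms project): fail the build when any
     dependency, direct or transitive, resolves to a SNAPSHOT version. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <version>3.3.0</version> <!-- assumed version; pin to what the project uses -->
      <executions>
        <execution>
          <id>no-snapshot-deps</id>
          <goals>
            <goal>enforce</goal>
          </goals>
          <configuration>
            <rules>
              <requireReleaseDeps>
                <message>SNAPSHOT dependencies change underneath the build; pin a released version.</message>
                <!-- Keep the check active while the project itself is still a
                     SNAPSHOT (as 0.20.0-SNAPSHOT is here). -->
                <onlyWhenRelease>false</onlyWhenRelease>
                <!-- Walk the resolved tree, so a 0.19.0-SNAPSHOT pulled in
                     through os-core-common is rejected, not only direct entries. -->
                <searchTransitive>true</searchTransitive>
                <!-- Sibling modules of this reactor are built together and share
                     the SNAPSHOT version; the groupId pattern is an assumption. -->
                <excludes>
                  <exclude>org.opengroup.osdu.edsdms:*</exclude>
                </excludes>
              </requireReleaseDeps>
            </rules>
            <fail>true</fail>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place, the `testing/` module's os-core-lib-aws 0.19.0-SNAPSHOT from the "before" table would have failed `mvn verify` instead of waiting for an automated MR.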

Dependency Information Before the Upgrade

Branch: master
SHA:    74d50777407b8cb8adc409d947eeebc9b13b8407
Maven:  0.20.0-SNAPSHOT
| Maven Dependencies | Root | testing/ |
|---|---|---|
| core-lib-azure | 0.14.0 | 0.14.0 |
| core-lib-gcp | 0.19.0 | 0.19.0 |
| os-core-lib-aws | 0.19.0-rc3 | 0.19.0-SNAPSHOT |
| obm | 0.19.0 | 0.19.0 |
| oqm | 0.19.0 | 0.19.0 |
| os-core-common | 0.19.0, 0.19.0-rc8, 0.19.0-rc2 | 0.14.0, 0.19.0-SNAPSHOT, 0.19.0-rc2 |
| osm | 0.19.0 | 0.19.0 |
| (3rd Party) com.fasterxml.jackson.core.jackson-databind | 2.14.1 | 2.11.4, 2.14.1, 2.13.2.2 |
| (3rd Party) org.apache.logging.log4j.log4j-api | 2.17.1, 2.17.2, 2.14.1 | 2.13.3, 2.17.2 |
| (3rd Party) org.apache.logging.log4j.log4j-core | 2.17.1 | 2.13.3 |
| (3rd Party) org.apache.logging.log4j.log4j-jul | 2.17.1 | 2.13.3 |
| (3rd Party) org.apache.logging.log4j.log4j-to-slf4j | 2.17.1, 2.17.2, 2.14.1 | 2.13.3, 2.17.2 |
| (3rd Party) org.springframework.spring-webmvc | 5.3.24, 5.3.12, 5.3.22 | 5.3.12, 5.3.24, 5.3.22 |

Critical: Found Vulnerable Spring MVC dependency (<5.2.20 || >=5.3.0 <5.3.18)
├─ _Root_
│  └─ org.opengroup.osdu.eds-dms-azure == 0.20.0-SNAPSHOT
│     └─ org.opengroup.osdu.os-core-common == 0.19.0-rc2
│        └─ org.springframework.spring-webmvc == 5.3.12
└─ testing/
   └─ org.opengroup.osdu.edsdms.eds-dms-test-core == 0.20.0-SNAPSHOT
      └─ org.opengroup.osdu.os-core-common == 0.14.0
         └─ org.springframework.boot.spring-boot-starter-web == 2.4.12
            └─ org.springframework.spring-webmvc == 5.3.12

Critical: Found Vulnerable Log4J dependency (<2.17.1)
├─ _Root_
│  └─ org.opengroup.osdu.eds-dms-gc == 0.20.0-SNAPSHOT
│     └─ org.springframework.boot.spring-boot-starter-security == 2.5.6
│        └─ org.springframework.boot.spring-boot-starter == 2.5.6
│           └─ org.springframework.boot.spring-boot-starter-logging == 2.5.6
│              └─ org.apache.logging.log4j.log4j-to-slf4j == 2.14.1
│                 └─ org.apache.logging.log4j.log4j-api == 2.14.1
└─ testing/
   ├─ org.opengroup.osdu.edsdms.eds-dms-test-core == 0.20.0-SNAPSHOT
   │  └─ org.opengroup.osdu.os-core-common == 0.14.0
   │     └─ org.springframework.boot.spring-boot-starter-web == 2.4.12
   │        └─ org.springframework.boot.spring-boot-starter == 2.4.12
   │           └─ org.springframework.boot.spring-boot-starter-logging == 2.4.12
   │              └─ org.apache.logging.log4j.log4j-to-slf4j == 2.13.3
   │                 └─ org.apache.logging.log4j.log4j-api == 2.13.3
   └─ org.opengroup.osdu.eds-dms-test-azure == 0.20.0-SNAPSHOT
      └─ org.opengroup.osdu.core-lib-azure == 0.14.0
         └─ org.springframework.boot.spring-boot-starter-log4j2 == 2.4.12
            ├─ org.apache.logging.log4j.log4j-core == 2.13.3
            │  └─ org.apache.logging.log4j.log4j-api == 2.13.3
            └─ org.apache.logging.log4j.log4j-jul == 2.13.3

Dependency Information After the Upgrade

Branch: dependency-upgrade-2
SHA:    23e4ecf60ff7a628caf6d5d39ea3844fab6a1384
Maven:  0.20.0-SNAPSHOT
| Maven Dependencies | Root | testing/ |
|---|---|---|
| core-lib-azure | 0.14.0 | 0.14.0 |
| core-lib-gcp | 0.19.0 | 0.19.0 |
| os-core-lib-aws | 0.19.0 | 0.19.0 |
| obm | 0.19.0 | 0.19.0 |
| oqm | 0.19.0 | 0.19.0 |
| os-core-common | 0.19.0 | 0.14.0, 0.19.0 |
| osm | 0.19.0 | 0.19.0 |
| (3rd Party) com.fasterxml.jackson.core.jackson-databind | 2.14.1 | 2.11.4, 2.14.1, 2.13.2.2 |
| (3rd Party) org.apache.logging.log4j.log4j-api | 2.17.1, 2.17.2, 2.14.1 | 2.13.3, 2.17.2 |
| (3rd Party) org.apache.logging.log4j.log4j-core | 2.17.1 | 2.13.3 |
| (3rd Party) org.apache.logging.log4j.log4j-jul | 2.17.1 | 2.13.3 |
| (3rd Party) org.apache.logging.log4j.log4j-to-slf4j | 2.17.1, 2.17.2, 2.14.1 | 2.13.3, 2.17.2 |
| (3rd Party) org.springframework.spring-webmvc | 5.3.24, 5.3.12, 5.3.22 | 5.3.12, 5.3.24, 5.3.22 |

Critical: Found Vulnerable Spring MVC dependency (<5.2.20 || >=5.3.0 <5.3.18)
├─ _Root_
│  └─ org.opengroup.osdu.eds-dms-azure == 0.20.0-SNAPSHOT
│     └─ org.opengroup.osdu.os-core-common == 0.19.0
│        └─ org.springframework.spring-webmvc == 5.3.12
└─ testing/
   └─ org.opengroup.osdu.edsdms.eds-dms-test-core == 0.20.0-SNAPSHOT
      └─ org.opengroup.osdu.os-core-common == 0.14.0
         └─ org.springframework.boot.spring-boot-starter-web == 2.4.12
            └─ org.springframework.spring-webmvc == 5.3.12

Critical: Found Vulnerable Log4J dependency (<2.17.1)
├─ _Root_
│  └─ org.opengroup.osdu.eds-dms-gc == 0.20.0-SNAPSHOT
│     └─ org.springframework.boot.spring-boot-starter-security == 2.5.6
│        └─ org.springframework.boot.spring-boot-starter == 2.5.6
│           └─ org.springframework.boot.spring-boot-starter-logging == 2.5.6
│              └─ org.apache.logging.log4j.log4j-to-slf4j == 2.14.1
│                 └─ org.apache.logging.log4j.log4j-api == 2.14.1
└─ testing/
   ├─ org.opengroup.osdu.edsdms.eds-dms-test-core == 0.20.0-SNAPSHOT
   │  └─ org.opengroup.osdu.os-core-common == 0.14.0
   │     └─ org.springframework.boot.spring-boot-starter-web == 2.4.12
   │        └─ org.springframework.boot.spring-boot-starter == 2.4.12
   │           └─ org.springframework.boot.spring-boot-starter-logging == 2.4.12
   │              └─ org.apache.logging.log4j.log4j-to-slf4j == 2.13.3
   │                 └─ org.apache.logging.log4j.log4j-api == 2.13.3
   └─ org.opengroup.osdu.eds-dms-test-azure == 0.20.0-SNAPSHOT
      └─ org.opengroup.osdu.core-lib-azure == 0.14.0
         └─ org.springframework.boot.spring-boot-starter-log4j2 == 2.4.12
            ├─ org.apache.logging.log4j.log4j-core == 2.13.3
            │  └─ org.apache.logging.log4j.log4j-api == 2.13.3
            └─ org.apache.logging.log4j.log4j-jul == 2.13.3