Skip to content

Remove SNAPSHOT dependencies

David Diederich requested to merge dependency-upgrade-2 into master

This automated MR removes usage of SNAPSHOT versions in the first party library dependencies. Since SNAPSHOT dependencies change frequently -- by their nature -- usage of them across projects is dangerous and should be avoided.

Dependency Information Before the Upgrade

Branch: master
SHA:    74d50777407b8cb8adc409d947eeebc9b13b8407
Maven:  0.20.0-SNAPSHOT
Maven Dependencies Root testing/
core-lib-azure 0.14.0 0.14.0
core-lib-gcp 0.19.0 0.19.0
os-core-lib-aws 0.19.0-rc3 0.19.0-SNAPSHOT
obm 0.19.0 0.19.0
oqm 0.19.0 0.19.0
os-core-common 0.19.0, 0.19.0-rc8, 0.19.0-rc2 0.14.0, 0.19.0-SNAPSHOT, 0.19.0-rc2
osm 0.19.0 0.19.0
(3rd Party) com.fasterxml.jackson.core.jackson-databind 2.14.1 2.11.4, 2.14.1, 2.13.2.2
(3rd Party) org.apache.logging.log4j.log4j-api 2.17.1, 2.17.2, 2.14.1 2.13.3, 2.17.2
(3rd Party) org.apache.logging.log4j.log4j-core 2.17.1 2.13.3
(3rd Party) org.apache.logging.log4j.log4j-jul 2.17.1 2.13.3
(3rd Party) org.apache.logging.log4j.log4j-to-slf4j 2.17.1, 2.17.2, 2.14.1 2.13.3, 2.17.2
(3rd Party) org.springframework.spring-webmvc 5.3.24, 5.3.12, 5.3.22 5.3.12, 5.3.24, 5.3.22
Critical: Found Vulnerable Spring MVC dependency (<5.2.20 || >=5.3.0 <5.3.18)
├─ _Root_
│  └─ org.opengroup.osdu.eds-dms-azure == 0.20.0-SNAPSHOT
│     └─ org.opengroup.osdu.os-core-common == 0.19.0-rc2
│        └─ org.springframework.spring-webmvc == 5.3.12
└─ testing/
└─ org.opengroup.osdu.edsdms.eds-dms-test-core == 0.20.0-SNAPSHOT
└─ org.opengroup.osdu.os-core-common == 0.14.0
└─ org.springframework.boot.spring-boot-starter-web == 2.4.12
└─ org.springframework.spring-webmvc == 5.3.12
Critical: Found Vulnerable Log4J dependency (<2.17.1)
├─ _Root_
│  └─ org.opengroup.osdu.eds-dms-gc == 0.20.0-SNAPSHOT
│     └─ org.springframework.boot.spring-boot-starter-security == 2.5.6
│        └─ org.springframework.boot.spring-boot-starter == 2.5.6
│           └─ org.springframework.boot.spring-boot-starter-logging == 2.5.6
│              └─ org.apache.logging.log4j.log4j-to-slf4j == 2.14.1
│                 └─ org.apache.logging.log4j.log4j-api == 2.14.1
└─ testing/
├─ org.opengroup.osdu.edsdms.eds-dms-test-core == 0.20.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-common == 0.14.0
│     └─ org.springframework.boot.spring-boot-starter-web == 2.4.12
│        └─ org.springframework.boot.spring-boot-starter == 2.4.12
│           └─ org.springframework.boot.spring-boot-starter-logging == 2.4.12
│              └─ org.apache.logging.log4j.log4j-to-slf4j == 2.13.3
│                 └─ org.apache.logging.log4j.log4j-api == 2.13.3
└─ org.opengroup.osdu.eds-dms-test-azure == 0.20.0-SNAPSHOT
└─ org.opengroup.osdu.core-lib-azure == 0.14.0
└─ org.springframework.boot.spring-boot-starter-log4j2 == 2.4.12
├─ org.apache.logging.log4j.log4j-core == 2.13.3
│  └─ org.apache.logging.log4j.log4j-api == 2.13.3
└─ org.apache.logging.log4j.log4j-jul == 2.13.3

Dependency Information After the Upgrade

Branch: dependency-upgrade-2
SHA:    23e4ecf60ff7a628caf6d5d39ea3844fab6a1384
Maven:  0.20.0-SNAPSHOT
Maven Dependencies Root testing/
core-lib-azure 0.14.0 0.14.0
core-lib-gcp 0.19.0 0.19.0
os-core-lib-aws 0.19.0 0.19.0
obm 0.19.0 0.19.0
oqm 0.19.0 0.19.0
os-core-common 0.19.0 0.14.0, 0.19.0
osm 0.19.0 0.19.0
(3rd Party) com.fasterxml.jackson.core.jackson-databind 2.14.1 2.11.4, 2.14.1, 2.13.2.2
(3rd Party) org.apache.logging.log4j.log4j-api 2.17.1, 2.17.2, 2.14.1 2.13.3, 2.17.2
(3rd Party) org.apache.logging.log4j.log4j-core 2.17.1 2.13.3
(3rd Party) org.apache.logging.log4j.log4j-jul 2.17.1 2.13.3
(3rd Party) org.apache.logging.log4j.log4j-to-slf4j 2.17.1, 2.17.2, 2.14.1 2.13.3, 2.17.2
(3rd Party) org.springframework.spring-webmvc 5.3.24, 5.3.12, 5.3.22 5.3.12, 5.3.24, 5.3.22
Critical: Found Vulnerable Spring MVC dependency (<5.2.20 || >=5.3.0 <5.3.18)
├─ _Root_
│  └─ org.opengroup.osdu.eds-dms-azure == 0.20.0-SNAPSHOT
│     └─ org.opengroup.osdu.os-core-common == 0.19.0
│        └─ org.springframework.spring-webmvc == 5.3.12
└─ testing/
└─ org.opengroup.osdu.edsdms.eds-dms-test-core == 0.20.0-SNAPSHOT
└─ org.opengroup.osdu.os-core-common == 0.14.0
└─ org.springframework.boot.spring-boot-starter-web == 2.4.12
└─ org.springframework.spring-webmvc == 5.3.12
Critical: Found Vulnerable Log4J dependency (<2.17.1)
├─ _Root_
│  └─ org.opengroup.osdu.eds-dms-gc == 0.20.0-SNAPSHOT
│     └─ org.springframework.boot.spring-boot-starter-security == 2.5.6
│        └─ org.springframework.boot.spring-boot-starter == 2.5.6
│           └─ org.springframework.boot.spring-boot-starter-logging == 2.5.6
│              └─ org.apache.logging.log4j.log4j-to-slf4j == 2.14.1
│                 └─ org.apache.logging.log4j.log4j-api == 2.14.1
└─ testing/
├─ org.opengroup.osdu.edsdms.eds-dms-test-core == 0.20.0-SNAPSHOT
│  └─ org.opengroup.osdu.os-core-common == 0.14.0
│     └─ org.springframework.boot.spring-boot-starter-web == 2.4.12
│        └─ org.springframework.boot.spring-boot-starter == 2.4.12
│           └─ org.springframework.boot.spring-boot-starter-logging == 2.4.12
│              └─ org.apache.logging.log4j.log4j-to-slf4j == 2.13.3
│                 └─ org.apache.logging.log4j.log4j-api == 2.13.3
└─ org.opengroup.osdu.eds-dms-test-azure == 0.20.0-SNAPSHOT
└─ org.opengroup.osdu.core-lib-azure == 0.14.0
└─ org.springframework.boot.spring-boot-starter-log4j2 == 2.4.12
├─ org.apache.logging.log4j.log4j-core == 2.13.3
│  └─ org.apache.logging.log4j.log4j-api == 2.13.3
└─ org.apache.logging.log4j.log4j-jul == 2.13.3

Merge request reports

Loading