Full Upgrade of First Party Library Dependencies
This generated MR upgrades the first party libraries (other OSDU libraries) to utilize the latest release. The intent is to keep all dependent libraries up to date. This upgrade can be merged immediately without further approval if the CI pipeline reports success.
If this MR has failed, we need to work with the maintainers and affected provider teams to find a solution.
Dependency Information Before the Upgrade
Branch: master
SHA: bccdc719098a010c1f2c8b9735fdfdc0774465aa
Maven: 0.24.0-SNAPSHOT
Maven Dependencies | Root | testing/indexer-queue-azure-enqueue/ |
---|---|---|
core-lib-azure | 0.19.0 | 0.16.0 |
os-core-lib-aws | 0.23.0 | |
os-core-common | 0.23.0, 0.16.0, 0.19.0 | 0.16.0 |
os-core-lib-ibm | 0.16.0 | |
(3rd Party) org.apache.logging.log4j.log4j-api | 2.17.1 | 2.13.3 |
(3rd Party) org.apache.logging.log4j.log4j-core | 2.17.1 | 2.13.3 |
(3rd Party) org.apache.logging.log4j.log4j-jul | 2.17.1 | 2.13.3 |
(3rd Party) org.apache.logging.log4j.log4j-slf4j-impl | 2.17.1 | 2.13.3 |
(3rd Party) org.springframework.spring-webmvc | 5.3.22, 5.1.19.RELEASE | 5.3.22 |
(3rd Party) org.yaml.snakeyaml | 1.30, 1.33, 2.0 | 1.27 |
Critical: Found Vulnerable Snake YAML dependency (<2.0)
├─ _Root_
│ ├─ org.opengroup.osdu.indexerqueue.aws.indexer-queue-aws == 0.24.0-SNAPSHOT
│ │ └─ org.opengroup.osdu.core.aws.os-core-lib-aws == 0.23.0
│ │ └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
│ │ └─ org.springframework.boot.spring-boot-starter == 2.7.7
│ │ └─ org.yaml.snakeyaml == 1.30
│ └─ org.opengroup.osdu.indexerqueue.ibm.indexer-queue-ibm == 0.24.0-SNAPSHOT
│ └─ org.yaml.snakeyaml == 1.33
└─ testing/indexer-queue-azure-enqueue/
└─ org.opengroup.osdu.indexer-queue-azure-test == 0.24.0-SNAPSHOT
└─ org.opengroup.osdu.core-lib-azure == 0.16.0
└─ org.redisson.redisson == 3.15.3
└─ org.yaml.snakeyaml == 1.27
Critical: Found Vulnerable Spring MVC dependency (<5.2.20 || >=5.3.0 <5.3.18)
└─ _Root_
└─ org.opengroup.osdu.indexerqueue.ibm.indexer-queue-ibm == 0.24.0-SNAPSHOT
└─ org.opengroup.osdu.os-core-common == 0.16.0
└─ org.springframework.spring-webmvc == 5.1.19.RELEASE
Dependency Information After the Upgrade
Branch: dependency-upgrade
SHA: a6bbca90a702727489b3f6790029dd2c767c30ed
Maven: 0.24.0-SNAPSHOT
Maven Dependencies | Root | testing/indexer-queue-azure-enqueue/ |
---|---|---|
core-lib-azure | 0.24.0 | 0.24.0 |
os-core-lib-aws | 0.24.0 | |
os-core-common | 0.24.0, 0.24.0 | 0.24.0 |
os-core-lib-ibm | 0.24.0 | |
(3rd Party) org.apache.logging.log4j.log4j-api | 2.17.1 | 2.13.3 |
(3rd Party) org.springframework.spring-webmvc | 5.3.22, 5.1.19.RELEASE | 5.3.22 |
(3rd Party) org.yaml.snakeyaml | 1.30, 1.33, 2.0 | 1.27 |
Critical: Found Vulnerable Snake YAML dependency (<2.0)
├─ _Root_
│ ├─ org.opengroup.osdu.indexerqueue.aws.indexer-queue-aws == 0.24.0-SNAPSHOT
│ │ └─ org.opengroup.osdu.core.aws.os-core-lib-aws == 0.23.0
│ │ └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
│ │ └─ org.springframework.boot.spring-boot-starter == 2.7.7
│ │ └─ org.yaml.snakeyaml == 1.30
│ └─ org.opengroup.osdu.indexerqueue.ibm.indexer-queue-ibm == 0.24.0-SNAPSHOT
│ └─ org.yaml.snakeyaml == 1.33
└─ testing/indexer-queue-azure-enqueue/
└─ org.opengroup.osdu.indexer-queue-azure-test == 0.24.0-SNAPSHOT
└─ org.opengroup.osdu.core-lib-azure == 0.23.2
└─ org.redisson.redisson == 3.15.3
└─ org.yaml.snakeyaml == 1.27
Critical: Found Vulnerable Spring MVC dependency (<5.2.20 || >=5.3.0 <5.3.18)
└─ _Root_
└─ org.opengroup.osdu.indexerqueue.ibm.indexer-queue-ibm == 0.24.0-SNAPSHOT
└─ org.opengroup.osdu.os-core-common == 0.23.3
└─ org.springframework.spring-webmvc == 5.1.19.RELEASE
Edited by Chad Leong