Merge branch 'lobtimo-cve' into 'master'

Resolve netty, spring, and io commons CVE See merge request !843

Merge branch 'lobtimo-cve' into 'master'
68d26e36 · Timothy Lobl · 0019953f · 3072043f · 68d26e36 · 68d26e36
Commit 68d26e36 authored 5 months ago by Timothy Lobl
--- a/NOTICE
+++ b/NOTICE
@@ -57,7 +57,7 @@ The following software have components provided under the terms of this license:
 - Apache HttpCore NIO (from http://hc.apache.org/httpcomponents-core-ga, http://hc.apache.org/httpcomponents-core/)
 - Apache Log4j API (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api)
 - Apache Log4j Core (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core)
- Apache Log4j JUL Adapter (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul)
+- Apache Log4j JUL Handler (from https://logging.apache.org/log4j/3.x/)
 - Apache Log4j SLF4J Binding (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-slf4j-impl)
 - Apache Log4j to SLF4J Adapter (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-to-slf4j)
 - AssertJ Core (from https://assertj.github.io/doc/#assertj-core)
@@ -196,7 +196,7 @@ The following software have components provided under the terms of this license:
 - QpidJMS Client (from https://repo1.maven.org/maven2/org/apache/qpid/qpid-jms-client)
 - RabbitMQ Java Client (from http://www.rabbitmq.com, https://www.rabbitmq.com)
 - Reactive Streams Netty driver (from https://github.com/reactor/reactor-netty)
- Redisson (from http://redisson.org)
+- Redisson (from http://redisson.org, https://redisson.pro)
 - Retrofit (from https://github.com/square/retrofit, https://repo1.maven.org/maven2/com/squareup/retrofit2/retrofit)
 - RxJava (from https://github.com/ReactiveX/RxJava)
 - Servlet API (from https://repo1.maven.org/maven2/org/mortbay/jetty/servlet-api)
@@ -376,7 +376,7 @@ The following software have components provided under the terms of this license:
 - Protocol Buffer Java API (from http://code.google.com/p/protobuf, https://repo1.maven.org/maven2/com/google/protobuf/protobuf-java)
 - Protocol Buffers [Util] (from https://repo1.maven.org/maven2/com/google/protobuf/protobuf-java-util)
 - RE2/J (from http://github.com/google/re2j)
- Redisson (from http://redisson.org)
+- Redisson (from http://redisson.org, https://redisson.pro)
 - ReflectASM (from https://github.com/EsotericSoftware/reflectasm)
 - ServiceLocator Default Implementation (from https://repo1.maven.org/maven2/org/glassfish/hk2/hk2-locator)
 - Shaded Protobuf (from https://repo1.maven.org/maven2/io/prometheus/prometheus-metrics-shaded-protobuf)
@@ -424,7 +424,7 @@ The following software have components provided under the terms of this license:
 - LatencyUtils (from http://latencyutils.github.io/LatencyUtils/)
 - Netty/Common (from https://repo1.maven.org/maven2/io/netty/netty-common)
 - RabbitMQ Java Client (from http://www.rabbitmq.com, https://www.rabbitmq.com)
- Redisson (from http://redisson.org)
+- Redisson (from http://redisson.org, https://redisson.pro)
 - jersey-container-servlet (from https://repo1.maven.org/maven2/org/glassfish/jersey/containers/jersey-container-servlet)
 - jersey-container-servlet-core (from https://repo1.maven.org/maven2/org/glassfish/jersey/containers/jersey-container-servlet-core)
 - jersey-core-client (from https://repo1.maven.org/maven2/org/glassfish/jersey/core/jersey-client)

--- a/provider/indexer-aws/pom.xml
+++ b/provider/indexer-aws/pom.xml
@@ -30,7 +30,7 @@
  
  <properties>
      <deployment.environment>dev</deployment.environment>
-      <netty.version>4.1.51.Final</netty.version>
+      <netty.version>4.1.115.Final</netty.version>
      <mockito.version>3.11.2</mockito.version>
  </properties>

@@ -67,21 +67,19 @@
    <dependency>
        <groupId>org.opengroup.osdu.core.aws</groupId>
            <artifactId>os-core-lib-aws</artifactId>
-        <version>3.0.1</version>
+        <version>3.0.2</version>
    </dependency>

-    <!-- AWS managed packages -->
-    <dependency>
-       <groupId>io.netty</groupId>
-       <artifactId>netty-codec</artifactId>
-       <version>4.1.104.Final</version>
-     </dependency>
-
    <!-- Third party Apache 2.0 license packages -->
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-config</artifactId>
    </dependency>
+    <dependency>
+        <groupId>org.springframework.security</groupId>
+        <artifactId>spring-security-web</artifactId>
+        <version>6.3.4</version>
+    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-autoconfigure</artifactId>