Commit 6c668794 authored by Alok Joshi

Merge branch 'upgrade_deps' into 'master'

Fix security vulnerabilities

See merge request !90
parents 63b587ae a62a1b6c
Pipeline #39176 passed with stages
in 12 minutes and 22 seconds
......@@ -30,15 +30,16 @@ The following software have components provided under the terms of this license:
- Apache Log4j Core (from )
- Apache Log4j JUL Adapter (from )
- Apache Log4j SLF4J Binding (from )
- Apache Log4j to SLF4J Adapter (from )
- Asynchronous Http Client (from )
- Asynchronous Http Client Netty Utils (from )
- Azure Metrics Spring Boot Starter (from https://github.com/Microsoft/azure-spring-boot)
- Bean Validation API (from http://beanvalidation.org)
- Brave Instrumentation: Http Adapters (from )
- Brave instrumentation for Reactor Netty HTTP (from https://github.com/reactor/reactor-netty)
- Byte Buddy (without dependencies) (from )
- Byte Buddy Java agent (from )
- ClassMate (from http://github.com/cowtowncoder/java-classmate)
- Converter: Jackson (from )
- Core functionality for the Reactor Netty library (from https://github.com/reactor/reactor-netty)
- Elastic JNA Distribution (from https://github.com/java-native-access/jna)
- Elasticsearch: 5.0.0-alpha5 (from https://github.com/elastic/elasticsearch)
- Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
......@@ -49,6 +50,7 @@ The following software have components provided under the terms of this license:
- Guava ListenableFuture only (from )
- Guava: Google Core Libraries for Java (from https://github.com/google/guava.git)
- HPPC Collections (from http://labs.carrotsearch.com)
- HTTP functionality for the Reactor Netty library (from https://github.com/reactor/reactor-netty)
- Hibernate Validator Engine (from )
- IntelliJ IDEA Annotations (from http://www.jetbrains.org)
- J2ObjC Annotations (from https://github.com/google/j2objc/)
......@@ -68,6 +70,7 @@ The following software have components provided under the terms of this license:
- Jackson-module-Afterburner (from http://wiki.fasterxml.com/JacksonHome)
- Jackson-module-JAXB-annotations (from http://wiki.fasterxml.com/JacksonJAXBAnnotations)
- Jackson-module-parameter-names (from )
- Jakarta Bean Validation API (from https://beanvalidation.org)
- Java Native Access (from https://github.com/java-native-access/jna)
- Java Native Access Platform (from https://github.com/java-native-access/jna)
- Java UUID Generator (from http://wiki.fasterxml.com/JugHome)
......@@ -90,7 +93,6 @@ The following software have components provided under the terms of this license:
- Lucene Queries (from )
- Lucene QueryParsers (from )
- Lucene Sandbox (from )
- Lucene Spatial (from )
- Lucene Spatial 3D (from )
- Lucene Spatial Extras (from )
- Lucene Suggest (from )
......@@ -106,6 +108,7 @@ The following software have components provided under the terms of this license:
- Netty Reactive Streams Implementation (from )
- Netty/Buffer (from http://netty.io/)
- Netty/Codec (from )
- Netty/Codec/DNS (from )
- Netty/Codec/HTTP (from )
- Netty/Codec/HTTP2 (from )
- Netty/Codec/Socks (from )
......@@ -113,6 +116,7 @@ The following software have components provided under the terms of this license:
- Netty/Handler (from )
- Netty/Handler/Proxy (from )
- Netty/Resolver (from )
- Netty/Resolver/DNS (from )
- Netty/TomcatNative [BoringSSL - Static] (from )
- Netty/Transport (from http://netty.io/)
- Netty/Transport/Native/Unix/Common (from )
......@@ -136,12 +140,9 @@ The following software have components provided under the terms of this license:
- Spring AOP (from https://github.com/spring-projects/spring-framework)
- Spring Beans (from https://github.com/spring-projects/spring-framework)
- Spring Boot (from http://projects.spring.io/spring-boot/)
- Spring Boot Actuator (from http://projects.spring.io/spring-boot/)
- Spring Boot Actuator AutoConfigure (from https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-actuator-autoconfigure)
- Spring Boot AutoConfigure (from http://projects.spring.io/spring-boot/)
- Spring Boot Json Starter (from https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-json)
- Spring Boot Log4J2 Starter (from http://projects.spring.io/spring-boot/)
- Spring Boot Logging Starter (from http://projects.spring.io/spring-boot/)
- Spring Boot Starter (from http://projects.spring.io/spring-boot/)
- Spring Boot Tomcat Starter (from http://projects.spring.io/spring-boot/)
- Spring Boot Validation Starter (from http://projects.spring.io/spring-boot/)
......@@ -159,11 +160,16 @@ The following software have components provided under the terms of this license:
- StAX API (from http://stax.codehaus.org/)
- T-Digest (from https://github.com/tdunning/t-digest)
- Woodstox (from https://github.com/FasterXML/woodstox)
- Zipkin Reporter Brave (from https://repo1.maven.org/maven2/io/zipkin/reporter2/zipkin-reporter-brave)
- Zipkin Reporter: Core (from )
- Zipkin v2 (from )
- aalto-xml (from )
- aggs-matrix-stats (from https://github.com/elastic/elasticsearch)
- brave (from )
- cli (from https://github.com/elastic/elasticsearch)
- compiler (from http://github.com/spullara/mustache.java)
- elasticsearch-core (from https://github.com/elastic/elasticsearch)
- elasticsearch-geo (from https://github.com/elastic/elasticsearch)
- error-prone annotations (from )
- io.grpc:grpc-context (from https://github.com/grpc/grpc-java)
- jackson-databind (from http://github.com/FasterXML/jackson)
......@@ -171,6 +177,7 @@ The following software have components provided under the terms of this license:
- javax.inject (from http://code.google.com/p/atinject/)
- lang-mustache (from https://github.com/elastic/elasticsearch)
- lettuce (from http://github.com/mp911de/lettuce/wiki)
- mapper-extras (from https://github.com/elastic/elasticsearch)
- micrometer-core (from https://github.com/micrometer-metrics/micrometer)
- micrometer-registry-azure-monitor (from https://github.com/micrometer-metrics/micrometer)
- org.apiguardian:apiguardian-api (from https://github.com/apiguardian-team/apiguardian)
......@@ -184,9 +191,7 @@ The following software have components provided under the terms of this license:
- secure-sm (from https://github.com/elastic/elasticsearch)
- swagger-annotations (from )
- swagger-jaxrs (from )
- tomcat-annotations-api (from http://tomcat.apache.org/)
- tomcat-embed-core (from http://tomcat.apache.org/)
- tomcat-embed-el (from http://tomcat.apache.org/)
- tomcat-embed-websocket (from http://tomcat.apache.org/)
- x-content (from https://github.com/elastic/elasticsearch)
......@@ -196,6 +201,7 @@ BSD-2-Clause
The following software have components provided under the terms of this license:
- Lucene Common Analyzers (from )
- Lucene Core (from )
- StAX (from http://stax.codehaus.org/)
- Stax2 API (from http://github.com/FasterXML/stax2-api)
......@@ -214,7 +220,6 @@ The following software have components provided under the terms of this license:
- Microsoft Application Insights Java SDK Spring Boot starter (from https://github.com/Microsoft/ApplicationInsights-Java)
- Microsoft Application Insights Java SDK Web Module (from https://github.com/Microsoft/ApplicationInsights-Java)
- Microsoft Application Insights Log4j 2 Appender (from https://github.com/Microsoft/ApplicationInsights-Java)
- NanoHttpd-Core (from )
- Netty/Codec/HTTP (from )
- Reflections (from http://github.com/ronmamo/reflections)
- SnakeYAML (from http://www.snakeyaml.org)
......@@ -251,7 +256,6 @@ CDDL-1.0
========================================================================
The following software have components provided under the terms of this license:
- JavaMail API (from )
- javax.annotation-api (from http://jcp.org/en/jsr/detail?id=250)
========================================================================
......@@ -260,7 +264,6 @@ CDDL-1.1
The following software have components provided under the terms of this license:
- JavaBeans Activation Framework (from )
- JavaBeans(TM) Activation Framework (from http://java.sun.com/javase/technologies/desktop/javabeans/jaf/index.jsp)
- tomcat-embed-core (from http://tomcat.apache.org/)
========================================================================
......@@ -270,8 +273,6 @@ The following software have components provided under the terms of this license:
- Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
- JUnit Jupiter (Aggregator) (from https://junit.org/junit5/)
- Logback Classic Module (from )
- Logback Core Module (from )
- Microsoft Application Insights Java SDK Core (from https://github.com/Microsoft/ApplicationInsights-Java)
- Microsoft Application Insights Java SDK Spring Boot starter (from https://github.com/Microsoft/ApplicationInsights-Java)
- Microsoft Application Insights Java SDK Web Module (from https://github.com/Microsoft/ApplicationInsights-Java)
......@@ -304,7 +305,6 @@ GPL-2.0-only
The following software have components provided under the terms of this license:
- JavaBeans Activation Framework (from )
- JavaMail API (from )
- javax.annotation-api (from http://jcp.org/en/jsr/detail?id=250)
- tomcat-embed-core (from http://tomcat.apache.org/)
......@@ -322,7 +322,6 @@ The following software have components provided under the terms of this license:
- Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
- JavaBeans Activation Framework (from )
- JavaMail API (from )
- jakarta.annotation-api (from https://projects.eclipse.org/projects/ee4j.ca)
- javax.annotation-api (from http://jcp.org/en/jsr/detail?id=250)
- tomcat-embed-core (from http://tomcat.apache.org/)
......@@ -352,8 +351,6 @@ The following software have components provided under the terms of this license:
- Java Native Access (from https://github.com/java-native-access/jna)
- Java Native Access Platform (from https://github.com/java-native-access/jna)
- Javassist (from http://www.javassist.org/)
- Logback Classic Module (from )
- Logback Core Module (from )
- Microsoft Application Insights Java SDK Core (from https://github.com/Microsoft/ApplicationInsights-Java)
- Microsoft Application Insights Java SDK Spring Boot starter (from https://github.com/Microsoft/ApplicationInsights-Java)
- Microsoft Application Insights Java SDK Web Module (from https://github.com/Microsoft/ApplicationInsights-Java)
......@@ -382,8 +379,6 @@ The following software have components provided under the terms of this license:
- Azure Java Client Authentication Library for AutoRest (from https://github.com/Azure/autorest-clientruntime-for-java)
- Azure Java Client Runtime for ARM (from https://github.com/Azure/autorest-clientruntime-for-java)
- Azure Java Client Runtime for AutoRest (from https://github.com/Azure/autorest-clientruntime-for-java)
- Azure Metrics Spring Boot Starter (from https://github.com/Microsoft/azure-spring-boot)
- Azure Spring Boot AutoConfigure (from https://github.com/Microsoft/azure-spring-boot)
- Checker Qual (from https://checkerframework.org)
- Extensions on Apache Proton-J library (from https://github.com/Azure/qpid-proton-j-extensions)
- JOpt Simple (from http://pholser.github.io/jopt-simple)
......@@ -391,7 +386,6 @@ The following software have components provided under the terms of this license:
- Java Client Runtime for AutoRest (from https://github.com/Azure/autorest-clientruntime-for-java)
- Java JWT (from http://www.jwt.io)
- Lucene Core (from )
- Lucene Sandbox (from )
- Microsoft Application Insights Java SDK Core (from https://github.com/Microsoft/ApplicationInsights-Java)
- Microsoft Application Insights Java SDK Spring Boot starter (from https://github.com/Microsoft/ApplicationInsights-Java)
- Microsoft Application Insights Java SDK Web Module (from https://github.com/Microsoft/ApplicationInsights-Java)
......@@ -437,6 +431,7 @@ MPL-2.0
The following software have components provided under the terms of this license:
- Javassist (from http://www.javassist.org/)
- OkHttp (from )
========================================================================
PHP-3.01
......@@ -496,9 +491,9 @@ unknown
The following software have components provided under the terms of this license:
- Byte Buddy (without dependencies) (from )
- Checker Qual (from https://checkerframework.org)
- JUnit Jupiter (Aggregator) (from https://junit.org/junit5/)
- JavaBeans Activation Framework API jar (from )
- JavaMail API (from )
- Spongy Castle (from http://rtyley.github.io/spongycastle/)
- jakarta.xml.bind-api (from )
- org.junit.jupiter:junit-jupiter-api (from http://junit.org/junit5/)
......
......@@ -29,32 +29,22 @@
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<repos.id>os-core</repos.id>
<repos.url>https://pkgs.dev.azure.com/slb-des-ext-collaboration/_packaging/os-core/maven/v1</repos.url>
<org.springframework.version>5.1.9.RELEASE</org.springframework.version>
<checkstyle.version>3.1.0</checkstyle.version>
<junit.jupiter.version>5.6.0</junit.jupiter.version>
<mockito-junit-jupiter.version>2.23.0</mockito-junit-jupiter.version>
<maven.surefire.version>2.22.2</maven.surefire.version>
<javax.inject.version>1</javax.inject.version>
<azure.identity.version>1.1.3</azure.identity.version>
<azure.keyvault.version>4.2.2</azure.keyvault.version>
<azure.spring.data.cosmos.version>3.1.0</azure.spring.data.cosmos.version>
<azure.storage.version>12.8.0</azure.storage.version>
<azure.servicebus.version>3.4.0</azure.servicebus.version>
<azure.core.version>1.11.0</azure.core.version>
<azure.core.http.netty.version>1.6.2</azure.core.http.netty.version>
<azure.msal4j.version>1.7.1</azure.msal4j.version>
<azure.appinsights.version>2.5.1</azure.appinsights.version>
<azure.appinsights.log4j.version>2.5.1</azure.appinsights.log4j.version>
<azure.spring.boot.version>2.3.5</azure.spring.boot.version>
<checkstyle.version>3.1.0</checkstyle.version>
<jackson.version>2.11.4</jackson.version>
<reactor.version>Dysprosium-SR12</reactor.version>
<netty.version>4.1.51.Final</netty.version>
<azure.appinsights.version>2.6.3</azure.appinsights.version>
<azure.appinsights.log4j.version>2.6.3</azure.appinsights.log4j.version>
<azure.spring.boot.version>3.4.0</azure.spring.boot.version>
<lombok.version>1.18.16</lombok.version>
<osdu.oscorecommon.version>0.9.0-rc5</osdu.oscorecommon.version>
<mockito-junit-jupiter.version>2.23.0</mockito-junit-jupiter.version>
<spring-boot-starter-log4j2.version>2.3.4.RELEASE</spring-boot-starter-log4j2.version>
<osdu.oscorecommon.version>0.9.0-rc7</osdu.oscorecommon.version>
<azure-mgmt-eventgrid.version>1.0.0-beta-3</azure-mgmt-eventgrid.version>
<azure-security-keyvault-keys.version>4.2.3</azure-security-keyvault-keys.version>
<documentdb-bulkexecutor.version>2.12.0</documentdb-bulkexecutor.version>
<azure-eventgrid.version>1.2.0</azure-eventgrid.version>
<json-smart.version>2.4.6</json-smart.version>
<azure.servicebus.version>3.6.3</azure.servicebus.version>
<io.micrometer.version>1.6.6</io.micrometer.version>
</properties>
<licenses>
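Review bot: The `<properties>` block gives no reason for any of the version bumps, and the commit message only says "Fix security vulnerabilities". For pins that exist for security reasons, such as `<json-smart.version>2.4.6</json-smart.version>`, add a short XML comment naming the advisory so a later cleanup knows when the pin can be relaxed. Two smaller points in the same block: `checkstyle.version` and `mockito-junit-jupiter.version` each appear twice in the lines shown, so confirm the resulting file defines each of them once. Also, `osdu.oscorecommon.version` (`0.9.0-rc7`) and `azure-mgmt-eventgrid.version` (`1.0.0-beta-3`) are pre-release versions and deserve a follow-up item to move to final releases.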
......@@ -70,43 +60,17 @@
inherit this list. -->
<dependencyManagement>
<dependencies>
<!-- Bill of materials to make sure a consistent set of
versions is used for Reactor 3 and Netty artifacts. -->
<dependency>
<groupId>io.projectreactor</groupId>
<artifactId>reactor-bom</artifactId>
<version>${reactor.version}</version>
<groupId>com.azure.spring</groupId>
<artifactId>azure-spring-boot-bom</artifactId>
<version>${azure.spring.boot.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>io.netty</groupId>
<artifactId>netty-bom</artifactId>
<version>${netty.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-core</artifactId>
<version>${azure.core.version}</version>
</dependency>
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-core-http-netty</artifactId>
<version>${azure.core.http.netty.version}</version>
</dependency>
<dependency>
<groupId>com.microsoft.azure</groupId>
<artifactId>msal4j</artifactId>
<version>${azure.msal4j.version}</version>
</dependency>
<!-- BOM for Azure Spring Boot Starters like azure-active-directory-spring-boot-starter,
azure-cosmosdb-spring-boot-starter etc. -->
<dependency>
<groupId>com.microsoft.azure</groupId>
<artifactId>azure-spring-boot-bom</artifactId>
<version>${azure.spring.boot.version}</version>
<groupId>org.opengroup.osdu</groupId>
<artifactId>os-core-common</artifactId>
<version>${osdu.oscorecommon.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
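Review bot: Missing documentation in `<dependencyManagement>`: going by the line counts in the hunk header, the explicit `reactor-bom` and `netty-bom` imports and the `azure-core`, `azure-core-http-netty` and `msal4j` pins go away, leaving `com.azure.spring:azure-spring-boot-bom` and `org.opengroup.osdu:os-core-common` as the only imports. Those two BOMs now decide the Reactor, Netty and Azure core versions, and where both manage the same artifact Maven takes the one imported first. Add a comment stating which BOM is expected to supply those versions and why the order is what it is. Before merging, compare `mvn dependency:tree` output against the previous build to confirm no library that was pinned for a fix has moved to an older release.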
......@@ -115,22 +79,10 @@
<artifactId>lombok</artifactId>
<version>${lombok.version}</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.fasterxml.jackson/jackson-bom -->
<dependency>
<groupId>com.fasterxml.jackson</groupId>
<artifactId>jackson-bom</artifactId>
<version>${jackson.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<dependencies>
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-core-http-netty</artifactId>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
......@@ -141,12 +93,10 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-beans</artifactId>
<version>${org.springframework.version}</version>
</dependency>
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-context</artifactId>
<version>${org.springframework.version}</version>
</dependency>
......@@ -171,23 +121,35 @@
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-identity</artifactId>
<version>${azure.identity.version}</version>
<exclusions>
<exclusion>
<groupId>net.minidev</groupId>
<artifactId>json-smart</artifactId>
</exclusion>
</exclusions>
</dependency>
<!--
azure-identity:1.2.5 comes with problem dependency: net.minidev:json-smart:jar:2.3
because of that we need to enforce the higher version
-->
<dependency>
<groupId>net.minidev</groupId>
<artifactId>json-smart</artifactId>
<version>${json-smart.version}</version>
</dependency>
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-security-keyvault-secrets</artifactId>
<version>${azure.keyvault.version}</version>
</dependency>
<!-- https://mvnrepository.com/artifact/com.azure/azure-spring-data-cosmos -->
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-spring-data-cosmos</artifactId>
<version>${azure.spring.data.cosmos.version}</version>
</dependency>
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-storage-blob</artifactId>
<version>${azure.storage.version}</version>
</dependency>
<dependency>
<groupId>com.microsoft.azure</groupId>
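Review bot: The comment above the new `net.minidev:json-smart` dependency says "azure-identity:1.2.5 comes with problem dependency", but nothing in this hunk pins `azure-identity` to 1.2.5, and "problem dependency" does not say what is wrong with json-smart 2.3. Reword the comment to name the advisory being addressed and to describe the condition for removing the override (for example, once `azure-identity` ships a json-smart at or above `${json-smart.version}`). The exclusion covers only the path through `azure-identity`, so also run `mvn dependency:tree -Dincludes=net.minidev:json-smart` and check that no other dependency still resolves the old version.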
......@@ -202,13 +164,13 @@
<version>${azure.appinsights.version}</version>
</dependency>
<dependency>
<groupId>com.microsoft.azure</groupId>
<artifactId>azure-spring-boot-metrics-starter</artifactId>
<groupId>io.micrometer</groupId>
<artifactId>micrometer-registry-azure-monitor</artifactId>
<version>${io.micrometer.version}</version>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-log4j2</artifactId>
<version>${spring-boot-starter-log4j2.version}</version>
</dependency>
<dependency>
<groupId>com.microsoft.azure</groupId>
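Review bot: `micrometer-registry-azure-monitor` is given an explicit `<version>${io.micrometer.version}</version>`, while the rest of this change moves dependencies to BOM-managed versions. If one of the imported BOMs also manages Micrometer, this registry can end up on a different release from `micrometer-core`. Either drop the explicit version and let the BOM decide, or add a comment explaining why 1.6.6 has to be forced here.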
......@@ -216,14 +178,6 @@
<version>${azure.appinsights.log4j.version}</version>
</dependency>
<!-- Other dependencies -->
<dependency>
<groupId>javax.inject</groupId>
<artifactId>javax.inject</artifactId>
<version>${javax.inject.version}</version>
</dependency>
<!-- Test dependencies -->
<dependency>
<groupId>org.junit.jupiter</groupId>
......@@ -249,7 +203,7 @@
<dependency>
<groupId>com.microsoft.azure</groupId>
<artifactId>azure-eventgrid</artifactId>
<version>1.2.0</version>
<version>${azure-eventgrid.version}</version>
<exclusions>
<exclusion>
<artifactId>azure-client-runtime</artifactId>
......@@ -275,7 +229,6 @@
<dependency>
<groupId>org.springframework</groupId>
<artifactId>spring-test</artifactId>
<version>5.2.8.RELEASE</version>
<scope>test</scope>
<exclusions>
<exclusion>
......