Commit c0d35ae1 authored by David Diederich

Merge branch 'cherry-pick-log4j' into 'release/0.12'

Upgrade vulnerable dependencies according to WhiteSource alerts

See merge request !129
parents f10340fe 3500e23d
Pipeline #81823 passed with stages
in 7 minutes and 8 seconds
......@@ -9,49 +9,49 @@ The following software have components provided under the terms of this license:
- Apache Commons Codec (from https://commons.apache.org/proper/commons-codec/)
- Apache Commons Lang (from http://commons.apache.org/proper/commons-lang/)
- Apache Commons Logging (from http://commons.apache.org/proper/commons-logging/)
- Apache HttpAsyncClient (from http://hc.apache.org/httpcomponents-asyncclient)
- Apache HttpClient (from http://hc.apache.org/httpcomponents-client)
- Apache HttpClient Cache (from http://hc.apache.org/httpcomponents-client)
- Apache HttpCore (from http://hc.apache.org/httpcomponents-core-ga)
- Apache HttpCore NIO (from http://hc.apache.org/httpcomponents-core-ga)
- Apache Log4j API (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api)
- Apache Log4j to SLF4J Adapter (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-to-slf4j)
- Apache Lucene (module: backward-codecs) (from https://lucene.apache.org/)
- Bean Validation API (from http://beanvalidation.org)
- Byte Buddy (without dependencies) (from https://repo1.maven.org/maven2/net/bytebuddy/byte-buddy)
- Byte Buddy (without dependencies) (from )
- Byte Buddy agent (from https://repo1.maven.org/maven2/net/bytebuddy/byte-buddy-agent)
- ClassMate (from http://github.com/cowtowncoder/java-classmate)
- Commons Logging (from http://commons.apache.org/logging/)
- Elastic JNA Distribution (from https://github.com/java-native-access/jna)
- Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
- FindBugs-jsr305 (from http://findbugs.sourceforge.net/)
- Google HTTP Client Library for Java (from https://repo1.maven.org/maven2/com/google/http-client/google-http-client)
- Gson (from https://repo1.maven.org/maven2/com/google/code/gson/gson)
- Gson (from http://code.google.com/p/google-gson/)
- Guava InternalFutureFailureAccess and InternalFutures (from https://repo1.maven.org/maven2/com/google/guava/failureaccess)
- Guava: Google Core Libraries for Java (from https://repo1.maven.org/maven2/com/google/guava/guava)
- Guava: Google Core Libraries for Java (from https://github.com/google/guava)
- HPPC Collections (from https://repo1.maven.org/maven2/com/carrotsearch/hppc)
- Hibernate Validator Engine (from https://repo1.maven.org/maven2/org/hibernate/validator/hibernate-validator)
- HttpClient (from http://hc.apache.org/httpcomponents-client)
- HttpCore NIO (from http://hc.apache.org/httpcomponents-core-ga)
- J2ObjC Annotations (from https://github.com/google/j2objc/)
- JBoss Logging 3 (from http://www.jboss.org)
- JSON Web Token support for the JVM (from https://repo1.maven.org/maven2/io/jsonwebtoken/jjwt)
- Jackson dataformat: CBOR (from http://github.com/FasterXML/jackson-dataformats-binary)
- Jackson datatype: JSR310 (from https://repo1.maven.org/maven2/com/fasterxml/jackson/datatype/jackson-datatype-jsr310)
- Jackson datatype: jdk8 (from https://repo1.maven.org/maven2/com/fasterxml/jackson/datatype/jackson-datatype-jdk8)
- Jackson-Datatype-JSR310 (from http://wiki.fasterxml.com/JacksonModuleJSR310)
- Jackson-annotations (from http://github.com/FasterXML/jackson)
- Jackson-core (from http://wiki.fasterxml.com/JacksonHome)
- Jackson-dataformat-Smile (from http://wiki.fasterxml.com/JacksonForSmile)
- Jackson-core (from https://github.com/FasterXML/jackson-core)
- Jackson-dataformat-Smile (from )
- Jackson-dataformat-YAML (from https://github.com/FasterXML/jackson)
- Jackson-module-parameter-names (from https://repo1.maven.org/maven2/com/fasterxml/jackson/module/jackson-module-parameter-names)
- Jackson-datatype-jdk8 (from )
- Jackson-module-parameter-names (from )
- Jakarta Bean Validation API (from https://beanvalidation.org)
- Jakarta Expression Language 4.0 (from https://projects.eclipse.org/projects/ee4j.el)
- Java Servlet API (from http://servlet-spec.java.net)
- Javassist (from http://www.javassist.org/)
- Joda-Time (from https://www.joda.org/joda-time/)
- Joda-Time (from http://www.joda.org/joda-time/)
- Lucene Common Analyzers (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-analyzers-common)
- Lucene Core (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-core)
- Lucene Core (from )
- Lucene Grouping (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-grouping)
- Lucene Highlighter (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-highlighter)
- Lucene Join (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-join)
- Lucene Memory (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-memory)
- Lucene Memory (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-backward-codecs)
- Lucene Miscellaneous (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-misc)
- Lucene Queries (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-queries)
- Lucene QueryParsers (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-queryparser)
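Review bot: several regenerated entries in this hunk carry an empty source URL, e.g. `- Byte Buddy (without dependencies) (from )`, `- Jackson-dataformat-Smile (from )` and `- Lucene Core (from )`, and `- Lucene Memory (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-backward-codecs)` pairs the Lucene Memory name with the backward-codecs artifact URL. These read as lookups the NOTICE generator failed to resolve rather than real changes in provenance; re-run the generator against the resolved dependency tree, or fill the URLs by hand, before merging, since the same blank `(from )` form also appears for Jackson-datatype-jdk8 and Jackson-module-parameter-names in this hunk and recurs for JUnit and Checker Qual further down the file.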
......@@ -71,22 +71,16 @@ The following software have components provided under the terms of this license:
- OpenCensus (from https://github.com/census-instrumentation/opencensus-java)
- PowerMock (from http://www.powermock.org)
- PowerMock (from http://www.powermock.org)
- PowerMock (from http://www.powermock.org)
- PowerMock (from http://www.powermock.org)
- SnakeYAML (from http://www.snakeyaml.org)
- SnakeYAML (from http://code.google.com/p/snakeyaml/)
- Spring AOP (from https://github.com/spring-projects/spring-framework)
- Spring Beans (from https://github.com/spring-projects/spring-framework)
- Spring Boot (from http://projects.spring.io/spring-boot/)
- Spring Boot AutoConfigure (from http://projects.spring.io/spring-boot/)
- Spring Boot Json Starter (from https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-json)
- Spring Boot Logging Starter (from http://projects.spring.io/spring-boot/)
- Spring Boot Starter (from http://projects.spring.io/spring-boot/)
- Spring Boot Tomcat Starter (from https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-tomcat)
- Spring Boot Web Starter (from https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-web)
- Spring Boot Validation Starter (from http://projects.spring.io/spring-boot/)
- Spring Boot Web Starter (from http://projects.spring.io/spring-boot/)
- Spring Commons Logging Bridge (from https://github.com/spring-projects/spring-framework)
- Spring Context (from https://github.com/spring-projects/spring-framework)
- Spring Core (from https://github.com/spring-projects/spring-framework)
- Spring Expression Language (SpEL) (from https://github.com/spring-projects/spring-framework)
- Spring TestContext Framework (from https://github.com/spring-projects/spring-framework)
- Spring Web (from https://github.com/spring-projects/spring-framework)
- Spring Web MVC (from https://github.com/spring-projects/spring-framework)
- T-Digest (from https://github.com/tdunning/t-digest)
......@@ -99,19 +93,25 @@ The following software have components provided under the terms of this license:
- elasticsearch-x-content (from https://github.com/elastic/elasticsearch)
- error-prone annotations (from https://repo1.maven.org/maven2/com/google/errorprone/error_prone_annotations)
- io.grpc:grpc-context (from https://github.com/grpc/grpc-java)
- jackson-databind (from http://wiki.fasterxml.com/JacksonHome)
- jackson-databind (from http://github.com/FasterXML/jackson)
- javax.inject (from http://code.google.com/p/atinject/)
- lang-mustache (from https://github.com/elastic/elasticsearch)
- lettuce (from http://github.com/mp911de/lettuce/wiki)
- lettuce (from http://github.com/lettuce-io/lettuce-core)
- mapper-extras (from https://github.com/elastic/elasticsearch)
- parent-join (from https://github.com/elastic/elasticsearch)
- powermock-core (from http://www.powermock.org)
- powermock-reflect (from https://repo1.maven.org/maven2/org/powermock/powermock-reflect)
- rank-eval (from https://github.com/elastic/elasticsearch)
- rest (from https://github.com/elastic/elasticsearch)
- rest-high-level (from https://github.com/elastic/elasticsearch)
- rxjava (from https://github.com/ReactiveX/RxJava)
- server (from https://github.com/elastic/elasticsearch)
- spring-boot-starter-validation (from https://spring.io/projects/spring-boot)
- spring-test (from https://repo1.maven.org/maven2/org/springframework/spring-test)
- spring-boot (from https://spring.io/projects/spring-boot)
- spring-boot-autoconfigure (from https://spring.io/projects/spring-boot)
- spring-boot-starter (from https://spring.io/projects/spring-boot)
- spring-boot-starter-json (from https://spring.io/projects/spring-boot)
- spring-boot-starter-logging (from https://spring.io/projects/spring-boot)
- spring-boot-starter-tomcat (from https://spring.io/projects/spring-boot)
- swagger-annotations (from https://repo1.maven.org/maven2/io/swagger/swagger-annotations)
- swagger-jaxrs (from https://repo1.maven.org/maven2/io/swagger/swagger-jaxrs)
- tomcat-embed-core (from http://tomcat.apache.org/)
......@@ -125,7 +125,7 @@ The following software have components provided under the terms of this license:
- Hamcrest (from http://hamcrest.org/JavaHamcrest/)
- Hamcrest Core (from https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core)
- Lucene Common Analyzers (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-analyzers-common)
- Reflections (from http://github.com/ronmamo/reflections)
- Reflections (from http://code.google.com/p/reflections/)
========================================================================
BSD-3-Clause
......@@ -136,11 +136,11 @@ The following software have components provided under the terms of this license:
- Hamcrest (from http://hamcrest.org/JavaHamcrest/)
- Hamcrest Core (from https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core)
- Lucene Common Analyzers (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-analyzers-common)
- Lucene Core (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-core)
- Lucene Core (from )
- Lucene Suggest (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-suggest)
- Mockito (from http://www.mockito.org)
- Reflections (from http://github.com/ronmamo/reflections)
- SnakeYAML (from http://www.snakeyaml.org)
- Reflections (from http://code.google.com/p/reflections/)
- SnakeYAML (from http://code.google.com/p/snakeyaml/)
- Spring Core (from https://github.com/spring-projects/spring-framework)
========================================================================
......@@ -163,7 +163,7 @@ CPL-1.0
========================================================================
The following software have components provided under the terms of this license:
- JUnit (from http://junit.org)
- JUnit (from )
- System Rules (from http://stefanbirkner.github.io/system-rules/)
========================================================================
......@@ -171,19 +171,19 @@ EPL-1.0
========================================================================
The following software have components provided under the terms of this license:
- Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
- Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
- Logback Classic Module (from http://logback.qos.ch)
- Logback Core Module (from http://logback.qos.ch)
- SnakeYAML (from http://www.snakeyaml.org)
- Jakarta Expression Language 4.0 (from https://projects.eclipse.org/projects/ee4j.el)
- Logback Classic Module (from https://repo1.maven.org/maven2/ch/qos/logback/logback-classic)
- Logback Core Module (from https://repo1.maven.org/maven2/ch/qos/logback/logback-core)
- SnakeYAML (from http://code.google.com/p/snakeyaml/)
========================================================================
EPL-2.0
========================================================================
The following software have components provided under the terms of this license:
- Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
- Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
- Jakarta Expression Language 4.0 (from https://projects.eclipse.org/projects/ee4j.el)
========================================================================
GPL-2.0-only
......@@ -198,15 +198,15 @@ GPL-2.0-or-later
========================================================================
The following software have components provided under the terms of this license:
- SnakeYAML (from http://www.snakeyaml.org)
- SnakeYAML (from http://code.google.com/p/snakeyaml/)
========================================================================
GPL-2.0-with-classpath-exception
========================================================================
The following software have components provided under the terms of this license:
- Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
- Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
- Jakarta Expression Language 4.0 (from https://projects.eclipse.org/projects/ee4j.el)
- Java Servlet API (from http://servlet-spec.java.net)
- tomcat-embed-core (from http://tomcat.apache.org/)
......@@ -215,9 +215,9 @@ GPL-3.0-only
========================================================================
The following software have components provided under the terms of this license:
- Expression Language 3.0 (from https://projects.eclipse.org/projects/ee4j.el)
- Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
- Project Lombok (from http://projectlombok.org)
- Jakarta Expression Language 4.0 (from https://projects.eclipse.org/projects/ee4j.el)
- Project Lombok (from https://projectlombok.org)
========================================================================
LGPL-2.1-only
......@@ -226,8 +226,8 @@ The following software have components provided under the terms of this license:
- Elastic JNA Distribution (from https://github.com/java-native-access/jna)
- Javassist (from http://www.javassist.org/)
- Logback Classic Module (from http://logback.qos.ch)
- Logback Core Module (from http://logback.qos.ch)
- Logback Classic Module (from https://repo1.maven.org/maven2/ch/qos/logback/logback-classic)
- Logback Core Module (from https://repo1.maven.org/maven2/ch/qos/logback/logback-core)
========================================================================
LGPL-2.1-or-later
......@@ -235,7 +235,7 @@ LGPL-2.1-or-later
The following software have components provided under the terms of this license:
- Javassist (from http://www.javassist.org/)
- SnakeYAML (from http://www.snakeyaml.org)
- SnakeYAML (from http://code.google.com/p/snakeyaml/)
========================================================================
LGPL-3.0-only
......@@ -249,15 +249,15 @@ MIT
========================================================================
The following software have components provided under the terms of this license:
- Checker Qual (from https://checkerframework.org)
- JOpt Simple (from http://pholser.github.com/jopt-simple)
- Checker Qual (from )
- JOpt Simple (from http://jopt-simple.github.io/jopt-simple)
- JUL to SLF4J bridge (from http://www.slf4j.org)
- Lucene Core (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-core)
- Lucene Core (from )
- Mockito (from http://www.mockito.org)
- Netty/Common (from https://repo1.maven.org/maven2/io/netty/netty-common)
- Project Lombok (from http://projectlombok.org)
- Project Lombok (from https://projectlombok.org)
- SLF4J API Module (from http://www.slf4j.org)
- java jwt (from https://github.com/auth0/java-jwt)
- java jwt (from http://www.jwt.io)
========================================================================
MPL-1.1
......@@ -273,36 +273,29 @@ The following software have components provided under the terms of this license:
- Javassist (from http://www.javassist.org/)
========================================================================
SPL-1.0
========================================================================
The following software have components provided under the terms of this license:
- Checker Qual (from https://checkerframework.org)
========================================================================
SunPro
========================================================================
The following software have components provided under the terms of this license:
- Lucene Core (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-core)
- Lucene Core (from )
========================================================================
WTFPL
========================================================================
The following software have components provided under the terms of this license:
- Reflections (from http://github.com/ronmamo/reflections)
- Reflections (from http://code.google.com/p/reflections/)
========================================================================
public-domain
========================================================================
The following software have components provided under the terms of this license:
- Guava: Google Core Libraries for Java (from https://repo1.maven.org/maven2/com/google/guava/guava)
- Guava: Google Core Libraries for Java (from https://github.com/google/guava)
- HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
- Joda-Time (from https://www.joda.org/joda-time/)
- Project Lombok (from http://projectlombok.org)
- Joda-Time (from http://www.joda.org/joda-time/)
- Project Lombok (from https://projectlombok.org)
- Spring Web (from https://github.com/spring-projects/spring-framework)
========================================================================
......@@ -310,8 +303,8 @@ unknown
========================================================================
The following software have components provided under the terms of this license:
- Byte Buddy (without dependencies) (from https://repo1.maven.org/maven2/net/bytebuddy/byte-buddy)
- Checker Qual (from https://checkerframework.org)
- Byte Buddy (without dependencies) (from )
- Checker Qual (from )
- System Rules (from http://stefanbirkner.github.io/system-rules/)
......@@ -35,6 +35,7 @@
<netty-bom.version>4.1.63.Final</netty-bom.version>
<snakeyaml.version>1.26</snakeyaml.version>
<commons-codec.version>1.14</commons-codec.version>
<log4j2.version>2.15.0</log4j2.version>
</properties>
<licenses>
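Review bot: `<log4j2.version>2.15.0</log4j2.version>` pins the first release that addresses CVE-2021-44228, but 2.15.0 was superseded within days (CVE-2021-45046 was fixed in 2.16.0, with further fixes in the 2.17.x line), so the next WhiteSource scan will raise a new alert against this same property; pin the latest Log4j 2 patch release instead and put a one-line comment beside the property stating that it intentionally overrides the version managed by Spring Boot.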
......@@ -61,6 +62,17 @@
<type>pom</type>
<scope>import</scope>
</dependency>
<!--<editor-fold desc="Overriding spring-boot-dependencies. Fix: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">-->
<dependency>
<groupId>org.apache.logging.log4j</groupId>
<artifactId>log4j-bom</artifactId>
<version>${log4j2.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
<!--</editor-fold>-->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-dependencies</artifactId>
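Review bot: importing `log4j-bom` ahead of `spring-boot-dependencies` is the right mechanism, because Maven takes managed versions from imported BOMs in declaration order and overriding the `log4j2.version` property alone does not reach a BOM that is imported with `<scope>import</scope>` rather than used as the parent; say so in the comment, so nobody later reorders the two imports and silently reverts the fix. Verify the outcome with `mvn dependency:tree -Dincludes=org.apache.logging.log4j`: the NOTICE in this same commit lists only Apache Log4j API and the Log4j to SLF4J Adapter, which is Spring Boot's default bridge onto Logback, so `log4j-core`, where the JNDI lookup behind CVE-2021-44228 lives, should not be on the classpath at all. If that holds, the upgrade satisfies the scanner but the service was not actually exposed, and that finding belongs in the merge request description. The `<!--<editor-fold desc="...">-->` markers are IDE-specific; a plain XML comment carrying the CVE reference reads the same to everyone.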
......