
[MS 38485] update netty-bom vulnerability

VidyaDharani Lokam requested to merge az/vl-fix-netty-vulnerability into master
  • update netty-bom dependency from 4.1.70.Final to 4.1.109.Final to remediate vulnerability.

    mvn dependency:tree before changes:

    [INFO] |  +- io.netty:netty-common:jar:4.1.70.Final:compile
    [INFO] |  +- io.netty:netty-transport:jar:4.1.70.Final:compile
    [INFO] |  |  +- io.netty:netty-buffer:jar:4.1.70.Final:compile
    [INFO] |  |  \- io.netty:netty-resolver:jar:4.1.70.Final:compile
    [INFO] |  \- io.netty:netty-handler:jar:4.1.70.Final:compile
    [INFO] |     \- io.netty:netty-codec:jar:4.1.70.Final:compile

    mvn dependency:tree after changes:

    [INFO] |  +- io.netty:netty-common:jar:4.1.109.Final:compile
    [INFO] |  +- io.netty:netty-transport:jar:4.1.109.Final:compile
    [INFO] |  |  +- io.netty:netty-buffer:jar:4.1.109.Final:compile
    [INFO] |  |  \- io.netty:netty-resolver:jar:4.1.109.Final:compile
    [INFO] |  \- io.netty:netty-handler:jar:4.1.109.Final:compile
    [INFO] |     +- io.netty:netty-transport-native-unix-common:jar:4.1.109.Final:compile
    [INFO] |     \- io.netty:netty-codec:jar:4.1.109.Final:compile

    The changes were tested with Ingestion workflow (pipeline) and EDS-DMS (pipeline) services and the pipelines are green.

Edited by VidyaDharani Lokam
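
The before/after comparison above can be checked mechanically during review. The following is an added example, not part of this merge request or the project's code: it parses both trees, lists upgraded and newly pulled-in `io.netty` artifacts, and flags any still below a floor version. Function names are hypothetical; the tree text and the 4.1.109.Final floor are taken from the description.

```python
# Added example (not project code): audit a Netty bump from `mvn dependency:tree`.
# BEFORE/AFTER are the trees quoted in the description; function names are illustrative.
BEFORE = r"""
[INFO] |  +- io.netty:netty-common:jar:4.1.70.Final:compile
[INFO] |  +- io.netty:netty-transport:jar:4.1.70.Final:compile
[INFO] |  |  +- io.netty:netty-buffer:jar:4.1.70.Final:compile
[INFO] |  |  \- io.netty:netty-resolver:jar:4.1.70.Final:compile
[INFO] |  \- io.netty:netty-handler:jar:4.1.70.Final:compile
[INFO] |     \- io.netty:netty-codec:jar:4.1.70.Final:compile
"""
AFTER = r"""
[INFO] |  +- io.netty:netty-common:jar:4.1.109.Final:compile
[INFO] |  +- io.netty:netty-transport:jar:4.1.109.Final:compile
[INFO] |  |  +- io.netty:netty-buffer:jar:4.1.109.Final:compile
[INFO] |  |  \- io.netty:netty-resolver:jar:4.1.109.Final:compile
[INFO] |  \- io.netty:netty-handler:jar:4.1.109.Final:compile
[INFO] |     +- io.netty:netty-transport-native-unix-common:jar:4.1.109.Final:compile
[INFO] |     \- io.netty:netty-codec:jar:4.1.109.Final:compile
"""

def parse_tree(text, group="io.netty"):
    """Map artifactId -> version for every `group` artifact in the tree."""
    found = {}
    for line in text.splitlines():
        parts = line.split()[-1].split(":") if line.strip() else []
        if len(parts) in (5, 6) and parts[0] == group:  # 6 = with classifier
            found[parts[1]] = parts[-2]  # version precedes the scope
    return found

def version_key(version):
    """Compare numerically: as strings, '4.1.109' sorts before '4.1.70'."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())

def audit(before, after, minimum):
    """Report upgrades, newly pulled-in artifacts, and any below `minimum`."""
    old, new = parse_tree(before), parse_tree(after)
    return {
        "upgraded": sorted(a for a in new if a in old
                           and version_key(new[a]) > version_key(old[a])),
        "added": sorted(set(new) - set(old)),
        "below_minimum": sorted(a for a, v in new.items()
                                if version_key(v) < version_key(minimum)),
    }

if __name__ == "__main__":
    print(audit(BEFORE, AFTER, "4.1.109.Final"))
```

The `added` list is the part worth a second look in review: a version bump that pulls in a new transitive artifact changes what ships, even when every existing artifact reaches the target version.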
