[MSCOSDU-1851] fix json, io.netty, reactor-core vulnerabilities

265ea377 · VidyaDharani Lokam · Chad Leong · ef86d457 · 265ea377 · 265ea377
Commit 265ea377 authored 1 year ago by VidyaDharani Lokam Committed by Chad Leong 1 year ago
--- a/NOTICE
+++ b/NOTICE
@@ -536,8 +536,8 @@ GPL-3.0-only
 The following software have components provided under the terms of this license:

 - Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
+- Jakarta XML Binding API (from https://repo1.maven.org/maven2/jakarta/xml/bind/jakarta.xml.bind-api, https://repo1.maven.org/maven2/org/jboss/spec/javax/xml/bind/jboss-jaxb-api_2.3_spec)
 - Java Servlet 4.0 API
- Old JAXB Core (from <https://eclipse-ee4j.github.io/jaxb-ri/>, https://eclipse-ee4j.github.io/jaxb-ri/, https://repo1.maven.org/maven2/com/sun/xml/bind/jaxb-impl)

 ========================================================================
 ISC
@@ -554,13 +554,6 @@ The following software have components provided under the terms of this license:

 - aalto-xml (from https://github.com/FasterXML/aalto-xml, https://repo1.maven.org/maven2/com/fasterxml/aalto-xml)

-========================================================================
-Info-ZIP
-========================================================================
-The following software have components provided under the terms of this license:
-
- ClassGraph (from https://github.com/classgraph/classgraph)
-
 ========================================================================
 LGPL-2.1-only
 ========================================================================
@@ -698,7 +691,6 @@ The following software have components provided under the terms of this license:
 - JSON in Java (from https://github.com/douglascrockford/JSON-java)
 - Microsoft Azure client library for Blob Storage (from https://github.com/Azure/azure-sdk-for-java)
 - Undertow Core (from <https://repo1.maven.org/maven2/io/undertow/undertow-core>, https://repo1.maven.org/maven2/io/undertow/undertow-core)
- Undertow Servlet (from <https://repo1.maven.org/maven2/io/undertow/undertow-servlet>, https://repo1.maven.org/maven2/io/undertow/undertow-servlet)
 - Undertow WebSockets JSR356 implementations (from <https://repo1.maven.org/maven2/io/undertow/undertow-websockets-jsr>, https://repo1.maven.org/maven2/io/undertow/undertow-websockets-jsr)
 - XNIO API (from <http://www.jboss.org/xnio>, http://www.jboss.org/xnio)
 - XNIO NIO Implementation (from <https://repo1.maven.org/maven2/org/jboss/xnio/xnio-nio>, https://repo1.maven.org/maven2/org/jboss/xnio/xnio-nio)

--- a/provider/notification-azure/pom.xml
+++ b/provider/notification-azure/pom.xml
@@ -38,26 +38,34 @@
    <springframework.version>4.3.0.RELEASE</springframework.version>
    <reactor.netty.version>0.11.0.RELEASE</reactor.netty.version>
    <reactor.core.version>3.3.0.RELEASE</reactor.core.version>
-    <osdu.corelibazure.version>0.25.0-rc1</osdu.corelibazure.version>
+    <osdu.corelibazure.version>0.25.0-rc2</osdu.corelibazure.version>
    <junit.version>5.6.0</junit.version>
    <jjwt.version>3.8.1</jjwt.version>
    <mockito.version>2.23.0</mockito.version>
    <spring-boot.version>2.7.7</spring-boot.version>
    <reactor-core.version>3.4.6</reactor-core.version>
-    <reactor-netty.version>1.0.7</reactor-netty.version>
+    <reactor-netty.version>1.1.13</reactor-netty.version>
    <oauth2-oidc-sdk.version>6.0</oauth2-oidc-sdk.version>
    <woodstox-core.version>5.4.0</woodstox-core.version>
    <spring-webmvc.version>5.3.22</spring-webmvc.version>
    <undertow.version>2.2.26.Final</undertow.version>
    <spring-boot-maven-plugin.version>2.7.6</spring-boot-maven-plugin.version>
    <xnio-api.version>3.8.8.Final</xnio-api.version>
-    <netty.version>4.1.98.Final</netty.version>
+    <netty.version>4.1.101.Final</netty.version>
+    <snakeyaml-version>2.0</snakeyaml-version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- netty-bom dependency to be declared before spring-boot-dependencies,
      to pull all netty-transitive dependencies with same version -->
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-bom</artifactId>
+        <version>${netty.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
      <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-bom</artifactId>
@@ -72,13 +80,6 @@
 	    <type>pom</type>
 	    <scope>import</scope>
 	  </dependency>
-      <dependency>
-        <groupId>io.netty</groupId>
-        <artifactId>netty-bom</artifactId>
-        <version>${netty.version}</version>
-        <type>pom</type>
-        <scope>import</scope>
-      </dependency>
      <!-- Inherit managed dependencies from core-lib-azure -->
      <dependency>
        <groupId>org.opengroup.osdu</groupId>
@@ -156,12 +157,6 @@
      <groupId>org.opengroup.osdu</groupId>
      <artifactId>core-lib-azure</artifactId>
      <version>${osdu.corelibazure.version}</version>
-      <exclusions>
-        <exclusion>
-          <groupId>com.microsoft.azure</groupId>
-          <artifactId>documentdb-bulkexecutor</artifactId>
-        </exclusion>
-      </exclusions>
    </dependency>

    <!-- Spring Dependencies -->
@@ -210,6 +205,11 @@
      <groupId>io.projectreactor.netty</groupId>
      <artifactId>reactor-netty</artifactId>
    </dependency>
+    <dependency>
+      <groupId>io.projectreactor.netty</groupId>
+      <artifactId>reactor-netty-http</artifactId>
+      <version>${reactor-netty.version}</version>
+    </dependency>
    <dependency>
      <groupId>io.projectreactor</groupId>
      <artifactId>reactor-core</artifactId>
@@ -219,6 +219,11 @@
      <artifactId>oauth2-oidc-sdk</artifactId>
      <version>${oauth2-oidc-sdk.version}</version>
    </dependency>
+    <dependency>
+      <groupId>org.yaml</groupId>
+      <artifactId>snakeyaml</artifactId>
+      <version>${snakeyaml-version}</version>
+    </dependency>


    <!-- Azure Dependencies -->