From 404909306218c32d190b4b22c749d2bbe9e7b714 Mon Sep 17 00:00:00 2001 
From: Spencer Sutton <suttonsp@amazon.com> Date: Fri, 9 Jul 2021 17:56:24 +0000 Subject: [PATCH] Putting package overrides where they make sense commit e6381f29 Author: Spencer Sutton <suttonsp@amazon.com> Date: Fri Jul 09 2021 10:28:25 GMT-0500 (Central Daylight Time) Merge commit 3b894340 Author: Spencer Sutton <suttonsp@amazon.com> Date: Fri Jul 09 2021 10:11:47 GMT-0500 (Central Daylight Time) Putting package overrides where they make sense commit 8f855742 Author: Spencer Sutton <suttonsp@amazon.com> Date: Fri Jul 09 2021 09:31:46 GMT-0500 (Central Daylight Time) Specifically designating undertow versions commit 182323cc Author: Spencer Sutton <suttonsp@amazon.com> Date: Fri Jul 09 2021 09:30:47 GMT-0500 (Central Daylight Time) Specifically designating undertow versions commit 73167e8d Author: Spencer Sutton <suttonsp@amazon.com> Date: Fri Jul 09 2021 09:11:47 GMT-0500 (Central Daylight Time) Fixing security vulnerabilities commit 3ae26b8d Author: Spencer Sutton <suttonsp@amazon.com> Date: Wed Jun 09 2021 17:16:26 GMT-0500 (Central Daylight Time) Merge commit 06c26d76 Author: Spencer Sutton <suttonsp@amazon.com> Date: Tue Jun 08 2021 10:22:41 GMT-0500 (Central Daylight Time) Overriding packages with known vulnerabilities commit f1ce7c02 Author: Spencer Sutton <suttonsp@amazon.com> Date: Tue Jun 08 2021 12:10:03 GMT-0500 (Central Daylight Time) Overriding packages with known vulnerabilities commit 2b850b24 Author: Spencer Sutton <suttonsp@amazon.com> Date: Tue Jun 08 2021 10:43:05 GMT-0500 (Central Daylight Time) Adding comment commit 06c26d76 Author: Spencer Sutton <suttonsp@amazon.com> Date: Tue Jun 08 2021 10:22:41 GMT-0500 (Central Daylight Time) Overriding packages with known vulnerabilities commit 4bcf667c Author: Spencer Sutton <suttonsp@amazon.com> Date: Tue Jun 08 2021 10:03:50 GMT-0500 (Central Daylight Time) Merge branch 'master' into dev commit dd821317 Author: Spencer Sutton <suttonsp@amazon.com> Date: Thu May 27 2021 11:02:20 GMT-0500 (Central 
Daylight Time) Locking down maven central commit a792aeda Author: Spencer Sutton <suttonsp@amazon.com> Date: Thu May 27 2021 10:13:20 GMT-0500 (Central Daylight Time) "Excluding springs default security, locking down mvn central"
---
 notification-core/pom.xml | 84 ++++++++++++++++++++++++++--
 pom.xml | 13 +++++
 provider/notification-aws/pom.xml | 93 +------------------------------
 3 files changed, 93 insertions(+), 97 deletions(-)
diff --git a/notification-core/pom.xml b/notification-core/pom.xml
index 4fadc3d86..de0485a83 100644
--- a/notification-core/pom.xml
+++ b/notification-core/pom.xml
@@ -36,6 +36,8 @@
 <maven.compiler.target>${java.version}</maven.compiler.target>
 <maven.compiler.source>${java.version}</maven.compiler.source>
 <springfox-version>2.7.0</springfox-version>
+ <netty.version>4.1.65.Final</netty.version>
+ <undertow.version>2.1.7.Final</undertow.version>
 </properties>
 
 <dependencies>
@@ -131,11 +133,6 @@
 </exclusion>
 </exclusions>
 </dependency>
- <dependency>
- <groupId>io.undertow</groupId>
- <artifactId>undertow-core</artifactId>
- <version>2.0.27.Final</version>
- </dependency>
 <dependency>
 <groupId>org.springframework.boot</groupId>
 <artifactId>spring-boot-starter-validation</artifactId>
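Review bot: The new `<netty.version>` and `<undertow.version>` properties in the first hunk go into notification-core's own `<properties>`, while this same commit deletes the identical pair from provider/notification-aws/pom.xml, so there is no longer one place that states the netty/undertow floor for the whole build. Declaring them in the root pom's `<properties>` would let notification-core and every provider module inherit a single value instead of each module re-stating (and potentially drifting from) the pinned release. The second hunk's removal of the direct `undertow-core` 2.0.27.Final entry is consistent with the property-driven override added later in the same file, so no further change is needed there.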
@@ -215,6 +212,83 @@ <artifactId>spring-test</artifactId> <scope>test</scope> </dependency> + + <!-- overriding packages with known vulnerabilities --> + <!-- See: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Anetty&cpe_product=cpe%3A%2F%3Anetty%3Anetty&cpe_version=cpe%3A%2F%3Anetty%3Anetty%3A4.1.38--> + <!-- See: https://ossindex.sonatype.org/component/pkg:maven/com.google.oauth-client/google-oauth-client@1.30.1?utm_source=dependency-check&utm_medium=integration&utm_content=6.1.6--> + <!-- See: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aredhat&cpe_product=cpe%3A%2F%3Aredhat%3Aundertow&cpe_version=cpe%3A%2F%3Aredhat%3Aundertow%3A2.0.23--> + <dependency> + <groupId>io.netty</groupId> + <artifactId>netty-transport</artifactId> + <version>${netty.version}</version> + </dependency> + <dependency> + <groupId>io.netty</groupId> + <artifactId>netty-transport-native-unix-common</artifactId> + <version>${netty.version}</version> + </dependency> + <dependency> + <groupId>io.netty</groupId> + <artifactId>netty-codec</artifactId> + <version>${netty.version}</version> + </dependency> + <dependency> + <groupId>io.netty</groupId> + <artifactId>netty-buffer</artifactId> + <version>${netty.version}</version> + </dependency> + <dependency> + <groupId>io.netty</groupId> + <artifactId>netty-common</artifactId> + <version>${netty.version}</version> + </dependency> + <dependency> + <groupId>io.netty</groupId> + <artifactId>netty-resolver</artifactId> + <version>${netty.version}</version> + </dependency> + <dependency> + <groupId>io.netty</groupId> + <artifactId>netty-handler</artifactId> + <version>${netty.version}</version> + </dependency> + <dependency> + <groupId>io.netty</groupId> + <artifactId>netty-codec-http</artifactId> + <version>${netty.version}</version> + </dependency> + <dependency> + <groupId>io.netty</groupId> + 
<artifactId>netty-codec-http2</artifactId> + <version>${netty.version}</version> + </dependency> + <dependency> + <groupId>io.netty</groupId> + <artifactId>netty-transport-native-epoll</artifactId> + <version>${netty.version}</version> + <classifier>linux-x86_64</classifier> + <type>jar</type> + </dependency> + <dependency> + <groupId>com.google.oauth-client</groupId> + <artifactId>google-oauth-client</artifactId> + <version>1.31.5</version> + </dependency> + <dependency> + <groupId>io.undertow</groupId> + <artifactId>undertow-core</artifactId> + <version>${undertow.version}</version> + </dependency> + <dependency> + <groupId>io.undertow</groupId> + <artifactId>undertow-servlet</artifactId> + <version>${undertow.version}</version> + </dependency> + <dependency> + <groupId>io.undertow</groupId> + <artifactId>undertow-websockets-jsr</artifactId> + <version>${undertow.version}</version> + </dependency> </dependencies> <build> <plugins> diff --git a/pom.xml b/pom.xml index a17544220..cf205fe87 100644 --- a/pom.xml +++ b/pom.xml @@ -53,6 +53,19 @@ <artifactId>os-core-common</artifactId> <version>${os-core-common.version}</version> </dependency> + + <!-- overriding packages with known vulnerabilities --> + <!-- See: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Afasterxml&cpe_product=cpe%3A%2F%3Afasterxml%3Ajackson-databind&cpe_version=cpe%3A%2F%3Afasterxml%3Ajackson-databind%3A2.9.9--> + <dependency> + <groupId>com.fasterxml.jackson.core</groupId> + <artifactId>jackson-core</artifactId> + <version>2.12.3</version> + </dependency> + <dependency> + <groupId>com.fasterxml.jackson.core</groupId> + <artifactId>jackson-databind</artifactId> + <version>2.12.3</version> + </dependency> </dependencies> </dependencyManagement> diff --git a/provider/notification-aws/pom.xml b/provider/notification-aws/pom.xml index 7a433db70..f2cf1a2f1 100644 --- a/provider/notification-aws/pom.xml 
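Review bot: The fourteen override entries added after `<artifactId>spring-test</artifactId>` in notification-core/pom.xml are plain compile-scope `<dependencies>`, whereas the jackson override in this same commit goes into the root `pom.xml` `<dependencyManagement>`; the netty, undertow and google-oauth-client pins would be better placed the same way, so every module inherits the floor without gaining direct dependencies on artifacts it never imports (netty-codec-http2 and the linux-x86_64 netty-transport-native-epoll in particular). As direct dependencies they also outlive the transitive consumer that made them necessary, with nothing left to say why they are there. The `See:` comments link to NVD and OSS Index search pages keyed on the old ranges (netty 4.1.38, undertow 2.0.23, google-oauth-client 1.30.1) rather than stating the requirement, so I would add `<!-- Minimum versions required by the advisories linked above; drop an entry once the transitive consumer (mvn dependency:tree) pulls a fixed release -->`. A maven-enforcer-plugin `bannedDependencies` rule covering the old ranges would turn the floor into a build check rather than an assumption that nearest-wins resolution keeps holding.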
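Review bot: Only jackson-core and jackson-databind are managed to 2.12.3 in the `<dependencyManagement>` entries added to pom.xml, so jackson-annotations and any jackson-datatype or jackson-module artifacts keep whatever version the rest of the build resolves (presumably a Spring Boot BOM, which is not visible here), and Jackson artifacts from different minor lines can fail at runtime with missing-method errors. Importing the Jackson BOM in this block pins the whole family consistently and removes the need to list artifacts one by one. The NVD link is a search on jackson-databind 2.9.9, so the comment should also say which dependency brings the older jackson in transitively, e.g. `<!-- an older jackson-databind arrives transitively (see the NVD search above); 2.12.3 is the floor for those advisories -->`.
```xml
<!-- overriding packages with known vulnerabilities -->
<!-- … unchanged: NVD reference comment … -->
<dependency>
  <groupId>com.fasterxml.jackson</groupId>
  <artifactId>jackson-bom</artifactId>
  <version>2.12.3</version>
  <type>pom</type>
  <scope>import</scope>
</dependency>
```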
+++ b/provider/notification-aws/pom.xml @@ -36,27 +36,13 @@ <maven.compiler.target>${java.version}</maven.compiler.target> <maven.compiler.source>${java.version}</maven.compiler.source> <aws.version>1.11.1018</aws.version> - <netty.version>4.1.65.Final</netty.version> - <undertow.version>2.1.7.Final</undertow.version> </properties> <dependencies> - <dependency> - <groupId>org.opengroup.osdu</groupId> - <artifactId>os-core-common</artifactId> - <exclusions> - <exclusion> - <groupId>com.fasterxml.jackson.core</groupId> - <artifactId>jackson-databind</artifactId> - </exclusion> - </exclusions> - </dependency> - - <dependency> <groupId>org.opengroup.osdu.core.aws</groupId> <artifactId>os-core-lib-aws</artifactId> - <version>0.9.2-SNAPSHOT</version> + <version>0.10.0-SNAPSHOT</version> </dependency> <!-- https://mvnrepository.com/artifact/com.amazonaws/aws-java-sdk-secretsmanager --> 
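Review bot: The direct `os-core-common` dependency, together with its jackson-databind exclusion, is removed from provider/notification-aws/pom.xml, so the module now receives os-core-common only transitively, presumably through notification-core or os-core-lib-aws; if notification-aws code imports os-core-common classes directly it should keep declaring the artifact (without the exclusion, since the root pom now manages jackson-databind) so a change in either intermediate's dependency list cannot silently break compilation. `mvn dependency:analyze` will list it as used-undeclared if that is the case. The bump to `0.10.0-SNAPSHOT` keeps a moving SNAPSHOT coordinate in a module whose other changes exist to pin versions; a released os-core-lib-aws would make the resolved dependency set reproducible.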
@@ -103,83 +89,6 @@ <scope>test</scope> </dependency> - <!-- overriding packages with known vulnerabilities --> - <!-- See: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Afasterxml&cpe_product=cpe%3A%2F%3Afasterxml%3Ajackson-databind&cpe_version=cpe%3A%2F%3Afasterxml%3Ajackson-databind%3A2.9.9--> - <!-- See: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Anetty&cpe_product=cpe%3A%2F%3Anetty%3Anetty&cpe_version=cpe%3A%2F%3Anetty%3Anetty%3A4.1.38--> - <!-- See: https://ossindex.sonatype.org/component/pkg:maven/com.google.oauth-client/google-oauth-client@1.30.1?utm_source=dependency-check&utm_medium=integration&utm_content=6.1.6--> - <!-- See: https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aredhat&cpe_product=cpe%3A%2F%3Aredhat%3Aundertow&cpe_version=cpe%3A%2F%3Aredhat%3Aundertow%3A2.0.23--> - <dependency> - <groupId>io.netty</groupId> - <artifactId>netty-transport</artifactId> - <version>${netty.version}</version> - </dependency> - <dependency> - <groupId>io.netty</groupId> - <artifactId>netty-transport-native-unix-common</artifactId> - <version>${netty.version}</version> - </dependency> - <dependency> - <groupId>io.netty</groupId> - <artifactId>netty-codec</artifactId> - <version>${netty.version}</version> - </dependency> - <dependency> - <groupId>io.netty</groupId> - <artifactId>netty-buffer</artifactId> - <version>${netty.version}</version> - </dependency> - <dependency> - <groupId>io.netty</groupId> - <artifactId>netty-common</artifactId> - <version>${netty.version}</version> - </dependency> - <dependency> - <groupId>io.netty</groupId> - <artifactId>netty-resolver</artifactId> - <version>${netty.version}</version> - </dependency> - <dependency> - <groupId>io.netty</groupId> - <artifactId>netty-handler</artifactId> - 
<version>${netty.version}</version> - </dependency> - <dependency> - <groupId>io.netty</groupId> - <artifactId>netty-codec-http</artifactId> - <version>${netty.version}</version> - </dependency> - <dependency> - <groupId>io.netty</groupId> - <artifactId>netty-codec-http2</artifactId> - <version>${netty.version}</version> - </dependency> - <dependency> - <groupId>io.netty</groupId> - <artifactId>netty-transport-native-epoll</artifactId> - <version>${netty.version}</version> - <classifier>linux-x86_64</classifier> - <type>jar</type> - </dependency> - <dependency> - <groupId>com.google.oauth-client</groupId> - <artifactId>google-oauth-client</artifactId> - <version>1.31.5</version> - </dependency> - <dependency> - <groupId>io.undertow</groupId> - <artifactId>undertow-core</artifactId> - <version>${undertow.version}</version> - </dependency> - <dependency> - <groupId>io.undertow</groupId> - <artifactId>undertow-servlet</artifactId> - <version>${undertow.version}</version> - </dependency> - <dependency> - <groupId>io.undertow</groupId> - <artifactId>undertow-websockets-jsr</artifactId> - <version>${undertow.version}</version> - </dependency> </dependencies> <build> -- GitLab