From 5d05407ece610c4754e47142022c3b4a6f24f759 Mon Sep 17 00:00:00 2001
From: VidyaDharani Lokam <vidyadharani_lokam@epam.com>
Date: Tue, 12 Dec 2023 19:39:53 +0000
Subject: [PATCH] [MSCOSDU-1851] fix json, io.netty, reactor-core
 vulnerabilities

---
 NOTICE                              | 10 +-------
 provider/notification-azure/pom.xml | 37 ++++++++++++++++-------------
 2 files changed, 22 insertions(+), 25 deletions(-)

diff --git a/NOTICE b/NOTICE
index 5c21b1975..c98d48db0 100644
--- a/NOTICE
+++ b/NOTICE
@@ -536,8 +536,8 @@ GPL-3.0-only
 The following software have components provided under the terms of this license:
 
 - Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
+- Jakarta XML Binding API (from https://repo1.maven.org/maven2/jakarta/xml/bind/jakarta.xml.bind-api, https://repo1.maven.org/maven2/org/jboss/spec/javax/xml/bind/jboss-jaxb-api_2.3_spec)
 - Java Servlet 4.0 API
-- Old JAXB Core (from <https://eclipse-ee4j.github.io/jaxb-ri/>, https://eclipse-ee4j.github.io/jaxb-ri/, https://repo1.maven.org/maven2/com/sun/xml/bind/jaxb-impl)
 
 ========================================================================
 ISC
@@ -554,13 +554,6 @@ The following software have components provided under the terms of this license:
 
 - aalto-xml (from https://github.com/FasterXML/aalto-xml, https://repo1.maven.org/maven2/com/fasterxml/aalto-xml)
 
-========================================================================
-Info-ZIP
-========================================================================
-The following software have components provided under the terms of this license:
-
-- ClassGraph (from https://github.com/classgraph/classgraph)
-
 ========================================================================
 LGPL-2.1-only
 ========================================================================
@@ -698,7 +691,6 @@ The following software have components provided under the terms of this license:
 - JSON in Java (from https://github.com/douglascrockford/JSON-java)
 - Microsoft Azure client library for Blob Storage (from https://github.com/Azure/azure-sdk-for-java)
 - Undertow Core (from <https://repo1.maven.org/maven2/io/undertow/undertow-core>, https://repo1.maven.org/maven2/io/undertow/undertow-core)
-- Undertow Servlet (from <https://repo1.maven.org/maven2/io/undertow/undertow-servlet>, https://repo1.maven.org/maven2/io/undertow/undertow-servlet)
 - Undertow WebSockets JSR356 implementations (from <https://repo1.maven.org/maven2/io/undertow/undertow-websockets-jsr>, https://repo1.maven.org/maven2/io/undertow/undertow-websockets-jsr)
 - XNIO API (from <http://www.jboss.org/xnio>, http://www.jboss.org/xnio)
 - XNIO NIO Implementation (from <https://repo1.maven.org/maven2/org/jboss/xnio/xnio-nio>, https://repo1.maven.org/maven2/org/jboss/xnio/xnio-nio)
diff --git a/provider/notification-azure/pom.xml b/provider/notification-azure/pom.xml
index 9e1552b16..7bee328c4 100644
--- a/provider/notification-azure/pom.xml
+++ b/provider/notification-azure/pom.xml
@@ -38,26 +38,34 @@
     <springframework.version>4.3.0.RELEASE</springframework.version>
     <reactor.netty.version>0.11.0.RELEASE</reactor.netty.version>
     <reactor.core.version>3.3.0.RELEASE</reactor.core.version>
-    <osdu.corelibazure.version>0.25.0-rc1</osdu.corelibazure.version>
+    <osdu.corelibazure.version>0.25.0-rc2</osdu.corelibazure.version>
     <junit.version>5.6.0</junit.version>
     <jjwt.version>3.8.1</jjwt.version>
     <mockito.version>2.23.0</mockito.version>
     <spring-boot.version>2.7.7</spring-boot.version>
     <reactor-core.version>3.4.6</reactor-core.version>
-    <reactor-netty.version>1.0.7</reactor-netty.version>
+    <reactor-netty.version>1.1.13</reactor-netty.version>
     <oauth2-oidc-sdk.version>6.0</oauth2-oidc-sdk.version>
     <woodstox-core.version>5.4.0</woodstox-core.version>
     <spring-webmvc.version>5.3.22</spring-webmvc.version>
     <undertow.version>2.2.26.Final</undertow.version>
     <spring-boot-maven-plugin.version>2.7.6</spring-boot-maven-plugin.version>
     <xnio-api.version>3.8.8.Final</xnio-api.version>
-    <netty.version>4.1.98.Final</netty.version>
+    <netty.version>4.1.101.Final</netty.version>
+    <snakeyaml-version>2.0</snakeyaml-version>
   </properties>
 
   <dependencyManagement>
     <dependencies>
       <!-- netty-bom dependency to be declared before spring-boot-dependencies,
       to pull all netty-transitive dependencies with same version -->
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-bom</artifactId>
+        <version>${netty.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
       <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-bom</artifactId>
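Review bot: `reactor-netty.version` moves to 1.1.13 while `reactor-core.version` stays at 3.4.6 two lines above it, and reactor-netty 1.1.x belongs to the Reactor release train that ships reactor-core 3.5.x. If these properties drive the resolved versions (their use is outside this hunk), the module would run a pairing that upstream does not release together, and the reactor-core fix named in the subject is not visible here. Consider raising `reactor-core.version` to a matching 3.5.x release, or importing `io.projectreactor:reactor-bom` so both versions come from one train. The older `reactor.netty.version` (0.11.0.RELEASE) and `reactor.core.version` (3.3.0.RELEASE) properties are still declared; if nothing references them, removing them avoids misleading a reader or a dependency scanner.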
@@ -72,13 +80,6 @@
 	    <type>pom</type>
 	    <scope>import</scope>
 	  </dependency>
-      <dependency>
-        <groupId>io.netty</groupId>
-        <artifactId>netty-bom</artifactId>
-        <version>${netty.version}</version>
-        <type>pom</type>
-        <scope>import</scope>
-      </dependency>
       <!-- Inherit managed dependencies from core-lib-azure -->
       <dependency>
         <groupId>org.opengroup.osdu</groupId>
@@ -156,12 +157,6 @@
       <groupId>org.opengroup.osdu</groupId>
       <artifactId>core-lib-azure</artifactId>
       <version>${osdu.corelibazure.version}</version>
-      <exclusions>
-        <exclusion>
-          <groupId>com.microsoft.azure</groupId>
-          <artifactId>documentdb-bulkexecutor</artifactId>
-        </exclusion>
-      </exclusions>
     </dependency>
 
     <!-- Spring Dependencies -->
@@ -210,6 +205,11 @@
       <groupId>io.projectreactor.netty</groupId>
       <artifactId>reactor-netty</artifactId>
     </dependency>
+    <dependency>
+      <groupId>io.projectreactor.netty</groupId>
+      <artifactId>reactor-netty-http</artifactId>
+      <version>${reactor-netty.version}</version>
+    </dependency>
     <dependency>
       <groupId>io.projectreactor</groupId>
       <artifactId>reactor-core</artifactId>
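Review bot: The new `reactor-netty-http` entry carries an explicit `<version>${reactor-netty.version}</version>` while the `reactor-netty` entry directly above it has none, so the two can resolve to different releases unless dependencyManagement (not visible in this hunk) pins both. A mixed reactor-netty-core / reactor-netty-http pair can fail at runtime with linkage errors and can leave the older jar that the commit meant to replace on the classpath. Prefer declaring the version once under `<dependencyManagement>` for `reactor-netty`, `reactor-netty-core` and `reactor-netty-http`, and confirm the outcome with `mvn dependency:tree -Dincludes=io.projectreactor.netty`.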
@@ -219,6 +219,11 @@
       <artifactId>oauth2-oidc-sdk</artifactId>
       <version>${oauth2-oidc-sdk.version}</version>
     </dependency>
+    <dependency>
+      <groupId>org.yaml</groupId>
+      <artifactId>snakeyaml</artifactId>
+      <version>${snakeyaml-version}</version>
+    </dependency>
 
 
     <!-- Azure Dependencies -->
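Review bot: `snakeyaml` is added as a direct dependency with no comment explaining why, and it appears to be there only to force the version of a transitive library (whether this module calls SnakeYAML itself cannot be told from the hunk). A managed entry under `<dependencyManagement>` would override the transitive version without declaring a dependency the module may not use. A comment such as `<!-- pinned to 2.0 for the vulnerability fix; remove once managed upstream -->` would record the reason. SnakeYAML 2.0 also changed constructor signatures relative to 1.x, so it is worth confirming that Spring Boot 2.7.7 (`spring-boot.version` above) still loads YAML configuration with it.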
-- 
GitLab