From 7ddbc979fd8ea8f6dc49b9f9f7e97fdd69b5b3cf Mon Sep 17 00:00:00 2001
From: Solomon Ayalew <solxget@amazon.com>
Date: Thu, 7 Dec 2023 19:51:27 +0000
Subject: [PATCH] Fix Spring vulneraibilities

---
 NOTICE                                      |  8 +------
 notification-core/pom.xml                   |  3 +--
 pom.xml                                     |  4 ++--
 provider/notification-aws/pom.xml           |  9 +++++---
 provider/notification-azure/pom.xml         | 23 ++++++++++++++-------
 provider/notification-gc/pom.xml            |  1 -
 provider/notification-ibm/pom.xml           |  4 +---
 testing/notification-test-aws/pom.xml       |  1 -
 testing/notification-test-baremetal/pom.xml |  2 +-
 testing/notification-test-core/pom.xml      |  2 +-
 testing/notification-test-gc/pom.xml        |  2 +-
 testing/notification-test-ibm/pom.xml       |  2 +-
 12 files changed, 30 insertions(+), 31 deletions(-)

diff --git a/NOTICE b/NOTICE
index 4d70dd1ab..d3e5525fb 100644
--- a/NOTICE
+++ b/NOTICE
@@ -347,6 +347,7 @@ The following software have components provided under the terms of this license:
 - Hamcrest (from http://hamcrest.org/JavaHamcrest/)
 - Hamcrest Core (from http://hamcrest.org/, http://hamcrest.org/JavaHamcrest/, https://repo1.maven.org/maven2/org/hamcrest/hamcrest-core)
 - JBoss Jakarta Annotations API (from <https://github.com/jboss/jboss-jakarta-annotations-api_spec>, https://github.com/jboss/jboss-jakarta-annotations-api_spec)
+- Jackson module: Afterburner (from http://wiki.fasterxml.com/JacksonHome, https://github.com/FasterXML/jackson-modules-base)
 - Jakarta Activation API (from https://github.com/eclipse-ee4j/jaf, https://github.com/jakartaee/jaf-api, https://repo1.maven.org/maven2/jakarta/activation/jakarta.activation-api)
 - Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
 - Jakarta WebSocket - Server API (from https://projects.eclipse.org/projects/ee4j.websocket, https://repo1.maven.org/maven2/org/jboss/spec/javax/websocket/jboss-websocket-api_1.1_spec)
@@ -696,13 +697,6 @@ The following software have components provided under the terms of this license:
 
 - Netty/Codec (from https://repo1.maven.org/maven2/io/netty/netty-codec)
 
-========================================================================
-mit-old-style-no-advert
-========================================================================
-The following software have components provided under the terms of this license:
-
-- Brave (from https://repo1.maven.org/maven2/io/zipkin/brave/brave)
-
 ========================================================================
 public-domain
 ========================================================================
diff --git a/notification-core/pom.xml b/notification-core/pom.xml
index 7541b2611..31b8af4ba 100644
--- a/notification-core/pom.xml
+++ b/notification-core/pom.xml
@@ -17,9 +17,8 @@
 
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
-    <groupId>org.opengroup.osdu</groupId>
+
     <artifactId>notification-core</artifactId>
-    <version>0.25.0-SNAPSHOT</version>
     <name>notification-core</name>
     <description>Core module for the notification service</description>
     <packaging>jar</packaging>
diff --git a/pom.xml b/pom.xml
index 12904f40e..f31afcf7b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -25,7 +25,7 @@
 		<java.version>17</java.version>
 		<maven.compiler.target>${java.version}</maven.compiler.target>
 		<maven.compiler.source>${java.version}</maven.compiler.source>
-		<os-core-common.version>0.24.0</os-core-common.version>
+		<os-core-common.version>0.25.0-rc2</os-core-common.version>
 		<log4j2.version>2.17.1</log4j2.version>
 		<json-smart.version>2.4.7</json-smart.version>
 		<openapi.version>1.6.14</openapi.version>
@@ -53,7 +53,7 @@
 			<dependency>
 				<groupId>org.springframework.boot</groupId>
 				<artifactId>spring-boot-dependencies</artifactId>
-				<version>2.7.7</version>
+				<version>2.7.17</version>
 				<type>pom</type>
 				<scope>import</scope>
 			</dependency>
diff --git a/provider/notification-aws/pom.xml b/provider/notification-aws/pom.xml
index 70ad1d5a8..ee634f5ad 100644
--- a/provider/notification-aws/pom.xml
+++ b/provider/notification-aws/pom.xml
@@ -17,9 +17,8 @@
 
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
-    <groupId>org.opengroup.osdu</groupId>
+
     <artifactId>notification-aws</artifactId>
-    <version>0.25.0-SNAPSHOT</version>
     <name>notification-aws</name>
     <description>AWS implementation for Notification service</description>
     <packaging>jar</packaging>
@@ -61,6 +60,11 @@
                 <groupId>org.springframework.data</groupId>
                 <artifactId>spring-data-mongodb</artifactId>
             </dependency>
+          	<dependency>
+		        <groupId>org.springframework.security</groupId>
+		        <artifactId>spring-security-core</artifactId>
+		        <version>5.8.2</version>
+		    </dependency>
         </dependencies>
     </dependencyManagement>
 
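Review bot: The added `spring-security-core` entry pins one Spring Security module to `5.8.2`, so the other Spring Security artifacts (web, config, crypto) stay on whatever version the Spring Boot BOM manages and the module can end up with mixed release lines on the classpath. The Azure POM in this same commit imports `spring-security-bom` at `5.7.11`, so the two providers also disagree on which line is targeted. I would manage the whole family through the BOM instead: `<artifactId>spring-security-bom</artifactId>` with `<type>pom</type>` and `<scope>import</scope>`, at a patch level checked against the advisories this commit is meant to close. The hunk does not say which advisory `5.8.2` addresses, so a one-line XML comment naming it would help the next upgrade. The new lines are also tab-indented in a space-indented file, and the `dependencyManagement` block starts outside the hunk.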
@@ -87,7 +91,6 @@
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-actuator</artifactId>
         </dependency>
-
         <dependency>
             <groupId>org.springframework</groupId>
             <artifactId>spring-webmvc</artifactId>
diff --git a/provider/notification-azure/pom.xml b/provider/notification-azure/pom.xml
index d79335b97..2db28236e 100644
--- a/provider/notification-azure/pom.xml
+++ b/provider/notification-azure/pom.xml
@@ -18,7 +18,6 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <artifactId>notification-azure</artifactId>
-    <version>0.25.0-SNAPSHOT</version>
     <name>notification-azure</name>
     <description>Azure implementation for Notification service</description>
     <packaging>jar</packaging>
@@ -40,7 +39,6 @@
     <reactor.netty.version>0.11.0.RELEASE</reactor.netty.version>
     <reactor.core.version>3.3.0.RELEASE</reactor.core.version>
     <osdu.corelibazure.version>0.25.0-rc1</osdu.corelibazure.version>
-    <osdu.oscorecommon.version>0.24.0</osdu.oscorecommon.version>
     <junit.version>5.6.0</junit.version>
     <jjwt.version>3.8.1</jjwt.version>
     <mockito.version>2.23.0</mockito.version>
@@ -60,6 +58,20 @@
     <dependencies>
       <!-- netty-bom dependency to be declared before spring-boot-dependencies,
       to pull all netty-transitive dependencies with same version -->
+      <dependency>
+        <groupId>org.springframework.security</groupId>
+        <artifactId>spring-security-bom</artifactId>
+        <version>5.7.11</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+      <dependency>
+	    <groupId>org.springframework.boot</groupId>
+	    <artifactId>spring-boot-dependencies</artifactId>
+	    <version>2.7.17</version>
+	    <type>pom</type>
+	    <scope>import</scope>
+	  </dependency>
       <dependency>
         <groupId>io.netty</groupId>
         <artifactId>netty-bom</artifactId>
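Review bot: The two imports added here sit between the existing comment and `netty-bom`, so `spring-boot-dependencies` is now declared before `netty-bom`, the opposite of what the comment requires. Maven resolves overlapping BOM imports in declaration order, so Boot's managed Netty versions would presumably win over `netty-bom`, and the Netty artifacts may no longer resolve to the single version the comment intends. Moving both new `<dependency>` imports below the `netty-bom` entry keeps that guarantee. If the file already imports `spring-boot-dependencies` further down (not visible, as the `<dependencies>` list continues outside the hunk), the duplicate should be removed rather than left to ordering. The Boot import lines are also tab-indented in a space-indented file.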
@@ -105,11 +117,6 @@
           <artifactId>log4j-jul</artifactId>
           <version>${log4j2.version}</version>
       </dependency>
-      <dependency>
-        <groupId>org.springframework.boot</groupId>
-        <artifactId>spring-boot-starter-webflux</artifactId>
-        <version>2.5.12</version>
-      </dependency>
       <dependency>
         <groupId>io.undertow</groupId>
         <artifactId>undertow-core</artifactId>
@@ -143,7 +150,7 @@
     <dependency>
       <groupId>org.opengroup.osdu</groupId>
       <artifactId>os-core-common</artifactId>
-      <version>${osdu.oscorecommon.version}</version>
+      <version>${os-core-common.version}</version>
     </dependency>
     <dependency>
       <groupId>org.opengroup.osdu</groupId>
diff --git a/provider/notification-gc/pom.xml b/provider/notification-gc/pom.xml
index 4acf49e43..23dad6d11 100644
--- a/provider/notification-gc/pom.xml
+++ b/provider/notification-gc/pom.xml
@@ -17,7 +17,6 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <artifactId>notification-gc</artifactId>
-    <version>0.25.0-SNAPSHOT</version>
     <name>notification-gc</name>
     <description>Google Cloud implementation for Notification service</description>
     <packaging>jar</packaging>
diff --git a/provider/notification-ibm/pom.xml b/provider/notification-ibm/pom.xml
index c1a5e5e70..67a3a451c 100644
--- a/provider/notification-ibm/pom.xml
+++ b/provider/notification-ibm/pom.xml
@@ -14,9 +14,7 @@
 
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
-    <groupId>org.opengroup.osdu</groupId>
     <artifactId>notification-ibm</artifactId>
-    <version>0.25.0-SNAPSHOT</version>
     <name>notification-ibm</name>
     <description>IBM implementation for Notification service</description>
     <packaging>jar</packaging>
@@ -44,7 +42,7 @@
       <dependency>
         <groupId>org.springframework.boot</groupId>
         <artifactId>spring-boot-dependencies</artifactId>
-        <version>2.7.7</version>
+        <version>2.7.17</version>
         <type>pom</type>
         <scope>import</scope>
       </dependency>
diff --git a/testing/notification-test-aws/pom.xml b/testing/notification-test-aws/pom.xml
index b3c533b8b..d0166b1ff 100644
--- a/testing/notification-test-aws/pom.xml
+++ b/testing/notification-test-aws/pom.xml
@@ -51,7 +51,6 @@
             <artifactId>notification-test-core</artifactId>
             <version>0.25.0-SNAPSHOT</version>
         </dependency>
-
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-core</artifactId>
diff --git a/testing/notification-test-baremetal/pom.xml b/testing/notification-test-baremetal/pom.xml
index 28f10a9a0..3af680a2e 100644
--- a/testing/notification-test-baremetal/pom.xml
+++ b/testing/notification-test-baremetal/pom.xml
@@ -46,7 +46,7 @@
         <dependency>
             <groupId>org.opengroup.osdu</groupId>
             <artifactId>os-core-common</artifactId>
-            <version>0.24.0</version>
+            <version>0.25.0-rc2</version>
         </dependency>
         <dependency>
             <groupId>org.projectlombok</groupId>
diff --git a/testing/notification-test-core/pom.xml b/testing/notification-test-core/pom.xml
index f25c1f9d9..1ac045cd6 100644
--- a/testing/notification-test-core/pom.xml
+++ b/testing/notification-test-core/pom.xml
@@ -61,7 +61,7 @@
         <dependency>
             <groupId>org.opengroup.osdu</groupId>
             <artifactId>os-core-common</artifactId>
-            <version>0.24.0</version>
+            <version>0.25.0-rc2</version>
             <exclusions>
                 <exclusion>
                     <groupId>org.springframework.boot</groupId>
diff --git a/testing/notification-test-gc/pom.xml b/testing/notification-test-gc/pom.xml
index 70fa1deb4..5d032468c 100644
--- a/testing/notification-test-gc/pom.xml
+++ b/testing/notification-test-gc/pom.xml
@@ -46,7 +46,7 @@
         <dependency>
             <groupId>org.opengroup.osdu</groupId>
             <artifactId>os-core-common</artifactId>
-            <version>0.24.0</version>
+            <version>0.25.0-rc2</version>
         </dependency>
         <dependency>
             <groupId>org.projectlombok</groupId>
diff --git a/testing/notification-test-ibm/pom.xml b/testing/notification-test-ibm/pom.xml
index 6dbedef05..016d394da 100644
--- a/testing/notification-test-ibm/pom.xml
+++ b/testing/notification-test-ibm/pom.xml
@@ -50,7 +50,7 @@
         <dependency>
             <groupId>org.opengroup.osdu</groupId>
             <artifactId>os-core-common</artifactId>
-            <version>0.24.0</version>
+            <version>0.25.0-rc2</version>
         </dependency>
 
 
-- 
GitLab