Notification merge requests
https://community.opengroup.org/osdu/platform/system/notification/-/merge_requests
2023-01-06T06:43:52Z

https://community.opengroup.org/osdu/platform/system/notification/-/merge_requests/312
jar type vulnerability fix for notification-service
2023-01-06T06:43:52Z
Pintu Gupta

The following CVEs have been fixed in this MR:
| CVE-2022-25857 |
|------------------|
| CVE-2021-22573 |
| CVE-2022-22965 |
| PRISMA-2022-0239 |
| CVE-2022-22965 |
| CVE-2022-2053 |
| CVE-2022-1319 |
| CVE-2021-3859 |
| CVE-2022-42003 |
| CVE-2022-42004 |
| CVE-2022-31692 |
| CVE-2022-25647 |
## Type of change
- [ ] Bug Fix : vulnerability fix
- [ ] Feature
**Please provide link to gitlab issue or ADR(Architecture Decision Record)**
## Does this introduce a change in the core logic?
- [NO]
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [ Yes] AWS
- [ Yes] Azure
- [Yes ] Google Cloud
- [ Yes] IBM
## Does this introduce a breaking change?
- [NO]
## What is the current behavior?
## What is the new/expected behavior?
Behavior will be the same as previous
## Have you added/updated Unit Tests and Integration Tests?
No
## Any other useful information

M16 - Release 0.19
Pintu Gupta

https://community.opengroup.org/osdu/platform/system/notification/-/merge_requests/328
Fix spring vulnerabilities
2023-01-18T19:56:30Z
Manish Jangid

## Type of change
- [X] Bug Fix
- [ ] Feature
**Please provide link to gitlab issue or ADR(Architecture Decision Record)**
## Does this introduce a change in the core logic?
- [YES/NO]Yes
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [X] AWS
- [ ] Azure
- [ ] Google Cloud
- [ ] IBM
## Does this introduce a breaking change?
- [YES/NO] No
## What is the current behavior?
## What is the new/expected behavior?
## Have you added/updated Unit Tests and Integration Tests?
## Any other useful information

https://community.opengroup.org/osdu/platform/system/notification/-/merge_requests/334
Draft: GCP Reworked notification logic (GONRG-5700)
2023-01-27T18:33:46Z
Dmitrii Novikov (EPAM)

## Type of change
- [ ] Bug Fix
- [x] Feature
https://kb.epam.com/display/GONRG/OSDU+Notification+service+archtecture+proposal?moved=true
## Does this introduce a change in the core logic?
- [NO]
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [ ] AWS
- [ ] Azure
- [x] Google Cloud
- [ ] IBM
## Does this introduce a breaking change?
- [YES]
## What is the new/expected behavior?
1. Third-party subscriber subscribes/unsubscribes for specific OSDU events notifications via the Register service REST API
2. Register service publishes registration/unregistration info via the register-subscriber-control topic/exchange
3. Notification service instances process single (statically defined) subscription/queue to obtain registration info changes
4. Notification service instances persist/read registration info in the shared database/cache.
5. OSDU services (Storage, Schema etc.) publish their events through corresponding topics/exchanges (records-changed, schema-changed etc.)
6. Notification service instances concurrently process single subscription/queue, statically defined per each original topic/exchange
7. Notification service publishes N (N is the number of third-party subscriptions) outgoing messages via the corresponding *-notification topic/exchange (example: records-changed-notification for records changed events). Each outgoing event is the original event enriched with the destination information (subscriber id). The original event is properly acknowledged upon end of processing.
7a. RabbitMQ: *-notification exchange should be a delayed exchange (type x-delayed-message), which requires special RabbitMQ rabbitmq_delayed_message_exchange plugin installed
7b. RabbitMQ: the outgoing event contains no x-delay header to be processed w/o time delay
8. Notification service instances concurrently process single subscription/queue, statically defined per each outgoing topic/exchange
9. Notification service collects corresponding subscription info from the DB (4) or distributed cache and sends notification (HTTP call to the endpoint) to the third-party subscriber. In case of successful call the outgoing message is properly acknowledged. In case of notification failure (third-party endpoint not available for instance) the following should be performed to provide notification delivery retry logic:
9a. GCP PubSub: the outgoing message is NACK-ed and then re-delivered after configured back-off time in accordance with Retry policy
9b. RabbitMQ: the outgoing message is ACK-ed and re-published (7) in the corresponding *-notification exchange with x-delay and x-retries headers to be re-processed with time delay. If x-retries is already present in the processed message header, its value should be incremented. If x-retries value equals to configured limit of retries, the message is not re-published. In further implementations it may be routed to dead letter queue (out of scope for now)

Dmitrii Novikov (EPAM)

https://community.opengroup.org/osdu/platform/system/notification/-/merge_requests/333
GCP Reworked notification logic (GONRG-5700)
2023-01-27T18:34:04Z
Dmitrii Novikov (EPAM)

## Type of change
- [ ] Bug Fix
- [x] Feature
https://kb.epam.com/display/GONRG/OSDU+Notification+service+archtecture+proposal?moved=true
## Does this introduce a change in the core logic?
- [NO]
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [ ] AWS
- [ ] Azure
- [x] Google Cloud
- [ ] IBM
## Does this introduce a breaking change?
- [YES]
## What is the new/expected behavior?
1. Third-party subscriber subscribes/unsubscribes for specific OSDU events notifications via the Register service REST API
2. Register service publishes registration/unregistration info via the register-subscriber-control topic/exchange
3. Notification service instances process single (statically defined) subscription/queue to obtain registration info changes
4. Notification service instances persist/read registration info in the shared database/cache.
5. OSDU services (Storage, Schema etc.) publish their events through corresponding topics/exchanges (records-changed, schema-changed etc.)
6. Notification service instances concurrently process single subscription/queue, statically defined per each original topic/exchange
7. Notification service publishes N (N is the number of third-party subscriptions) outgoing messages via the corresponding *-notification topic/exchange (example: records-changed-notification for records changed events). Each outgoing event is the original event enriched with the destination information (subscriber id). The original event is properly acknowledged upon end of processing.
7a. RabbitMQ: *-notification exchange should be a delayed exchange (type x-delayed-message), which requires special RabbitMQ rabbitmq_delayed_message_exchange plugin installed
7b. RabbitMQ: the outgoing event contains no x-delay header to be processed w/o time delay
8. Notification service instances concurrently process single subscription/queue, statically defined per each outgoing topic/exchange
9. Notification service collects corresponding subscription info from the DB (4) or distributed cache and sends notification (HTTP call to the endpoint) to the third-party subscriber. In case of successful call the outgoing message is properly acknowledged. In case of notification failure (third-party endpoint not available for instance) the following should be performed to provide notification delivery retry logic:
9a. GCP PubSub: the outgoing message is NACK-ed and then re-delivered after configured back-off time in accordance with Retry policy
9b. RabbitMQ: the outgoing message is ACK-ed and re-published (7) in the corresponding *-notification exchange with x-delay and x-retries headers to be re-processed with time delay. If x-retries is already present in the processed message header, its value should be incremented. If x-retries value equals to configured limit of retries, the message is not re-published. In further implementations it may be routed to dead letter queue (out of scope for now)

M16 - Release 0.19
Dmitrii Novikov (EPAM)

https://community.opengroup.org/osdu/platform/system/notification/-/merge_requests/205
Adding custom metrics to notification
2023-02-04T05:30:55Z
Saravanakumar V

## Type of change
- [ ] Bug Fix
- [ x ] Feature
## Does this introduce a change in the core logic?
- [NO]
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [ ] AWS
- [ x ] Azure
- [ ] GCP
- [ ] IBM
## Does this introduce a breaking change?
- [NO]
## What is the current behavior?
Added custom metrics from micrometer
## What is the new/expected behavior?
## Have you added/updated Unit Tests and Integration Tests?
## Any other useful information

Saravanakumar V

https://community.opengroup.org/osdu/platform/system/notification/-/merge_requests/252
Added default value for HMAC_SECRET for int tests
2023-02-04T05:30:55Z
Dmitrii Novikov (EPAM)

Added default value HMAC_SECRET for integration tests usage only

Dmitrii Novikov (EPAM)

https://community.opengroup.org/osdu/platform/system/notification/-/merge_requests/232
Update os-core-lib-azure
2023-02-04T05:30:58Z
Harsheet Shah

## Type of change
- [ ] Bug Fix
- [ ] Feature
**Please provide link to gitlab issue or ADR(Architecture Decision Record)**
## Does this introduce a change in the core logic?
- [YES/NO]
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [ ] AWS
- [ ] Azure
- [ ] GCP
- [ ] IBM
## Does this introduce a breaking change?
- [YES/NO]
## What is the current behavior?
## What is the new/expected behavior?
## Have you added/updated Unit Tests and Integration Tests?
## Any other useful information

Harsheet Shah

https://community.opengroup.org/osdu/platform/system/notification/-/merge_requests/313
Draft: Fixing Notification IT - Increasing read timeout
2023-02-13T12:07:17Z
Harsheet Shah

## Type of change
- [ ] Bug Fix
- [ ] Feature
**Please provide link to gitlab issue or ADR(Architecture Decision Record)**
## Does this introduce a change in the core logic?
- [YES/NO] NO
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [ ] AWS Yes
- [ ] Azure Yes
- [ ] Google Cloud Yes
- [ ] IBM Yes
## Does this introduce a breaking change?
- [YES/NO] No
## What is the current behavior?
## What is the new/expected behavior?
## Have you added/updated Unit Tests and Integration Tests?
Yes
Increasing the timeout for read, as storage creation takes more time.
Logs
api-method=PUT operation-name={PUT [/records], consumes [application/json], produces [application/json]} user-id=51d2f791-795b-4c8d-9657-cd23b1f9f2a7 app-id=2f59abbc-7b40-4d0e-91b2-22ca3084bc84:storage.app End Web-API PUT /records Headers: {correlation-id:storage-notification-it,content-type:application/json} status=201** time=64933 **ms {correlation-id=storage-notification-it, data-partition-id=uptest522v3-dp1}
## Any other useful information

M16 - Release 0.19
Harsheet Shah

https://community.opengroup.org/osdu/platform/system/notification/-/merge_requests/339
Upgrade First Party Library Dependencies for Release 0.19
2023-02-18T07:31:18Z
David Diederich
d.diederich@opengroup.org

This automated MR upgrades the first party libraries (other OSDU libraries) to utilize the latest release.
The intent is to keep the OSDU projects utilizing the latest available code to ensure widespread usage and stability.
However, any library that is older than the previous release will be left as-is, since the upgrade is likely to be more complicated.
Furthermore, the upgrade should only be merged if the CI pipeline reports success.
If this MR has failed, we can spend a little time investigating to see if a trivial upgrade could achieve compatibility to the new library.
But significant upgrade efforts should not occur on this MR, as part of the release tagging process.
Instead, significant work should be scheduled for a subsequent milestone.
### Dependency Information Before the Upgrade
```
Branch: master
SHA: 13844b414cc330f8d6228cb2129181d76a5b1f86
Maven: 0.20.0-SNAPSHOT
```
| Maven Dependencies | _Root_ | testing/ |
| ------------------------------------------------------- | ---------------- | -------------- |
| core-lib-azure | 0.19.0-rc8 | 0.12.0-rc10 |
| core-lib-gcp | 0.19.0-rc3 | |
| core-test-lib-gcp | | 0.0.2 |
| os-core-lib-aws | 0.19.0-rc3 | 0.14.0-rc2 |
| obm | 0.18.0 | |
| oqm | 0.18.0 | |
| os-core-common | 0.19.0-rc6 | 0.3.4, 0.3.6 |
| os-core-lib-ibm | 0.16.0-rc1 | 0.15.2 |
| osm | 0.18.0 | |
| (3rd Party) com.fasterxml.jackson.core.jackson-databind | 2.14.1, 2.13.2.2 | 2.13.2.2 |
| (3rd Party) net.minidev.json-smart | 2.4.7 | 2.4.6 |
| (3rd Party) org.apache.logging.log4j.log4j-api | 2.17.1 | 2.13.3, 2.11.1 |
| (3rd Party) org.apache.logging.log4j.log4j-core | 2.17.1 | 2.13.3 |
| (3rd Party) org.apache.logging.log4j.log4j-jul | 2.17.1 | 2.13.3 |
| (3rd Party) org.apache.logging.log4j.log4j-slf4j-impl | 2.17.1 | 2.13.3 |
| (3rd Party) org.apache.logging.log4j.log4j-to-slf4j | 2.17.1 | 2.11.2, 2.13.3 |
| (3rd Party) org.springframework.spring-webflux | 5.3.24 | |
| (3rd Party) org.springframework.spring-webmvc | 5.3.24 | 5.1.9.RELEASE |
### Dependency Information After the Upgrade
```
Branch: dependency-upgrade
SHA: 4afa989dcbb0b46d33127d3f124f010046f6bdf1
Maven: 0.20.0-SNAPSHOT
```
| Maven Dependencies | _Root_ | testing/ |
| ------------------------------------------------------- | ---------------- | -------------- |
| core-lib-azure | 0.19.0 | 0.12.0-rc10 |
| core-lib-gcp | 0.19.0 | |
| core-test-lib-gcp | | 0.0.2 |
| os-core-lib-aws | 0.19.0 | 0.14.0-rc2 |
| obm | 0.19.0 | |
| oqm | 0.19.0 | |
| os-core-common | 0.19.0 | 0.3.4, 0.3.6 |
| os-core-lib-ibm | 0.16.0-rc1 | 0.15.2 |
| osm | 0.19.0 | |
| (3rd Party) com.fasterxml.jackson.core.jackson-databind | 2.14.1, 2.13.2.2 | 2.13.2.2 |
| (3rd Party) net.minidev.json-smart | 2.4.7 | 2.4.6 |
| (3rd Party) org.apache.logging.log4j.log4j-api | 2.17.1 | 2.13.3, 2.11.1 |
| (3rd Party) org.apache.logging.log4j.log4j-core | 2.17.1 | 2.13.3 |
| (3rd Party) org.apache.logging.log4j.log4j-jul | 2.17.1 | 2.13.3 |
| (3rd Party) org.apache.logging.log4j.log4j-slf4j-impl | 2.17.1 | 2.13.3 |
| (3rd Party) org.apache.logging.log4j.log4j-to-slf4j | 2.17.1 | 2.11.2, 2.13.3 |
| (3rd Party) org.springframework.spring-webflux | 5.3.24 | |
| (3rd Party) org.springframework.spring-webmvc | 5.3.24 | 5.1.9.RELEASE |

M16 - Release 0.19

https://community.opengroup.org/osdu/platform/system/notification/-/merge_requests/360
Dummy to check Azure Code coverage dependency
2023-04-11T10:17:05Z
Shreya Shah

## Overview
To check azure code coverage dependency changes were successful or not
## References
https://community.opengroup.org/osdu/platform/ci-cd-pipelines/-/merge_requests/882

Shreya Shah

https://community.opengroup.org/osdu/platform/system/notification/-/merge_requests/352
vulnerability fix
2023-03-28T10:16:05Z
Pintu Gupta

The following have been fixed:
| cve | link |
|------------------|-------------------------------------------------|
| CVE-2022-25857 | https://nvd.nist.gov/vuln/detail/CVE-2022-25857 |
| CVE-2021-22573 | https://nvd.nist.gov/vuln/detail/CVE-2021-22573 |
| CVE-2022-22965 | https://nvd.nist.gov/vuln/detail/CVE-2022-22965 |
| PRISMA-2022-0239 | https://github.com/square/okhttp/issues/6738 |
| CVE-2022-22965 | https://nvd.nist.gov/vuln/detail/CVE-2022-22965 |
| CVE-2022-2053 | https://nvd.nist.gov/vuln/detail/CVE-2022-2053 |
| CVE-2022-1319 | https://www.cve.org/CVERecord?id=CVE-2022-1319 |
| CVE-2021-3859 | https://nvd.nist.gov/vuln/detail/CVE-2021-3859 |
| CVE-2022-42003 | https://nvd.nist.gov/vuln/detail/CVE-2022-42003 |
| CVE-2022-42004 | https://nvd.nist.gov/vuln/detail/CVE-2022-42004 |
| CVE-2022-31692 | https://nvd.nist.gov/vuln/detail/CVE-2022-31692 |
| CVE-2022-25647 | https://nvd.nist.gov/vuln/detail/CVE-2022-25647 |

M17 - Release 0.20
Pintu Gupta

https://community.opengroup.org/osdu/platform/system/notification/-/merge_requests/357
Draft: Vulnerability Fixes For Notification Service
2023-04-04T09:43:31Z
Kamalika Saha

## Type of change
- [x] Bug Fix
- [ ] Feature
**Please provide link to gitlab issue or ADR(Architecture Decision Record)**
## Does this introduce a change in the core logic?
- [YES/NO]
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [ ] AWS
- [x] Azure
- [ ] Google Cloud
- [ ] IBM
## Does this introduce a breaking change?
- [NO]
## What is the current behavior?
## What is the new/expected behavior?
## Have you added/updated Unit Tests and Integration Tests?
## Any other useful information

Kamalika Saha

https://community.opengroup.org/osdu/platform/system/notification/-/merge_requests/367
ReadOnlyRootFileSystem changes for AWS
2023-04-06T23:08:47Z
Abhay Joshi

## Type of change
- [ ] Bug Fix
- [ X] Feature
**Please provide link to gitlab issue or ADR(Architecture Decision Record)**
## Does this introduce a change in the core logic?
- [YES/NO]
NO
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [ X] AWS
- [ ] Azure
- [ ] Google Cloud
- [ ] IBM
## Does this introduce a breaking change?
- [YES/NO]
No
## What is the current behavior?
System can write to AWS service pod
## What is the new/expected behavior?
System cannot write to AWS service pod
## Have you added/updated Unit Tests and Integration Tests?
No
## Any other useful information

M18 - Release 0.21
Okoun-Ola Fabien Houeto
Abhay Joshi

https://community.opengroup.org/osdu/platform/system/notification/-/merge_requests/376
Added exchange existence validation on service start (GONRG-6705)
2023-04-21T11:18:15Z
Riabokon Stanislav(EPAM)[GCP]

## Type of change
- [X] Bug Fix
- [ ] Feature
## Does this introduce a change in the core logic?
- [NO]
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [ ] AWS
- [ ] Azure
- [X] Google Cloud
- [ ] IBM
## Does this introduce a breaking change?
- [NO]
## What is the new/expected behavior?
Added exchange existence validation on service start

M18 - Release 0.21
Riabokon Stanislav(EPAM)[GCP]

https://community.opengroup.org/osdu/platform/system/notification/-/merge_requests/377
Modify the version for springdoc and name
2023-04-25T23:42:19Z
Vaibhavi Kamani

Modify the version for springdoc and name.

Vaibhavi Kamani

https://community.opengroup.org/osdu/platform/system/notification/-/merge_requests/123
BugFix: Added the missing comma in generating Json using String format
2023-05-03T15:16:03Z
Houari Zegai

## Type of change
- [x] Bug Fix
- [ ] Feature
**Please provide link to gitlab issue or ADR(Architecture Decision Record)**
## Does this introduce a change in the core logic?
- [YES]
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [ ] AWS
- [ ] Azure
- [ ] GCP
- [ ] IBM
## Does this introduce a breaking change?
- [NO]
## What is the current behavior?
## What is the new/expected behavior?
Added the missing comma in generating Json using String format
## Have you added/updated Unit Tests and Integration Tests?
## Any other useful information

https://community.opengroup.org/osdu/platform/system/notification/-/merge_requests/284
Draft: GONGR-5878 gcp_wellbore_deploy virtualservice modifying
2023-05-13T05:04:32Z
Vladyslav Hundarchuk

GCP_wellbore_deploy virtualservice removing "*".

Vladyslav Hundarchuk

https://community.opengroup.org/osdu/platform/system/notification/-/merge_requests/289
Merge branch 'upgrade-dependencies' into 'master'
2023-05-13T05:04:36Z
Harsheet Shah

## Type of change
- [ ] Bug Fix
- [ ] Feature
**Please provide link to gitlab issue or ADR(Architecture Decision Record)**
## Does this introduce a change in the core logic?
- [YES/NO]
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [ ] AWS
- [ ] Azure
- [ ] Google Cloud
- [ ] IBM
## Does this introduce a breaking change?
- [YES/NO]
## What is the current behavior?
## What is the new/expected behavior?
## Have you added/updated Unit Tests and Integration Tests?
## Any other useful information

https://community.opengroup.org/osdu/platform/system/notification/-/merge_requests/369
Full Upgrade of First Party Library Dependencies for Release 0.20
2023-05-22T15:50:25Z
David Diederich
d.diederich@opengroup.org

This generated MR upgrades the first party libraries (other OSDU libraries) to utilize the latest release.
The intent is to try to fully upgrade all dependent libraries to see if the latest code will work.
It is expected that these will often fail, since the upgrades were previously rejected for failing pipelines and have not been directly addressed yet.
This upgrade should only be merged if the CI pipeline reports success.
If this MR has failed, we can spend a little time investigating to see if a trivial upgrade could achieve compatibility to the new library.
But significant upgrade efforts should not occur on this MR, as part of the release tagging process.
Instead, significant work should be scheduled for a subsequent milestone.
This MR may co-exist with a separate, smaller upgrade MR.
If both pass, this one should be used instead.
### Dependency Information Before the Upgrade
```
Branch: master
SHA: c90ffd91938b16d47f7037f8c3afb15c396aab99
Maven: 0.21.0-SNAPSHOT
```
| Maven Dependencies | _Root_ | testing/ |
| ----------------------------------------------------- | ---------- | -------------- |
| core-lib-azure | 0.19.0-rc8 | 0.12.0-rc10 |
| core-lib-gcp | 0.20.0-rc1 | |
| core-test-lib-gcp | | 0.0.2 |
| os-core-lib-aws | 0.21.0-rc1 | 0.14.0-rc2 |
| obm | 0.19.0 | |
| oqm | 0.19.0 | |
| os-core-common | 0.19.0-rc6 | 0.3.4, 0.3.6 |
| os-core-lib-ibm | 0.16.0-rc1 | 0.15.2 |
| osm | 0.20.0-rc2 | |
| (3rd Party) net.minidev.json-smart | 2.4.7 | 2.4.6 |
| (3rd Party) org.apache.logging.log4j.log4j-api | 2.17.1 | 2.13.3, 2.11.1 |
| (3rd Party) org.apache.logging.log4j.log4j-core | 2.17.1 | 2.13.3 |
| (3rd Party) org.apache.logging.log4j.log4j-jul | 2.17.1 | 2.13.3 |
| (3rd Party) org.apache.logging.log4j.log4j-slf4j-impl | 2.17.1 | 2.13.3 |
| (3rd Party) org.apache.logging.log4j.log4j-to-slf4j | 2.17.1 | 2.11.2, 2.13.3 |
| (3rd Party) org.springframework.spring-webmvc | 5.3.24 | 5.1.9.RELEASE |
| (3rd Party) org.yaml.snakeyaml | 1.30, 1.33 | 1.23, 1.27 |
```
Critical: Found Vulnerable Snake YAML dependency (<2.0)
├─ _Root_
│ ├─ org.projectlombok.lombok == 1.18.8
│ │ └─ org.springdoc.springdoc-openapi-ui == 1.6.9
│ │ └─ org.springdoc.springdoc-openapi-webmvc-core == 1.6.9
│ │ └─ org.springdoc.springdoc-openapi-common == 1.6.9
│ │ └─ io.swagger.core.v3.swagger-core == 2.2.0
│ │ └─ com.fasterxml.jackson.dataformat.jackson-dataformat-yaml == 2.13.4
│ │ └─ org.yaml.snakeyaml == 1.30
│ ├─ org.opengroup.osdu.notification-core == 0.21.0-SNAPSHOT
│ │ └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
│ │ └─ org.springframework.boot.spring-boot-starter == 2.7.7
│ │ └─ org.yaml.snakeyaml == 1.33
│ ├─ org.opengroup.osdu.notification-gc == 0.21.0-SNAPSHOT
│ │ └─ org.opengroup.osdu.os-core-common == 0.19.0-rc6
│ │ └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
│ │ └─ org.springframework.boot.spring-boot-starter == 2.7.7
│ │ └─ org.yaml.snakeyaml == 1.30
│ ├─ org.opengroup.osdu.notification-azure == 0.21.0-SNAPSHOT
│ │ └─ org.opengroup.osdu.core-lib-azure == 0.19.0-rc8
│ │ └─ org.redisson.redisson == 3.15.3
│ │ └─ org.yaml.snakeyaml == 1.33
│ ├─ org.opengroup.osdu.notification-ibm == 0.21.0-SNAPSHOT
│ │ └─ org.yaml.snakeyaml == 1.33
│ └─ org.opengroup.osdu.notification-aws == 0.21.0-SNAPSHOT
│ └─ org.springframework.boot.spring-boot-starter-actuator == 2.7.7
│ └─ org.springframework.boot.spring-boot-starter == 2.7.7
│ └─ org.yaml.snakeyaml == 1.33
└─ testing/
├─ org.opengroup.osdu.notification.notification-test-core == 0.21.0-SNAPSHOT
│ └─ org.opengroup.osdu.os-core-common == 0.3.4
│ └─ org.springframework.boot.spring-boot-starter-web == 2.1.7.RELEASE
│ └─ org.springframework.boot.spring-boot-starter == 2.1.7.RELEASE
│ └─ org.yaml.snakeyaml == 1.23
├─ org.opengroup.osdu.notification-test-azure == 0.21.0-SNAPSHOT
│ └─ org.opengroup.osdu.core-lib-azure == 0.12.0-rc10
│ └─ org.springframework.boot.spring-boot-starter-aop == 2.4.5
│ └─ org.springframework.boot.spring-boot-starter == 2.4.5
│ └─ org.yaml.snakeyaml == 1.27
├─ org.opengroup.osdu.notification-test-gc == 0.21.0-SNAPSHOT
│ └─ org.opengroup.osdu.os-core-common == 0.3.6
│ └─ org.springframework.boot.spring-boot-starter-web == 2.1.7.RELEASE
│ └─ org.springframework.boot.spring-boot-starter == 2.1.7.RELEASE
│ └─ org.yaml.snakeyaml == 1.23
├─ org.opengroup.osdu.notification-test-aws == 0.21.0-SNAPSHOT
│ └─ org.opengroup.osdu.os-core-common == 0.3.6
│ └─ org.springframework.boot.spring-boot-starter-web == 2.1.7.RELEASE
│ └─ org.springframework.boot.spring-boot-starter == 2.1.7.RELEASE
│ └─ org.yaml.snakeyaml == 1.23
├─ org.opengroup.osdu.notification-test-ibm == 0.21.0-SNAPSHOT
│ └─ org.opengroup.osdu.os-core-lib-ibm == 0.15.2
│ └─ org.springframework.boot.spring-boot-starter-security == 2.4.5
│ └─ org.springframework.boot.spring-boot-starter == 2.4.5
│ └─ org.yaml.snakeyaml == 1.27
└─ org.opengroup.osdu.notification-test-anthos == 0.21.0-SNAPSHOT
└─ org.opengroup.osdu.os-core-common == 0.3.6
└─ org.springframework.boot.spring-boot-starter-web == 2.1.7.RELEASE
└─ org.springframework.boot.spring-boot-starter == 2.1.7.RELEASE
└─ org.yaml.snakeyaml == 1.23
```
### Dependency Information After the Upgrade
```
Branch: dependency-upgrade
SHA: 9c87f102a8a3475be8b04e54ad05f69b23a05fc3
Maven: 0.21.0-SNAPSHOT
```
| Maven Dependencies | _Root_ | testing/ |
| --------------------------------------------------- | --------------- | --------------- |
| core-lib-azure | 0.20.0 | 0.20.0 |
| core-lib-gc | 0.20.0 | |
| core-test-lib-gcp | | 0.20.0 |
| os-core-lib-aws | 0.21.0-rc2 | 0.21.0-rc2 |
| obm | 0.20.0 | |
| oqm | 0.20.0 | |
| os-core-common | 0.20.1 | 0.20.1 |
| os-core-lib-ibm | 0.20.0 | 0.20.0 |
| osm | 0.20.0 | |
| (3rd Party) org.apache.logging.log4j.log4j-api | 2.17.1 | 2.17.2, 2.13.3 |
| (3rd Party) org.apache.logging.log4j.log4j-to-slf4j | 2.17.1 | 2.17.2, 2.13.3 |
| (3rd Party) org.yaml.snakeyaml | 1.30, 2.0, 1.33 | 1.30, 1.27, 2.0 |
```
Critical: Found Vulnerable Snake YAML dependency (<2.0)
├─ _Root_
│ ├─ org.projectlombok.lombok == 1.18.8
│ │ └─ org.springdoc.springdoc-openapi-ui == 1.6.9
│ │ └─ org.springdoc.springdoc-openapi-webmvc-core == 1.6.9
│ │ └─ org.springdoc.springdoc-openapi-common == 1.6.9
│ │ └─ io.swagger.core.v3.swagger-core == 2.2.0
│ │ └─ com.fasterxml.jackson.dataformat.jackson-dataformat-yaml == 2.13.4
│ │ └─ org.yaml.snakeyaml == 1.30
│ ├─ org.opengroup.osdu.notification-gc == 0.21.0-SNAPSHOT
│ │ └─ org.opengroup.osdu.os-core-common == 0.20.1
│ │ └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
│ │ └─ org.springframework.boot.spring-boot-starter == 2.7.7
│ │ └─ org.yaml.snakeyaml == 1.30
│ └─ org.opengroup.osdu.notification-ibm == 0.21.0-SNAPSHOT
│ └─ org.yaml.snakeyaml == 1.33
└─ testing/
├─ org.opengroup.osdu.notification.notification-test-core == 0.21.0-SNAPSHOT
│ └─ org.opengroup.osdu.os-core-common == 0.20.1
│ └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
│ └─ org.springframework.boot.spring-boot-starter == 2.7.7
│ └─ org.yaml.snakeyaml == 1.30
├─ org.opengroup.osdu.notification-test-azure == 0.21.0-SNAPSHOT
│ └─ org.opengroup.osdu.core-lib-azure == 0.20.0
│ └─ org.redisson.redisson == 3.15.3
│ └─ org.yaml.snakeyaml == 1.27
├─ org.opengroup.osdu.notification-test-gc == 0.21.0-SNAPSHOT
│ └─ org.opengroup.osdu.os-core-common == 0.20.1
│ └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
│ └─ org.springframework.boot.spring-boot-starter == 2.7.7
│ └─ org.yaml.snakeyaml == 1.30
├─ org.opengroup.osdu.notification-test-aws == 0.21.0-SNAPSHOT
│ └─ org.opengroup.osdu.core.aws.os-core-lib-aws == 0.21.0-rc2
│ └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
│ └─ org.springframework.boot.spring-boot-starter == 2.7.7
│ └─ org.yaml.snakeyaml == 1.30
└─ org.opengroup.osdu.notification-test-anthos == 0.21.0-SNAPSHOT
└─ org.opengroup.osdu.os-core-common == 0.20.1
└─ org.springframework.boot.spring-boot-starter-web == 2.7.7
└─ org.springframework.boot.spring-boot-starter == 2.7.7
└─ org.yaml.snakeyaml == 1.30
```

M18 - Release 0.21
Srinivasan Narayanan

https://community.opengroup.org/osdu/platform/system/notification/-/merge_requests/409
Draft: CG Vulnerability Fix
2023-07-04T17:58:17Z
Kamalika Saha

## Type of change
- [ ] Bug Fix
- [ ] Feature
- [x] Vulnerability Fix
**Please provide link to gitlab issue or ADR(Architecture Decision Record)**
## Does this introduce a change in the core logic?
- [YES/NO]
## Does this introduce a change in the cloud provider implementation, if so which cloud?
- [ ] AWS
- [x] Azure
- [ ] Google Cloud
- [ ] IBM
## Does this introduce a breaking change?
- [NO]
## What is the current behavior?
## What is the new/expected behavior?
## Have you added/updated Unit Tests and Integration Tests?
## Any other useful information

Kamalika Saha