Remove SNAPSHOT dependencies

David Diederich requested to merge dependency-upgrade-2 into master

This automated MR removes usage of SNAPSHOT versions in the first party library dependencies. Since SNAPSHOT dependencies change frequently -- by their nature -- usage of them across projects is dangerous and should be avoided.

Dependency Information Before the Upgrade

WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
Branch: master
SHA:    3fb4d8ea58dea89d6a28283e581e1815802cc1f0
Maven:  0.24.0-SNAPSHOT
Maven Dependencies Root testing/
core-lib-azure 0.21.0 0.12.0-rc10
core-lib-gc 0.21.0
core-test-lib-gcp 0.0.2
os-core-lib-aws 0.24.0-SNAPSHOT 0.23.0
oqm 0.21.0
os-core-common 0.19.0-rc6, 0.21.0 0.3.4, 0.3.6, 0.22.0-rc4
os-core-lib-ibm 0.16.0-rc1 0.15.2
(3rd Party) net.minidev.json-smart 2.4.7 2.4.6
(3rd Party) org.apache.logging.log4j.log4j-api 2.17.1 2.13.3, 2.11.1, 2.17.2
(3rd Party) org.apache.logging.log4j.log4j-core 2.17.1 2.13.3
(3rd Party) org.apache.logging.log4j.log4j-jul 2.17.1 2.13.3
(3rd Party) org.apache.logging.log4j.log4j-slf4j-impl 2.17.1 2.13.3
(3rd Party) org.apache.logging.log4j.log4j-to-slf4j 2.17.1 2.11.2, 2.17.2, 2.13.3
(3rd Party) org.springframework.spring-webmvc 5.3.24 5.1.9.RELEASE, 5.3.24
(3rd Party) org.yaml.snakeyaml 1.30, 1.33, 2.0 1.23, 1.27, 1.30
Critical: Found Vulnerable Snake YAML dependency (<2.0)
├─ _Root_
│  ├─ org.projectlombok.lombok == 1.18.8
│  │  └─ org.springdoc.springdoc-openapi-ui == 1.6.14
│  │     └─ org.springdoc.springdoc-openapi-webmvc-core == 1.6.14
│  │        └─ org.springdoc.springdoc-openapi-common == 1.6.14
│  │           └─ io.swagger.core.v3.swagger-core == 2.2.7
│  │              └─ org.yaml.snakeyaml == 1.30
│  ├─ org.opengroup.osdu.notification-core == 0.24.0-SNAPSHOT
│  │  └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
│  │     └─ org.springframework.boot.spring-boot-starter == 2.7.7
│  │        └─ org.yaml.snakeyaml == 1.33
│  ├─ org.opengroup.osdu.notification-gc == 0.24.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.os-core-common == 0.21.0
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
│  │        └─ org.springframework.boot.spring-boot-starter == 2.7.7
│  │           └─ org.yaml.snakeyaml == 1.30
│  ├─ org.opengroup.osdu.notification-ibm == 0.24.0-SNAPSHOT
│  │  └─ org.yaml.snakeyaml == 1.33
│  └─ org.opengroup.osdu.notification-aws == 0.24.0-SNAPSHOT
│     └─ org.springframework.boot.spring-boot-starter-actuator == 2.7.7
│        └─ org.springframework.boot.spring-boot-starter == 2.7.7
│           └─ org.yaml.snakeyaml == 1.33
└─ testing/
   ├─ org.opengroup.osdu.notification.notification-test-core == 0.24.0-SNAPSHOT
   │  └─ org.opengroup.osdu.os-core-common == 0.3.4
   │     └─ org.springframework.boot.spring-boot-starter-web == 2.1.7.RELEASE
   │        └─ org.springframework.boot.spring-boot-starter == 2.1.7.RELEASE
   │           └─ org.yaml.snakeyaml == 1.23
   ├─ org.opengroup.osdu.notification-test-azure == 0.24.0-SNAPSHOT
   │  └─ org.opengroup.osdu.core-lib-azure == 0.12.0-rc10
   │     └─ org.springframework.boot.spring-boot-starter-aop == 2.4.5
   │        └─ org.springframework.boot.spring-boot-starter == 2.4.5
   │           └─ org.yaml.snakeyaml == 1.27
   ├─ org.opengroup.osdu.notification-test-gc == 0.24.0-SNAPSHOT
   │  └─ org.opengroup.osdu.os-core-common == 0.3.6
   │     └─ org.springframework.boot.spring-boot-starter-web == 2.1.7.RELEASE
   │        └─ org.springframework.boot.spring-boot-starter == 2.1.7.RELEASE
   │           └─ org.yaml.snakeyaml == 1.23
   ├─ org.opengroup.osdu.notification-test-aws == 0.24.0-SNAPSHOT
   │  └─ org.opengroup.osdu.core.aws.os-core-lib-aws == 0.23.0
   │     └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
   │        └─ org.springframework.boot.spring-boot-starter == 2.7.7
   │           └─ org.yaml.snakeyaml == 1.30
   ├─ org.opengroup.osdu.notification-test-ibm == 0.24.0-SNAPSHOT
   │  └─ org.opengroup.osdu.os-core-lib-ibm == 0.15.2
   │     └─ org.springframework.boot.spring-boot-starter-security == 2.4.5
   │        └─ org.springframework.boot.spring-boot-starter == 2.4.5
   │           └─ org.yaml.snakeyaml == 1.27
   └─ org.opengroup.osdu.notification-test-baremetal == 0.24.0-SNAPSHOT
      └─ org.opengroup.osdu.os-core-common == 0.3.6
         └─ org.springframework.boot.spring-boot-starter-web == 2.1.7.RELEASE
            └─ org.springframework.boot.spring-boot-starter == 2.1.7.RELEASE
               └─ org.yaml.snakeyaml == 1.23

Dependency Information After the Upgrade

WARNING: The requested image's platform (linux/amd64) does not match the detected host platform (linux/arm64/v8) and no specific platform was requested
Branch: dependency-upgrade-2
SHA:    4bdda3239afc6f576a09f950a3867bdbea3995d4
Maven:  0.24.0-SNAPSHOT
Maven Dependencies Root testing/
core-lib-azure 0.21.0 0.12.0-rc10
core-lib-gc 0.21.0
core-test-lib-gcp 0.0.2
os-core-lib-aws 0.24.0 0.23.0
oqm 0.21.0
os-core-common 0.19.0-rc6, 0.21.0 0.3.4, 0.3.6, 0.22.0-rc4
os-core-lib-ibm 0.16.0-rc1 0.15.2
(3rd Party) net.minidev.json-smart 2.4.7 2.4.6
(3rd Party) org.apache.logging.log4j.log4j-api 2.17.1 2.13.3, 2.11.1, 2.17.2
(3rd Party) org.apache.logging.log4j.log4j-core 2.17.1 2.13.3
(3rd Party) org.apache.logging.log4j.log4j-jul 2.17.1 2.13.3
(3rd Party) org.apache.logging.log4j.log4j-slf4j-impl 2.17.1 2.13.3
(3rd Party) org.apache.logging.log4j.log4j-to-slf4j 2.17.1 2.11.2, 2.17.2, 2.13.3
(3rd Party) org.springframework.spring-webmvc 5.3.24 5.1.9.RELEASE, 5.3.24
(3rd Party) org.yaml.snakeyaml 1.30, 1.33, 2.0 1.23, 1.27, 1.30
Critical: Found Vulnerable Snake YAML dependency (<2.0)
├─ _Root_
│  ├─ org.projectlombok.lombok == 1.18.8
│  │  └─ org.springdoc.springdoc-openapi-ui == 1.6.14
│  │     └─ org.springdoc.springdoc-openapi-webmvc-core == 1.6.14
│  │        └─ org.springdoc.springdoc-openapi-common == 1.6.14
│  │           └─ io.swagger.core.v3.swagger-core == 2.2.7
│  │              └─ org.yaml.snakeyaml == 1.30
│  ├─ org.opengroup.osdu.notification-core == 0.24.0-SNAPSHOT
│  │  └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
│  │     └─ org.springframework.boot.spring-boot-starter == 2.7.7
│  │        └─ org.yaml.snakeyaml == 1.33
│  ├─ org.opengroup.osdu.notification-gc == 0.24.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.os-core-common == 0.21.0
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
│  │        └─ org.springframework.boot.spring-boot-starter == 2.7.7
│  │           └─ org.yaml.snakeyaml == 1.30
│  ├─ org.opengroup.osdu.notification-ibm == 0.24.0-SNAPSHOT
│  │  └─ org.yaml.snakeyaml == 1.33
│  └─ org.opengroup.osdu.notification-aws == 0.24.0-SNAPSHOT
│     └─ org.springframework.boot.spring-boot-starter-actuator == 2.7.7
│        └─ org.springframework.boot.spring-boot-starter == 2.7.7
│           └─ org.yaml.snakeyaml == 1.33
└─ testing/
   ├─ org.opengroup.osdu.notification.notification-test-core == 0.24.0-SNAPSHOT
   │  └─ org.opengroup.osdu.os-core-common == 0.3.4
   │     └─ org.springframework.boot.spring-boot-starter-web == 2.1.7.RELEASE
   │        └─ org.springframework.boot.spring-boot-starter == 2.1.7.RELEASE
   │           └─ org.yaml.snakeyaml == 1.23
   ├─ org.opengroup.osdu.notification-test-azure == 0.24.0-SNAPSHOT
   │  └─ org.opengroup.osdu.core-lib-azure == 0.12.0-rc10
   │     └─ org.springframework.boot.spring-boot-starter-aop == 2.4.5
   │        └─ org.springframework.boot.spring-boot-starter == 2.4.5
   │           └─ org.yaml.snakeyaml == 1.27
   ├─ org.opengroup.osdu.notification-test-gc == 0.24.0-SNAPSHOT
   │  └─ org.opengroup.osdu.os-core-common == 0.3.6
   │     └─ org.springframework.boot.spring-boot-starter-web == 2.1.7.RELEASE
   │        └─ org.springframework.boot.spring-boot-starter == 2.1.7.RELEASE
   │           └─ org.yaml.snakeyaml == 1.23
   ├─ org.opengroup.osdu.notification-test-aws == 0.24.0-SNAPSHOT
   │  └─ org.opengroup.osdu.core.aws.os-core-lib-aws == 0.23.0
   │     └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
   │        └─ org.springframework.boot.spring-boot-starter == 2.7.7
   │           └─ org.yaml.snakeyaml == 1.30
   ├─ org.opengroup.osdu.notification-test-ibm == 0.24.0-SNAPSHOT
   │  └─ org.opengroup.osdu.os-core-lib-ibm == 0.15.2
   │     └─ org.springframework.boot.spring-boot-starter-security == 2.4.5
   │        └─ org.springframework.boot.spring-boot-starter == 2.4.5
   │           └─ org.yaml.snakeyaml == 1.27
   └─ org.opengroup.osdu.notification-test-baremetal == 0.24.0-SNAPSHOT
      └─ org.opengroup.osdu.os-core-common == 0.3.6
         └─ org.springframework.boot.spring-boot-starter-web == 2.1.7.RELEASE
            └─ org.springframework.boot.spring-boot-starter == 2.1.7.RELEASE
               └─ org.yaml.snakeyaml == 1.23
