Skip to content

Remove SNAPSHOT dependencies

David Diederich requested to merge snapshot-removal into master

This automated MR removes usage of SNAPSHOT versions in the first party library dependencies. Since SNAPSHOT dependencies change frequently -- by their nature -- usage of them across projects is dangerous and should be avoided.

Dependency Information Before the Upgrade

Branch: master
SHA:    904f9d8cf065ca811f85529034645a2037cf5e51
Maven:  0.25.0-SNAPSHOT, endpoint.1.0-SNAPSHOT
Maven Dependencies Root testing/ testing/notification-test-aws/build-aws/push-endpoint/
core-lib-azure 0.25.0-rc1 0.25.0-rc1
core-lib-gc 0.24.0
core-test-lib-gcp 0.0.2
os-core-lib-aws 0.25.0-SNAPSHOT 0.25.0-SNAPSHOT
oqm 0.24.0
os-core-common 0.25.0-rc2 0.25.0-rc2, 0.24.0 0.25.0-rc2
os-core-lib-ibm 0.24.0 0.24.0
(3rd Party) org.apache.logging.log4j.log4j-api 2.17.1 2.17.2, 2.13.3 2.20.0
(3rd Party) org.apache.logging.log4j.log4j-to-slf4j 2.17.1 2.17.2, 2.13.3 2.20.0
(3rd Party) org.springframework.spring-webmvc 5.3.30, 5.3.13 5.3.30, 5.3.22 6.0.12
(3rd Party) org.yaml.snakeyaml 1.30, 2.0, 1.33 1.30, 1.27, 2.0 1.33
Critical: Found Vulnerable Snake YAML dependency (<2.0)
├─ _Root_
│  ├─ org.projectlombok.lombok == 1.18.26
│  │  └─ org.springdoc.springdoc-openapi-ui == 1.6.14
│  │     └─ org.springdoc.springdoc-openapi-webmvc-core == 1.6.14
│  │        └─ org.springdoc.springdoc-openapi-common == 1.6.14
│  │           └─ io.swagger.core.v3.swagger-core == 2.2.7
│  │              └─ org.yaml.snakeyaml == 1.30
│  ├─ org.opengroup.osdu.notification-gc == 0.25.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.notification-core == 0.25.0-SNAPSHOT
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.7.17
│  │        └─ org.springframework.boot.spring-boot-starter == 2.7.17
│  │           └─ org.yaml.snakeyaml == 1.30
│  ├─ org.opengroup.osdu.notification-azure == 0.25.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.core-lib-azure == 0.25.0-rc1
│  │     └─ org.redisson.redisson == 3.15.3
│  │        └─ org.yaml.snakeyaml == 1.30
│  ├─ org.opengroup.osdu.notification-ibm == 0.25.0-SNAPSHOT
│  │  └─ org.yaml.snakeyaml == 1.33
│  └─ org.opengroup.osdu.notification-aws == 0.25.0-SNAPSHOT
│     └─ org.springframework.boot.spring-boot-starter-actuator == 2.7.17
│        └─ org.springframework.boot.spring-boot-starter == 2.7.17
│           └─ org.yaml.snakeyaml == 1.30
├─ testing/
│  ├─ org.opengroup.osdu.notification.notification-test-core == 0.25.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.os-core-common == 0.25.0-rc2
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.7.17
│  │        └─ org.springframework.boot.spring-boot-starter == 2.7.17
│  │           └─ org.yaml.snakeyaml == 1.30
│  ├─ org.opengroup.osdu.notification-test-azure == 0.25.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.core-lib-azure == 0.25.0-rc1
│  │     └─ org.redisson.redisson == 3.15.3
│  │        └─ org.yaml.snakeyaml == 1.27
│  ├─ org.opengroup.osdu.notification-test-gc == 0.25.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.os-core-common == 0.25.0-rc2
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.7.17
│  │        └─ org.springframework.boot.spring-boot-starter == 2.7.17
│  │           └─ org.yaml.snakeyaml == 1.30
│  ├─ org.opengroup.osdu.notification-test-aws == 0.25.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.core.aws.os-core-lib-aws == 0.25.0-SNAPSHOT
│  │     └─ org.opengroup.osdu.os-core-common == 0.24.0
│  │        └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
│  │           └─ org.springframework.boot.spring-boot-starter == 2.7.7
│  │              └─ org.yaml.snakeyaml == 1.30
│  └─ org.opengroup.osdu.notification-test-baremetal == 0.25.0-SNAPSHOT
│     └─ org.opengroup.osdu.os-core-common == 0.25.0-rc2
│        └─ org.springframework.boot.spring-boot-starter-web == 2.7.17
│           └─ org.springframework.boot.spring-boot-starter == 2.7.17
│              └─ org.yaml.snakeyaml == 1.30
└─ testing/notification-test-aws/build-aws/push-endpoint/
└─ org.example.notification-push-endpoint == 1.0-SNAPSHOT
└─ org.springframework.boot.spring-boot-starter-security == 3.1.4
└─ org.springframework.boot.spring-boot-starter == 3.1.4
└─ org.yaml.snakeyaml == 1.33
Critical: Found Vulnerable Spring MVC dependency (<5.2.20 || >=5.3.0 <5.3.18)
└─ _Root_
└─ org.opengroup.osdu.notification-aws == 0.25.0-SNAPSHOT
└─ org.springframework.spring-webmvc == 5.3.13

Dependency Information After the Upgrade

Branch: snapshot-removal
SHA:    d6224a235aeca13472a529ab8714683b27081d23
Maven:  0.25.0-SNAPSHOT, endpoint.1.0-SNAPSHOT
Maven Dependencies Root testing/ testing/notification-test-aws/build-aws/push-endpoint/
core-lib-azure 0.25.0-rc1 0.25.0-rc1
core-lib-gc 0.24.0
core-test-lib-gcp 0.0.2
os-core-lib-aws 0.25.0-rc3 0.25.0-rc3
oqm 0.24.0
os-core-common 0.25.0-rc2 0.25.0-rc2, 0.24.0 0.25.0-rc2
os-core-lib-ibm 0.24.0 0.24.0
(3rd Party) org.apache.logging.log4j.log4j-api 2.17.1 2.17.2, 2.13.3 2.20.0
(3rd Party) org.apache.logging.log4j.log4j-to-slf4j 2.17.1 2.17.2, 2.13.3 2.20.0
(3rd Party) org.springframework.spring-webmvc 5.3.30, 5.3.13 5.3.30, 5.3.22 6.0.12
(3rd Party) org.yaml.snakeyaml 1.30, 2.0, 1.33 1.30, 1.27, 2.0 1.33
Critical: Found Vulnerable Snake YAML dependency (<2.0)
├─ _Root_
│  ├─ org.projectlombok.lombok == 1.18.26
│  │  └─ org.springdoc.springdoc-openapi-ui == 1.6.14
│  │     └─ org.springdoc.springdoc-openapi-webmvc-core == 1.6.14
│  │        └─ org.springdoc.springdoc-openapi-common == 1.6.14
│  │           └─ io.swagger.core.v3.swagger-core == 2.2.7
│  │              └─ org.yaml.snakeyaml == 1.30
│  ├─ org.opengroup.osdu.notification-gc == 0.25.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.notification-core == 0.25.0-SNAPSHOT
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.7.17
│  │        └─ org.springframework.boot.spring-boot-starter == 2.7.17
│  │           └─ org.yaml.snakeyaml == 1.30
│  ├─ org.opengroup.osdu.notification-azure == 0.25.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.core-lib-azure == 0.25.0-rc1
│  │     └─ org.redisson.redisson == 3.15.3
│  │        └─ org.yaml.snakeyaml == 1.30
│  ├─ org.opengroup.osdu.notification-ibm == 0.25.0-SNAPSHOT
│  │  └─ org.yaml.snakeyaml == 1.33
│  └─ org.opengroup.osdu.notification-aws == 0.25.0-SNAPSHOT
│     └─ org.springframework.boot.spring-boot-starter-actuator == 2.7.17
│        └─ org.springframework.boot.spring-boot-starter == 2.7.17
│           └─ org.yaml.snakeyaml == 1.30
├─ testing/
│  ├─ org.opengroup.osdu.notification.notification-test-core == 0.25.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.os-core-common == 0.25.0-rc2
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.7.17
│  │        └─ org.springframework.boot.spring-boot-starter == 2.7.17
│  │           └─ org.yaml.snakeyaml == 1.30
│  ├─ org.opengroup.osdu.notification-test-azure == 0.25.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.core-lib-azure == 0.25.0-rc1
│  │     └─ org.redisson.redisson == 3.15.3
│  │        └─ org.yaml.snakeyaml == 1.27
│  ├─ org.opengroup.osdu.notification-test-gc == 0.25.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.os-core-common == 0.25.0-rc2
│  │     └─ org.springframework.boot.spring-boot-starter-web == 2.7.17
│  │        └─ org.springframework.boot.spring-boot-starter == 2.7.17
│  │           └─ org.yaml.snakeyaml == 1.30
│  ├─ org.opengroup.osdu.notification-test-aws == 0.25.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.core.aws.os-core-lib-aws == 0.25.0-rc3
│  │     └─ org.opengroup.osdu.os-core-common == 0.24.0
│  │        └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
│  │           └─ org.springframework.boot.spring-boot-starter == 2.7.7
│  │              └─ org.yaml.snakeyaml == 1.30
│  └─ org.opengroup.osdu.notification-test-baremetal == 0.25.0-SNAPSHOT
│     └─ org.opengroup.osdu.os-core-common == 0.25.0-rc2
│        └─ org.springframework.boot.spring-boot-starter-web == 2.7.17
│           └─ org.springframework.boot.spring-boot-starter == 2.7.17
│              └─ org.yaml.snakeyaml == 1.30
└─ testing/notification-test-aws/build-aws/push-endpoint/
└─ org.example.notification-push-endpoint == 1.0-SNAPSHOT
└─ org.springframework.boot.spring-boot-starter-security == 3.1.4
└─ org.springframework.boot.spring-boot-starter == 3.1.4
└─ org.yaml.snakeyaml == 1.33
Critical: Found Vulnerable Spring MVC dependency (<5.2.20 || >=5.3.0 <5.3.18)
└─ _Root_
└─ org.opengroup.osdu.notification-aws == 0.25.0-SNAPSHOT
└─ org.springframework.spring-webmvc == 5.3.13

Merge request reports

Loading