From d03cfaebf98ad8b961c2c57f2f0f32ab7185f68c Mon Sep 17 00:00:00 2001
From: VidyaDharani Lokam <vidyadharani_lokam@epam.com>
Date: Wed, 17 Jul 2024 15:21:52 +0000
Subject: [PATCH] [MS-43510] remediate tomcat vulnerability

---
 NOTICE | 26 +--------------
 partition-core-plus/pom.xml | 2 +-
 partition-core/pom.xml | 15 ---------
 pom.xml | 27 ++++++++++++++--
 provider/partition-azure/pom.xml | 54 +++-----------------------
 provider/partition-gc/pom.xml | 2 +-
 provider/partition-ibm/pom.xml | 6 ++--
 7 files changed, 36 insertions(+), 96 deletions(-)

diff --git a/NOTICE b/NOTICE
index 41fd31f30..67afbf4d9 100644
--- a/NOTICE
+++ b/NOTICE
@@ -67,9 +67,6 @@ The following software have components provided under the terms of this license:
 - BSON (from http://bsonspec.org, https://bsonspec.org)
 - BSON Record Codec (from <https://www.mongodb.com/>, https://www.mongodb.com/)
 - Bean Validation API (from http://beanvalidation.org)
-- Brave (from https://repo1.maven.org/maven2/io/zipkin/brave/brave)
-- Brave Instrumentation: Http Adapters (from https://repo1.maven.org/maven2/io/zipkin/brave/brave-instrumentation-http)
-- Brave instrumentation for Reactor Netty HTTP (from https://github.com/reactor/reactor-netty)
 - Byte Buddy (without dependencies) (from https://repo1.maven.org/maven2/net/bytebuddy/byte-buddy)
 - Byte Buddy Java agent (from https://repo1.maven.org/maven2/net/bytebuddy/byte-buddy-agent)
 - ClassMate (from http://github.com/cowtowncoder/java-classmate)
@@ -160,7 +157,6 @@ The following software have components provided under the terms of this license:
 - Netty/Common (from https://repo1.maven.org/maven2/io/netty/netty-common)
 - Netty/Handler (from https://repo1.maven.org/maven2/io/netty/netty-handler)
 - Netty/Handler/Proxy (from https://repo1.maven.org/maven2/io/netty/netty-handler-proxy)
-- Netty/Incubator/Codec/Classes/Quic (from <https://repo1.maven.org/maven2/io/netty/incubator/netty-incubator-codec-classes-quic>, https://repo1.maven.org/maven2/io/netty/incubator/netty-incubator-codec-classes-quic)
 - Netty/Resolver (from https://repo1.maven.org/maven2/io/netty/netty-resolver)
 - Netty/Resolver/DNS (from https://repo1.maven.org/maven2/io/netty/netty-resolver-dns)
 - Netty/Resolver/DNS/Classes/MacOS (from https://repo1.maven.org/maven2/io/netty/netty-resolver-dns-classes-macos)
@@ -187,9 +183,7 @@ The following software have components provided under the terms of this license:
 - PostgreSQL JDBC Driver
 - Protocol Buffer extensions to the Google HTTP Client Library for Java. (from https://repo1.maven.org/maven2/com/google/http-client/google-http-client-protobuf)
 - Proton-J (from https://repo1.maven.org/maven2/org/apache/qpid/proton-j)
-- QUIC functionality for the Reactor Netty library (from https://github.com/reactor/reactor-netty)
 - QpidJMS Client (from https://repo1.maven.org/maven2/org/apache/qpid/qpid-jms-client)
-- Reactive Streams Netty driver (from https://github.com/reactor/reactor-netty)
 - Redisson (from http://redisson.org)
 - Retrofit (from https://github.com/square/retrofit, https://repo1.maven.org/maven2/com/squareup/retrofit2/retrofit)
 - RxJava (from https://github.com/ReactiveX/RxJava)
@@ -233,9 +227,6 @@ The following software have components provided under the terms of this license:
 - Standard Uri Template (from https://std-uritemplate.github.io/)
 - Swagger UI (from <http://webjars.org>, http://webjars.org, https://www.webjars.org)
 - Woodstox (from https://github.com/FasterXML/woodstox)
-- Zipkin Reporter Brave (from https://repo1.maven.org/maven2/io/zipkin/reporter2/zipkin-reporter-brave)
-- Zipkin Reporter: Core (from https://repo1.maven.org/maven2/io/zipkin/reporter2/zipkin-reporter)
-- Zipkin v2 (from https://repo1.maven.org/maven2/io/zipkin/zipkin2/zipkin)
 - aws-encryption-sdk-java (from https://github.com/aws/aws-encryption-sdk-java)
 - datastore-v1-proto-client (from https://repo1.maven.org/maven2/com/google/cloud/datastore/datastore-v1-proto-client)
 - error-prone annotations (from https://repo1.maven.org/maven2/com/google/errorprone/error_prone_annotations)
@@ -353,13 +344,6 @@ The following software have components provided under the terms of this license:
 - Spring Core (from http://www.springframework.org, https://github.com/spring-projects/spring-framework, https://repo1.maven.org/maven2/org/springframework/spring-core)
 - ThreeTen backport (from https://github.com/ThreeTen/threetenbp, https://www.threeten.org/threetenbp)
 
-========================================================================
-BSL-1.0
-========================================================================
-The following software have components provided under the terms of this license:
-
-- Jackson-core (from http://wiki.fasterxml.com/JacksonHome, https://github.com/FasterXML/jackson-core)
-
 ========================================================================
 Beerware
 ========================================================================
@@ -509,6 +493,7 @@ LGPL-2.1-only
 ========================================================================
 The following software have components provided under the terms of this license:
 
+- Javassist (from http://www.javassist.org/, https://www.javassist.org/)
 - Logback Classic Module (from http://logback.qos.ch, https://repo1.maven.org/maven2/ch/qos/logback/logback-classic)
 - Logback Contrib :: JSON :: Classic (from https://repo1.maven.org/maven2/ch/qos/logback/contrib/logback-json-classic)
 - Logback Contrib :: JSON :: Core (from https://repo1.maven.org/maven2/ch/qos/logback/contrib/logback-json-core)
@@ -534,8 +519,6 @@ The following software have components provided under the terms of this license:
 
 - Animal Sniffer Annotations (from https://repo1.maven.org/maven2/org/codehaus/mojo/animal-sniffer-annotations)
 - Apache HttpClient Cache (from http://hc.apache.org/httpcomponents-client, http://hc.apache.org/httpcomponents-client-ga)
-- Apache Log4j API (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api)
-- Apache Log4j to SLF4J Adapter (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-to-slf4j)
 - Azure Java Client Authentication Library for AutoRest (from https://github.com/Azure/autorest-clientruntime-for-java)
 - Azure Java Client Runtime for ARM (from https://github.com/Azure/autorest-clientruntime-for-java)
 - Azure Java Client Runtime for AutoRest (from https://github.com/Azure/autorest-clientruntime-for-java)
@@ -595,13 +578,6 @@ The following software have components provided under the terms of this license:
 - msal4j (from https://github.com/AzureAD/microsoft-authentication-library-for-java)
 - msal4j-persistence-extension (from https://github.com/AzureAD/microsoft-authentication-extensions-for-java, https://github.com/AzureAD/microsoft-authentication-library-for-java)
 
-========================================================================
-MPL-1.1
-========================================================================
-The following software have components provided under the terms of this license:
-
-- Javassist (from http://www.javassist.org/, https://www.javassist.org/)
-
 ========================================================================
 SAX-PD
 ========================================================================
diff --git a/partition-core-plus/pom.xml b/partition-core-plus/pom.xml
index 30dcf757e..af794c25e 100644
--- a/partition-core-plus/pom.xml
+++ b/partition-core-plus/pom.xml
@@ -21,7 +21,7 @@
 <dependency>
 <groupId>org.springframework.boot</groupId>
 <artifactId>spring-boot-dependencies</artifactId>
- <version>3.2.4</version>
+ <version>${spring-boot.version}</version>
 <type>pom</type>
 <scope>import</scope>
 </dependency>
diff --git a/partition-core/pom.xml b/partition-core/pom.xml
index c35cf0ac2..04e083321 100644
--- a/partition-core/pom.xml
+++ b/partition-core/pom.xml
@@ -40,21 +40,6 @@
 <dependencyManagement>
 <dependencies>
- <dependency>
- <groupId>org.springframework</groupId>
- <artifactId>spring-framework-bom</artifactId>
- <version>6.1.6</version>
- <type>pom</type>
- <scope>import</scope>
- </dependency>
- <dependency>
- <groupId>org.springframework.security</groupId>
- <artifactId>spring-security-bom</artifactId>
- <version>6.2.4</version>
- <type>pom</type>
- <scope>import</scope>
- </dependency>
-
 <dependency>
 <groupId>xerces</groupId>
 <artifactId>xercesImpl</artifactId>
diff --git a/pom.xml b/pom.xml
index bb960a2d7..1a5a4fb8f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,9 @@
 <maven.compiler.source>17</maven.compiler.source>
 <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 <os-core-common.version>0.26.0</os-core-common.version>
- <org.springframework.boot.version>3.2.4</org.springframework.boot.version>
+ <spring-boot.version>3.3.1</spring-boot.version>
+ <spring-security.version>6.3.1</spring-security.version>
+ <spring-framework.version>6.1.10</spring-framework.version>
 <log4j.version>2.21.1</log4j.version>
 <guava.version>32.1.2-jre</guava.version>
 <netty-version>4.1.107.Final</netty-version>
@@ -38,6 +40,27 @@
 <dependencyManagement>
 <dependencies>
+ <dependency>
+ <groupId>org.springframework.boot</groupId>
+ <artifactId>spring-boot-dependencies</artifactId>
+ <version>${spring-boot.version}</version>
+ <type>pom</type>
+ <scope>import</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework</groupId>
+ <artifactId>spring-framework-bom</artifactId>
+ <version>${spring-framework.version}</version>
+ <type>pom</type>
+ <scope>import</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.springframework.security</groupId>
+ <artifactId>spring-security-bom</artifactId>
+ <version>${spring-security.version}</version>
+ <type>pom</type>
+ <scope>import</scope>
+ </dependency>
 <dependency>
 <groupId>io.netty</groupId>
 <artifactId>netty-bom</artifactId>
@@ -104,7 +127,7 @@
 <plugin>
 <groupId>org.springframework.boot</groupId>
 <artifactId>spring-boot-maven-plugin</artifactId>
- <version>${org.springframework.boot.version}</version>
+ <version>${spring-boot.version}</version>
 <executions>
 <execution>
 <id>build-info</id>
diff --git a/provider/partition-azure/pom.xml b/provider/partition-azure/pom.xml
index 1092c7c26..6eeda4d8e 100644
--- a/provider/partition-azure/pom.xml
+++ b/provider/partition-azure/pom.xml
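Review bot: The subject says this remediates a Tomcat vulnerability, but the properties hunk pins nothing Tomcat-related — the fix is implicit in `<spring-boot.version>3.3.1</spring-boot.version>` pulling a newer managed Tomcat, and a later edit of that one property would undo it without anyone noticing. Record the constraint next to the property, e.g. `<!-- MS-43510: Boot 3.3.1 manages Tomcat <TOMCAT-VERSION-PLACEHOLDER, fill in from mvn dependency:tree>; do not pin tomcat.version below it -->`, so the next bump is checked against it. The rename of `org.springframework.boot.version` to `spring-boot.version` is only followed up in the root plugin hunk below; any other module or CI script still referencing the old name would get a literal, unresolved `${org.springframework.boot.version}`, so grep the whole repository for it before merging.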
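Review bot: `spring-framework-bom` and `spring-security-bom` are imported after `spring-boot-dependencies`, and Maven resolves an artifact managed by several imported BOMs in favour of the first one declared (first declaration wins, as far as I recall), so the two later imports and the `spring-framework.version` / `spring-security.version` properties have no effect on anything the Boot BOM already manages. Today the values coincide with what Boot 3.3.1 manages, but a future bump of either property on its own would be silently ignored — a trap for exactly this kind of vulnerability remediation. Either move the two BOM imports above the `spring-boot-dependencies` import so the explicit versions win, or drop them and the two properties (the partition-ibm hunk below references the same properties) and let the Boot BOM govern; in both cases add a one-line comment stating which BOM is authoritative. The enclosing `<dependencyManagement>` block continues outside the hunk.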
@@ -14,9 +14,8 @@
 <packaging>jar</packaging>
 <properties>
- <osdu.corelibazure.version>0.26.0</osdu.corelibazure.version>
+ <core-lib-azure-spring6.version>0.27.0-rc3</core-lib-azure-spring6.version>
 <junit.version>4.13.2</junit.version>
- <spring-framework-bom.version>6.1.6</spring-framework-bom.version>
 <reactor-core.version>3.6.4</reactor-core.version>
 <reactor-netty.version>1.1.17</reactor-netty.version>
 <nimbus-jose-jwt.version>9.30.2</nimbus-jose-jwt.version>
@@ -25,33 +24,18 @@
 <dependencyManagement>
 <dependencies>
- <dependency>
- <groupId>io.netty</groupId>
- <artifactId>netty-bom</artifactId>
- <version>${netty-version}</version>
- <type>pom</type>
- <scope>import</scope>
- </dependency>
- <dependency>
- <groupId>org.springframework</groupId>
- <artifactId>spring-framework-bom</artifactId>
- <version>${spring-framework-bom.version}</version>
- <type>pom</type>
- <scope>import</scope>
- </dependency>
 <dependency>
 <groupId>org.springframework.boot</groupId>
 <artifactId>spring-boot-dependencies</artifactId>
- <version>3.2.5</version>
+ <version>${spring-boot.version}</version>
 <type>pom</type>
 <scope>import</scope>
 </dependency>
- <!-- Inherit managed dependencies from core-lib-azure -->
 <dependency>
 <groupId>org.opengroup.osdu</groupId>
 <artifactId>core-lib-azure-spring6</artifactId>
- <version>${osdu.corelibazure.version}</version>
+ <version>${core-lib-azure-spring6.version}</version>
 <type>pom</type>
 <scope>import</scope>
 </dependency>
@@ -93,7 +77,7 @@
 <dependency>
 <groupId>org.opengroup.osdu</groupId>
 <artifactId>core-lib-azure-spring6</artifactId>
- <version>${osdu.corelibazure.version}</version>
+ <version>${core-lib-azure-spring6.version}</version>
 </dependency>
 <dependency>
 <groupId>org.springframework.boot</groupId>
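Review bot: `core-lib-azure-spring6.version` is pinned to `0.27.0-rc3`, a release candidate, in a change whose purpose is vulnerability remediation; rc artifacts can be superseded or withdrawn and need not carry the dependency set of the final release. Move to the GA release as soon as it exists, and until then leave a marker beside the property such as `<!-- TODO(MS-43510): replace 0.27.0-rc3 with the GA core-lib-azure-spring6 release -->`. `reactor-core.version` and `reactor-netty.version` survive in this hunk while the only dependencies that read them are deleted in hunk `@@ -123,33 +107,6 @@` of the same file; unless something else in the file still uses them, remove the two properties so they do not suggest a pin that no longer exists.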
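Review bot: Dropping the module-level `netty-bom` import changes which BOM decides the Netty version for this module, and nothing in the hunk says which one is now intended — the root `netty-bom` at `${netty-version}` (4.1.107.Final in the root hunk above) if this POM inherits from the root, otherwise whatever `core-lib-azure-spring6` or the Boot BOM manages. Because the change is a security fix, confirm the effective versions with `mvn dependency:tree -Dincludes=io.netty,org.apache.tomcat.embed` on this module and record the expectation, e.g. `<!-- Netty and Tomcat versions are inherited from the root netty-bom and spring-boot-dependencies; do not re-pin here -->`. The removed line `<!-- Inherit managed dependencies from core-lib-azure -->` was the only explanation of why the core-lib BOM is imported, and nothing in the change makes it wrong; keep it.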
@@ -123,33 +107,6 @@
 <groupId>org.springframework.security</groupId>
 <artifactId>spring-security-oauth2-jose</artifactId>
 </dependency>
- <!-- reactor-netty related dependencies -->
- <dependency>
- <groupId>io.projectreactor.netty</groupId>
- <artifactId>reactor-netty-http</artifactId>
- <version>${reactor-netty.version}</version>
- </dependency>
- <dependency>
- <groupId>io.projectreactor.netty</groupId>
- <artifactId>reactor-netty-core</artifactId>
- <version>${reactor-netty.version}</version>
- </dependency>
- <dependency>
- <groupId>io.projectreactor.netty</groupId>
- <artifactId>reactor-netty-http-brave</artifactId>
- <version>${reactor-netty.version}</version>
- <scope>runtime</scope>
- </dependency>
- <dependency>
- <groupId>io.projectreactor.netty</groupId>
- <artifactId>reactor-netty</artifactId>
- <version>${reactor-netty.version}</version>
- </dependency>
- <dependency>
- <groupId>io.projectreactor</groupId>
- <artifactId>reactor-core</artifactId>
- <version>${reactor-core.version}</version>
- </dependency>
 <!-- Azure dependencies -->
 <!-- https://mvnrepository.com/artifact/com.azure/azure-storage-blob -->
 <dependency>
@@ -166,7 +123,7 @@
 <dependency>
 <groupId>com.azure.spring</groupId>
 <artifactId>spring-cloud-azure-starter-active-directory</artifactId>
- <version>5.10.0</version>
+ <version>5.13.0</version>
 </dependency>
 <!-- Other dependencies -->
 <dependency>
@@ -174,7 +131,6 @@
 <artifactId>lombok</artifactId>
 <version>1.18.26</version>
 </dependency>
-
 <dependency>
 <groupId>com.nimbusds</groupId>
 <artifactId>nimbus-jose-jwt</artifactId>
diff --git a/provider/partition-gc/pom.xml b/provider/partition-gc/pom.xml
index 6dcdb47eb..798bed6b7 100644
--- a/provider/partition-gc/pom.xml
+++ b/provider/partition-gc/pom.xml
@@ -27,7 +27,7 @@
 <dependency>
 <groupId>org.springframework.boot</groupId>
 <artifactId>spring-boot-dependencies</artifactId>
- <version>3.2.4</version>
+ <version>${spring-boot.version}</version>
 <type>pom</type>
 <scope>import</scope>
 </dependency>
diff --git a/provider/partition-ibm/pom.xml b/provider/partition-ibm/pom.xml
index 4ef62382f..d48e5aa4a 100644
--- a/provider/partition-ibm/pom.xml
+++ b/provider/partition-ibm/pom.xml
@@ -28,21 +28,21 @@
 <dependency>
 <groupId>org.springframework</groupId>
 <artifactId>spring-framework-bom</artifactId>
- <version>6.1.6</version>
+ <version>${spring-framework.version}</version>
 <type>pom</type>
 <scope>import</scope>
 </dependency>
 <dependency>
 <groupId>org.springframework.security</groupId>
 <artifactId>spring-security-bom</artifactId>
- <version>6.2.4</version>
+ <version>${spring-security.version}</version>
 <type>pom</type>
 <scope>import</scope>
 </dependency>
 <dependency>
 <groupId>com.fasterxml.jackson.core</groupId>
 <artifactId>jackson-databind</artifactId>
- <version>2.15.2</version>
+ <version>2.17.1</version>
 </dependency>
 </dependencies>
 </dependencyManagement>
-- 
GitLab
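Review bot: `jackson-databind` is bumped to `2.17.1` as a single pinned artifact inside `<dependencyManagement>`, while `jackson-core`, `jackson-annotations` and the Jackson modules keep coming from whichever BOM applies; a lone databind pin can leave the Jackson artifacts at mixed versions at runtime, which is the kind of skew that reintroduces the defects a bump is meant to remove. Prefer importing `com.fasterxml.jackson:jackson-bom` at the same version so every Jackson artifact moves together, placed before any `spring-boot-dependencies` import in this POM (not visible in the hunk) because the first imported BOM wins, or drop the pin and let the Boot BOM manage Jackson if it is imported here. Either way, a comment explaining why Jackson is managed in this module when the other modules in the diff do not pin it would help the next person who touches it.
```xml
<!-- … unchanged: spring-framework-bom and spring-security-bom imports … -->
<dependency>
    <groupId>com.fasterxml.jackson</groupId>
    <artifactId>jackson-bom</artifactId>
    <version>2.17.1</version>
    <type>pom</type>
    <scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
```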