
Remove SNAPSHOT dependencies

David Diederich requested to merge snapshot-removal into master

This automated MR removes usage of SNAPSHOT versions in the first-party library dependencies. Since SNAPSHOT dependencies change frequently -- by their nature -- usage of them across projects is dangerous and should be avoided.

Dependency Information Before the Upgrade

Branch: master
SHA:    c7c0061a0deac35a0375c656eb3867dad7a8e3b8
Maven:  0.25.0-SNAPSHOT
Maven Dependencies Root testing/
core-lib-azure 0.24.0
core-lib-gc 0.24.0 0.24.0
os-core-lib-aws 0.25.0-SNAPSHOT 0.25.0-SNAPSHOT
os-core-common 0.25.0-rc2 0.24.0
os-core-lib-ibm 0.24.0 0.24.0
os-osm-core 0.25.0-rc2
osm 0.24.0
(3rd Party) org.apache.logging.log4j.log4j-api 2.17.1, 2.17.2 2.17.2, 2.13.3
(3rd Party) org.apache.logging.log4j.log4j-to-slf4j 2.17.1, 2.17.2 2.17.2, 2.13.3
(3rd Party) org.yaml.snakeyaml 2.0, 1.30, 1.33 1.30, 2.0
Critical: Found Vulnerable Snake YAML dependency (<2.0)
├─ _Root_
│  ├─ org.opengroup.osdu.partition-azure == 0.25.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.core-lib-azure == 0.24.0
│  │     └─ org.redisson.redisson == 3.15.3
│  │        └─ org.yaml.snakeyaml == 1.30
│  ├─ org.opengroup.osdu.partition-ibm == 0.25.0-SNAPSHOT
│  │  └─ org.yaml.snakeyaml == 1.33
│  ├─ org.opengroup.osdu.partition-gc == 0.25.0-SNAPSHOT
│  │  └─ org.springframework.boot.spring-boot-starter-security == 2.7.17
│  │     └─ org.springframework.boot.spring-boot-starter == 2.7.17
│  │        └─ org.yaml.snakeyaml == 1.30
│  └─ org.opengroup.osdu.partition-core-plus == 0.25.0-SNAPSHOT
│     └─ org.opengroup.osdu.partition-core == 0.25.0-SNAPSHOT
│        └─ org.springframework.boot.spring-boot-starter-web == 2.7.17
│           └─ org.springframework.boot.spring-boot-starter == 2.7.17
│              └─ org.yaml.snakeyaml == 1.30
└─ testing/
   ├─ org.opengroup.osdu.partition.partition-test-aws == 0.25.0-SNAPSHOT
   │  └─ org.opengroup.osdu.core.aws.os-core-lib-aws == 0.25.0-SNAPSHOT
   │     └─ org.opengroup.osdu.os-core-common == 0.24.0
   │        └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
   │           └─ org.springframework.boot.spring-boot-starter == 2.7.7
   │              └─ org.yaml.snakeyaml == 1.30
   └─ org.opengroup.osdu.partition.partition-test-gc == 0.25.0-SNAPSHOT
      └─ org.opengroup.osdu.core-lib-gc == 0.24.0
         └─ org.opengroup.osdu.os-core-common == 0.24.0
            └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
               └─ org.springframework.boot.spring-boot-starter == 2.7.7
                  └─ org.yaml.snakeyaml == 1.30

Dependency Information After the Upgrade

Branch: snapshot-removal
SHA:    b3c5f2c3a826fba5c514ff30b255e59fbf791065
Maven:  0.25.0-SNAPSHOT
Maven Dependencies Root testing/
core-lib-azure 0.24.0
core-lib-gc 0.24.0 0.24.0
os-core-lib-aws 0.25.0-rc3 0.25.0-rc3
os-core-common 0.25.0-rc2 0.24.0
os-core-lib-ibm 0.24.0 0.24.0
os-osm-core 0.25.0-rc2
osm 0.24.0
(3rd Party) org.apache.logging.log4j.log4j-api 2.17.1, 2.17.2 2.17.2, 2.13.3
(3rd Party) org.apache.logging.log4j.log4j-to-slf4j 2.17.1, 2.17.2 2.17.2, 2.13.3
(3rd Party) org.yaml.snakeyaml 2.0, 1.30, 1.33 1.30, 2.0
Critical: Found Vulnerable Snake YAML dependency (<2.0)
├─ _Root_
│  ├─ org.opengroup.osdu.partition-azure == 0.25.0-SNAPSHOT
│  │  └─ org.opengroup.osdu.core-lib-azure == 0.24.0
│  │     └─ org.redisson.redisson == 3.15.3
│  │        └─ org.yaml.snakeyaml == 1.30
│  ├─ org.opengroup.osdu.partition-ibm == 0.25.0-SNAPSHOT
│  │  └─ org.yaml.snakeyaml == 1.33
│  ├─ org.opengroup.osdu.partition-gc == 0.25.0-SNAPSHOT
│  │  └─ org.springframework.boot.spring-boot-starter-security == 2.7.17
│  │     └─ org.springframework.boot.spring-boot-starter == 2.7.17
│  │        └─ org.yaml.snakeyaml == 1.30
│  └─ org.opengroup.osdu.partition-core-plus == 0.25.0-SNAPSHOT
│     └─ org.opengroup.osdu.partition-core == 0.25.0-SNAPSHOT
│        └─ org.springframework.boot.spring-boot-starter-web == 2.7.17
│           └─ org.springframework.boot.spring-boot-starter == 2.7.17
│              └─ org.yaml.snakeyaml == 1.30
└─ testing/
   ├─ org.opengroup.osdu.partition.partition-test-aws == 0.25.0-SNAPSHOT
   │  └─ org.opengroup.osdu.core.aws.os-core-lib-aws == 0.25.0-rc3
   │     └─ org.opengroup.osdu.os-core-common == 0.24.0
   │        └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
   │           └─ org.springframework.boot.spring-boot-starter == 2.7.7
   │              └─ org.yaml.snakeyaml == 1.30
   └─ org.opengroup.osdu.partition.partition-test-gc == 0.25.0-SNAPSHOT
      └─ org.opengroup.osdu.core-lib-gc == 0.24.0
         └─ org.opengroup.osdu.os-core-common == 0.24.0
            └─ org.springframework.boot.spring-boot-starter-web == 2.7.7
               └─ org.springframework.boot.spring-boot-starter == 2.7.7
                  └─ org.yaml.snakeyaml == 1.30
