Merge branch 'fix-guava-netty-vulns' into 'master'

netty, guava vulnerability fixes See merge request !390

Merge branch 'fix-guava-netty-vulns' into 'master'
9d08b22a · Chad Leong · a0b18c1f · a92b71eb · 9d08b22a · 9d08b22a
Commit 9d08b22a authored 1 year ago by Chad Leong
--- a/NOTICE
+++ b/NOTICE
@@ -168,7 +168,6 @@ The following software have components provided under the terms of this license:
 - Kotlin Stdlib Common (from https://kotlinlang.org/)
 - Kotlin Stdlib Jdk7 (from <https://kotlinlang.org/>, https://kotlinlang.org/)
 - Kotlin Stdlib Jdk8 (from <https://kotlinlang.org/>, https://kotlinlang.org/)
- LatencyUtils (from http://latencyutils.github.io/LatencyUtils/)
 - Lucene Core (from https://repo1.maven.org/maven2/org/apache/lucene/lucene-core)
 - Metrics Core (from https://repo1.maven.org/maven2/io/dropwizard/metrics/metrics-core)
 - Microsoft Application Insights Java Agent (from https://github.com/Microsoft/ApplicationInsights-Java)
@@ -350,6 +349,7 @@ The following software have components provided under the terms of this license:
 - HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
 - Jodd BeanUtil (from http://jodd.org)
 - Jodd Core (from http://jodd.org)
+- LatencyUtils (from http://latencyutils.github.io/LatencyUtils/)
 - PostgreSQL JDBC Driver
 - Stax2 API (from http://github.com/FasterXML/stax2-api)
 - jersey-core-server (from https://repo1.maven.org/maven2/org/glassfish/jersey/core/jersey-server)
@@ -367,6 +367,7 @@ The following software have components provided under the terms of this license:
 - ASM Util (from http://asm.ow2.io/)
 - AspectJ Weaver (from http://www.aspectj.org, https://www.eclipse.org/aspectj/)
 - Class Model for Hk2 (from https://repo1.maven.org/maven2/org/glassfish/hk2/class-model)
+- FindBugs-jsr305 (from http://findbugs.sourceforge.net/)
 - GAX (Google Api eXtensions) for Java (Core) (from https://github.com/googleapis, https://github.com/googleapis/gax-java, https://repo1.maven.org/maven2/com/google/api/gax)
 - GAX (Google Api eXtensions) for Java (HTTP JSON) (from <https://repo1.maven.org/maven2/com/google/api/gax-httpjson>, https://repo1.maven.org/maven2/com/google/api/gax-httpjson)
 - GAX (Google Api eXtensions) for Java (gRPC) (from <https://repo1.maven.org/maven2/com/google/api/gax-grpc>, https://repo1.maven.org/maven2/com/google/api/gax-grpc)
@@ -494,6 +495,13 @@ The following software have components provided under the terms of this license:

 - JUnit (from http://junit.org)

+========================================================================
+EDL-1.0
+========================================================================
+The following software have components provided under the terms of this license:
+
+- Jakarta Activation API (from https://github.com/eclipse-ee4j/jaf, https://github.com/jakartaee/jaf-api, https://repo1.maven.org/maven2/jakarta/activation/jakarta.activation-api)
+
 ========================================================================
 EPL-1.0
 ========================================================================
@@ -506,7 +514,6 @@ The following software have components provided under the terms of this license:
 - JUnit Jupiter Params (from http://junit.org/junit5/, https://junit.org/junit5/)
 - JUnit Platform Commons (from http://junit.org/junit5/, https://junit.org/junit5/)
 - JUnit Platform Engine API (from http://junit.org/junit5/, https://junit.org/junit5/)
- Jakarta Activation API (from https://github.com/eclipse-ee4j/jaf, https://github.com/jakartaee/jaf-api, https://repo1.maven.org/maven2/jakarta/activation/jakarta.activation-api)
 - Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
 - Jakarta Bean Validation API (from https://beanvalidation.org)
 - Jakarta XML Binding API (from https://repo1.maven.org/maven2/jakarta/xml/bind/jakarta.xml.bind-api, https://repo1.maven.org/maven2/org/jboss/spec/javax/xml/bind/jboss-jaxb-api_2.3_spec)
@@ -800,7 +807,6 @@ cc-pd
 ========================================================================
 The following software have components provided under the terms of this license:

- Guava: Google Core Libraries for Java (from http://code.google.com/p/guava-libraries, https://github.com/google/guava, https://repo1.maven.org/maven2/com/google/guava/guava)
 - Netty/Codec (from https://repo1.maven.org/maven2/io/netty/netty-codec)

 ========================================================================
@@ -819,7 +825,6 @@ The following software have components provided under the terms of this license:
 - HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
 - JBoss Logging 3 (from http://www.jboss.org)
 - JSON in Java (from https://github.com/douglascrockford/JSON-java)
- LatencyUtils (from http://latencyutils.github.io/LatencyUtils/)
 - Microsoft Azure client library for Blob Storage (from https://github.com/Azure/azure-sdk-for-java)
 - PostgreSQL JDBC Driver
 - jersey-core-common (from https://repo1.maven.org/maven2/org/glassfish/jersey/core/jersey-common)
@@ -830,4 +835,3 @@ unknown
 The following software have components provided under the terms of this license:

 - JUnit Jupiter (Aggregator) (from https://junit.org/junit5/)
- Jakarta Activation API (from https://github.com/eclipse-ee4j/jaf, https://github.com/jakartaee/jaf-api, https://repo1.maven.org/maven2/jakarta/activation/jakarta.activation-api)
--- a/pom.xml
+++ b/pom.xml
@@ -34,6 +34,8 @@
        <log4j2.version>2.17.1</log4j2.version>
        <gson.version>2.8.9</gson.version>
        <json-smart.version>2.4.7</json-smart.version>
+        <netty.version>4.1.97.Final</netty.version>
+        <guava.version>32.1.2-jre</guava.version>
    </properties>

    <licenses>
@@ -46,6 +48,18 @@

    <dependencyManagement>
        <dependencies>
+            <dependency>
+                <groupId>io.netty</groupId>
+                <artifactId>netty-bom</artifactId>
+                <version>${netty.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+            <dependency>
+                <groupId>com.google.guava</groupId>
+                <artifactId>guava</artifactId>
+                <version>${guava.version}</version>
+            </dependency>
            <dependency>
                <groupId>com.fasterxml.jackson</groupId>
                <artifactId>jackson-bom</artifactId>
@@ -83,10 +97,6 @@
                <artifactId>os-core-common</artifactId>
                <version>${osdu.oscorecommon.version}</version>
                <exclusions>
-                    <exclusion>
-                        <groupId>io.netty</groupId>
-                        <artifactId>netty-codec</artifactId>
-                    </exclusion>
                    <exclusion>
                        <groupId>com.fasterxml.jackson.core</groupId>
                        <artifactId>jackson-databind</artifactId>

--- a/provider/register-aws/pom.xml
+++ b/provider/register-aws/pom.xml
@@ -39,6 +39,13 @@

    <dependencyManagement>
        <dependencies>
+            <dependency>
+                <groupId>io.netty</groupId>
+                <artifactId>netty-bom</artifactId>
+                <version>${netty.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
            <dependency>
                <groupId>org.opengroup.osdu</groupId>
                <artifactId>os-core-common</artifactId>

--- a/provider/register-azure/pom.xml
+++ b/provider/register-azure/pom.xml
@@ -42,6 +42,13 @@

    <dependencyManagement>
        <dependencies>
+            <dependency>
+                <groupId>io.netty</groupId>
+                <artifactId>netty-bom</artifactId>
+                <version>${netty.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
            <!-- Inherit managed dependencies from core-lib-azure -->
            <dependency>
                <groupId>org.opengroup.osdu</groupId>

--- a/provider/register-ibm/pom.xml
+++ b/provider/register-ibm/pom.xml
@@ -54,10 +54,6 @@
 		<artifactId>os-core-lib-ibm</artifactId>
 		<version>0.21.0</version>
 		<exclusions>
-			<exclusion>
-				<groupId>io.netty</groupId>
-				<artifactId>netty-codec</artifactId>
-			</exclusion>
 			<exclusion>
 					<groupId>org.springframework.security</groupId>
 					<artifactId>spring-security-core</artifactId>
@@ -75,10 +71,6 @@
 		<artifactId>jackson-dataformat-cbor</artifactId>
 		<version>${jackson-dataformat-cbor.version}</version>
 	</dependency>
-	<dependency>
-		<groupId>io.netty</groupId>
-		<artifactId>netty-codec</artifactId>
-	</dependency>
 	<dependency>
 		<groupId>org.opengroup.osdu</groupId>
 		<artifactId>os-core-common</artifactId>

--- a/register-core/pom.xml
+++ b/register-core/pom.xml
@@ -31,20 +31,12 @@
    </parent>

    <properties>
-        <netty.version>4.1.70.Final</netty.version>
        <jackson-databind.version>2.14.2</jackson-databind.version>
        <jackson.version>2.14.2</jackson.version>
    </properties>

    <dependencyManagement>
        <dependencies>
-            <dependency>
-                <groupId>io.netty</groupId>
-                <artifactId>netty-bom</artifactId>
-                <version>${netty.version}</version>
-                <type>pom</type>
-                <scope>import</scope>
-            </dependency>
            <dependency>
                <groupId>org.springframework</groupId>
                <artifactId>spring-core</artifactId>