Merge branch 'az/td-fix-json-smart' into 'master'

[#MSCOSDU-1992] fix: Remediate [json-smart,okio,reactor-netty-http] vulnerability See merge request !438

Merge branch 'az/td-fix-json-smart' into 'master'
aeefe5c1 · Thulasi Dass Subramanian · 08ef79e0 · e3ead8f5 · aeefe5c1 · aeefe5c1
Commit aeefe5c1 authored 1 year ago by Thulasi Dass Subramanian
--- a/NOTICE
+++ b/NOTICE
@@ -71,7 +71,7 @@ The following software have components provided under the terms of this license:
 - Apache Log4j JUL Adapter (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul)
 - Apache Log4j SLF4J Binding (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-slf4j-impl)
 - Apache Log4j to SLF4J Adapter (from https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-to-slf4j)
- AssertJ Core (from ${project.organization.url}#${project.artifactId})
+- AssertJ Core (from https://assertj.github.io/doc/#assertj-core)
 - Asynchronous Http Client (from https://repo1.maven.org/maven2/org/asynchttpclient/async-http-client)
 - Asynchronous Http Client Netty Utils (from https://repo1.maven.org/maven2/org/asynchttpclient/async-http-client-netty-utils)
 - AutoValue Annotations (from https://github.com/google/auto/tree/main/value, https://github.com/google/auto/tree/master/value, https://repo1.maven.org/maven2/com/google/auto/value/auto-value-annotations)
@@ -152,7 +152,7 @@ The following software have components provided under the terms of this license:
 - Java Native Access Platform (from https://github.com/java-native-access/jna)
 - JavaBeans Activation Framework (from <http://java.sun.com/javase/technologies/desktop/javabeans/jaf/index.jsp>, http://java.sun.com/javase/technologies/desktop/javabeans/jaf/index.jsp, https://repo1.maven.org/maven2/com/sun/activation/javax.activation)
 - JavaMail API jar (from https://repo1.maven.org/maven2/javax/mail/javax.mail-api)
- Javassist (from http://www.javassist.org/)
+- Javassist (from http://www.javassist.org/, https://www.javassist.org/)
 - JetBrains Java Annotations (from https://github.com/JetBrains/java-annotations)
 - Joda-Time (from http://joda-time.sourceforge.net, http://www.joda.org/joda-time/, https://www.joda.org/joda-time/)
 - KeePassJava2 :: All (from https://repo1.maven.org/maven2/org/linguafranca/pwdb/KeePassJava2)
@@ -680,7 +680,7 @@ The following software have components provided under the terms of this license:

 - Java Native Access (from https://github.com/java-native-access/jna, https://github.com/twall/jna)
 - Java Native Access Platform (from https://github.com/java-native-access/jna)
- Javassist (from http://www.javassist.org/)
+- Javassist (from http://www.javassist.org/, https://www.javassist.org/)

 ========================================================================
 MIT
@@ -732,7 +732,7 @@ The following software have components provided under the terms of this license:
 - QpidJMS Client (from https://repo1.maven.org/maven2/org/apache/qpid/qpid-jms-client)
 - SLF4J API Module (from http://www.slf4j.org)
 - Spongy Castle (from http://rtyley.github.io/spongycastle/)
- Spring Data for Azure Cosmos DB SQL API (from https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/cosmos/azure-spring-data-cosmos)
+- Spring Data for Azure Cosmos DB SQL API (from https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/cosmos/azure-spring-data-cosmos, https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/spring/azure-spring-data-cosmos)
 - ThreeTen backport (from https://github.com/ThreeTen/threetenbp, https://www.threeten.org/threetenbp)
 - adal4j (from https://github.com/AzureAD/azure-activedirectory-library-for-java)
 - jersey-container-servlet (from https://repo1.maven.org/maven2/org/glassfish/jersey/containers/jersey-container-servlet)
@@ -758,7 +758,7 @@ MPL-1.1
 ========================================================================
 The following software have components provided under the terms of this license:

- Javassist (from http://www.javassist.org/)
+- Javassist (from http://www.javassist.org/, https://www.javassist.org/)

 ========================================================================
 MPL-2.0

--- a/pom.xml
+++ b/pom.xml
@@ -33,7 +33,7 @@
        <osdu.os.core.common-version>0.25.0</osdu.os.core.common-version>
        <log4j2.version>2.17.1</log4j2.version>
        <gson.version>2.8.9</gson.version>
-        <json-smart.version>2.4.7</json-smart.version>
+        <json-smart.version>2.5.0</json-smart.version>
        <netty.version>4.1.97.Final</netty.version>
        <guava.version>32.1.2-jre</guava.version>
    </properties>

--- a/provider/register-azure/pom.xml
+++ b/provider/register-azure/pom.xml
@@ -39,7 +39,9 @@
        <jackson.version>2.14.2</jackson.version>
        <spring-webmvc.version>5.3.22</spring-webmvc.version>
        <netty.version>4.1.101.Final</netty.version>
-        <reactor-netty-http.version>1.1.13</reactor-netty-http.version>
+        <reactor-core.version>3.4.19</reactor-core.version>
+        <reactor-netty.version>1.1.14</reactor-netty.version>
+        <okhttp.version>4.12.0</okhttp.version>
    </properties>

    <dependencyManagement>
@@ -180,10 +182,38 @@
            <artifactId>oauth2-oidc-sdk</artifactId>
            <version>${oauth2-oidc-sdk.version}</version>
        </dependency>
+        <!-- reactor-netty related dependencies -->
        <dependency>
            <groupId>io.projectreactor.netty</groupId>
            <artifactId>reactor-netty-http</artifactId>
-            <version>${reactor-netty-http.version}</version>
+            <version>${reactor-netty.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>io.projectreactor.netty</groupId>
+            <artifactId>reactor-netty-core</artifactId>
+            <version>${reactor-netty.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>io.projectreactor.netty</groupId>
+            <artifactId>reactor-netty-http-brave</artifactId>
+            <version>${reactor-netty.version}</version>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.projectreactor.netty</groupId>
+            <artifactId>reactor-netty</artifactId>
+            <version>${reactor-netty.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>io.projectreactor</groupId>
+            <artifactId>reactor-core</artifactId>
+            <version>${reactor-core.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.squareup.okhttp3</groupId>
+            <artifactId>okhttp</artifactId>
+            <version>${okhttp.version}</version>
        </dependency>

        <!-- Test Dependencies -->