[MS-39304] remediate high vulnerabilities [Core & Azure]

4f88f637 · VidyaDharani Lokam · fb68ba2e · 4f88f637 · 4f88f637 · 4f88f637
Commit 4f88f637 authored 11 months ago by VidyaDharani Lokam
--- a/NOTICE
+++ b/NOTICE
@@ -76,7 +76,7 @@ The following software have components provided under the terms of this license:
 - Byte Buddy (without dependencies) (from https://repo1.maven.org/maven2/net/bytebuddy/byte-buddy)
 - Byte Buddy Java agent (from https://repo1.maven.org/maven2/net/bytebuddy/byte-buddy-agent)
 - ClassMate (from http://github.com/cowtowncoder/java-classmate)
- Cloud Key Management Service (KMS) API v1-rev20240219-2.0.0 (from https://repo1.maven.org/maven2/com/google/apis/google-api-services-cloudkms)
+- Cloud Key Management Service (KMS) API v1-rev20240502-2.0.0 (from https://repo1.maven.org/maven2/com/google/apis/google-api-services-cloudkms)
 - Cloud Storage JSON API v1-rev20240319-2.0.0 (from https://repo1.maven.org/maven2/com/google/apis/google-api-services-storage)
 - Collections (from https://repo1.maven.org/maven2/commons-collections/commons-collections)
 - Commons Digester (from http://commons.apache.org/digester/)
@@ -211,7 +211,6 @@ The following software have components provided under the terms of this license:
 - Redisson (from http://redisson.org)
 - Retrofit (from https://github.com/square/retrofit, https://repo1.maven.org/maven2/com/squareup/retrofit2/retrofit)
 - RxJava (from https://github.com/ReactiveX/RxJava)
- ServiceLocator Default Implementation (from https://repo1.maven.org/maven2/org/glassfish/hk2/hk2-locator)
 - Simple XML (safe) (from https://github.com/dweiss/simplexml)
 - SnakeYAML (from http://code.google.com/p/snakeyaml/, http://www.snakeyaml.org, https://bitbucket.org/snakeyaml/snakeyaml)
 - Spring AOP (from http://www.springframework.org, https://github.com/spring-projects/spring-framework, https://repo1.maven.org/maven2/org/springframework/spring-aop)
@@ -386,6 +385,7 @@ The following software have components provided under the terms of this license:
 - Protocol Buffers [Util] (from https://repo1.maven.org/maven2/com/google/protobuf/protobuf-java-util)
 - RE2/J (from http://github.com/google/re2j)
 - Redisson (from http://redisson.org)
+- ServiceLocator Default Implementation (from https://repo1.maven.org/maven2/org/glassfish/hk2/hk2-locator)
 - Spring Core (from http://www.springframework.org, https://github.com/spring-projects/spring-framework, https://repo1.maven.org/maven2/org/springframework/spring-core)
 - ThreeTen backport (from https://github.com/ThreeTen/threetenbp, https://www.threeten.org/threetenbp)
 - jersey-core-common (from https://repo1.maven.org/maven2/org/glassfish/jersey/core/jersey-common)
@@ -451,7 +451,6 @@ The following software have components provided under the terms of this license:
 - Java Architecture for XML Binding (from http://jaxb.java.net/, https://repo1.maven.org/maven2/javax/xml/bind/jaxb-api)
 - JavaBeans Activation Framework (from <http://java.sun.com/javase/technologies/desktop/javabeans/jaf/index.jsp>, http://java.sun.com/javase/technologies/desktop/javabeans/jaf/index.jsp, https://repo1.maven.org/maven2/com/sun/activation/javax.activation)
 - OSGi resource locator (from https://repo1.maven.org/maven2/org/glassfish/hk2/osgi-resource-locator)
- ServiceLocator Default Implementation (from https://repo1.maven.org/maven2/org/glassfish/hk2/hk2-locator)
 - aopalliance-repackaged (from https://repo1.maven.org/maven2/org/glassfish/hk2/external/aopalliance-repackaged)
 - javax.annotation API (from http://jcp.org/en/jsr/detail?id=250)
 - javax.inject (from http://code.google.com/p/atinject/, https://repo1.maven.org/maven2/org/glassfish/hk2/external/javax.inject)
@@ -465,7 +464,6 @@ The following software have components provided under the terms of this license:
 - HK2 Implementation Utilities (from https://repo1.maven.org/maven2/org/glassfish/hk2/hk2-utils)
 - Java Architecture for XML Binding (from http://jaxb.java.net/, https://repo1.maven.org/maven2/javax/xml/bind/jaxb-api)
 - JavaBeans Activation Framework (from <http://java.sun.com/javase/technologies/desktop/javabeans/jaf/index.jsp>, http://java.sun.com/javase/technologies/desktop/javabeans/jaf/index.jsp, https://repo1.maven.org/maven2/com/sun/activation/javax.activation)
- ServiceLocator Default Implementation (from https://repo1.maven.org/maven2/org/glassfish/hk2/hk2-locator)
 - aopalliance-repackaged (from https://repo1.maven.org/maven2/org/glassfish/hk2/external/aopalliance-repackaged)
 - javax.annotation API (from http://jcp.org/en/jsr/detail?id=250)
 - javax.inject (from http://code.google.com/p/atinject/, https://repo1.maven.org/maven2/org/glassfish/hk2/external/javax.inject)
@@ -526,6 +524,7 @@ The following software have components provided under the terms of this license:
 - Jakarta Validation API (from https://beanvalidation.org)
 - Jakarta XML Binding API (from https://repo1.maven.org/maven2/jakarta/xml/bind/jakarta.xml.bind-api, https://repo1.maven.org/maven2/org/jboss/spec/javax/xml/bind/jboss-jaxb-api_2.3_spec)
 - Old JAXB Core (from <https://eclipse-ee4j.github.io/jaxb-ri/>, https://eclipse-ee4j.github.io/jaxb-ri/, https://repo1.maven.org/maven2/com/sun/xml/bind/jaxb-impl)
+- ServiceLocator Default Implementation (from https://repo1.maven.org/maven2/org/glassfish/hk2/hk2-locator)
 - jersey-core-common (from https://repo1.maven.org/maven2/org/glassfish/jersey/core/jersey-common)

 ========================================================================
@@ -740,7 +739,6 @@ cockroach
 The following software have components provided under the terms of this license:

 - HK2 Implementation Utilities (from https://repo1.maven.org/maven2/org/glassfish/hk2/hk2-utils)
- ServiceLocator Default Implementation (from https://repo1.maven.org/maven2/org/glassfish/hk2/hk2-locator)

 ========================================================================
 gpl-2.0-classpath
@@ -749,6 +747,7 @@ The following software have components provided under the terms of this license:

 - Jakarta Annotations API (from https://projects.eclipse.org/projects/ee4j.ca)
 - Jakarta Validation API (from https://beanvalidation.org)
+- ServiceLocator Default Implementation (from https://repo1.maven.org/maven2/org/glassfish/hk2/hk2-locator)

 ========================================================================
 public-domain
@@ -756,6 +755,7 @@ public-domain
 The following software have components provided under the terms of this license:

 - HdrHistogram (from http://hdrhistogram.github.io/HdrHistogram/)
+- JBoss Logging 3 (from http://www.jboss.org)
 - JSON in Java (from https://github.com/douglascrockford/JSON-java)
 - Microsoft Azure client library for Blob Storage (from https://github.com/Azure/azure-sdk-for-java)
 - PostgreSQL JDBC Driver

--- a/pom.xml
+++ b/pom.xml
@@ -29,7 +29,7 @@
        <maven.compiler.source>17</maven.compiler.source>
        <docker.image.prefix>opendes</docker.image.prefix>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
-        <os-core-common.version>0.26.0</os-core-common.version>
+        <os-core-common-spring6.version>0.26.0</os-core-common-spring6.version>
        <netty.version>4.1.51.Final</netty.version>
        <snakeyaml.version>2.0</snakeyaml.version>
        <commons-codec.version>1.14</commons-codec.version>
@@ -38,7 +38,7 @@
        <json-smart.version>2.5.0</json-smart.version>
        <jackson.version>2.16.1</jackson.version>
        <spring-framework-version>6.1.5</spring-framework-version>
-        <spring-boot.version>3.2.4</spring-boot.version>
+        <spring-boot.version>3.2.5</spring-boot.version>
        <spring-security.version>6.2.3</spring-security.version>
    </properties>

@@ -77,7 +77,7 @@
            <dependency>
                <groupId>org.opengroup.osdu</groupId>
                <artifactId>os-core-common-spring6</artifactId>
-                <version>${os-core-common.version}</version>
+                <version>${os-core-common-spring6.version}</version>
            </dependency>

            <dependency>

--- a/provider/storage-azure/pom.xml
+++ b/provider/storage-azure/pom.xml
@@ -32,15 +32,14 @@
        <java.version>17</java.version>
        <maven.compiler.target>17</maven.compiler.target>
        <maven.compiler.source>17</maven.compiler.source>
-        <osdu.corelibazure.version>0.26.0</osdu.corelibazure.version>
+        <core-lib-azure-spring6.version>0.26.0</core-lib-azure-spring6.version>
        <osdu.storage-core.version>0.27.0-SNAPSHOT</osdu.storage-core.version>
        <junit.version>4.12</junit.version>
        <mockito.version>1.10.19</mockito.version>
        <nimbus-jose-jwt-azure.version>9.30.2</nimbus-jose-jwt-azure.version>
        <azure-storage-blob.version>12.25.2</azure-storage-blob.version>
        <azure-spring-data-cosmos.version>5.9.1</azure-spring-data-cosmos.version>
-        <spring-webmvc.version>6.1.4</spring-webmvc.version>
-        <netty.version>4.1.101.Final</netty.version>
+        <netty.version>4.1.109.Final</netty.version>
        <woodstox-core.version>6.4.0</woodstox-core.version>
        <argLine>
            --add-opens=java.base/java.util=ALL-UNNAMED
@@ -49,7 +48,6 @@
            --add-opens java.base/java.text=ALL-UNNAMED
            --add-opens jdk.compiler/com.sun.tools.javac.processing=ALL-UNNAMED
        </argLine>
-        <reactor-netty.version>1.1.14</reactor-netty.version>
        <okhttp.version>4.12.0</okhttp.version>
        <okio.version>3.7.0</okio.version>
    </properties>
@@ -77,19 +75,9 @@
            <dependency>
                <groupId>org.opengroup.osdu</groupId>
                <artifactId>core-lib-azure-spring6</artifactId>
-                <version>${osdu.corelibazure.version}</version>
+                <version>${core-lib-azure-spring6.version}</version>
                <type>pom</type>
                <scope>import</scope>
-                <exclusions>
-                    <exclusion>
-                        <groupId>com.azure</groupId>
-                        <artifactId>azure-storage-blob</artifactId>
-                    </exclusion>
-                    <exclusion>
-                        <artifactId>azure-core</artifactId>
-                        <groupId>com.azure</groupId>
-                    </exclusion>
-                </exclusions>
            </dependency>
            <dependency>
                <groupId>com.azure</groupId>
@@ -142,25 +130,10 @@
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-oauth2-jose</artifactId>
        </dependency>
-        <dependency>
-            <groupId>org.springframework</groupId>
-            <artifactId>spring-webmvc</artifactId>
-            <version>${spring-webmvc.version}</version>
-        </dependency>
        <dependency>
            <groupId>org.opengroup.osdu</groupId>
            <artifactId>core-lib-azure-spring6</artifactId>
-            <version>${osdu.corelibazure.version}</version>
-            <exclusions>
-                <exclusion>
-                    <groupId>com.azure</groupId>
-                    <artifactId>azure-storage-blob</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>com.azure</groupId>
-                    <artifactId>azure-core</artifactId>
-                </exclusion>
-            </exclusions>
+            <version>${core-lib-azure-spring6.version}</version>
        </dependency>
        <dependency>
            <groupId>org.slf4j</groupId>
@@ -234,11 +207,6 @@
            <artifactId>applicationinsights-runtime-attach</artifactId>
            <version>3.4.18</version>
        </dependency>
-        <dependency>
-            <groupId>io.projectreactor.netty</groupId>
-            <artifactId>reactor-netty-http</artifactId>
-            <version>${reactor-netty.version}</version>
-        </dependency>
        <dependency>
            <groupId>com.squareup.okhttp3</groupId>
            <artifactId>okhttp</artifactId>