From e892f3ce4f26ff962df0f51ac177a86f0fdf5779 Mon Sep 17 00:00:00 2001
From: Timothy Lobl <lobtimo@amazon.com>
Date: Mon, 25 Nov 2024 14:08:26 +0000
Subject: [PATCH] Resolve spring, netty, common io CVE

---
 NOTICE                       | 8 ++++----
 pom.xml                      | 6 +++---
 provider/storage-aws/pom.xml | 7 ++++++-
 3 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/NOTICE b/NOTICE
index 87ad3598f..06016b97e 100644
--- a/NOTICE
+++ b/NOTICE
@@ -69,7 +69,7 @@ The following software have components provided under the terms of this license:
 - Byte Buddy Java agent (from https://repo1.maven.org/maven2/net/bytebuddy/byte-buddy-agent)
 - ClassMate (from http://github.com/cowtowncoder/java-classmate)
 - Cloud Key Management Service (KMS) API v1-rev20240918-2.0.0 (from https://repo1.maven.org/maven2/com/google/apis/google-api-services-cloudkms)
-- Cloud Storage JSON API v1-rev20241008-2.0.0 (from https://repo1.maven.org/maven2/com/google/apis/google-api-services-storage)
+- Cloud Storage JSON API v1-rev20241113-2.0.0 (from https://repo1.maven.org/maven2/com/google/apis/google-api-services-storage)
 - Collections (from https://repo1.maven.org/maven2/commons-collections/commons-collections)
 - Commons Digester (from http://commons.apache.org/digester/)
 - Converter: Jackson (from https://github.com/square/retrofit, https://repo1.maven.org/maven2/com/squareup/retrofit2/converter-jackson)
@@ -191,7 +191,7 @@ The following software have components provided under the terms of this license:
 - Proton-J (from https://repo1.maven.org/maven2/org/apache/qpid/proton-j)
 - QpidJMS Client (from https://repo1.maven.org/maven2/org/apache/qpid/qpid-jms-client)
 - RabbitMQ Java Client (from http://www.rabbitmq.com, https://www.rabbitmq.com)
-- Redisson (from http://redisson.org)
+- Redisson (from http://redisson.org, https://redisson.pro)
 - Retrofit (from https://github.com/square/retrofit, https://repo1.maven.org/maven2/com/squareup/retrofit2/retrofit)
 - RxJava (from https://github.com/ReactiveX/RxJava)
 - Simple XML (safe) (from https://github.com/dweiss/simplexml)
@@ -363,7 +363,7 @@ The following software have components provided under the terms of this license:
 - Protocol Buffer Java API (from http://code.google.com/p/protobuf, https://repo1.maven.org/maven2/com/google/protobuf/protobuf-java)
 - Protocol Buffers [Util] (from https://repo1.maven.org/maven2/com/google/protobuf/protobuf-java-util)
 - RE2/J (from http://github.com/google/re2j)
-- Redisson (from http://redisson.org)
+- Redisson (from http://redisson.org, https://redisson.pro)
 - ReflectASM (from https://github.com/EsotericSoftware/reflectasm)
 - ServiceLocator Default Implementation (from https://repo1.maven.org/maven2/org/glassfish/hk2/hk2-locator)
 - Spring Core (from http://www.springframework.org, https://github.com/spring-projects/spring-framework, https://repo1.maven.org/maven2/org/springframework/spring-core)
@@ -397,7 +397,7 @@ The following software have components provided under the terms of this license:
 - LatencyUtils (from http://latencyutils.github.io/LatencyUtils/)
 - Netty/Common (from https://repo1.maven.org/maven2/io/netty/netty-common)
 - RabbitMQ Java Client (from http://www.rabbitmq.com, https://www.rabbitmq.com)
-- Redisson (from http://redisson.org)
+- Redisson (from http://redisson.org, https://redisson.pro)
 - jersey-core-common (from https://repo1.maven.org/maven2/org/glassfish/jersey/core/jersey-common)
 - jersey-repackaged-guava (from https://repo1.maven.org/maven2/org/glassfish/jersey/bundles/repackaged/jersey-guava)
 - reactive-streams (from http://www.reactive-streams.org/)
diff --git a/pom.xml b/pom.xml
index d128ec471..db4dd8deb 100644
--- a/pom.xml
+++ b/pom.xml
@@ -30,7 +30,7 @@
         <docker.image.prefix>opendes</docker.image.prefix>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <os-core-common.version>2.0.0</os-core-common.version>
-        <netty.version>4.1.51.Final</netty.version>
+        <netty.version>4.1.115.Final</netty.version>
         <snakeyaml.version>2.0</snakeyaml.version>
         <commons-codec.version>1.14</commons-codec.version>
         <nimbusds.version>7.9</nimbusds.version>
@@ -38,8 +38,8 @@
         <json-smart.version>2.5.0</json-smart.version>
         <jackson.version>2.16.1</jackson.version>
         <spring-framework-version>6.1.13</spring-framework-version>
-        <spring-boot.version>3.3.4</spring-boot.version>
-        <spring-security.version>6.3.1</spring-security.version>
+        <spring-boot.version>3.3.5</spring-boot.version>
+        <spring-security.version>6.3.4</spring-security.version>
     </properties>
 
     <licenses>
diff --git a/provider/storage-aws/pom.xml b/provider/storage-aws/pom.xml
index 522a48759..107c9ab20 100644
--- a/provider/storage-aws/pom.xml
+++ b/provider/storage-aws/pom.xml
@@ -44,7 +44,7 @@
         <dependency>
             <groupId>org.opengroup.osdu.core.aws</groupId>
             <artifactId>os-core-lib-aws</artifactId>
-            <version>3.0.1</version>
+            <version>3.0.2</version>
         </dependency>
          <dependency>
              <groupId>org.opengroup.osdu</groupId>
@@ -85,6 +85,11 @@
             <artifactId>spring-web</artifactId>
             <version>${spring-framework-version}</version>
         </dependency>
+        <dependency>
+            <groupId>io.netty</groupId>
+            <artifactId>netty-common</artifactId>
+            <version>4.1.115.Final</version>
+        </dependency>
 
 
         <dependency>
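Review bot: The added `netty-common` dependency hard-codes `4.1.115.Final` instead of reusing the `netty.version` property that this same commit bumps in the root `pom.xml`, so the two values can drift at the next security upgrade. Assuming this module inherits the root properties (it already resolves `${spring-framework-version}` for `spring-web` just above), `<version>${netty.version}</version>` would keep a single source of truth. Pinning only `netty-common` may leave other `io.netty` artifacts on whatever version arrives transitively, so it is worth running `mvn dependency:tree -Dincludes=io.netty` to confirm the vulnerable version is gone, or managing the whole set in `dependencyManagement`; the surrounding `<dependencies>` element lies outside this hunk, so existing management is not visible here. Separately, `spring-web` stays on `${spring-framework-version}`, which the root pom leaves at 6.1.13, so please confirm the Spring advisory being addressed does not also need a framework bump. A short comment such as `<!-- pinned for security advisory <ADVISORY-ID>; remove once managed upstream -->` would tell maintainers when the override can go.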
-- 
GitLab