NIFI-10923 This closes #6745. Upgraded Apache SSHD to 2.9.2

Signed-off-by: Joe Witt <joewitt@apache.org>
2022-12-01 12:40:54 -06:00 · 2022-12-01 12:40:54 -06:00 · 3399d09c46
parent c3b0e1a790
commit 3399d09c46
3 changed files with 17 additions and 2 deletions
--- a/nifi-nar-bundles/nifi-standard-bundle/pom.xml
+++ b/nifi-nar-bundles/nifi-standard-bundle/pom.xml
@ -35,6 +35,7 @@
    <properties>
        <yammer.metrics.version>2.2.0</yammer.metrics.version>
        <jolt.version>0.1.7</jolt.version>
+        <org.apache.sshd.version>2.9.2</org.apache.sshd.version>
    </properties>
    <dependencyManagement>
        <dependencies>
@ -303,12 +304,12 @@
            <dependency>
                <groupId>org.apache.sshd</groupId>
                <artifactId>sshd-core</artifactId>
-                <version>2.8.0</version>
+                <version>${org.apache.sshd.version}</version>
            </dependency>
            <dependency>
                <groupId>org.apache.sshd</groupId>
                <artifactId>sshd-sftp</artifactId>
-                <version>2.8.0</version>
+                <version>${org.apache.sshd.version}</version>
            </dependency>
            <dependency>
                <groupId>com.google.guava</groupId>
--- a/nifi-registry/pom.xml
+++ b/nifi-registry/pom.xml
@ -43,6 +43,7 @@
        <groovy.eclipse.compiler.version>3.4.0-01</groovy.eclipse.compiler.version>
        <jaxb.version>2.3.2</jaxb.version>
        <jgit.version>5.13.1.202206130422-r</jgit.version>
+        <org.apache.sshd.version>2.9.2</org.apache.sshd.version>
    </properties>

    <dependencyManagement>
@ -241,6 +242,17 @@
                    </exclusion>
                </exclusions>
            </dependency>
+            <!-- Override transitive SSHD version from JGit -->
+            <dependency>
+                <groupId>org.apache.sshd</groupId>
+                <artifactId>sshd-osgi</artifactId>
+                <version>${org.apache.sshd.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>org.apache.sshd</groupId>
+                <artifactId>sshd-sftp</artifactId>
+                <version>${org.apache.sshd.version}</version>
+            </dependency>
        </dependencies>
    </dependencyManagement>

--- a/pom.xml
+++ b/pom.xml
@ -970,6 +970,8 @@
                                        <exclude>org.bouncycastle:bcpkix-jdk15on</exclude>
                                        <exclude>org.bouncycastle:bcutil-jdk15on</exclude>
                                        <exclude>org.bouncycastle:bcmail-jdk15on</exclude>
+                                        <!-- Exclude SSHD 2.9.1 and earlier due to CVE-2022-45047 -->
+                                        <exclude>org.apache.sshd:*:[,2.9.1]</exclude>
                                    </excludes>
                                    <includes>
                                        <!-- Versions of JSR305 after 3.0.1 are allowed https://github.com/findbugsproject/findbugs/issues/128 -->