From b6952f124629fec201d479105d9246647788fd0a Mon Sep 17 00:00:00 2001
From: exceptionfactory <exceptionfactory@apache.org>
Date: Thu, 24 Oct 2024 16:58:07 -0500
Subject: [PATCH] NIFI-13933 Upgraded Spring Security to 6.3.4 and other
 dependencies This closes #9450

- Upgraded Spring Security from 6.3.3 to 6.3.4
- Upgraded Hadoop from 3.4.0 to 3.4.1
- Upgraded Velocity Engine Core from 2.3.0 to 2.4.1
- Upgraded Parquet Avro from 1.13.1 to 1.14.3
- Upgraded Google Libraries from 26.47.0 to 26.49.0
- Set protobuf-java to 3.25.5 for calcite-core and amazon-kinesis-client libraries
- Updated Dependency Check suppressions

Signed-off-by: Joseph Witt <joewitt@apache.org>
---
 nifi-code-coverage/pom.xml                    |  6 ++
 nifi-commons/nifi-calcite-utils/pom.xml       |  6 ++
 nifi-dependency-check-maven/suppressions.xml  | 78 +++++++------------
 .../nifi-aws-bundle/pom.xml                   |  6 ++
 .../gcp/storage/AbstractGCSTest.java          |  2 +-
 .../nifi-gcp-bundle/pom.xml                   |  2 +-
 .../nifi-parquet-processors/pom.xml           |  2 +-
 .../nifi-registry-test/pom.xml                |  7 ++
 pom.xml                                       | 11 ++-
 9 files changed, 64 insertions(+), 56 deletions(-)

diff --git a/nifi-code-coverage/pom.xml b/nifi-code-coverage/pom.xml
index 1b8c2fc49a..bbf2d810fc 100644
--- a/nifi-code-coverage/pom.xml
+++ b/nifi-code-coverage/pom.xml
@@ -113,6 +113,12 @@
                 <artifactId>apache-mime4j-core</artifactId>
                 <version>${mime4j.version}</version>
             </dependency>
+            <!-- Override protobuf-java from amazon-kinesis-client -->
+            <dependency>
+                <groupId>com.google.protobuf</groupId>
+                <artifactId>protobuf-java</artifactId>
+                <version>3.25.5</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 
diff --git a/nifi-commons/nifi-calcite-utils/pom.xml b/nifi-commons/nifi-calcite-utils/pom.xml
index fc7a69e4f6..c7c66e2ecd 100644
--- a/nifi-commons/nifi-calcite-utils/pom.xml
+++ b/nifi-commons/nifi-calcite-utils/pom.xml
@@ -65,6 +65,12 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <!-- Override protobuf-java from calcite-core -->
+        <dependency>
+            <groupId>com.google.protobuf</groupId>
+            <artifactId>protobuf-java</artifactId>
+            <version>3.25.5</version>
+        </dependency>
     </dependencies>
 
 </project>
diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml
index 19021551ee..e71529a3dc 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -19,16 +19,6 @@
         <packageUrl regex="true">^pkg:maven/org\.apache\.nifi.*$</packageUrl>
         <cpe regex="true">^cpe:.*$</cpe>
     </suppress>
-    <suppress>
-        <notes>CVE-2017-10355 does not apply to Xerces 2.12.2</notes>
-        <packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl>
-        <cve>CVE-2017-10355</cve>
-    </suppress>
-    <suppress>
-        <notes>CVE-2007-6465 applies to Ganglia Server not Ganglia client libraries</notes>
-        <packageUrl regex="true">^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$</packageUrl>
-        <cve>CVE-2007-6465</cve>
-    </suppress>
     <suppress>
         <notes>Elasticsearch Server vulnerabilities do not apply to elasticsearch-rest-client</notes>
         <packageUrl regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client@.*$</packageUrl>
@@ -44,11 +34,6 @@
         <packageUrl regex="true">^pkg:maven/com\.azure/azure\-messaging\-eventhubs\-checkpointstore\-blob@.*$</packageUrl>
         <cve>CVE-2022-30187</cve>
     </suppress>
-    <suppress>
-        <notes>CVE-2010-1151 applies to mod_auth_shadow in Apache HTTP Server not the FTP server library</notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.ftpserver/.*$</packageUrl>
-        <cve>CVE-2010-1151</cve>
-    </suppress>
     <suppress>
         <notes>CVE-2018-14335 applies to H2 running with a web server console enabled</notes>
         <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
@@ -69,16 +54,6 @@
         <packageUrl regex="true">^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-pubsublite\-v1@.*$</packageUrl>
         <cpe>cpe:/a:grpc:grpc</cpe>
     </suppress>
-    <suppress>
-        <notes>CVE-2020-9040 applies to Couchbase Server not the client library</notes>
-        <packageUrl regex="true">^pkg:maven/com\.couchbase\.client/core\-io@.*$</packageUrl>
-        <vulnerabilityName>CVE-2020-9040</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes>CVE-2022-41881 applies to HA Proxy components in Netty which are not used in Couchbase or other components</notes>
-        <packageUrl regex="true">^pkg:maven/io\.netty/.*$</packageUrl>
-        <cve>CVE-2022-41881</cve>
-    </suppress>
     <suppress>
         <notes>CVE-2021-34538 applies to Apache Hive server not the Storage API library</notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.hive/hive\-storage\-api@.*$</packageUrl>
@@ -94,16 +69,6 @@
         <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
         <vulnerabilityName>CVE-2023-35116</vulnerabilityName>
     </suppress>
-    <suppress>
-        <notes>CVE-2023-25194 applies to Kafka Connect workers not client libraries</notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.kafka/kafka.*?@.*$</packageUrl>
-        <cve>CVE-2023-25194</cve>
-    </suppress>
-    <suppress>
-        <notes>CVE-2023-34462 applies to Netty servers using SniHandler not Netty 4.1 shaded for Couchbase and HBase 2</notes>
-        <packageUrl regex="true">^pkg:maven/io\.netty/netty.*$</packageUrl>
-        <cve>CVE-2023-34462</cve>
-    </suppress>
     <suppress>
         <notes>The Square Wire framework is not the same as the Wire secure communication application</notes>
         <packageUrl regex="true">^pkg:maven/com\.squareup\.wire/.*$</packageUrl>
@@ -189,11 +154,6 @@
         <packageUrl regex="true">^pkg:maven/org\.apache\.hive.*$</packageUrl>
         <cve>CVE-2020-13949</cve>
     </suppress>
-    <suppress>
-        <notes>CVE-2023-44487 applies to netty-codec-http2 as a Server</notes>
-        <packageUrl regex="true">^pkg:maven/io\.netty/netty.*$</packageUrl>
-        <cve>CVE-2023-44487</cve>
-    </suppress>
     <suppress>
         <notes>Parquet MR vulnerabilities do not apply to other Parquet libraries</notes>
         <packageUrl regex="true">^pkg:maven/org\.apache\.parquet/parquet\-(?!mr).*$</packageUrl>
@@ -234,11 +194,6 @@
         <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
         <cve>CVE-2020-7656</cve>
     </suppress>
-    <suppress>
-        <notes>jQuery vulnerability warning for historical versions</notes>
-        <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
-        <vulnerabilityName>jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates</vulnerabilityName>
-    </suppress>
     <suppress>
         <notes>CVE-2023-44487 references gRPC for Go</notes>
         <packageUrl regex="true">^pkg:maven/io\.grpc/grpc.*$</packageUrl>
@@ -254,14 +209,9 @@
         <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
         <cve>CVE-2020-8908</cve>
     </suppress>
-    <suppress>
-        <notes>CVE-2023-36052 applies to Azure CLI not Azure Java libraries</notes>
-        <packageUrl regex="true">^pkg:maven/com\.azure/.*$</packageUrl>
-        <cve>CVE-2023-36052</cve>
-    </suppress>
     <suppress>
         <notes>Findings for Apache Hadoop do not apply to the shaded Protobuf library</notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop\-shaded\-protobuf_3_21@.*$</packageUrl>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop\-shaded\-protobuf_3_25@.*$</packageUrl>
         <cpe>cpe:/a:apache:hadoop</cpe>
     </suppress>
     <suppress>
@@ -274,4 +224,30 @@
         <packageUrl regex="true">^pkg:maven/org\.threeten/threetenbp@.*$</packageUrl>
         <vulnerabilityName>CVE-2024-23082</vulnerabilityName>
     </suppress>
+    <suppress>
+        <notes>CVE-2023-7272 applies to Eclipse Parrson not javax.json</notes>
+        <packageUrl regex="true">^pkg:maven/org\.glassfish/javax\.json@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-7272</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>CVE-2024-43591 applies to Azure CLI not azure-core-amqp</notes>
+        <packageUrl regex="true">^pkg:maven/com\.azure/.*$</packageUrl>
+        <cpe>cpe:/a:microsoft:azure_cli</cpe>
+        <cve>CVE-2024-43591</cve>
+    </suppress>
+    <suppress>
+        <notes>jquery is not used although bundled in Hadoop avro-ipc libraries</notes>
+        <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
+        <vulnerabilityName>jquery issue: 162</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>Google OpenTelemetry shared-resourcemapping versions do not align with base OpenTelemetry versions leading to false positives</notes>
+        <packageUrl regex="true">^pkg:maven/com\.google\.cloud\.opentelemetry/.*$</packageUrl>
+        <cpe>cpe:/a:opentelemetry:opentelemetry</cpe>
+    </suppress>
+    <suppress>
+        <notes>CVE-2024-35255 is resolved in msal4j 1.15.1 and the CPE for other languages does not apply</notes>
+        <cve>CVE-2024-35255</cve>
+        <cpe>cpe:/a:microsoft:authentication_library:*:*:*:*:*:.net:*:*</cpe>
+    </suppress>
 </suppressions>
diff --git a/nifi-extension-bundles/nifi-aws-bundle/pom.xml b/nifi-extension-bundles/nifi-aws-bundle/pom.xml
index fa13da9a30..ee8e5513cd 100644
--- a/nifi-extension-bundles/nifi-aws-bundle/pom.xml
+++ b/nifi-extension-bundles/nifi-aws-bundle/pom.xml
@@ -66,6 +66,12 @@
                     </exclusion>
                 </exclusions>
             </dependency>
+            <!-- Override protobuf-java from amazon-kinesis-client -->
+            <dependency>
+                <groupId>com.google.protobuf</groupId>
+                <artifactId>protobuf-java</artifactId>
+                <version>3.25.5</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 </project>
diff --git a/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/test/java/org/apache/nifi/processors/gcp/storage/AbstractGCSTest.java b/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/test/java/org/apache/nifi/processors/gcp/storage/AbstractGCSTest.java
index 99289558de..8d57214f6f 100644
--- a/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/test/java/org/apache/nifi/processors/gcp/storage/AbstractGCSTest.java
+++ b/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/test/java/org/apache/nifi/processors/gcp/storage/AbstractGCSTest.java
@@ -45,7 +45,7 @@ import static org.mockito.Mockito.reset;
 @ExtendWith(MockitoExtension.class)
 public abstract class AbstractGCSTest {
     private static final String PROJECT_ID = System.getProperty("test.gcp.project.id", "nifi-test-gcp-project");
-    private static final String DEFAULT_STORAGE_URL = "https://storage.googleapis.com";
+    private static final String DEFAULT_STORAGE_URL = "https://storage.googleapis.com/";
     private static final Integer RETRIES = 9;
 
     static final String BUCKET = RemoteStorageHelper.generateBucketName();
diff --git a/nifi-extension-bundles/nifi-gcp-bundle/pom.xml b/nifi-extension-bundles/nifi-gcp-bundle/pom.xml
index fc5c09bc38..bcfbb57ae3 100644
--- a/nifi-extension-bundles/nifi-gcp-bundle/pom.xml
+++ b/nifi-extension-bundles/nifi-gcp-bundle/pom.xml
@@ -25,7 +25,7 @@
     <packaging>pom</packaging>
 
     <properties>
-        <google.libraries.version>26.47.0</google.libraries.version>
+        <google.libraries.version>26.49.0</google.libraries.version>
     </properties>
 
     <dependencyManagement>
diff --git a/nifi-extension-bundles/nifi-parquet-bundle/nifi-parquet-processors/pom.xml b/nifi-extension-bundles/nifi-parquet-bundle/nifi-parquet-processors/pom.xml
index 3e6d3adfcb..d2def3d699 100644
--- a/nifi-extension-bundles/nifi-parquet-bundle/nifi-parquet-processors/pom.xml
+++ b/nifi-extension-bundles/nifi-parquet-bundle/nifi-parquet-processors/pom.xml
@@ -87,7 +87,7 @@
         <dependency>
             <groupId>org.apache.parquet</groupId>
             <artifactId>parquet-avro</artifactId>
-            <version>1.13.1</version>
+            <version>1.14.3</version>
             <exclusions>
                 <exclusion>
                     <groupId>org.xerial.snappy</groupId>
diff --git a/nifi-registry/nifi-registry-core/nifi-registry-test/pom.xml b/nifi-registry/nifi-registry-core/nifi-registry-test/pom.xml
index 03a68ee334..c8a5888054 100644
--- a/nifi-registry/nifi-registry-core/nifi-registry-test/pom.xml
+++ b/nifi-registry/nifi-registry-core/nifi-registry-test/pom.xml
@@ -63,6 +63,13 @@
             <groupId>com.mysql</groupId>
             <artifactId>mysql-connector-j</artifactId>
             <version>9.1.0</version>
+            <exclusions>
+                <!-- Exclude unused protobuf-java -->
+                <exclusion>
+                    <groupId>com.google.protobuf</groupId>
+                    <artifactId>protobuf-java</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.mariadb.jdbc</groupId>
diff --git a/pom.xml b/pom.xml
index fd83d7ec5b..8cc22a16f0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -142,7 +142,7 @@
         <json.smart.version>2.5.1</json.smart.version>
         <groovy.version>4.0.23</groovy.version>
         <surefire.version>3.5.1</surefire.version>
-        <hadoop.version>3.4.0</hadoop.version>
+        <hadoop.version>3.4.1</hadoop.version>
         <ozone.version>1.2.1</ozone.version>
         <gcs.version>2.1.5</gcs.version>
         <aspectj.version>1.9.22.1</aspectj.version>
@@ -155,7 +155,7 @@
         <netty.4.version>4.1.114.Final</netty.4.version>
         <servlet-api.version>6.1.0</servlet-api.version>
         <spring.version>6.1.14</spring.version>
-        <spring.security.version>6.3.3</spring.security.version>
+        <spring.security.version>6.3.4</spring.security.version>
         <swagger.annotations.version>2.2.25</swagger.annotations.version>
         <h2.version>2.3.232</h2.version>
         <zookeeper.version>3.9.2</zookeeper.version>
@@ -163,6 +163,7 @@
         <hapi.version>2.5.1</hapi.version>
         <commons.dbcp2.version>2.12.0</commons.dbcp2.version>
         <prometheus.version>0.16.0</prometheus.version>
+        <velocity-engine-core.version>2.4.1</velocity-engine-core.version>
     </properties>
     <dependencyManagement>
         <dependencies>
@@ -559,6 +560,12 @@
                 <artifactId>zookeeper-jute</artifactId>
                 <version>${zookeeper.version}</version>
             </dependency>
+            <!-- Override velocity-engine-core 2.3 for framework and Hadoop dependencies -->
+            <dependency>
+                <groupId>org.apache.velocity</groupId>
+                <artifactId>velocity-engine-core</artifactId>
+                <version>${velocity-engine-core.version}</version>
+            </dependency>
             <!-- Managed JUnit 4 version for transitive dependencies such as OkHttp MockWebServer -->
             <dependency>
                 <groupId>junit</groupId>