From 3cc8ab0d302ab264f923667ecb67c786d8870f32 Mon Sep 17 00:00:00 2001
From: Abbas Hussain
Date: Tue, 25 May 2021 16:22:26 -0700
Subject: [PATCH] [CVE] Upgrade dependencies for Azure related plugins to mitigate CVEs (#688) (#771)
* Update commons-io-2.4.jar to 2.7 for plugins/discovery-azure-classic module
* Remove unused jackson dependency and respective LICENSE and NOTICE
* Update guava dependency to mitigate CVE for repository-azure plugin
Signed-off-by: Abbas Hussain
---
 plugins/discovery-azure-classic/build.gradle | 30 +++++++++++++++----
 .../licenses/commons-io-2.4.jar.sha1 | 1 -
 .../licenses/commons-io-2.7.jar.sha1 | 1 +
 .../licenses/jackson-LICENSE | 8 -----
 .../licenses/jackson-NOTICE | 20 -------------
 .../licenses/jackson-core-asl-1.9.2.jar.sha1 | 1 -
 .../licenses/jackson-jaxrs-1.9.2.jar.sha1 | 1 -
 .../jackson-mapper-asl-1.9.2.jar.sha1 | 1 -
 .../licenses/jackson-xc-1.9.2.jar.sha1 | 1 -
 plugins/repository-azure/build.gradle | 9 ++++-
 .../licenses/guava-20.0.jar.sha1 | 1 -
 .../licenses/guava-30.1.1-jre.jar.sha1 | 1 +
 12 files changed, 33 insertions(+), 42 deletions(-)
 delete mode 100644 plugins/discovery-azure-classic/licenses/commons-io-2.4.jar.sha1
 create mode 100644 plugins/discovery-azure-classic/licenses/commons-io-2.7.jar.sha1
 delete mode 100644 plugins/discovery-azure-classic/licenses/jackson-LICENSE
 delete mode 100644 plugins/discovery-azure-classic/licenses/jackson-NOTICE
 delete mode 100644 plugins/discovery-azure-classic/licenses/jackson-core-asl-1.9.2.jar.sha1
 delete mode 100644 plugins/discovery-azure-classic/licenses/jackson-jaxrs-1.9.2.jar.sha1
 delete mode 100644 plugins/discovery-azure-classic/licenses/jackson-mapper-asl-1.9.2.jar.sha1
 delete mode 100644 plugins/discovery-azure-classic/licenses/jackson-xc-1.9.2.jar.sha1
 delete mode 100644 plugins/repository-azure/licenses/guava-20.0.jar.sha1
 create mode 100644 plugins/repository-azure/licenses/guava-30.1.1-jre.jar.sha1
diff --git a/plugins/discovery-azure-classic/build.gradle b/plugins/discovery-azure-classic/build.gradle
index 854931c0b87..b340823fa24 100644
--- a/plugins/discovery-azure-classic/build.gradle
+++ b/plugins/discovery-azure-classic/build.gradle
@@ -53,7 +53,7 @@ dependencies {
 api "org.apache.logging.log4j:log4j-1.2-api:${versions.log4j}"
 api "commons-codec:commons-codec:${versions.commonscodec}"
 api "commons-lang:commons-lang:2.6"
- api "commons-io:commons-io:2.4"
+ api "commons-io:commons-io:2.7"
 api 'javax.mail:mail:1.4.5'
 api 'javax.inject:javax.inject:1'
 api "com.sun.jersey:jersey-client:${versions.jersey}"
@@ -61,10 +61,6 @@ dependencies {
 api "com.sun.jersey:jersey-json:${versions.jersey}"
 api 'org.codehaus.jettison:jettison:1.1'
 api 'com.sun.xml.bind:jaxb-impl:2.2.3-1'
- api 'org.codehaus.jackson:jackson-core-asl:1.9.2'
- api 'org.codehaus.jackson:jackson-mapper-asl:1.9.2'
- api 'org.codehaus.jackson:jackson-jaxrs:1.9.2'
- api 'org.codehaus.jackson:jackson-xc:1.9.2'
 // HACK: javax.xml.bind was removed from default modules in java 9, so we pull the api in here,
 // and whitelist this hack in JarHell
@@ -124,6 +120,7 @@ tasks.named("dependencyLicenses").configure {
 tasks.named("thirdPartyAudit").configure {
+ ignoreMissingClasses(
 'javax.servlet.ServletContextEvent',
 'javax.servlet.ServletContextListener',
@@ -156,7 +153,28 @@ tasks.named("thirdPartyAudit").configure {
 'org.osgi.framework.BundleEvent',
 'org.osgi.framework.SynchronousBundleListener',
 'com.sun.xml.fastinfoset.stax.StAXDocumentParser',
- 'com.sun.xml.fastinfoset.stax.StAXDocumentSerializer'
+ 'com.sun.xml.fastinfoset.stax.StAXDocumentSerializer',
+ 'org.codehaus.jackson.Base64Variant',
+ 'org.codehaus.jackson.JsonEncoding',
+ 'org.codehaus.jackson.JsonFactory',
+ 'org.codehaus.jackson.JsonGenerator',
+ 'org.codehaus.jackson.JsonGenerator$Feature',
+ 'org.codehaus.jackson.JsonLocation',
+ 'org.codehaus.jackson.JsonNode',
+ 'org.codehaus.jackson.JsonParser',
+ 'org.codehaus.jackson.JsonParser$Feature',
+ 'org.codehaus.jackson.JsonParser$NumberType',
+ 'org.codehaus.jackson.JsonStreamContext',
+ 'org.codehaus.jackson.JsonToken',
+ 'org.codehaus.jackson.ObjectCodec',
+ 'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider',
+ 'org.codehaus.jackson.jaxrs.JacksonJsonProvider',
+ 'org.codehaus.jackson.map.JsonSerializableWithType',
+ 'org.codehaus.jackson.map.JsonSerializer',
+ 'org.codehaus.jackson.map.ObjectMapper',
+ 'org.codehaus.jackson.map.SerializerProvider',
+ 'org.codehaus.jackson.map.TypeSerializer',
+ 'org.codehaus.jackson.type.TypeReference'
 )
 // jarhell with jdk (intentionally, because jaxb was removed from default modules in java 9)
diff --git a/plugins/discovery-azure-classic/licenses/commons-io-2.4.jar.sha1 b/plugins/discovery-azure-classic/licenses/commons-io-2.4.jar.sha1
deleted file mode 100644
index 2f5b30d0edb..00000000000
--- a/plugins/discovery-azure-classic/licenses/commons-io-2.4.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-b1b6ea3b7e4aa4f492509a4952029cd8e48019ad
\ No newline at end of file
diff --git a/plugins/discovery-azure-classic/licenses/commons-io-2.7.jar.sha1 b/plugins/discovery-azure-classic/licenses/commons-io-2.7.jar.sha1
new file mode 100644
index 00000000000..bbb1b15dd1e
--- /dev/null
+++ b/plugins/discovery-azure-classic/licenses/commons-io-2.7.jar.sha1
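Review bot: The 21 `org.codehaus.jackson.*` entries added to `ignoreMissingClasses` in this hunk silence the third-party audit without recording which remaining jar still references Jackson 1.x or why that is safe; given the `jaxrs.JacksonJsonProvider` entries, the `jersey-json` dependency left in place by the earlier `@@ -61` hunk is the likely referrer. If any runtime path in the plugin goes through the Jersey JSON provider, the jars removed as "unused" turn a failing audit into a `NoClassDefFoundError` at request time, which is a worse place to find out. A short comment above the new entries would let the next reader check the claim, e.g. `// Jackson 1.x jars were dropped as unused; jersey-json still references these classes but this plugin does not exercise its JSON provider`, hedged if that has not been confirmed by a test. The `thirdPartyAudit` configuration block starts before this hunk.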
@@ -0,0 +1 @@
+3f2bd4ba11c4162733c13cc90ca7c7ea09967102
\ No newline at end of file
diff --git a/plugins/discovery-azure-classic/licenses/jackson-LICENSE b/plugins/discovery-azure-classic/licenses/jackson-LICENSE
deleted file mode 100644
index f5f45d26a49..00000000000
--- a/plugins/discovery-azure-classic/licenses/jackson-LICENSE
+++ /dev/null
@@ -1,8 +0,0 @@
-This copy of Jackson JSON processor streaming parser/generator is licensed under the
-Apache (Software) License, version 2.0 ("the License").
-See the License for details about distribution rights, and the
-specific rights regarding derivate works.
-
-You may obtain a copy of the License at:
-
-http://www.apache.org/licenses/LICENSE-2.0
diff --git a/plugins/discovery-azure-classic/licenses/jackson-NOTICE b/plugins/discovery-azure-classic/licenses/jackson-NOTICE
deleted file mode 100644
index 4c976b7b4cc..00000000000
--- a/plugins/discovery-azure-classic/licenses/jackson-NOTICE
+++ /dev/null
@@ -1,20 +0,0 @@
-# Jackson JSON processor
-
-Jackson is a high-performance, Free/Open Source JSON processing library.
-It was originally written by Tatu Saloranta (tatu.saloranta@iki.fi), and has
-been in development since 2007.
-It is currently developed by a community of developers, as well as supported
-commercially by FasterXML.com.
-
-## Licensing
-
-Jackson core and extension components may licensed under different licenses.
-To find the details that apply to this artifact see the accompanying LICENSE file.
-For more information, including possible other licensing options, contact
-FasterXML.com (http://fasterxml.com).
-
-## Credits
-
-A list of contributors may be found from CREDITS file, which is included
-in some artifacts (usually source distributions); but is always available
-from the source code management (SCM) system project uses.
diff --git a/plugins/discovery-azure-classic/licenses/jackson-core-asl-1.9.2.jar.sha1 b/plugins/discovery-azure-classic/licenses/jackson-core-asl-1.9.2.jar.sha1
deleted file mode 100644
index a608bd15e21..00000000000
--- a/plugins/discovery-azure-classic/licenses/jackson-core-asl-1.9.2.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-8493982bba1727106d767034bd0d8e77bc1931a9
diff --git a/plugins/discovery-azure-classic/licenses/jackson-jaxrs-1.9.2.jar.sha1 b/plugins/discovery-azure-classic/licenses/jackson-jaxrs-1.9.2.jar.sha1
deleted file mode 100644
index a3dc0aafa18..00000000000
--- a/plugins/discovery-azure-classic/licenses/jackson-jaxrs-1.9.2.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-aedf43f1d5005561e531b6bf0d067e4d20f58aba
diff --git a/plugins/discovery-azure-classic/licenses/jackson-mapper-asl-1.9.2.jar.sha1 b/plugins/discovery-azure-classic/licenses/jackson-mapper-asl-1.9.2.jar.sha1
deleted file mode 100644
index fd885047f20..00000000000
--- a/plugins/discovery-azure-classic/licenses/jackson-mapper-asl-1.9.2.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-95400a7922ce75383866eb72f6ef4a7897923945
diff --git a/plugins/discovery-azure-classic/licenses/jackson-xc-1.9.2.jar.sha1 b/plugins/discovery-azure-classic/licenses/jackson-xc-1.9.2.jar.sha1
deleted file mode 100644
index f823e612658..00000000000
--- a/plugins/discovery-azure-classic/licenses/jackson-xc-1.9.2.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-437c991a8eb2c8b69ef1dba2eba27fccb9b98448
diff --git a/plugins/repository-azure/build.gradle b/plugins/repository-azure/build.gradle
index a3a541adceb..bf12348e25e 100644
--- a/plugins/repository-azure/build.gradle
+++ b/plugins/repository-azure/build.gradle
@@ -46,7 +46,7 @@ opensearchplugin {
 dependencies {
 api 'com.microsoft.azure:azure-storage:8.6.2'
 api 'com.microsoft.azure:azure-keyvault-core:1.0.0'
- runtimeOnly 'com.google.guava:guava:20.0'
+ runtimeOnly 'com.google.guava:guava:30.1.1-jre'
 api 'org.apache.commons:commons-lang3:3.4'
 testImplementation project(':test:fixtures:azure-fixture')
 }
@@ -69,7 +69,9 @@ thirdPartyAudit {
 ignoreMissingClasses(
 // Optional and not enabled by Elasticsearch
 'org.slf4j.Logger',
- 'org.slf4j.LoggerFactory'
+ 'org.slf4j.LoggerFactory',
+ 'com.google.common.util.concurrent.internal.InternalFutureFailureAccess',
+ 'com.google.common.util.concurrent.internal.InternalFutures'
 )
 ignoreViolations(
@@ -77,6 +79,9 @@ thirdPartyAudit {
 'com.google.common.cache.Striped64',
 'com.google.common.cache.Striped64$1',
 'com.google.common.cache.Striped64$Cell',
+ 'com.google.common.hash.Striped64',
+ 'com.google.common.hash.Striped64$1',
+ 'com.google.common.hash.Striped64$Cell',
 'com.google.common.hash.LittleEndianByteArray$UnsafeByteArray$1',
 'com.google.common.hash.LittleEndianByteArray$UnsafeByteArray$2',
 'com.google.common.hash.LittleEndianByteArray$UnsafeByteArray$3',
diff --git a/plugins/repository-azure/licenses/guava-20.0.jar.sha1 b/plugins/repository-azure/licenses/guava-20.0.jar.sha1
deleted file mode 100644
index 7b6ae09060b..00000000000
--- a/plugins/repository-azure/licenses/guava-20.0.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-89507701249388e1ed5ddcf8c41f4ce1be7831ef
\ No newline at end of file
diff --git a/plugins/repository-azure/licenses/guava-30.1.1-jre.jar.sha1 b/plugins/repository-azure/licenses/guava-30.1.1-jre.jar.sha1
new file mode 100644
index 00000000000..39e641fc783
--- /dev/null
+++ b/plugins/repository-azure/licenses/guava-30.1.1-jre.jar.sha1
@@ -0,0 +1 @@
+87e0fd1df874ea3cbe577702fe6f17068b790fd8
\ No newline at end of file
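Review bot: Adding `com.google.common.util.concurrent.internal.InternalFutureFailureAccess` and `InternalFutures` to `ignoreMissingClasses` in the `@@ -69` hunk papers over a real classpath gap rather than an optional feature: since Guava 27 those classes live in the separate `failureaccess` artifact that Guava declares as a dependency, and Guava's `AbstractFuture` extends `InternalFutureFailureAccess`, so if `azure-storage` ever materialises a Guava `ListenableFuture` at runtime the result is a `NoClassDefFoundError` of exactly the kind the audit exists to catch. Either bundle the `failureaccess` artifact that Guava 30.1.1-jre depends on as a second `runtimeOnly` entry with its own sha1 and license files, or record why those futures are unreachable from this plugin, e.g. `// failureaccess is not bundled: the azure-storage code paths used by this plugin never create Guava futures`. Which of the two applies depends on azure-storage 8.6.2 internals not visible in this diff. The `com.google.common.hash.Striped64` violations added in the last hunk mirror the existing cache-package entries and look fine.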