[CVE] Upgrade dependencies for Azure related plugins to mitigate CVEs (#688) (#771)

* Update commons-io-2.4.jar to 2.7 for plugins/discovery-azure-classic module
* Remove unused jackson dependency and respective LICENSE and NOTICE
* Update guava dependency to mitigate CVE for repository-azure plugin

Signed-off-by: Abbas Hussain <abbas_10690@yahoo.com>
This commit is contained in:
Abbas Hussain 2021-05-25 16:22:26 -07:00 committed by GitHub
parent 69403283bd
commit 3cc8ab0d30
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 33 additions and 42 deletions

View File

@ -53,7 +53,7 @@ dependencies {
api "org.apache.logging.log4j:log4j-1.2-api:${versions.log4j}" api "org.apache.logging.log4j:log4j-1.2-api:${versions.log4j}"
api "commons-codec:commons-codec:${versions.commonscodec}" api "commons-codec:commons-codec:${versions.commonscodec}"
api "commons-lang:commons-lang:2.6" api "commons-lang:commons-lang:2.6"
api "commons-io:commons-io:2.4" api "commons-io:commons-io:2.7"
api 'javax.mail:mail:1.4.5' api 'javax.mail:mail:1.4.5'
api 'javax.inject:javax.inject:1' api 'javax.inject:javax.inject:1'
api "com.sun.jersey:jersey-client:${versions.jersey}" api "com.sun.jersey:jersey-client:${versions.jersey}"
@ -61,10 +61,6 @@ dependencies {
api "com.sun.jersey:jersey-json:${versions.jersey}" api "com.sun.jersey:jersey-json:${versions.jersey}"
api 'org.codehaus.jettison:jettison:1.1' api 'org.codehaus.jettison:jettison:1.1'
api 'com.sun.xml.bind:jaxb-impl:2.2.3-1' api 'com.sun.xml.bind:jaxb-impl:2.2.3-1'
api 'org.codehaus.jackson:jackson-core-asl:1.9.2'
api 'org.codehaus.jackson:jackson-mapper-asl:1.9.2'
api 'org.codehaus.jackson:jackson-jaxrs:1.9.2'
api 'org.codehaus.jackson:jackson-xc:1.9.2'
// HACK: javax.xml.bind was removed from default modules in java 9, so we pull the api in here, // HACK: javax.xml.bind was removed from default modules in java 9, so we pull the api in here,
// and whitelist this hack in JarHell // and whitelist this hack in JarHell
@ -124,6 +120,7 @@ tasks.named("dependencyLicenses").configure {
tasks.named("thirdPartyAudit").configure { tasks.named("thirdPartyAudit").configure {
ignoreMissingClasses( ignoreMissingClasses(
'javax.servlet.ServletContextEvent', 'javax.servlet.ServletContextEvent',
'javax.servlet.ServletContextListener', 'javax.servlet.ServletContextListener',
@ -156,7 +153,28 @@ tasks.named("thirdPartyAudit").configure {
'org.osgi.framework.BundleEvent', 'org.osgi.framework.BundleEvent',
'org.osgi.framework.SynchronousBundleListener', 'org.osgi.framework.SynchronousBundleListener',
'com.sun.xml.fastinfoset.stax.StAXDocumentParser', 'com.sun.xml.fastinfoset.stax.StAXDocumentParser',
'com.sun.xml.fastinfoset.stax.StAXDocumentSerializer' 'com.sun.xml.fastinfoset.stax.StAXDocumentSerializer',
'org.codehaus.jackson.Base64Variant',
'org.codehaus.jackson.JsonEncoding',
'org.codehaus.jackson.JsonFactory',
'org.codehaus.jackson.JsonGenerator',
'org.codehaus.jackson.JsonGenerator$Feature',
'org.codehaus.jackson.JsonLocation',
'org.codehaus.jackson.JsonNode',
'org.codehaus.jackson.JsonParser',
'org.codehaus.jackson.JsonParser$Feature',
'org.codehaus.jackson.JsonParser$NumberType',
'org.codehaus.jackson.JsonStreamContext',
'org.codehaus.jackson.JsonToken',
'org.codehaus.jackson.ObjectCodec',
'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider',
'org.codehaus.jackson.jaxrs.JacksonJsonProvider',
'org.codehaus.jackson.map.JsonSerializableWithType',
'org.codehaus.jackson.map.JsonSerializer',
'org.codehaus.jackson.map.ObjectMapper',
'org.codehaus.jackson.map.SerializerProvider',
'org.codehaus.jackson.map.TypeSerializer',
'org.codehaus.jackson.type.TypeReference'
) )
// jarhell with jdk (intentionally, because jaxb was removed from default modules in java 9) // jarhell with jdk (intentionally, because jaxb was removed from default modules in java 9)

View File

@ -1 +0,0 @@
b1b6ea3b7e4aa4f492509a4952029cd8e48019ad

View File

@ -0,0 +1 @@
3f2bd4ba11c4162733c13cc90ca7c7ea09967102

View File

@ -1,8 +0,0 @@
This copy of Jackson JSON processor streaming parser/generator is licensed under the
Apache (Software) License, version 2.0 ("the License").
See the License for details about distribution rights, and the
specific rights regarding derivate works.
You may obtain a copy of the License at:
http://www.apache.org/licenses/LICENSE-2.0

View File

@ -1,20 +0,0 @@
# Jackson JSON processor
Jackson is a high-performance, Free/Open Source JSON processing library.
It was originally written by Tatu Saloranta (tatu.saloranta@iki.fi), and has
been in development since 2007.
It is currently developed by a community of developers, as well as supported
commercially by FasterXML.com.
## Licensing
Jackson core and extension components may licensed under different licenses.
To find the details that apply to this artifact see the accompanying LICENSE file.
For more information, including possible other licensing options, contact
FasterXML.com (http://fasterxml.com).
## Credits
A list of contributors may be found from CREDITS file, which is included
in some artifacts (usually source distributions); but is always available
from the source code management (SCM) system project uses.

View File

@ -1 +0,0 @@
8493982bba1727106d767034bd0d8e77bc1931a9

View File

@ -1 +0,0 @@
aedf43f1d5005561e531b6bf0d067e4d20f58aba

View File

@ -1 +0,0 @@
95400a7922ce75383866eb72f6ef4a7897923945

View File

@ -1 +0,0 @@
437c991a8eb2c8b69ef1dba2eba27fccb9b98448

View File

@ -46,7 +46,7 @@ opensearchplugin {
dependencies { dependencies {
api 'com.microsoft.azure:azure-storage:8.6.2' api 'com.microsoft.azure:azure-storage:8.6.2'
api 'com.microsoft.azure:azure-keyvault-core:1.0.0' api 'com.microsoft.azure:azure-keyvault-core:1.0.0'
runtimeOnly 'com.google.guava:guava:20.0' runtimeOnly 'com.google.guava:guava:30.1.1-jre'
api 'org.apache.commons:commons-lang3:3.4' api 'org.apache.commons:commons-lang3:3.4'
testImplementation project(':test:fixtures:azure-fixture') testImplementation project(':test:fixtures:azure-fixture')
} }
@ -69,7 +69,9 @@ thirdPartyAudit {
ignoreMissingClasses( ignoreMissingClasses(
// Optional and not enabled by Elasticsearch // Optional and not enabled by Elasticsearch
'org.slf4j.Logger', 'org.slf4j.Logger',
'org.slf4j.LoggerFactory' 'org.slf4j.LoggerFactory',
'com.google.common.util.concurrent.internal.InternalFutureFailureAccess',
'com.google.common.util.concurrent.internal.InternalFutures'
) )
ignoreViolations( ignoreViolations(
@ -77,6 +79,9 @@ thirdPartyAudit {
'com.google.common.cache.Striped64', 'com.google.common.cache.Striped64',
'com.google.common.cache.Striped64$1', 'com.google.common.cache.Striped64$1',
'com.google.common.cache.Striped64$Cell', 'com.google.common.cache.Striped64$Cell',
'com.google.common.hash.Striped64',
'com.google.common.hash.Striped64$1',
'com.google.common.hash.Striped64$Cell',
'com.google.common.hash.LittleEndianByteArray$UnsafeByteArray$1', 'com.google.common.hash.LittleEndianByteArray$UnsafeByteArray$1',
'com.google.common.hash.LittleEndianByteArray$UnsafeByteArray$2', 'com.google.common.hash.LittleEndianByteArray$UnsafeByteArray$2',
'com.google.common.hash.LittleEndianByteArray$UnsafeByteArray$3', 'com.google.common.hash.LittleEndianByteArray$UnsafeByteArray$3',

View File

@ -1 +0,0 @@
89507701249388e1ed5ddcf8c41f4ce1be7831ef

View File

@ -0,0 +1 @@
87e0fd1df874ea3cbe577702fe6f17068b790fd8