[CVE] Upgrade dependencies for Azure related plugins to mitigate CVEs (#688)

* Update commons-io-2.4.jar to 2.7 for plugins/discovery-azure-classic module * Remove unused jackson dependency and respective LICENSE and NOTICE * Update guava dependency to mitigate CVE for repository-azure plugin Signed-off-by: Abbas Hussain <abbas_10690@yahoo.com>
2021-05-25 14:57:36 -07:00 · 2021-05-25 14:57:36 -07:00 · 3e92821c82
parent 381b76eaa9
commit 3e92821c82
12 changed files with 33 additions and 42 deletions
--- a/plugins/discovery-azure-classic/build.gradle
+++ b/plugins/discovery-azure-classic/build.gradle
@ -53,7 +53,7 @@ dependencies {
  api "org.apache.logging.log4j:log4j-1.2-api:${versions.log4j}"
  api "commons-codec:commons-codec:${versions.commonscodec}"
  api "commons-lang:commons-lang:2.6"
-  api "commons-io:commons-io:2.4"
+  api "commons-io:commons-io:2.7"
  api 'javax.mail:mail:1.4.5'
  api 'javax.inject:javax.inject:1'
  api "com.sun.jersey:jersey-client:${versions.jersey}"
@ -61,10 +61,6 @@ dependencies {
  api "com.sun.jersey:jersey-json:${versions.jersey}"
  api 'org.codehaus.jettison:jettison:1.1'
  api 'com.sun.xml.bind:jaxb-impl:2.2.3-1'
-  api 'org.codehaus.jackson:jackson-core-asl:1.9.2'
-  api 'org.codehaus.jackson:jackson-mapper-asl:1.9.2'
-  api 'org.codehaus.jackson:jackson-jaxrs:1.9.2'
-  api 'org.codehaus.jackson:jackson-xc:1.9.2'

  // HACK: javax.xml.bind was removed from default modules in java 9, so we pull the api in here,
  // and whitelist this hack in JarHell
@ -124,6 +120,7 @@ tasks.named("dependencyLicenses").configure {


 tasks.named("thirdPartyAudit").configure {
+
  ignoreMissingClasses(
  'javax.servlet.ServletContextEvent',
  'javax.servlet.ServletContextListener',
@ -156,7 +153,28 @@ tasks.named("thirdPartyAudit").configure {
  'org.osgi.framework.BundleEvent',
  'org.osgi.framework.SynchronousBundleListener',
  'com.sun.xml.fastinfoset.stax.StAXDocumentParser',
-  'com.sun.xml.fastinfoset.stax.StAXDocumentSerializer'
+  'com.sun.xml.fastinfoset.stax.StAXDocumentSerializer',
+  'org.codehaus.jackson.Base64Variant',
+  'org.codehaus.jackson.JsonEncoding',
+  'org.codehaus.jackson.JsonFactory',
+  'org.codehaus.jackson.JsonGenerator',
+  'org.codehaus.jackson.JsonGenerator$Feature',
+  'org.codehaus.jackson.JsonLocation',
+  'org.codehaus.jackson.JsonNode',
+  'org.codehaus.jackson.JsonParser',
+  'org.codehaus.jackson.JsonParser$Feature',
+  'org.codehaus.jackson.JsonParser$NumberType',
+  'org.codehaus.jackson.JsonStreamContext',
+  'org.codehaus.jackson.JsonToken',
+  'org.codehaus.jackson.ObjectCodec',
+  'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider',
+  'org.codehaus.jackson.jaxrs.JacksonJsonProvider',
+  'org.codehaus.jackson.map.JsonSerializableWithType',
+  'org.codehaus.jackson.map.JsonSerializer',
+  'org.codehaus.jackson.map.ObjectMapper',
+  'org.codehaus.jackson.map.SerializerProvider',
+  'org.codehaus.jackson.map.TypeSerializer',
+  'org.codehaus.jackson.type.TypeReference'
 )

 // jarhell with jdk (intentionally, because jaxb was removed from default modules in java 9)
--- a/plugins/discovery-azure-classic/licenses/commons-io-2.4.jar.sha1
+++ b/plugins/discovery-azure-classic/licenses/commons-io-2.4.jar.sha1
@ -1 +0,0 @@
-b1b6ea3b7e4aa4f492509a4952029cd8e48019ad
--- a/plugins/discovery-azure-classic/licenses/commons-io-2.7.jar.sha1
+++ b/plugins/discovery-azure-classic/licenses/commons-io-2.7.jar.sha1
@ -0,0 +1 @@
+3f2bd4ba11c4162733c13cc90ca7c7ea09967102
--- a/plugins/discovery-azure-classic/licenses/jackson-LICENSE
+++ b/plugins/discovery-azure-classic/licenses/jackson-LICENSE
@ -1,8 +0,0 @@
-This copy of Jackson JSON processor streaming parser/generator is licensed under the
-Apache (Software) License, version 2.0 ("the License").
-See the License for details about distribution rights, and the
-specific rights regarding derivate works.
-
-You may obtain a copy of the License at:
-
-http://www.apache.org/licenses/LICENSE-2.0
--- a/plugins/discovery-azure-classic/licenses/jackson-NOTICE
+++ b/plugins/discovery-azure-classic/licenses/jackson-NOTICE
@ -1,20 +0,0 @@
-# Jackson JSON processor
-
-Jackson is a high-performance, Free/Open Source JSON processing library.
-It was originally written by Tatu Saloranta (tatu.saloranta@iki.fi), and has
-been in development since 2007.
-It is currently developed by a community of developers, as well as supported
-commercially by FasterXML.com.
-
-## Licensing
-
-Jackson core and extension components may licensed under different licenses.
-To find the details that apply to this artifact see the accompanying LICENSE file.
-For more information, including possible other licensing options, contact
-FasterXML.com (http://fasterxml.com).
-
-## Credits
-
-A list of contributors may be found from CREDITS file, which is included
-in some artifacts (usually source distributions); but is always available
-from the source code management (SCM) system project uses.
--- a/plugins/discovery-azure-classic/licenses/jackson-core-asl-1.9.2.jar.sha1
+++ b/plugins/discovery-azure-classic/licenses/jackson-core-asl-1.9.2.jar.sha1
@ -1 +0,0 @@
-8493982bba1727106d767034bd0d8e77bc1931a9
--- a/plugins/discovery-azure-classic/licenses/jackson-jaxrs-1.9.2.jar.sha1
+++ b/plugins/discovery-azure-classic/licenses/jackson-jaxrs-1.9.2.jar.sha1
@ -1 +0,0 @@
-aedf43f1d5005561e531b6bf0d067e4d20f58aba
--- a/plugins/discovery-azure-classic/licenses/jackson-mapper-asl-1.9.2.jar.sha1
+++ b/plugins/discovery-azure-classic/licenses/jackson-mapper-asl-1.9.2.jar.sha1
@ -1 +0,0 @@
-95400a7922ce75383866eb72f6ef4a7897923945
--- a/plugins/discovery-azure-classic/licenses/jackson-xc-1.9.2.jar.sha1
+++ b/plugins/discovery-azure-classic/licenses/jackson-xc-1.9.2.jar.sha1
@ -1 +0,0 @@
-437c991a8eb2c8b69ef1dba2eba27fccb9b98448
--- a/plugins/repository-azure/build.gradle
+++ b/plugins/repository-azure/build.gradle
@ -46,7 +46,7 @@ opensearchplugin {
 dependencies {
  api 'com.microsoft.azure:azure-storage:8.6.2'
  api 'com.microsoft.azure:azure-keyvault-core:1.0.0'
-  runtimeOnly 'com.google.guava:guava:20.0'
+  runtimeOnly 'com.google.guava:guava:30.1.1-jre'
  api 'org.apache.commons:commons-lang3:3.4'
  testImplementation project(':test:fixtures:azure-fixture')
 }
@ -69,7 +69,9 @@ thirdPartyAudit {
  ignoreMissingClasses(
    // Optional and not enabled by Elasticsearch
    'org.slf4j.Logger',
-    'org.slf4j.LoggerFactory'
+    'org.slf4j.LoggerFactory',
+    'com.google.common.util.concurrent.internal.InternalFutureFailureAccess',
+    'com.google.common.util.concurrent.internal.InternalFutures'
  )

  ignoreViolations(
@ -77,6 +79,9 @@ thirdPartyAudit {
    'com.google.common.cache.Striped64',
    'com.google.common.cache.Striped64$1',
    'com.google.common.cache.Striped64$Cell',
+    'com.google.common.hash.Striped64',
+    'com.google.common.hash.Striped64$1',
+    'com.google.common.hash.Striped64$Cell',
    'com.google.common.hash.LittleEndianByteArray$UnsafeByteArray$1',
    'com.google.common.hash.LittleEndianByteArray$UnsafeByteArray$2',
    'com.google.common.hash.LittleEndianByteArray$UnsafeByteArray$3',
--- a/plugins/repository-azure/licenses/guava-20.0.jar.sha1
+++ b/plugins/repository-azure/licenses/guava-20.0.jar.sha1
@ -1 +0,0 @@
-89507701249388e1ed5ddcf8c41f4ce1be7831ef
--- a/plugins/repository-azure/licenses/guava-30.1.1-jre.jar.sha1
+++ b/plugins/repository-azure/licenses/guava-30.1.1-jre.jar.sha1
@ -0,0 +1 @@
+87e0fd1df874ea3cbe577702fe6f17068b790fd8