[CVE] Upgrade dependencies for Azure related plugins to mitigate CVEs (#688)
* Update commons-io-2.4.jar to 2.7 for plugins/discovery-azure-classic module * Remove unused jackson dependency and respective LICENSE and NOTICE * Update guava dependency to mitigate CVE for repository-azure plugin Signed-off-by: Abbas Hussain <abbas_10690@yahoo.com>
This commit is contained in:
parent
381b76eaa9
commit
3e92821c82
|
@ -53,7 +53,7 @@ dependencies {
|
||||||
api "org.apache.logging.log4j:log4j-1.2-api:${versions.log4j}"
|
api "org.apache.logging.log4j:log4j-1.2-api:${versions.log4j}"
|
||||||
api "commons-codec:commons-codec:${versions.commonscodec}"
|
api "commons-codec:commons-codec:${versions.commonscodec}"
|
||||||
api "commons-lang:commons-lang:2.6"
|
api "commons-lang:commons-lang:2.6"
|
||||||
api "commons-io:commons-io:2.4"
|
api "commons-io:commons-io:2.7"
|
||||||
api 'javax.mail:mail:1.4.5'
|
api 'javax.mail:mail:1.4.5'
|
||||||
api 'javax.inject:javax.inject:1'
|
api 'javax.inject:javax.inject:1'
|
||||||
api "com.sun.jersey:jersey-client:${versions.jersey}"
|
api "com.sun.jersey:jersey-client:${versions.jersey}"
|
||||||
|
@ -61,10 +61,6 @@ dependencies {
|
||||||
api "com.sun.jersey:jersey-json:${versions.jersey}"
|
api "com.sun.jersey:jersey-json:${versions.jersey}"
|
||||||
api 'org.codehaus.jettison:jettison:1.1'
|
api 'org.codehaus.jettison:jettison:1.1'
|
||||||
api 'com.sun.xml.bind:jaxb-impl:2.2.3-1'
|
api 'com.sun.xml.bind:jaxb-impl:2.2.3-1'
|
||||||
api 'org.codehaus.jackson:jackson-core-asl:1.9.2'
|
|
||||||
api 'org.codehaus.jackson:jackson-mapper-asl:1.9.2'
|
|
||||||
api 'org.codehaus.jackson:jackson-jaxrs:1.9.2'
|
|
||||||
api 'org.codehaus.jackson:jackson-xc:1.9.2'
|
|
||||||
|
|
||||||
// HACK: javax.xml.bind was removed from default modules in java 9, so we pull the api in here,
|
// HACK: javax.xml.bind was removed from default modules in java 9, so we pull the api in here,
|
||||||
// and whitelist this hack in JarHell
|
// and whitelist this hack in JarHell
|
||||||
|
@ -124,6 +120,7 @@ tasks.named("dependencyLicenses").configure {
|
||||||
|
|
||||||
|
|
||||||
tasks.named("thirdPartyAudit").configure {
|
tasks.named("thirdPartyAudit").configure {
|
||||||
|
|
||||||
ignoreMissingClasses(
|
ignoreMissingClasses(
|
||||||
'javax.servlet.ServletContextEvent',
|
'javax.servlet.ServletContextEvent',
|
||||||
'javax.servlet.ServletContextListener',
|
'javax.servlet.ServletContextListener',
|
||||||
|
@ -156,7 +153,28 @@ tasks.named("thirdPartyAudit").configure {
|
||||||
'org.osgi.framework.BundleEvent',
|
'org.osgi.framework.BundleEvent',
|
||||||
'org.osgi.framework.SynchronousBundleListener',
|
'org.osgi.framework.SynchronousBundleListener',
|
||||||
'com.sun.xml.fastinfoset.stax.StAXDocumentParser',
|
'com.sun.xml.fastinfoset.stax.StAXDocumentParser',
|
||||||
'com.sun.xml.fastinfoset.stax.StAXDocumentSerializer'
|
'com.sun.xml.fastinfoset.stax.StAXDocumentSerializer',
|
||||||
|
'org.codehaus.jackson.Base64Variant',
|
||||||
|
'org.codehaus.jackson.JsonEncoding',
|
||||||
|
'org.codehaus.jackson.JsonFactory',
|
||||||
|
'org.codehaus.jackson.JsonGenerator',
|
||||||
|
'org.codehaus.jackson.JsonGenerator$Feature',
|
||||||
|
'org.codehaus.jackson.JsonLocation',
|
||||||
|
'org.codehaus.jackson.JsonNode',
|
||||||
|
'org.codehaus.jackson.JsonParser',
|
||||||
|
'org.codehaus.jackson.JsonParser$Feature',
|
||||||
|
'org.codehaus.jackson.JsonParser$NumberType',
|
||||||
|
'org.codehaus.jackson.JsonStreamContext',
|
||||||
|
'org.codehaus.jackson.JsonToken',
|
||||||
|
'org.codehaus.jackson.ObjectCodec',
|
||||||
|
'org.codehaus.jackson.jaxrs.JacksonJaxbJsonProvider',
|
||||||
|
'org.codehaus.jackson.jaxrs.JacksonJsonProvider',
|
||||||
|
'org.codehaus.jackson.map.JsonSerializableWithType',
|
||||||
|
'org.codehaus.jackson.map.JsonSerializer',
|
||||||
|
'org.codehaus.jackson.map.ObjectMapper',
|
||||||
|
'org.codehaus.jackson.map.SerializerProvider',
|
||||||
|
'org.codehaus.jackson.map.TypeSerializer',
|
||||||
|
'org.codehaus.jackson.type.TypeReference'
|
||||||
)
|
)
|
||||||
|
|
||||||
// jarhell with jdk (intentionally, because jaxb was removed from default modules in java 9)
|
// jarhell with jdk (intentionally, because jaxb was removed from default modules in java 9)
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
b1b6ea3b7e4aa4f492509a4952029cd8e48019ad
|
|
|
@ -0,0 +1 @@
|
||||||
|
3f2bd4ba11c4162733c13cc90ca7c7ea09967102
|
|
@ -1,8 +0,0 @@
|
||||||
This copy of Jackson JSON processor streaming parser/generator is licensed under the
|
|
||||||
Apache (Software) License, version 2.0 ("the License").
|
|
||||||
See the License for details about distribution rights, and the
|
|
||||||
specific rights regarding derivate works.
|
|
||||||
|
|
||||||
You may obtain a copy of the License at:
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
@ -1,20 +0,0 @@
|
||||||
# Jackson JSON processor
|
|
||||||
|
|
||||||
Jackson is a high-performance, Free/Open Source JSON processing library.
|
|
||||||
It was originally written by Tatu Saloranta (tatu.saloranta@iki.fi), and has
|
|
||||||
been in development since 2007.
|
|
||||||
It is currently developed by a community of developers, as well as supported
|
|
||||||
commercially by FasterXML.com.
|
|
||||||
|
|
||||||
## Licensing
|
|
||||||
|
|
||||||
Jackson core and extension components may licensed under different licenses.
|
|
||||||
To find the details that apply to this artifact see the accompanying LICENSE file.
|
|
||||||
For more information, including possible other licensing options, contact
|
|
||||||
FasterXML.com (http://fasterxml.com).
|
|
||||||
|
|
||||||
## Credits
|
|
||||||
|
|
||||||
A list of contributors may be found from CREDITS file, which is included
|
|
||||||
in some artifacts (usually source distributions); but is always available
|
|
||||||
from the source code management (SCM) system project uses.
|
|
|
@ -1 +0,0 @@
|
||||||
8493982bba1727106d767034bd0d8e77bc1931a9
|
|
|
@ -1 +0,0 @@
|
||||||
aedf43f1d5005561e531b6bf0d067e4d20f58aba
|
|
|
@ -1 +0,0 @@
|
||||||
95400a7922ce75383866eb72f6ef4a7897923945
|
|
|
@ -1 +0,0 @@
|
||||||
437c991a8eb2c8b69ef1dba2eba27fccb9b98448
|
|
|
@ -46,7 +46,7 @@ opensearchplugin {
|
||||||
dependencies {
|
dependencies {
|
||||||
api 'com.microsoft.azure:azure-storage:8.6.2'
|
api 'com.microsoft.azure:azure-storage:8.6.2'
|
||||||
api 'com.microsoft.azure:azure-keyvault-core:1.0.0'
|
api 'com.microsoft.azure:azure-keyvault-core:1.0.0'
|
||||||
runtimeOnly 'com.google.guava:guava:20.0'
|
runtimeOnly 'com.google.guava:guava:30.1.1-jre'
|
||||||
api 'org.apache.commons:commons-lang3:3.4'
|
api 'org.apache.commons:commons-lang3:3.4'
|
||||||
testImplementation project(':test:fixtures:azure-fixture')
|
testImplementation project(':test:fixtures:azure-fixture')
|
||||||
}
|
}
|
||||||
|
@ -69,7 +69,9 @@ thirdPartyAudit {
|
||||||
ignoreMissingClasses(
|
ignoreMissingClasses(
|
||||||
// Optional and not enabled by Elasticsearch
|
// Optional and not enabled by Elasticsearch
|
||||||
'org.slf4j.Logger',
|
'org.slf4j.Logger',
|
||||||
'org.slf4j.LoggerFactory'
|
'org.slf4j.LoggerFactory',
|
||||||
|
'com.google.common.util.concurrent.internal.InternalFutureFailureAccess',
|
||||||
|
'com.google.common.util.concurrent.internal.InternalFutures'
|
||||||
)
|
)
|
||||||
|
|
||||||
ignoreViolations(
|
ignoreViolations(
|
||||||
|
@ -77,6 +79,9 @@ thirdPartyAudit {
|
||||||
'com.google.common.cache.Striped64',
|
'com.google.common.cache.Striped64',
|
||||||
'com.google.common.cache.Striped64$1',
|
'com.google.common.cache.Striped64$1',
|
||||||
'com.google.common.cache.Striped64$Cell',
|
'com.google.common.cache.Striped64$Cell',
|
||||||
|
'com.google.common.hash.Striped64',
|
||||||
|
'com.google.common.hash.Striped64$1',
|
||||||
|
'com.google.common.hash.Striped64$Cell',
|
||||||
'com.google.common.hash.LittleEndianByteArray$UnsafeByteArray$1',
|
'com.google.common.hash.LittleEndianByteArray$UnsafeByteArray$1',
|
||||||
'com.google.common.hash.LittleEndianByteArray$UnsafeByteArray$2',
|
'com.google.common.hash.LittleEndianByteArray$UnsafeByteArray$2',
|
||||||
'com.google.common.hash.LittleEndianByteArray$UnsafeByteArray$3',
|
'com.google.common.hash.LittleEndianByteArray$UnsafeByteArray$3',
|
||||||
|
|
|
@ -1 +0,0 @@
|
||||||
89507701249388e1ed5ddcf8c41f4ce1be7831ef
|
|
|
@ -0,0 +1 @@
|
||||||
|
87e0fd1df874ea3cbe577702fe6f17068b790fd8
|
Loading…
Reference in New Issue