[CVE] Upgrade dependencies to mitigate CVEs (#657)

This PR upgrade the following dependencies to fix CVEs.

- commons-codec:1.12 (->1.13) apache/commons-codec@48b6157
- ant:1.10.8 (->1.10.9) https://ant.apache.org/security.html
- jackson-databind:2.10.4 (->2.11.0) FasterXML/jackson-databind#2589
- jackson-dataformat-cbor:2.10.4 (->2.11.0) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28491
- apache-httpclient:4.5.10 (->4.5.13) https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-13956
- checkstyle:8.20 (->8.29) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10782
- junit:4.12 (->4.13.1) https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp
- netty:4.1.49.Final (->4.1.59) https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2

Signed-off-by: Rabi Panda <adnapibar@gmail.com>

buildSrc/build.gradle

@@ -101,9 +101,9 @@ dependencies {
 
   api localGroovy()
 
-  api 'commons-codec:commons-codec:1.12'
+  api 'commons-codec:commons-codec:1.13'
   api 'org.apache.commons:commons-compress:1.19'
-  api 'org.apache.ant:ant:1.10.8'
+  api 'org.apache.ant:ant:1.10.9'
   api 'com.netflix.nebula:gradle-extra-configurations-plugin:3.0.3'
   api 'com.netflix.nebula:nebula-publishing-plugin:4.4.4'
   api 'com.netflix.nebula:gradle-info-plugin:7.1.3'

buildSrc/src/integTest/groovy/org/opensearch/gradle/OpenSearchTestBasePluginFuncTest.groovy

@@ -57,7 +57,7 @@ class OpenSearchTestBasePluginFuncTest extends AbstractGradleFuncTest {
             }
 
             dependencies {
-                testImplementation 'junit:junit:4.12'
+                testImplementation 'junit:junit:4.13.1'
             }
 
             tasks.named('test').configure {

buildSrc/src/main/resources/checkstyle.xml

@@ -29,15 +29,15 @@
     <property name="max" value="76"/>
   </module>
 
-  <module name="TreeWalker">
-    <!-- Its our official line length! See checkstyle_suppressions.xml for the files that don't pass this. For now we
-      suppress the check there but enforce it everywhere else. This prevents the list from getting longer even if it is
-      unfair. -->
-    <module name="LineLength">
+  <!-- Its our official line length! See checkstyle_suppressions.xml for the files that don't pass this. For now we
+    suppress the check there but enforce it everywhere else. This prevents the list from getting longer even if it is
+    unfair. -->
+  <module name="LineLength">
       <property name="max" value="140"/>
       <property name="ignorePattern" value="^ *\* *https?://[^ ]+$"/>
-    </module>
+  </module>
 
+  <module name="TreeWalker">
     <module name="AvoidStarImport" />
 
     <!-- Unused imports are forbidden -->

buildSrc/src/testKit/testingConventions/build.gradle

@@ -21,7 +21,7 @@ allprojects {
     jcenter()
   }
   dependencies {
-    testImplementation "junit:junit:4.12"
+    testImplementation "junit:junit:4.13.1"
   }
 
   ext.licenseFile = file("$buildDir/dummy/license")

buildSrc/version.properties

@@ -4,12 +4,12 @@ lucene            = 8.8.2
 bundled_jdk_vendor = adoptopenjdk
 bundled_jdk = 15.0.1+9
 
-checkstyle = 8.20
+checkstyle = 8.29
 
 # optional dependencies
 spatial4j         = 0.7
 jts               = 1.15.0
-jackson           = 2.10.4
+jackson           = 2.11.4
 snakeyaml         = 1.26
 icu4j             = 62.1
 supercsv          = 2.4.0
@@ -20,7 +20,7 @@ slf4j             = 1.6.2
 # when updating the JNA version, also update the version in buildSrc/build.gradle
 jna               = 5.5.0
 
-netty             = 4.1.49.Final
+netty             = 4.1.59.Final
 joda              = 2.10.4
 
 # when updating this version, you need to ensure compatibility with:
@@ -31,11 +31,11 @@ bouncycastle=1.64
 # test dependencies
 randomizedrunner  = 2.7.1
 junit             = 4.12
-httpclient        = 4.5.10
+httpclient        = 4.5.13
 httpcore          = 4.4.12
 httpasyncclient   = 4.1.4
 commonslogging    = 1.1.3
-commonscodec      = 1.11
+commonscodec      = 1.13
 hamcrest          = 2.1
 securemock        = 1.2
 mocksocket        = 1.2

client/rest/licenses/commons-codec-1.11.jar.sha1

@@ -1 +0,0 @@
-3acb4705652e16236558f0f4f2192cc33c3bd189

client/rest/licenses/commons-codec-1.13.jar.sha1

@@ -0,0 +1 @@
+3f18e1aa31031d89db6f01ba05d501258ce69d2c

client/rest/licenses/httpclient-4.5.10.jar.sha1

@@ -1 +0,0 @@
-7ca2e4276f4ef95e4db725a8cd4a1d1e7585b9e5

client/rest/licenses/httpclient-4.5.13.jar.sha1

@@ -0,0 +1 @@
+e5f6cae5ca7ecaac1ec2827a9e2d65ae2869cada

client/sniffer/licenses/commons-codec-1.11.jar.sha1

@@ -1 +0,0 @@
-3acb4705652e16236558f0f4f2192cc33c3bd189

client/sniffer/licenses/commons-codec-1.13.jar.sha1

@@ -0,0 +1 @@
+3f18e1aa31031d89db6f01ba05d501258ce69d2c

client/sniffer/licenses/httpclient-4.5.10.jar.sha1

@@ -1 +0,0 @@
-7ca2e4276f4ef95e4db725a8cd4a1d1e7585b9e5

client/sniffer/licenses/httpclient-4.5.13.jar.sha1

@@ -0,0 +1 @@
+e5f6cae5ca7ecaac1ec2827a9e2d65ae2869cada

client/sniffer/licenses/jackson-core-2.10.4.jar.sha1

@@ -1 +0,0 @@
-8796585e716440d6dd5128b30359932a9eb74d0d

client/sniffer/licenses/jackson-core-2.11.4.jar.sha1

@@ -0,0 +1 @@
+593f7b18bab07a76767f181e2a2336135ce82cc4

libs/x-content/licenses/jackson-core-2.10.4.jar.sha1

@@ -1 +0,0 @@
-8796585e716440d6dd5128b30359932a9eb74d0d

libs/x-content/licenses/jackson-core-2.11.4.jar.sha1

@@ -0,0 +1 @@
+593f7b18bab07a76767f181e2a2336135ce82cc4

libs/x-content/licenses/jackson-dataformat-cbor-2.10.4.jar.sha1

@@ -1 +0,0 @@
-c854bb2d46138198cb5d4aae86ef6c04b8bc1e70

libs/x-content/licenses/jackson-dataformat-cbor-2.11.4.jar.sha1

@@ -0,0 +1 @@
+67fa6a00bdc31029bf841ee97d993ef2bb530aa0

libs/x-content/licenses/jackson-dataformat-smile-2.10.4.jar.sha1

@@ -1 +0,0 @@
-c872c2e224cfdcc5481037d477f5890f05c001b4

libs/x-content/licenses/jackson-dataformat-smile-2.11.4.jar.sha1

@@ -0,0 +1 @@
+10c1faac0b0bd8545eff02599b48a149202de066

libs/x-content/licenses/jackson-dataformat-yaml-2.10.4.jar.sha1

@@ -1 +0,0 @@
-8a7f3c6b640bd89214807af6d8160b4b3b16af93

libs/x-content/licenses/jackson-dataformat-yaml-2.11.4.jar.sha1

@@ -0,0 +1 @@
+ba01014ab0228449be401975b1a7af2f3cdaf1d7

modules/ingest-geoip/licenses/jackson-annotations-2.10.4.jar.sha1

@@ -1 +0,0 @@
-6ae6028aff033f194c9710ad87c224ccaadeed6c

modules/ingest-geoip/licenses/jackson-annotations-2.11.4.jar.sha1

@@ -0,0 +1 @@
+2c3f5c079330f3a01726686a078979420f547ae4

modules/ingest-geoip/licenses/jackson-databind-2.10.4.jar.sha1

@@ -1 +0,0 @@
-76e9152e93d4cf052f93a64596f633ba5b1c8ed9

modules/ingest-geoip/licenses/jackson-databind-2.11.4.jar.sha1

@@ -0,0 +1 @@
+5d9f3d441f99d721b957e3497f0a6465c764fad4

modules/transport-netty4/licenses/netty-buffer-4.1.49.Final.jar.sha1

@@ -1 +0,0 @@
-8e819a81bca88d1e88137336f64531a53db0a4ad

modules/transport-netty4/licenses/netty-buffer-4.1.59.Final.jar.sha1

@@ -0,0 +1 @@
+a1f281008d7e9574c14d386b39b3639a240eb0d1

modules/transport-netty4/licenses/netty-codec-4.1.49.Final.jar.sha1

@@ -1 +0,0 @@
-20218de83c906348283f548c255650fd06030424

modules/transport-netty4/licenses/netty-codec-4.1.59.Final.jar.sha1

@@ -0,0 +1 @@
+5e563309b99cf55bdbecc4dab7c417a0167c31aa

modules/transport-netty4/licenses/netty-codec-http-4.1.49.Final.jar.sha1

@@ -1 +0,0 @@
-4f30dbc462b26c588dffc0eb7552caef1a0f549e

modules/transport-netty4/licenses/netty-codec-http-4.1.59.Final.jar.sha1

@@ -0,0 +1 @@
+766327d675678686a05faa446c4413d8ccb79b5c

modules/transport-netty4/licenses/netty-common-4.1.49.Final.jar.sha1

@@ -1 +0,0 @@
-927c8563a1662d869b145e70ce82ad89100f2c90

modules/transport-netty4/licenses/netty-common-4.1.59.Final.jar.sha1

@@ -0,0 +1 @@
+e8800b0c50b6743ec1c5a3713816ce58910a703a

modules/transport-netty4/licenses/netty-handler-4.1.49.Final.jar.sha1

@@ -1 +0,0 @@
-c73443adb9d085d5dc2d5b7f3bdd91d5963976f7

modules/transport-netty4/licenses/netty-handler-4.1.59.Final.jar.sha1

@@ -0,0 +1 @@
+302b4c8ca800aeddcf94401f2403114c8f5db5a5

modules/transport-netty4/licenses/netty-resolver-4.1.49.Final.jar.sha1

@@ -1 +0,0 @@
-eb81e1f0eaa99e75983bf3d28cae2b103e0f3a34

modules/transport-netty4/licenses/netty-resolver-4.1.59.Final.jar.sha1

@@ -0,0 +1 @@
+26bc136952a9f7a994dd7162f481c860275948de

modules/transport-netty4/licenses/netty-transport-4.1.49.Final.jar.sha1

@@ -1 +0,0 @@
-415ea7f326635743aec952fe2349ca45959e94a7

modules/transport-netty4/licenses/netty-transport-4.1.59.Final.jar.sha1

@@ -0,0 +1 @@
+864d20f35ce909e6a7462095cb8f91ee94d1cd4c

plugins/analysis-phonetic/licenses/commons-codec-1.11.jar.sha1

@@ -1 +0,0 @@
-3acb4705652e16236558f0f4f2192cc33c3bd189

plugins/analysis-phonetic/licenses/commons-codec-1.13.jar.sha1

@@ -0,0 +1 @@
+3f18e1aa31031d89db6f01ba05d501258ce69d2c

plugins/discovery-azure-classic/licenses/commons-codec-1.11.jar.sha1

@@ -1 +0,0 @@
-3acb4705652e16236558f0f4f2192cc33c3bd189

plugins/discovery-azure-classic/licenses/commons-codec-1.13.jar.sha1

@@ -0,0 +1 @@
+3f18e1aa31031d89db6f01ba05d501258ce69d2c

plugins/discovery-azure-classic/licenses/httpclient-4.5.10.jar.sha1

@@ -1 +0,0 @@
-7ca2e4276f4ef95e4db725a8cd4a1d1e7585b9e5

plugins/discovery-azure-classic/licenses/httpclient-4.5.13.jar.sha1

@@ -0,0 +1 @@
+e5f6cae5ca7ecaac1ec2827a9e2d65ae2869cada

plugins/discovery-ec2/licenses/commons-codec-1.11.jar.sha1

@@ -1 +0,0 @@
-3acb4705652e16236558f0f4f2192cc33c3bd189

plugins/discovery-ec2/licenses/commons-codec-1.13.jar.sha1

@@ -0,0 +1 @@
+3f18e1aa31031d89db6f01ba05d501258ce69d2c

plugins/discovery-ec2/licenses/httpclient-4.5.10.jar.sha1

@@ -1 +0,0 @@
-7ca2e4276f4ef95e4db725a8cd4a1d1e7585b9e5

plugins/discovery-ec2/licenses/httpclient-4.5.13.jar.sha1

@@ -0,0 +1 @@
+e5f6cae5ca7ecaac1ec2827a9e2d65ae2869cada

plugins/discovery-ec2/licenses/jackson-annotations-2.10.4.jar.sha1

@@ -1 +0,0 @@
-6ae6028aff033f194c9710ad87c224ccaadeed6c

plugins/discovery-ec2/licenses/jackson-annotations-2.11.4.jar.sha1

@@ -0,0 +1 @@
+2c3f5c079330f3a01726686a078979420f547ae4

plugins/discovery-ec2/licenses/jackson-databind-2.10.4.jar.sha1

@@ -1 +0,0 @@
-76e9152e93d4cf052f93a64596f633ba5b1c8ed9

plugins/discovery-ec2/licenses/jackson-databind-2.11.4.jar.sha1

@@ -0,0 +1 @@
+5d9f3d441f99d721b957e3497f0a6465c764fad4

plugins/discovery-gce/licenses/commons-codec-1.11.jar.sha1

@@ -1 +0,0 @@
-3acb4705652e16236558f0f4f2192cc33c3bd189

plugins/discovery-gce/licenses/commons-codec-1.13.jar.sha1

@@ -0,0 +1 @@
+3f18e1aa31031d89db6f01ba05d501258ce69d2c

plugins/discovery-gce/licenses/httpclient-4.5.10.jar.sha1

@@ -1 +0,0 @@
-7ca2e4276f4ef95e4db725a8cd4a1d1e7585b9e5

plugins/discovery-gce/licenses/httpclient-4.5.13.jar.sha1

@@ -0,0 +1 @@
+e5f6cae5ca7ecaac1ec2827a9e2d65ae2869cada

plugins/ingest-attachment/licenses/commons-codec-1.11.jar.sha1

@@ -1 +0,0 @@
-3acb4705652e16236558f0f4f2192cc33c3bd189

plugins/ingest-attachment/licenses/commons-codec-1.13.jar.sha1

@@ -0,0 +1 @@
+3f18e1aa31031d89db6f01ba05d501258ce69d2c

plugins/repository-gcs/licenses/commons-codec-1.11.jar.sha1

@@ -1 +0,0 @@
-3acb4705652e16236558f0f4f2192cc33c3bd189

plugins/repository-gcs/licenses/commons-codec-1.13.jar.sha1

@@ -0,0 +1 @@
+3f18e1aa31031d89db6f01ba05d501258ce69d2c

plugins/repository-hdfs/licenses/commons-codec-1.11.jar.sha1

@@ -1 +0,0 @@
-3acb4705652e16236558f0f4f2192cc33c3bd189

plugins/repository-hdfs/licenses/commons-codec-1.13.jar.sha1

@@ -0,0 +1 @@
+3f18e1aa31031d89db6f01ba05d501258ce69d2c

plugins/repository-s3/licenses/commons-codec-1.11.jar.sha1

@@ -1 +0,0 @@
-3acb4705652e16236558f0f4f2192cc33c3bd189

plugins/repository-s3/licenses/commons-codec-1.13.jar.sha1

@@ -0,0 +1 @@
+3f18e1aa31031d89db6f01ba05d501258ce69d2c

plugins/repository-s3/licenses/httpclient-4.5.10.jar.sha1

@@ -1 +0,0 @@
-7ca2e4276f4ef95e4db725a8cd4a1d1e7585b9e5

plugins/repository-s3/licenses/httpclient-4.5.13.jar.sha1

@@ -0,0 +1 @@
+e5f6cae5ca7ecaac1ec2827a9e2d65ae2869cada

plugins/repository-s3/licenses/jackson-annotations-2.10.4.jar.sha1

@@ -1 +0,0 @@
-6ae6028aff033f194c9710ad87c224ccaadeed6c

plugins/repository-s3/licenses/jackson-annotations-2.11.4.jar.sha1

@@ -0,0 +1 @@
+2c3f5c079330f3a01726686a078979420f547ae4

plugins/repository-s3/licenses/jackson-databind-2.10.4.jar.sha1

@@ -1 +0,0 @@
-76e9152e93d4cf052f93a64596f633ba5b1c8ed9

plugins/repository-s3/licenses/jackson-databind-2.11.4.jar.sha1

@@ -0,0 +1 @@
+5d9f3d441f99d721b957e3497f0a6465c764fad4

plugins/transport-nio/licenses/netty-buffer-4.1.49.Final.jar.sha1

@@ -1 +0,0 @@
-8e819a81bca88d1e88137336f64531a53db0a4ad

plugins/transport-nio/licenses/netty-buffer-4.1.59.Final.jar.sha1

@@ -0,0 +1 @@
+a1f281008d7e9574c14d386b39b3639a240eb0d1

plugins/transport-nio/licenses/netty-codec-4.1.49.Final.jar.sha1

@@ -1 +0,0 @@
-20218de83c906348283f548c255650fd06030424

plugins/transport-nio/licenses/netty-codec-4.1.59.Final.jar.sha1

@@ -0,0 +1 @@
+5e563309b99cf55bdbecc4dab7c417a0167c31aa

plugins/transport-nio/licenses/netty-codec-http-4.1.49.Final.jar.sha1

@@ -1 +0,0 @@
-4f30dbc462b26c588dffc0eb7552caef1a0f549e

plugins/transport-nio/licenses/netty-codec-http-4.1.59.Final.jar.sha1

@@ -0,0 +1 @@
+766327d675678686a05faa446c4413d8ccb79b5c

plugins/transport-nio/licenses/netty-common-4.1.49.Final.jar.sha1

@@ -1 +0,0 @@
-927c8563a1662d869b145e70ce82ad89100f2c90

plugins/transport-nio/licenses/netty-common-4.1.59.Final.jar.sha1

@@ -0,0 +1 @@
+e8800b0c50b6743ec1c5a3713816ce58910a703a

plugins/transport-nio/licenses/netty-handler-4.1.49.Final.jar.sha1

@@ -1 +0,0 @@
-c73443adb9d085d5dc2d5b7f3bdd91d5963976f7

plugins/transport-nio/licenses/netty-handler-4.1.59.Final.jar.sha1

@@ -0,0 +1 @@
+302b4c8ca800aeddcf94401f2403114c8f5db5a5

plugins/transport-nio/licenses/netty-resolver-4.1.49.Final.jar.sha1

@@ -1 +0,0 @@
-eb81e1f0eaa99e75983bf3d28cae2b103e0f3a34

plugins/transport-nio/licenses/netty-resolver-4.1.59.Final.jar.sha1

@@ -0,0 +1 @@
+26bc136952a9f7a994dd7162f481c860275948de

plugins/transport-nio/licenses/netty-transport-4.1.49.Final.jar.sha1

@@ -1 +0,0 @@
-415ea7f326635743aec952fe2349ca45959e94a7

plugins/transport-nio/licenses/netty-transport-4.1.59.Final.jar.sha1

@@ -0,0 +1 @@
+864d20f35ce909e6a7462095cb8f91ee94d1cd4c