[CVE-2020-7692] Upgrade google-oauth clients for goolge cloud plugins (#662) (#734)

For discovery-gce and repository-gcs plugins update the google-oauth-client library to version 1.31.0. See CVE details at https://nvd.nist.gov/vuln/detail/CVE-2020-7692 Signed-off-by: Rabi Panda <adnapibar@gmail.com>
2021-05-20 14:13:15 -07:00 · 2021-05-20 14:13:15 -07:00 · 79c0444058
parent 2217c11cb2
commit 79c0444058
6 changed files with 9 additions and 6 deletions
--- a/plugins/discovery-gce/build.gradle
+++ b/plugins/discovery-gce/build.gradle
@ -24,7 +24,7 @@ versions << [
 dependencies {
  api "com.google.apis:google-api-services-compute:v1-rev160-${versions.google}"
  api "com.google.api-client:google-api-client:${versions.google}"
-  api "com.google.oauth-client:google-oauth-client:${versions.google}"
+  api "com.google.oauth-client:google-oauth-client:1.31.0"
  api "com.google.http-client:google-http-client:${versions.google}"
  api "com.google.http-client:google-http-client-jackson2:${versions.google}"
  api 'com.google.code.findbugs:jsr305:1.3.9'
@ -63,5 +63,8 @@ thirdPartyAudit.ignoreMissingClasses(
  'javax.servlet.ServletContextListener',
  'org.apache.avalon.framework.logger.Logger',
  'org.apache.log.Hierarchy',
-  'org.apache.log.Logger'
+  'org.apache.log.Logger',
+  'com.google.common.collect.Multiset',
+  'com.google.common.collect.SortedMultiset',
+  'com.google.common.collect.TreeMultiset',
 )
--- a/plugins/discovery-gce/licenses/google-oauth-client-1.23.0.jar.sha1
+++ b/plugins/discovery-gce/licenses/google-oauth-client-1.23.0.jar.sha1
@ -1 +0,0 @@
-e57ea1e2220bda5a2bd24ff17860212861f3c5cf
--- a/plugins/discovery-gce/licenses/google-oauth-client-1.31.0.jar.sha1
+++ b/plugins/discovery-gce/licenses/google-oauth-client-1.31.0.jar.sha1
@ -0,0 +1 @@
+bf1cfbbaa2497d0a841ea0363df4a61170d5823b
--- a/plugins/repository-gcs/build.gradle
+++ b/plugins/repository-gcs/build.gradle
@ -68,7 +68,7 @@ dependencies {
  api 'com.google.cloud:google-cloud-core-http:1.93.3'
  api 'com.google.auth:google-auth-library-credentials:0.20.0'
  api 'com.google.auth:google-auth-library-oauth2-http:0.20.0'
-  api 'com.google.oauth-client:google-oauth-client:1.28.0'
+  api 'com.google.oauth-client:google-oauth-client:1.31.0'
  api 'com.google.api-client:google-api-client:1.30.10'
  api 'com.google.http-client:google-http-client-appengine:1.35.0'
  api 'com.google.http-client:google-http-client-jackson2:1.35.0'
@ -205,7 +205,7 @@ thirdPartyAudit {
    'org.apache.http.protocol.HttpRequestExecutor',
    // commons-logging provided dependencies
    'javax.servlet.ServletContextEvent',
-    'javax.servlet.ServletContextListener'
+    'javax.servlet.ServletContextListener',
  )
 }

--- a/plugins/repository-gcs/licenses/google-oauth-client-1.28.0.jar.sha1
+++ b/plugins/repository-gcs/licenses/google-oauth-client-1.28.0.jar.sha1
@ -1 +0,0 @@
-9a9e5d0c33b663d6475c96ce79b2949545a113af
--- a/plugins/repository-gcs/licenses/google-oauth-client-1.31.0.jar.sha1
+++ b/plugins/repository-gcs/licenses/google-oauth-client-1.31.0.jar.sha1
@ -0,0 +1 @@
+bf1cfbbaa2497d0a841ea0363df4a61170d5823b