From 79c0444058064ea3cff926224faab41ed1adb050 Mon Sep 17 00:00:00 2001
From: Rabi Panda
Date: Thu, 20 May 2021 14:13:15 -0700
Subject: [PATCH] [CVE-2020-7692] Upgrade google-oauth clients for goolge cloud plugins (#662) (#734)
For discovery-gce and repository-gcs plugins update the google-oauth-client library to version 1.31.0. See CVE details at https://nvd.nist.gov/vuln/detail/CVE-2020-7692
Signed-off-by: Rabi Panda
---
 plugins/discovery-gce/build.gradle | 7 +++++--
 .../licenses/google-oauth-client-1.23.0.jar.sha1 | 1 -
 .../licenses/google-oauth-client-1.31.0.jar.sha1 | 1 +
 plugins/repository-gcs/build.gradle | 4 ++--
 .../licenses/google-oauth-client-1.28.0.jar.sha1 | 1 -
 .../licenses/google-oauth-client-1.31.0.jar.sha1 | 1 +
 6 files changed, 9 insertions(+), 6 deletions(-)
 delete mode 100644 plugins/discovery-gce/licenses/google-oauth-client-1.23.0.jar.sha1
 create mode 100644 plugins/discovery-gce/licenses/google-oauth-client-1.31.0.jar.sha1
 delete mode 100644 plugins/repository-gcs/licenses/google-oauth-client-1.28.0.jar.sha1
 create mode 100644 plugins/repository-gcs/licenses/google-oauth-client-1.31.0.jar.sha1
diff --git a/plugins/discovery-gce/build.gradle b/plugins/discovery-gce/build.gradle
index 836c296c16c..0075b35a00e 100644
--- a/plugins/discovery-gce/build.gradle
+++ b/plugins/discovery-gce/build.gradle
@@ -24,7 +24,7 @@ versions << [
 dependencies {
 api "com.google.apis:google-api-services-compute:v1-rev160-${versions.google}"
 api "com.google.api-client:google-api-client:${versions.google}"
- api "com.google.oauth-client:google-oauth-client:${versions.google}"
+ api "com.google.oauth-client:google-oauth-client:1.31.0"
 api "com.google.http-client:google-http-client:${versions.google}"
 api "com.google.http-client:google-http-client-jackson2:${versions.google}"
 api 'com.google.code.findbugs:jsr305:1.3.9'
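Review bot: The `google-oauth-client` line in plugins/discovery-gce/build.gradle now carries the literal `1.31.0` while the google-api-client and google-http-client lines beside it still resolve `${versions.google}`, and nothing in the file records why this one entry is pinned separately. The deleted 1.23.0 checksum file suggests `versions.google` is still 1.23.0, so the plugin would ship an OAuth client several releases ahead of the HTTP client it sits on; that pairing is worth confirming with the plugin's integration tests rather than assuming it. A comment above the line would stop a later cleanup from folding it back into the shared version and reintroducing the CVE, for example `// pinned ahead of versions.google for CVE-2020-7692; realign once versions.google >= 1.31.0`. The `dependencies` block continues past the end of the hunk.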
@@ -63,5 +63,8 @@ thirdPartyAudit.ignoreMissingClasses(
 'javax.servlet.ServletContextListener',
 'org.apache.avalon.framework.logger.Logger',
 'org.apache.log.Hierarchy',
- 'org.apache.log.Logger'
+ 'org.apache.log.Logger',
+ 'com.google.common.collect.Multiset',
+ 'com.google.common.collect.SortedMultiset',
+ 'com.google.common.collect.TreeMultiset',
 )
diff --git a/plugins/discovery-gce/licenses/google-oauth-client-1.23.0.jar.sha1 b/plugins/discovery-gce/licenses/google-oauth-client-1.23.0.jar.sha1
deleted file mode 100644
index 036812b88b5..00000000000
--- a/plugins/discovery-gce/licenses/google-oauth-client-1.23.0.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-e57ea1e2220bda5a2bd24ff17860212861f3c5cf
\ No newline at end of file
diff --git a/plugins/discovery-gce/licenses/google-oauth-client-1.31.0.jar.sha1 b/plugins/discovery-gce/licenses/google-oauth-client-1.31.0.jar.sha1
new file mode 100644
index 00000000000..942dbb5d167
--- /dev/null
+++ b/plugins/discovery-gce/licenses/google-oauth-client-1.31.0.jar.sha1
@@ -0,0 +1 @@
+bf1cfbbaa2497d0a841ea0363df4a61170d5823b
\ No newline at end of file
diff --git a/plugins/repository-gcs/build.gradle b/plugins/repository-gcs/build.gradle
index ffc0c8c4bb6..1ab14f03693 100644
--- a/plugins/repository-gcs/build.gradle
+++ b/plugins/repository-gcs/build.gradle
@@ -68,7 +68,7 @@ dependencies {
 api 'com.google.cloud:google-cloud-core-http:1.93.3'
 api 'com.google.auth:google-auth-library-credentials:0.20.0'
 api 'com.google.auth:google-auth-library-oauth2-http:0.20.0'
- api 'com.google.oauth-client:google-oauth-client:1.28.0'
+ api 'com.google.oauth-client:google-oauth-client:1.31.0'
 api 'com.google.api-client:google-api-client:1.30.10'
 api 'com.google.http-client:google-http-client-appengine:1.35.0'
 api 'com.google.http-client:google-http-client-jackson2:1.35.0'
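Review bot: The three Guava classes added to `thirdPartyAudit.ignoreMissingClasses(...)` in plugins/discovery-gce/build.gradle (`Multiset`, `SortedMultiset`, `TreeMultiset`) are suppressed without a comment saying which jar references them or why they are safe to ignore. Since they appear in the same commit as the bump, they presumably come from google-oauth-client 1.31.0 referencing Guava, which this plugin does not appear to declare; that should be confirmed. The ignore list only silences the build-time audit, so any plugin code path that reaches those classes would still fail at runtime with `NoClassDefFoundError`. I would add a line above the new entries such as `// google-oauth-client 1.31.0 references Guava collections; not on this plugin's classpath, verified unused by the GCE discovery code paths` once that has been checked. The argument list starts before the hunk.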
@@ -205,7 +205,7 @@ thirdPartyAudit { 'org.apache.http.protocol.HttpRequestExecutor', // commons-logging provided dependencies 'javax.servlet.ServletContextEvent', - 'javax.servlet.ServletContextListener' + 'javax.servlet.ServletContextListener', ) }
diff --git a/plugins/repository-gcs/licenses/google-oauth-client-1.28.0.jar.sha1 b/plugins/repository-gcs/licenses/google-oauth-client-1.28.0.jar.sha1
deleted file mode 100644
index 474df6e0265..00000000000
--- a/plugins/repository-gcs/licenses/google-oauth-client-1.28.0.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-9a9e5d0c33b663d6475c96ce79b2949545a113af
\ No newline at end of file
diff --git a/plugins/repository-gcs/licenses/google-oauth-client-1.31.0.jar.sha1 b/plugins/repository-gcs/licenses/google-oauth-client-1.31.0.jar.sha1
new file mode 100644
index 00000000000..942dbb5d167
--- /dev/null
+++ b/plugins/repository-gcs/licenses/google-oauth-client-1.31.0.jar.sha1
@@ -0,0 +1 @@
+bf1cfbbaa2497d0a841ea0363df4a61170d5823b
\ No newline at end of file