Updates transitive dependencies to resolve CVE-2023-51775, CVE-2024-2…

…3944, CVE-2023-52428. Move some constraints such that they are only in the projects needing them. Resolves opensearch-project#4282, opensearch-project#4290, opensearch-project#4296. Signed-off-by: David Venable <dlv@amazon.com>
dlvenable · Mar 21, 2024 · 80b1cf0 · 80b1cf0
1 parent 5596c57
commit 80b1cf0
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 15 deletions.
diff --git a/build.gradle b/build.gradle
@@ -146,12 +146,6 @@ subprojects {
                 }
                 because 'the build fails if the Log4j API is not update along with log4j-core'
             }
-            implementation('org.apache.zookeeper:zookeeper') {
-                version {
-                    require '3.7.2'
-                }
-                because 'Fixes CVE-2023-44981'
-            }
             implementation('com.google.code.gson:gson') {
                 version {
                     require '2.8.9'
@@ -224,12 +218,6 @@ subprojects {
                 }
                 because 'Fixes CVE-2023-51074 from transitive dependencies'
             }
-            implementation('org.bitbucket.b_c:jose4j') {
-                version {
-                    require '0.9.3'
-                }
-                because 'CVE from transitive dependencies'
-            }
             implementation('org.scala-lang:scala-library') {
                 version {
                     require '2.13.12'

diff --git a/data-prepper-plugins/kafka-plugins/build.gradle b/data-prepper-plugins/kafka-plugins/build.gradle
@@ -88,6 +88,12 @@ dependencies {
             }
             because 'Fixes SNYK-JAVA-ORGMOZILLA-1314295.'
         }
+        implementation('org.bitbucket.b_c:jose4j') {
+            version {
+                require '0.9.4'
+            }
+            because 'Fixes CVE-2023-51775 and other CVEs from transitive dependencies'
+        }
     }
 }
 

diff --git a/data-prepper-plugins/parquet-codecs/build.gradle b/data-prepper-plugins/parquet-codecs/build.gradle
@@ -22,7 +22,13 @@ dependencies {
             version {
                 require '9.37.1'
             }
-            because 'Fixes CVE-2021-31684 and CVE-2023-1370 by using a newer shaded version of json-smart.'
+            because 'Fixes CVE-2023-52428, CVE-2021-31684 and CVE-2023-1370 by using a newer shaded version of json-smart.'
+        }
+        implementation('org.apache.zookeeper:zookeeper') {
+            version {
+                require '3.8.4'
+            }
+            because 'Fixes CVE-2024-23944, CVE-2023-44981'
         }
     }
 }

diff --git a/data-prepper-plugins/s3-sink/build.gradle b/data-prepper-plugins/s3-sink/build.gradle
@@ -33,9 +33,9 @@ dependencies {
     constraints {
         implementation('com.nimbusds:nimbus-jose-jwt') {
             version {
-                require '9.37.1'
+                require '9.37.2'
             }
-            because 'Fixes CVE-2021-31684 and CVE-2023-1370 by using a newer shaded version of json-smart.'
+            because 'Fixes CVE-2023-52428, CVE-2021-31684 and CVE-2023-1370 by using a newer shaded version of json-smart.'
         }
     }
 }