Resolves transitive dependencies for 2.7.0 (#4308)

Updates transitive dependencies to resolve CVE-2023-51775, CVE-2024-23944, CVE-2023-52428. Move some constraints such that they are only in the projects needing them. Resolves #4282, #4290, #4296. Signed-off-by: David Venable <dlv@amazon.com>
opensearch-project · Mar 21, 2024 · 507b2ed · 507b2ed
1 parent 2a02080
commit 507b2ed
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 11 deletions.
diff --git a/build.gradle b/build.gradle
@@ -148,9 +148,9 @@ subprojects {
             }
             implementation('org.apache.zookeeper:zookeeper') {
                 version {
-                    require '3.7.2'
+                    require '3.8.4'
                 }
-                because 'Fixes CVE-2023-44981'
+                because 'Fixes CVE-2024-23944, CVE-2023-44981'
             }
             implementation('com.google.code.gson:gson') {
                 version {
@@ -224,12 +224,6 @@ subprojects {
                 }
                 because 'Fixes CVE-2023-51074 from transitive dependencies'
             }
-            implementation('org.bitbucket.b_c:jose4j') {
-                version {
-                    require '0.9.3'
-                }
-                because 'CVE from transitive dependencies'
-            }
             implementation('org.scala-lang:scala-library') {
                 version {
                     require '2.13.12'

diff --git a/data-prepper-plugins/kafka-plugins/build.gradle b/data-prepper-plugins/kafka-plugins/build.gradle
@@ -88,6 +88,12 @@ dependencies {
             }
             because 'Fixes SNYK-JAVA-ORGMOZILLA-1314295.'
         }
+        implementation('org.bitbucket.b_c:jose4j') {
+            version {
+                require '0.9.4'
+            }
+            because 'Fixes CVE-2023-51775 and other CVEs from transitive dependencies'
+        }
     }
 }
 

diff --git a/data-prepper-plugins/parquet-codecs/build.gradle b/data-prepper-plugins/parquet-codecs/build.gradle
@@ -22,7 +22,7 @@ dependencies {
             version {
                 require '9.37.1'
             }
-            because 'Fixes CVE-2021-31684 and CVE-2023-1370 by using a newer shaded version of json-smart.'
+            because 'Fixes CVE-2023-52428, CVE-2021-31684 and CVE-2023-1370 by using a newer shaded version of json-smart.'
         }
     }
 }

diff --git a/data-prepper-plugins/s3-sink/build.gradle b/data-prepper-plugins/s3-sink/build.gradle
@@ -33,9 +33,9 @@ dependencies {
     constraints {
         implementation('com.nimbusds:nimbus-jose-jwt') {
             version {
-                require '9.37.1'
+                require '9.37.2'
             }
-            because 'Fixes CVE-2021-31684 and CVE-2023-1370 by using a newer shaded version of json-smart.'
+            because 'Fixes CVE-2023-52428, CVE-2021-31684 and CVE-2023-1370 by using a newer shaded version of json-smart.'
         }
     }
 }