From 80b1cf0b989834fc268ea2ea9f34a039c0541e76 Mon Sep 17 00:00:00 2001
From: David Venable
Date: Thu, 21 Mar 2024 09:39:42 -0500
Subject: [PATCH 1/2] Updates transitive dependencies to resolve CVE-2023-51775, CVE-2024-23944, CVE-2023-52428. Move some constraints such that they are only in the projects needing them. Resolves #4282, #4290, #4296.
Signed-off-by: David Venable
---
 build.gradle | 12 ------------
 data-prepper-plugins/kafka-plugins/build.gradle | 6 ++++++
 data-prepper-plugins/parquet-codecs/build.gradle | 8 +++++++-
 data-prepper-plugins/s3-sink/build.gradle | 4 ++--
 4 files changed, 15 insertions(+), 15 deletions(-)
diff --git a/build.gradle b/build.gradle
index 8b885061f7..b961c9a44b 100644
--- a/build.gradle
+++ b/build.gradle
@@ -146,12 +146,6 @@ subprojects {
 }
 because 'the build fails if the Log4j API is not update along with log4j-core'
 }
- implementation('org.apache.zookeeper:zookeeper') {
- version {
- require '3.7.2'
- }
- because 'Fixes CVE-2023-44981'
- }
 implementation('com.google.code.gson:gson') {
 version {
 require '2.8.9'
@@ -224,12 +218,6 @@ subprojects {
 }
 because 'Fixes CVE-2023-51074 from transitive dependencies'
 }
- implementation('org.bitbucket.b_c:jose4j') {
- version {
- require '0.9.3'
- }
- because 'CVE from transitive dependencies'
- }
 implementation('org.scala-lang:scala-library') {
 version {
 require '2.13.12'
diff --git a/data-prepper-plugins/kafka-plugins/build.gradle b/data-prepper-plugins/kafka-plugins/build.gradle
index 8a9e202260..3fb9ab5080 100644
--- a/data-prepper-plugins/kafka-plugins/build.gradle
+++ b/data-prepper-plugins/kafka-plugins/build.gradle
@@ -88,6 +88,12 @@ dependencies {
 }
 because 'Fixes SNYK-JAVA-ORGMOZILLA-1314295.'
 }
+ implementation('org.bitbucket.b_c:jose4j') {
+ version {
+ require '0.9.4'
+ }
+ because 'Fixes CVE-2023-51775 and other CVEs from transitive dependencies'
+ }
 }
 }
 
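Review bot: The jose4j floor of 0.9.4 added in this kafka-plugins hunk now applies to this subproject only, because the same patch deletes the root `subprojects` constraint on `org.bitbucket.b_c:jose4j`; any other subproject that still receives jose4j transitively is left with no constraint and can resolve a version below 0.9.4 again. The second patch in this series had to move the zookeeper constraint back to the root for exactly this reason, so the assumption that kafka-plugins is the only consumer is worth checking with Gradle's dependency report across all subprojects before the root constraint is dropped; if another project resolves it, keep the constraint in the root block instead. Separately, the new `because 'Fixes CVE-2023-51775 and other CVEs from transitive dependencies'` names only one identifier; listing the remaining ids in that string would make the floor auditable when it is next revisited.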
diff --git a/data-prepper-plugins/parquet-codecs/build.gradle b/data-prepper-plugins/parquet-codecs/build.gradle
index 44a17fdaca..d35c73cdd3 100644
--- a/data-prepper-plugins/parquet-codecs/build.gradle
+++ b/data-prepper-plugins/parquet-codecs/build.gradle
@@ -22,7 +22,13 @@ dependencies {
 version {
 require '9.37.1'
 }
- because 'Fixes CVE-2021-31684 and CVE-2023-1370 by using a newer shaded version of json-smart.'
+ because 'Fixes CVE-2023-52428, CVE-2021-31684 and CVE-2023-1370 by using a newer shaded version of json-smart.'
+ }
+ implementation('org.apache.zookeeper:zookeeper') {
+ version {
+ require '3.8.4'
+ }
+ because 'Fixes CVE-2024-23944, CVE-2023-44981'
 }
 }
 }
diff --git a/data-prepper-plugins/s3-sink/build.gradle b/data-prepper-plugins/s3-sink/build.gradle
index 30b47c8100..1565049c64 100644
--- a/data-prepper-plugins/s3-sink/build.gradle
+++ b/data-prepper-plugins/s3-sink/build.gradle
@@ -33,9 +33,9 @@ dependencies {
 constraints {
 implementation('com.nimbusds:nimbus-jose-jwt') {
 version {
- require '9.37.1'
+ require '9.37.2'
 }
- because 'Fixes CVE-2021-31684 and CVE-2023-1370 by using a newer shaded version of json-smart.'
+ because 'Fixes CVE-2023-52428, CVE-2021-31684 and CVE-2023-1370 by using a newer shaded version of json-smart.'
 }
 }
 }
From 05ab26b576bee23bd0b679793d4dfbe2ef3f87fc Mon Sep 17 00:00:00 2001
From: David Venable
Date: Thu, 21 Mar 2024 11:27:26 -0500
Subject: [PATCH 2/2] Zookeeper is still used in multiple projects, so move the constraint back to the root.
Signed-off-by: David Venable
---
 build.gradle | 6 ++++++
 data-prepper-plugins/parquet-codecs/build.gradle | 6 ------
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/build.gradle b/build.gradle
index b961c9a44b..7c2b1f164f 100644
--- a/build.gradle
+++ b/build.gradle
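Review bot: The nimbus-jose-jwt constraint in this parquet-codecs hunk keeps the context line `require '9.37.1'` while its `because` string is changed to claim a fix for CVE-2023-52428, yet the s3-sink hunk in the same patch raises the identical constraint to `require '9.37.2'` with the identical rationale. If 9.37.2 is the release that addresses CVE-2023-52428, this project's floor does not pull in the fix and the reason string overstates what the constraint guarantees; if 9.37.1 already suffices, the s3-sink bump is unexplained. The two constraints should agree, and since the s3-sink side is the one that was deliberately raised, I would change this project's line to `require '9.37.2'` as well. Confirming the resolved version per subproject with Gradle's dependencyInsight task would settle which floor is actually in effect.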
@@ -146,6 +146,12 @@ subprojects {
 }
 because 'the build fails if the Log4j API is not update along with log4j-core'
 }
+ implementation('org.apache.zookeeper:zookeeper') {
+ version {
+ require '3.8.4'
+ }
+ because 'Fixes CVE-2024-23944, CVE-2023-44981'
+ }
 implementation('com.google.code.gson:gson') {
 version {
 require '2.8.9'
diff --git a/data-prepper-plugins/parquet-codecs/build.gradle b/data-prepper-plugins/parquet-codecs/build.gradle
index d35c73cdd3..074eef4a04 100644
--- a/data-prepper-plugins/parquet-codecs/build.gradle
+++ b/data-prepper-plugins/parquet-codecs/build.gradle
@@ -24,12 +24,6 @@ dependencies {
 }
 because 'Fixes CVE-2023-52428, CVE-2021-31684 and CVE-2023-1370 by using a newer shaded version of json-smart.'
 }
- implementation('org.apache.zookeeper:zookeeper') {
- version {
- require '3.8.4'
- }
- because 'Fixes CVE-2024-23944, CVE-2023-44981'
- }
 }
 }