CVE fixes (opensearch-project#3385)

* CVE fixes
CVE-2022-36944, WS-2023-0116, CVE-2021-39194, CVE-2023-3635, CVE-2023-36479, CVE-2023-40167

Signed-off-by: Asif Sohail Mohammed <[email protected]>

* Fix WS-2023-0236

Signed-off-by: Asif Sohail Mohammed <[email protected]>

---------

Signed-off-by: Asif Sohail Mohammed <[email protected]>
(cherry picked from commit 5fdf95f)

build.gradle

@@ -89,6 +89,7 @@ subprojects {
     }
     dependencies {
         implementation platform('com.fasterxml.jackson:jackson-bom:2.15.0')
+        implementation platform('org.eclipse.jetty:jetty-bom:11.0.16')
         implementation platform('io.micrometer:micrometer-bom:1.10.5')
         implementation libs.guava.core
         implementation libs.slf4j.api
@@ -141,33 +142,45 @@ subprojects {
             }
             implementation('net.minidev:json-smart') {
                 version {
-                    require '2.4.11'
+                    require '2.5.0'
                 }
                 because 'CVE from transitive dependencies'
             }
-            implementation('org.eclipse.jetty:jetty-http') {
+            implementation('org.jetbrains.kotlin:kotlin-stdlib') {
                 version {
-                    require '11.0.15'
+                    require '1.8.21'
                 }
                 because 'CVE from transitive dependencies'
             }
-            implementation('org.eclipse.jetty:jetty-server') {
+            implementation('org.xerial.snappy:snappy-java') {
                 version {
-                    require '11.0.15'
+                    require '1.1.10.1'
+                }
+                because 'Fixes CVE-2023-35165, CVE-2023-34455, CVE-2023-34453, CVE-2023-34454, CVE-2023-2976'
+            }
+            implementation('com.squareup.okio:okio-jvm') {
+                version {
+                    require '3.5.0'
                 }
                 because 'CVE from transitive dependencies'
             }
-            implementation('org.jetbrains.kotlin:kotlin-stdlib') {
+            implementation('com.charleskorn.kaml:kaml') {
                 version {
-                    require '1.8.21'
+                    require '0.55.0'
                 }
                 because 'CVE from transitive dependencies'
             }
-            implementation('org.xerial.snappy:snappy-java') {
+            implementation('org.bitbucket.b_c:jose4j') {
                 version {
-                    require '1.1.10.1'
+                    require '0.9.3'
                 }
-                because 'Fixes CVE-2023-35165, CVE-2023-34455, CVE-2023-34453, CVE-2023-34454, CVE-2023-2976'
+                because 'CVE from transitive dependencies'
+            }
+            implementation('org.scala-lang:scala-library') {
+                version {
+                    require '2.13.12'
+                }
+                because 'CVE from transitive dependencies'
             }
         }
     }

data-prepper-plugins/parquet-codecs/build.gradle

@@ -7,8 +7,8 @@ dependencies {
     implementation project(':data-prepper-api')
     implementation project(':data-prepper-plugins:common')
     implementation 'org.apache.avro:avro:1.11.0'
-    implementation 'org.apache.hadoop:hadoop-common:3.3.5'
-    implementation('org.apache.hadoop:hadoop-mapreduce-client-core:3.3.5') {
+    implementation libs.hadoop.common
+    implementation(libs.hadoop.mapreduce) {
         exclude group: 'org.apache.hadoop', module: 'hadoop-hdfs-client'
     }
     implementation 'org.apache.parquet:parquet-avro:1.13.1'

data-prepper-plugins/s3-sink/build.gradle

@@ -19,7 +19,7 @@ dependencies {
     implementation 'org.jetbrains.kotlin:kotlin-stdlib:1.8.21'
     implementation project(':data-prepper-plugins:avro-codecs')
     implementation 'org.apache.avro:avro:1.11.1'
-    implementation 'org.apache.hadoop:hadoop-common:3.3.6'
+    implementation libs.hadoop.common
     implementation 'org.apache.parquet:parquet-avro:1.13.1'
     implementation 'software.amazon.awssdk:apache-client'
     implementation 'org.jetbrains.kotlin:kotlin-stdlib-common:1.8.21'

data-prepper-plugins/s3-source/build.gradle

@@ -47,19 +47,11 @@ dependencies {
     testImplementation project(':data-prepper-core')
     testImplementation project(':data-prepper-plugins:parquet-codecs')
     testImplementation 'org.apache.avro:avro:1.11.0'
-    testImplementation 'org.apache.hadoop:hadoop-common:3.3.5'
+    testImplementation testLibs.hadoop.common
     testImplementation 'org.apache.parquet:parquet-avro:1.13.1'
     testImplementation 'org.apache.parquet:parquet-column:1.13.1'
     testImplementation 'org.apache.parquet:parquet-common:1.13.1'
     testImplementation 'org.apache.parquet:parquet-hadoop:1.13.1'
-    constraints {
-        testImplementation('org.eclipse.jetty:jetty-bom') {
-            version {
-                require '11.0.14'
-            }
-            because 'Fixes CVE-2023-26048'
-        }
-    }
 }
 
 test {

settings.gradle

@@ -21,7 +21,7 @@ dependencyResolutionManagement {
             library('armeria-core', 'com.linecorp.armeria', 'armeria').versionRef('armeria')
             library('armeria-grpc', 'com.linecorp.armeria', 'armeria-grpc').versionRef('armeria')
             library('armeria-junit', 'com.linecorp.armeria', 'armeria-junit5').versionRef('armeria')
-            version('protobuf', '3.21.11')
+            version('protobuf', '3.24.3')
             library('protobuf-core', 'com.google.protobuf', 'protobuf-java').versionRef('protobuf')
             library('protobuf-util', 'com.google.protobuf', 'protobuf-java-util').versionRef('protobuf')
             version('opentelemetry', '0.16.0-alpha')
@@ -37,12 +37,15 @@ dependencyResolutionManagement {
             version('bouncycastle', '1.76')
             library('bouncycastle-bcprov', 'org.bouncycastle', 'bcprov-jdk18on').versionRef('bouncycastle')
             library('bouncycastle-bcpkix', 'org.bouncycastle', 'bcpkix-jdk18on').versionRef('bouncycastle')
-            version('guava', '32.0.1-jre')
+            version('guava', '32.1.2-jre')
             library('guava-core', 'com.google.guava', 'guava').versionRef('guava')
             library('commons-lang3', 'org.apache.commons', 'commons-lang3').version('3.13.0')
             library('commons-io', 'commons-io', 'commons-io').version('2.13.0')
             library('commons-codec', 'commons-codec', 'commons-codec').version('1.16.0')
             library('commons-compress', 'org.apache.commons', 'commons-compress').version('1.24.0')
+            version('hadoop', '3.3.6')
+            library('hadoop-common', 'org.apache.hadoop', 'hadoop-common').versionRef('hadoop')
+            library('hadoop-mapreduce', 'org.apache.hadoop', 'hadoop-mapreduce-client-core').versionRef('hadoop')
         }
         testLibs {
             version('junit', '5.8.2')
@@ -51,6 +54,7 @@ dependencyResolutionManagement {
             version('awaitility', '4.2.0')
             version('spring', '5.3.28')
             version('slf4j', '2.0.6')
+            version('hadoop', '3.3.6')
             library('junit-core', 'org.junit.jupiter', 'junit-jupiter').versionRef('junit')
             library('junit-params', 'org.junit.jupiter', 'junit-jupiter-params').versionRef('junit')
             library('junit-engine', 'org.junit.jupiter', 'junit-jupiter-engine').versionRef('junit')
@@ -64,6 +68,7 @@ dependencyResolutionManagement {
             library('awaitility', 'org.awaitility', 'awaitility').versionRef('awaitility')
             library('spring-test', 'org.springframework', 'spring-test').versionRef('spring')
             library('slf4j-simple', 'org.slf4j', 'slf4j-simple').versionRef('slf4j')
+            library('hadoop-common', 'org.apache.hadoop', 'hadoop-common').versionRef('hadoop')
         }
     }
 }