This is an automated email from the ASF dual-hosted git repository. pvillard pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/nifi.git
The following commit(s) were added to refs/heads/main by this push: new 0e1ae2bd6f NIFI-12276 Addressed Dependency Check Findings 0e1ae2bd6f is described below commit 0e1ae2bd6fcbcb9ce11c0bfc66f5f0d05952fe45 Author: exceptionfactory <exceptionfact...@apache.org> AuthorDate: Wed Oct 25 15:02:47 2023 -0500 NIFI-12276 Addressed Dependency Check Findings - Added dependency-check GitHub workflow - Upgraded Janino Commons Compiler from 3.1.9 to 3.1.10 - Upgraded Azure SDK BOM from 1.2.16 to 1.2.17 - Upgraded GCP SDK BOM from 26.17.0 to 26.25.0 - Upgraded AWS SDK from 1.12.550 to 1.12.573 - Upgraded Hazelcast from 5.3.2 to 5.3.5 - Upgraded Jersey from 2.40 to 2.41 - Upgraded Camel Salesforce from 3.14.5 to 3.14.9 - Unified ZooKeeper versioning on 3.9.1 - Applied Groovy 2.4.21 to Hive 3 and Iceberg components - Applied gRPC version 1.59.0 to Asana components - Applied Jettison 1.5.4 to Atlas and Hive 3 components - Managed JUnit 4 version to 4.13.2 for MockWebServer - Excluded HBase libraries from Hive 3 following Iceberg approach - Excluded Htrace from HBase components - Upgraded OWASP Dependency Check from 8.4.0 to 8.4.2 - Removed non-applicable dependency check suppressions - Added dependency check suppressions for non-applicable findings 
Signed-off-by: Pierre Villard <pierre.villard...@gmail.com> This closes #7948. --- .github/workflows/dependency-check.yml | 70 +++++ README.md | 1 + minifi/minifi-c2/minifi-c2-assembly/pom.xml | 7 + minifi/pom.xml | 12 + nifi-commons/nifi-calcite-utils/pom.xml | 16 + .../nifi-property-protection-azure/pom.xml | 2 +- nifi-commons/nifi-property-protection-gcp/pom.xml | 2 +- nifi-dependency-check-maven/suppressions.xml | 345 ++++++++++++++++----- nifi-nar-bundles/nifi-accumulo-bundle/pom.xml | 12 - nifi-nar-bundles/nifi-asana-bundle/pom.xml | 6 + nifi-nar-bundles/nifi-atlas-bundle/pom.xml | 6 + nifi-nar-bundles/nifi-azure-bundle/pom.xml | 2 +- nifi-nar-bundles/nifi-box-bundle/pom.xml | 11 + nifi-nar-bundles/nifi-framework-bundle/pom.xml | 5 - nifi-nar-bundles/nifi-gcp-bundle/pom.xml | 2 +- .../nifi-graph-test-clients/pom.xml | 7 + .../nifi-hazelcast-services/pom.xml | 15 +- .../nifi-hive-bundle/nifi-hive-test-utils/pom.xml | 6 + .../nifi-hive-bundle/nifi-hive3-processors/pom.xml | 21 ++ nifi-nar-bundles/nifi-hive-bundle/pom.xml | 29 +- .../nifi-iceberg-processors/pom.xml | 8 + nifi-nar-bundles/nifi-iceberg-bundle/pom.xml | 18 +- nifi-nar-bundles/nifi-ranger-bundle/pom.xml | 12 +- .../nifi-salesforce-processors/pom.xml | 2 +- nifi-nar-bundles/nifi-spark-bundle/pom.xml | 12 - nifi-nar-bundles/nifi-sql-reporting-bundle/pom.xml | 11 + nifi-nar-bundles/nifi-standard-bundle/pom.xml | 11 + .../nifi-hbase_2-client-service/pom.xml | 4 + .../nifi-hbase_2-client-service-bundle/pom.xml | 12 - .../nifi-registry-ranger/pom.xml | 6 - pom.xml | 22 +- 31 files changed, 516 insertions(+), 179 deletions(-) diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml new file mode 100644 index 0000000000..1829c157ad --- /dev/null +++ b/.github/workflows/dependency-check.yml 
@@ -0,0 +1,70 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+name: dependency-check
+
+on:
+ schedule:
+ - cron: "0 3 * * *"
+ push:
+ paths:
+ - '**/pom.xml'
+ pull_request:
+ paths:
+ - '**/pom.xml'
+
+env:
+ DEFAULT_MAVEN_OPTS: >-
+ -Dorg.slf4j.simpleLogger.defaultLogLevel=WARN
+ -Daether.connector.http.retryHandler.count=5
+ -Daether.connector.http.connectionMaxTtl=30
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ timeout-minutes: 30
+ runs-on: ubuntu-latest
+ name: Dependency Check
+ steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+ - name: Set up Java Zulu 21
+ uses: actions/setup-java@v3
+ with:
+ distribution: 'zulu'
+ java-version: 21
+ cache: 'maven'
+ - name: Run Dependency Check
+ env:
+ MAVEN_OPTS: >-
+ ${{ env.DEFAULT_MAVEN_OPTS }}
+ run: >
+ ./mvnw
+ --no-transfer-progress
+ --activate-profiles dependency-check
+ validate
+ - name: Upload Report
+ uses: actions/upload-artifact@v3
+ with:
+ name: dependency-check-report
+ path: |
+ target/dependency-check-report.html
+ retention-days: 7
diff --git a/README.md b/README.md
index 7dd6d29605..99a82f0449 100644
--- a/README.md
+++ b/README.md
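Review bot: The `Upload Report` step in the new workflow has no `if:` condition, so it is skipped whenever `Run Dependency Check` exits non-zero. Whether the `dependency-check` profile fails the build on findings is not visible here, but if it does, the report is dropped on exactly the runs that need it; adding `if: always()` to that step keeps it. The `push` and `pull_request` path filters list only `'**/pom.xml'`, so a change that touches only `nifi-dependency-check-maven/suppressions.xml` is not scanned until the nightly cron; adding `- 'nifi-dependency-check-maven/suppressions.xml'` to both lists closes that gap. The three `uses:` references are pinned to movable tags (`@v4`, `@v3`); pinning each to a full commit SHA with the tag in a trailing comment would make the workflow's inputs immutable.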
@@ -18,6 +18,7 @@ [![system-tests](https://github.com/apache/nifi/workflows/system-tests/badge.svg)](https://github.com/apache/nifi/actions/workflows/system-tests.yml) [![integration-tests](https://github.com/apache/nifi/actions/workflows/integration-tests.yml/badge.svg)](https://github.com/apache/nifi/actions/workflows/integration-tests.yml) [![docker-tests](https://github.com/apache/nifi/actions/workflows/docker-tests.yml/badge.svg)](https://github.com/apache/nifi/actions/workflows/docker-tests.yml) +[![dependency-check](https://github.com/apache/nifi/workflows/dependency-check/badge.svg)](https://github.com/apache/nifi/actions/workflows/dependency-check.yml) [![Docker pulls](https://img.shields.io/docker/pulls/apache/nifi.svg)](https://hub.docker.com/r/apache/nifi/) [![Version](https://img.shields.io/maven-central/v/org.apache.nifi/nifi-utils.svg)](https://nifi.apache.org/download.html) [![Slack](https://img.shields.io/badge/chat-on%20Slack-brightgreen.svg)](https://s.apache.org/nifi-community-slack) diff --git a/minifi/minifi-c2/minifi-c2-assembly/pom.xml b/minifi/minifi-c2/minifi-c2-assembly/pom.xml index 2e47aeeb87..b4da037915 100644 --- a/minifi/minifi-c2/minifi-c2-assembly/pom.xml +++ b/minifi/minifi-c2/minifi-c2-assembly/pom.xml @@ -155,6 +155,13 @@ limitations under the License. <dependency> <groupId>org.glassfish.jersey.containers</groupId> <artifactId>jersey-container-jetty-http</artifactId> + <exclusions> + <!-- jetty-continuation is not included in Jetty 10 --> + <exclusion> + <groupId>org.eclipse.jetty</groupId> + <artifactId>jetty-continuation</artifactId> + </exclusion> + </exclusions> </dependency> <dependency> <groupId>org.glassfish.jersey.containers</groupId> diff --git a/minifi/pom.xml b/minifi/pom.xml index ad9ff08f71..e927eae4d2 100644 --- a/minifi/pom.xml +++ b/minifi/pom.xml 
@@ -451,6 +451,18 @@ limitations under the License. <artifactId>guava</artifactId> <version>32.1.2-jre</version> </dependency> + + <!-- Override Commons Compiler 3.1.9 from calcite-core --> + <dependency> + <groupId>org.codehaus.janino</groupId> + <artifactId>commons-compiler</artifactId> + <version>3.1.10</version> + </dependency> + <dependency> + <groupId>org.codehaus.janino</groupId> + <artifactId>janino</artifactId> + <version>3.1.10</version> + </dependency> </dependencies> </dependencyManagement> </project> diff --git a/nifi-commons/nifi-calcite-utils/pom.xml b/nifi-commons/nifi-calcite-utils/pom.xml index d0a50f5758..833090ec58 100644 --- a/nifi-commons/nifi-calcite-utils/pom.xml +++ b/nifi-commons/nifi-calcite-utils/pom.xml @@ -25,6 +25,22 @@ <artifactId>nifi-calcite-utils</artifactId> <name>nifi-calcite-utils</name> + <dependencyManagement> + <dependencies> + <!-- Override Commons Compiler 3.1.9 from calcite-core --> + <dependency> + <groupId>org.codehaus.janino</groupId> + <artifactId>commons-compiler</artifactId> + <version>3.1.10</version> + </dependency> + <dependency> + <groupId>org.codehaus.janino</groupId> + <artifactId>janino</artifactId> + <version>3.1.10</version> + </dependency> + </dependencies> + </dependencyManagement> + <dependencies> <dependency> <groupId>org.apache.nifi</groupId> diff --git a/nifi-commons/nifi-property-protection-azure/pom.xml b/nifi-commons/nifi-property-protection-azure/pom.xml index 253526fbf1..6647442064 100644 --- a/nifi-commons/nifi-property-protection-azure/pom.xml +++ b/nifi-commons/nifi-property-protection-azure/pom.xml @@ -26,7 +26,7 @@ <dependency> <groupId>com.azure</groupId> <artifactId>azure-sdk-bom</artifactId> - <version>1.2.16</version> + <version>1.2.17</version> <scope>import</scope> <type>pom</type> </dependency> diff --git a/nifi-commons/nifi-property-protection-gcp/pom.xml b/nifi-commons/nifi-property-protection-gcp/pom.xml index 55c422712f..cde1db53d7 100644 
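Review bot: The Janino override writes the literal `3.1.10` twice in the `minifi/pom.xml` hunk and twice more in the `nifi-commons/nifi-calcite-utils/pom.xml` hunk on this line, and the same pair is repeated in `nifi-nar-bundles/nifi-hive-bundle/pom.xml`, so the next Janino finding needs six coordinated edits. If these modules inherit from a common parent (not visible in these hunks), a single property such as `<janino.version>3.1.10</janino.version>` referenced as `<version>${janino.version}</version>` would keep the three overrides in step. The comment `Override Commons Compiler 3.1.9 from calcite-core` sits above both artifacts but names only one; something like `<!-- Override Janino and Commons Compiler 3.1.9 from calcite-core; remove once calcite-core brings 3.1.10 or later -->` records when the override can go. The enclosing `dependencyManagement` block in `minifi/pom.xml` starts outside the hunk.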
--- a/nifi-commons/nifi-property-protection-gcp/pom.xml +++ b/nifi-commons/nifi-property-protection-gcp/pom.xml @@ -22,7 +22,7 @@ </parent> <artifactId>nifi-property-protection-gcp</artifactId> <properties> - <gcp.sdk.version>26.17.0</gcp.sdk.version> + <gcp.sdk.version>26.25.0</gcp.sdk.version> <guava.version>32.1.2-jre</guava.version> </properties> <dependencyManagement> diff --git a/nifi-dependency-check-maven/suppressions.xml b/nifi-dependency-check-maven/suppressions.xml index e4e0cdac1d..4aabb50d94 100644 --- a/nifi-dependency-check-maven/suppressions.xml +++ b/nifi-dependency-check-maven/suppressions.xml 
@@ -34,36 +34,6 @@ <packageUrl regex="true">^pkg:maven/org\.springframework\.security/spring\-security\-crypto@.*$</packageUrl> <vulnerabilityName>CVE-2020-5408</vulnerabilityName> </suppress> - <suppress> - <notes>Apache Hive vulnerabilities do not apply to Flume Hive Sink</notes> - <packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-hive\-sink@.*$</packageUrl> - <cpe>cpe:/a:apache:hive</cpe> - </suppress> - <suppress> - <notes>Apache Kafka vulnerabilities do not apply to Flume Kafka Sink</notes> - <packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-kafka\-sink@.*$</packageUrl> - <cpe>cpe:/a:apache:kafka</cpe> - </suppress> - <suppress> - <notes>Apache Kafka vulnerabilities do not apply to Flume Kafka Source</notes> - <packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sources/flume\-kafka\-source@.*$</packageUrl> - <cpe>cpe:/a:apache:kafka</cpe> - </suppress> - <suppress> - <notes>Apache Kafka vulnerabilities do not apply to Flume Shared Kafka</notes> - <packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-shared/flume\-shared\-kafka@.*$</packageUrl> - <cpe>cpe:/a:apache:kafka</cpe> - </suppress> - <suppress> - <notes>Apache HBase vulnerabilities do not apply to Flume HBase Sink</notes> - <packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-hbase\-sink@.*$</packageUrl> - <cpe>cpe:/a:apache:hbase</cpe> - </suppress> - <suppress> - <notes>Apache Solr vulnerabilities do not apply to Flume Solr Sink</notes> - <packageUrl regex="true">^pkg:maven/org\.apache\.flume\.flume\-ng\-sinks/flume\-ng\-morphline\-solr\-sink@.*$</packageUrl> - <cpe>cpe:/a:apache:solr</cpe> - </suppress> <suppress> <notes>CVE-2017-10355 does not apply to Xerces 2.12.2</notes> <packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl> 
@@ -74,26 +44,11 @@ <packageUrl regex="true">^pkg:maven/org\.apache\.calcite\/calcite-druid@.*$</packageUrl> <cve>CVE-2020-13955</cve> </suppress> - <suppress> - <notes>CVE-2018-8025 applies to HBase Server not HBase Client</notes> - <packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-client@.*$</packageUrl> - <cve>CVE-2018-8025</cve> - </suppress> - <suppress> - <notes>CVE-2019-0212 applies to HBase Server not HBase Client</notes> - <packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-client@.*$</packageUrl> - <cve>CVE-2019-0212</cve> - </suppress> <suppress> <notes>CVE-2007-6465 applies to Ganglia Server not Ganglia client libraries</notes> <packageUrl regex="true">^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$</packageUrl> <cve>CVE-2007-6465</cve> </suppress> - <suppress> - <notes>CVE-2021-43045 applies to the Apache Avro .NET SDK and not to the Java SDK</notes> - <packageUrl regex="true">^pkg:maven/org\.apache\.avro/avro@.*$</packageUrl> - <cve>CVE-2021-43045</cve> - </suppress> <suppress> <notes>CVE-2022-31159 applies to AWS S3 library not the SWF libraries</notes> <packageUrl regex="true">^pkg:maven/com\.amazonaws/aws\-java\-sdk\-swf\-libraries@.*$</packageUrl> 
@@ -114,16 +69,6 @@ <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch@7.*$</packageUrl> <cpe regex="true">^cpe:/a:elastic.*$</cpe> </suppress> - <suppress> - <notes>Elasticsearch Server CVE-2020-7009 does not apply to elasticsearch client libraries</notes> - <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch.*$</packageUrl> - <cve>CVE-2020-7009</cve> - </suppress> - <suppress> - <notes>Elasticsearch Server CVE-2020-7014 does not apply to elasticsearch client libraries</notes> - <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch.*$</packageUrl> - <cve>CVE-2020-7014</cve> - </suppress> <suppress> <notes>CVE-2021-22145 applies to Elasticsearch Server not client libraries</notes> <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch@.*$</packageUrl> @@ -154,11 +99,6 @@ <packageUrl regex="true">^pkg:maven/org\.apache\.calcite/calcite\-druid@.*$</packageUrl> <cve>CVE-2022-39135</cve> </suppress> - <suppress> - <notes>CVE-2018-1000873 applies to Jackson Java 8 Time modules not Jackson Annotations</notes> - <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-annotations@.*$</packageUrl> - <cve>CVE-2018-1000873</cve> - </suppress> <suppress> <notes>CVE-2010-1151 applies to mod_auth_shadow in Apache HTTP Server not the FTP server library</notes> <packageUrl regex="true">^pkg:maven/org\.apache\.ftpserver/.*$</packageUrl> 
@@ -204,31 +144,11 @@ <packageUrl regex="true">^pkg:maven/org\.apache\.hive/hive\-storage\-api@.*$</packageUrl> <cve>CVE-2021-34538</cve> </suppress> - <suppress> - <notes>CVE-2018-8025 applies to HBase server not the shaded libraries</notes> - <packageUrl regex="true">^pkg:maven/org\.apache\.hbase\.thirdparty/hbase\-shaded\-.*$</packageUrl> - <cve>CVE-2018-8025</cve> - </suppress> - <suppress> - <notes>CVE-2018-8025 applies to HBase Server not HBase libraries</notes> - <packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-.*$</packageUrl> - <cve>CVE-2018-8025</cve> - </suppress> - <suppress> - <notes>CVE-2019-0212 applies to HBase Server not HBase libraries</notes> - <packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-.*$</packageUrl> - <cve>CVE-2019-0212</cve> - </suppress> <suppress> <notes>Hadoop vulnerabilities do not apply to HBase Hadoop2 compatibility library</notes> <packageUrl regex="true">^pkg:maven/org\.apache\.hbase/hbase\-hadoop2\-compat@.*$</packageUrl> <cpe>cpe:/a:apache:hadoop</cpe> </suppress> - <suppress> - <notes>CVE-2022-45688 applies to hutools-json not org.json</notes> - <packageUrl regex="true">^pkg:maven/org\.json/json@.*$</packageUrl> - <cve>CVE-2022-45688</cve> - </suppress> <suppress> <notes>The Jackson maintainers dispute the applicability of CVE-2023-35116 based on cyclic nature of reported concern</notes> <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl> 
@@ -259,4 +179,269 @@ <packageUrl regex="true">^pkg:maven/io\.netty/netty.*?@.*$</packageUrl> <cve>CVE-2022-41915</cve> </suppress> + <suppress> + <notes>CVE-2023-34462 applies to Netty servers using SniHandler not Netty 4.1 shaded for Couchbase and HBase 2</notes> + <packageUrl regex="true">^pkg:maven/io\.netty/netty.*$</packageUrl> + <cve>CVE-2023-34462</cve> + </suppress> + <suppress> + <notes>The Square Wire framework is not the same as the Wire secure communication application</notes> + <packageUrl regex="true">^pkg:maven/com\.squareup\.wire/.*$</packageUrl> + <cpe>cpe:/a:wire:wire</cpe> + </suppress> + <suppress> + <notes>CVE-2023-44487 applies to Solr Server not Solr client libraries</notes> + <packageUrl regex="true">^pkg:maven/org\.apache\.solr/solr\-solrj@.*$</packageUrl> + <cve>CVE-2023-44487</cve> + </suppress> + <suppress> + <notes>Quartz maintainers dispute CVE-2023-39017 because it requires code injection from external users</notes> + <packageUrl regex="true">^pkg:maven/org\.quartz\-scheduler/quartz@.*$</packageUrl> + <cve>CVE-2023-39017</cve> + </suppress> + <suppress> + <notes>Avro project vulnerabilities do not apply to Parquet Avro</notes> + <packageUrl regex="true">^pkg:maven/org\.apache\.parquet/parquet\-avro@.*$</packageUrl> + <cpe>cpe:/a:avro_project:avro</cpe> + </suppress> + <suppress> + <notes>CVE-2023-4759 is resolved in 6.7.0 which is already upgraded in nifi-registry</notes> + <packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/.*$</packageUrl> + <cve>CVE-2023-4759</cve> + </suppress> + <suppress> + <notes>CVE-2023-4586 is resolved in Netty 4.1.100 which is already upgraded</notes> + <packageUrl regex="true">^pkg:maven/io\.netty/netty.*$</packageUrl> + <cve>CVE-2023-4586</cve> + </suppress> + <suppress> + <notes>CVE-2023-35887 applies to MINA SSHD not MINA core libraries</notes> + <packageUrl regex="true">^pkg:maven/org\.apache\.mina/mina\-core@.*$</packageUrl> + <cve>CVE-2023-35887</cve> + </suppress> + <suppress> + 
<notes>CVE-2016-5397 applies to Apache Thrift Go not Java</notes> + <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl> + <cve>CVE-2016-5397</cve> + </suppress> + <suppress> + <notes>CVE-2019-0210 applies to Apache Thrift Go server not Java</notes> + <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl> + <cve>CVE-2019-0210</cve> + </suppress> + <suppress> + <notes>CVE-2018-11798 applies Apache Thrift Node.js not Java</notes> + <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl> + <cve>CVE-2018-11798</cve> + </suppress> + <suppress> + <notes>CVE-2019-11939 applies to Thrift Servers in Go not Java</notes> + <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl> + <cve>CVE-2019-11939</cve> + </suppress> + <suppress> + <notes>CVE-2019-3552 applies to Thrift Servers in CPP not Java</notes> + <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl> + <cve>CVE-2019-3552</cve> + </suppress> + <suppress> + <notes>CVE-2019-3553 applies to Thrift Servers in CPP not Java</notes> + <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl> + <cve>CVE-2019-3553</cve> + </suppress> + <suppress> + <notes>CVE-2019-3558 applies to Thrift Servers in Python not Java</notes> + <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl> + <cve>CVE-2019-3558</cve> + </suppress> + <suppress> + <notes>CVE-2019-3564 applies to Thrift Servers in Go not Java</notes> + <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl> + <cve>CVE-2019-3564</cve> + </suppress> + <suppress> + <notes>CVE-2019-3565 applies to Thrift Servers in CPP not Java</notes> + <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl> + <cve>CVE-2019-3565</cve> + </suppress> + <suppress> + <notes>CVE-2021-24028 applies to Facebook Thrift CPP</notes> + <packageUrl 
regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl> + <cve>CVE-2021-24028</cve> + </suppress> + <suppress> + <notes>CVE-2019-11938 applies to Facebook Thrift Servers</notes> + <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl> + <cve>CVE-2019-11938</cve> + </suppress> + <suppress> + <notes>CVE-2019-3559 applies to Facebook Thrift Servers</notes> + <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl> + <cve>CVE-2019-3559</cve> + </suppress> + <suppress> + <notes>CVE-2023-36479 was resolved in Jetty 10.0.16</notes> + <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\-servlets@.*$</packageUrl> + <vulnerabilityName>CVE-2023-36479</vulnerabilityName> + </suppress> + <suppress> + <notes>The jetty-servlet-api is versioned according to the Java Servlet API version not the Jetty version</notes> + <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty\-servlet\-api@.*$</packageUrl> + <cpe>cpe:/a:eclipse:jetty</cpe> + </suppress> + <suppress> + <notes>CVE-2023-31419 applies to Elasticsearch Server not client libraries</notes> + <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch@.*$</packageUrl> + <vulnerabilityName>CVE-2023-31419</vulnerabilityName> + </suppress> + <suppress> + <notes>CVE-2023-37475 applies to Hamba Avro in Go not Apache Avro for Java</notes> + <packageUrl regex="true">^pkg:maven/org\.apache\.avro/.*$</packageUrl> + <cve>CVE-2023-37475</cve> + </suppress> + <suppress> + <notes>CVE-2023-45860 is resolved in Hazelcast 5.3.5</notes> + <packageUrl regex="true">^pkg:maven/com\.hazelcast/hazelcast@.*$</packageUrl> + <vulnerabilityName>CVE-2023-45860</vulnerabilityName> + </suppress> + <suppress> + <notes>CVE-2023-36414 applies to Azure Identity for .NET not Java</notes> + <packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@.*$</packageUrl> + <cve>CVE-2023-36414</cve> + </suppress> + <suppress> + <notes>CVE-2023-36415 applies to 
Azure Identity for Python not Java</notes> + <packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@.*$</packageUrl> + <cve>CVE-2023-36415</cve> + </suppress> + <suppress> + <notes>CVE-2020-13949 applies to Thrift and not to Hive</notes> + <packageUrl regex="true">^pkg:maven/org\.apache\.hive.*$</packageUrl> + <cve>CVE-2020-13949</cve> + </suppress> + <suppress> + <notes>CVE-2023-44487 applies to netty-codec-http2 as a Server</notes> + <packageUrl regex="true">^pkg:maven/io\.netty/netty.*$</packageUrl> + <cve>CVE-2023-44487</cve> + </suppress> + <suppress> + <notes>Parquet MR vulnerabilities do not apply to other Parquet libraries</notes> + <packageUrl regex="true">^pkg:maven/org\.apache\.parquet/parquet\-(?!mr).*$</packageUrl> + <cpe>cpe:/a:apache:parquet-mr</cpe> + </suppress> + <suppress> + <notes>Apache Hadoop vulnerabilities do not apply to Parquet Hadoop Bundle library</notes> + <packageUrl regex="true">^pkg:maven/org\.apache\.parquet/parquet\-hadoop\-bundle@.*$</packageUrl> + <cpe>cpe:/a:apache:hadoop</cpe> + </suppress> + <suppress> + <notes>CVE-2017-7525 applies to Jackson 2 not Jackson 1</notes> + <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@.*$</packageUrl> + <vulnerabilityName>CVE-2017-7525</vulnerabilityName> + </suppress> + <suppress> + <notes>CVE-2019-11358 applies to bundled copies of jQuery not used in the project</notes> + <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl> + <cve>CVE-2019-11358</cve> + </suppress> + <suppress> + <notes>CVE-2020-11022 applies to bundled copies of jQuery not used in the project</notes> + <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl> + <cve>CVE-2020-11022</cve> + </suppress> + <suppress> + <notes>CVE-2020-11023 applies to bundled copies of jQuery not used in the project</notes> + <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl> + <cve>CVE-2020-11023</cve> + </suppress> + <suppress> + <notes>CVE-2020-23064 applies to bundled 
copies of jQuery not used in the project</notes> + <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl> + <cve>CVE-2020-23064</cve> + </suppress> + <suppress> + <notes>CVE-2011-4969 applies to bundled copies of jQUery not used in the project</notes> + <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl> + <cve>CVE-2011-4969</cve> + </suppress> + <suppress> + <notes>CVE-2012-6708 applies to bundled copies of jQUery not used in the project</notes> + <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl> + <cve>CVE-2012-6708</cve> + </suppress> + <suppress> + <notes>CVE-2015-9251 applies to bundled copies of jQUery not used in the project</notes> + <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl> + <cve>CVE-2015-9251</cve> + </suppress> + <suppress> + <notes>CVE-2020-7656 applies to bundled copies of jQUery not used in the project</notes> + <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl> + <cve>CVE-2020-7656</cve> + </suppress> + <suppress> + <notes>jQuery vulnerability warning for historical versions</notes> + <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl> + <vulnerabilityName>jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates</vulnerabilityName> + </suppress> + <suppress> + <notes>CVE-2020-28458 applies to bundled copies of jQuery datatables not used in the project</notes> + <packageUrl regex="true">^pkg:javascript/jquery\.datatables@.*$</packageUrl> + <cve>CVE-2020-28458</cve> + </suppress> + <suppress> + <notes>CVE-2021-23445 applies to bundled copies of jQuery datatables not used in the project</notes> + <packageUrl regex="true">^pkg:javascript/jquery\.datatables@.*$</packageUrl> + <cve>CVE-2021-23445</cve> + </suppress> + <suppress> + <notes>CVE-2023-44487 references gRPC for Go</notes> + <packageUrl regex="true">^pkg:maven/io\.grpc/grpc.*$</packageUrl> + <cve>CVE-2023-44487</cve> + </suppress> + <suppress> + <notes>Guava temporary directory file 
creation is not used</notes> + <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl> + <cve>CVE-2023-2976</cve> + </suppress> + <suppress> + <notes>Guava temporary directory file creation is not used</notes> + <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl> + <cve>CVE-2020-8908</cve> + </suppress> + <suppress> + <notes>CVE-2021-44521 applies to Apache Cassandra Server</notes> + <packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-extras@.*$</packageUrl> + <cve>CVE-2021-44521</cve> + </suppress> + <suppress> + <notes>CVE-2020-17516 applies to Apache Cassandra Server</notes> + <packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-extras@.*$</packageUrl> + <cve>CVE-2020-17516</cve> + </suppress> + <suppress> + <notes>CVE-2019-2684 applies to Apache Cassandra Server</notes> + <packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-extras@.*$</packageUrl> + <cve>CVE-2019-2684</cve> + </suppress> + <suppress> + <notes>CVE-2020-13946 applies to Apache Cassandra Server</notes> + <packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-extras@.*$</packageUrl> + <cve>CVE-2020-13946</cve> + </suppress> + <suppress> + <notes>CVE-2019-10172 applies to Jackson 1 XmlMapper not JSON mapper used in Ranger plugins</notes> + <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@.*$</packageUrl> + <cve>CVE-2019-10172</cve> + </suppress> + <suppress> + <notes>Bundled versions of jQuery DataTables are not used</notes> + <packageUrl regex="true">^pkg:javascript/jquery\.datatables@.*$</packageUrl> + <vulnerabilityName>prototype pollution</vulnerabilityName> + </suppress> + <suppress> + <notes>Bundled versions of jQuery DataTables are not used</notes> + <packageUrl regex="true">^pkg:javascript/jquery\.datatables@.*$</packageUrl> + <vulnerabilityName>possible XSS</vulnerabilityName> + </suppress> </suppressions> 
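Review bot: Several of the added suppressions are justified by a fixed version but match every version of the artifact, so they would keep hiding the finding if an older copy returns transitively: CVE-2023-4586 on `^pkg:maven/io\.netty/netty.*$`, CVE-2023-4759 on `org\.eclipse\.jgit/.*`, CVE-2023-36479 on `jetty\-servlets@.*` and CVE-2023-45860 on `hazelcast@.*`. For these, either restrict the `packageUrl` to the version line that was reviewed or add an `until` date to the `<suppress>` element so the entry expires and is re-examined. The three `io\.netty/netty.*` entries also cover every Netty artifact, while their notes name only the shaded Couchbase/HBase copies or `netty-codec-http2`; anchoring the pattern on the artifact id (for example `netty\-codec\-http2@.*`) keeps the suppression as narrow as its justification. The same applies to `^pkg:maven/org\.apache\.hive.*$` and `^pkg:maven/io\.grpc/grpc.*$`, which match any artifact whose coordinates begin with that prefix. The jQuery and DataTables entries assert that the bundled copies are "not used" for every version and location; it would help to name in the note which dependency bundles them, so a reviewer can confirm the claim later.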
diff --git a/nifi-nar-bundles/nifi-accumulo-bundle/pom.xml b/nifi-nar-bundles/nifi-accumulo-bundle/pom.xml index 2e77646a81..9183e65560 100644 --- a/nifi-nar-bundles/nifi-accumulo-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-accumulo-bundle/pom.xml @@ -59,18 +59,6 @@ <artifactId>hadoop-client-runtime</artifactId> <version>${hadoop.version}</version> </dependency> - <!-- Override ZooKeeper from accumulo-core --> - <dependency> - <groupId>org.apache.zookeeper</groupId> - <artifactId>zookeeper</artifactId> - <version>${zookeeper.version}</version> - <exclusions> - <exclusion> - <groupId>ch.qos.logback</groupId> - <artifactId>logback-classic</artifactId> - </exclusion> - </exclusions> - </dependency> <dependency> <groupId>org.apache.accumulo</groupId> <artifactId>accumulo-core</artifactId> diff --git a/nifi-nar-bundles/nifi-asana-bundle/pom.xml b/nifi-nar-bundles/nifi-asana-bundle/pom.xml index 2bb6bf792c..33a62e8d03 100644 --- a/nifi-nar-bundles/nifi-asana-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-asana-bundle/pom.xml @@ -67,6 +67,12 @@ </exclusion> </exclusions> </dependency> + <!-- Override grpc-context from Asana --> + <dependency> + <groupId>io.grpc</groupId> + <artifactId>grpc-context</artifactId> + <version>1.59.0</version> + </dependency> </dependencies> </dependencyManagement> </project> diff --git a/nifi-nar-bundles/nifi-atlas-bundle/pom.xml b/nifi-nar-bundles/nifi-atlas-bundle/pom.xml index a85cd1cf83..0fcc26de40 100644 --- a/nifi-nar-bundles/nifi-atlas-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-atlas-bundle/pom.xml @@ -117,6 +117,12 @@ <artifactId>guava</artifactId> <version>${guava.version}</version> </dependency> + <!-- Override Jettison from Atlas --> + <dependency> + <groupId>org.codehaus.jettison</groupId> + <artifactId>jettison</artifactId> + <version>1.5.4</version> + </dependency> </dependencies> </dependencyManagement> </project> 
diff --git a/nifi-nar-bundles/nifi-azure-bundle/pom.xml b/nifi-nar-bundles/nifi-azure-bundle/pom.xml index 1a4a497285..7edc596db1 100644 --- a/nifi-nar-bundles/nifi-azure-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-azure-bundle/pom.xml @@ -27,7 +27,7 @@ <packaging>pom</packaging> <properties> - <azure.sdk.bom.version>1.2.16</azure.sdk.bom.version> + <azure.sdk.bom.version>1.2.17</azure.sdk.bom.version> <msal4j.version>1.13.10</msal4j.version> <qpid.proton.version>0.34.1</qpid.proton.version> </properties> diff --git a/nifi-nar-bundles/nifi-box-bundle/pom.xml b/nifi-nar-bundles/nifi-box-bundle/pom.xml index c4d161b4f1..9a9378082f 100644 --- a/nifi-nar-bundles/nifi-box-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-box-bundle/pom.xml @@ -34,4 +34,15 @@ <module>nifi-box-services-api</module> <module>nifi-box-services-nar</module> </modules> + + <dependencyManagement> + <dependencies> + <!-- Override jose4j 0.9.0 from box-java-sdk --> + <dependency> + <groupId>org.bitbucket.b_c</groupId> + <artifactId>jose4j</artifactId> + <version>0.9.3</version> + </dependency> + </dependencies> + </dependencyManagement> </project> diff --git a/nifi-nar-bundles/nifi-framework-bundle/pom.xml b/nifi-nar-bundles/nifi-framework-bundle/pom.xml index 97fbd03c19..6f29f7117b 100644 --- a/nifi-nar-bundles/nifi-framework-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-framework-bundle/pom.xml @@ -475,11 +475,6 @@ <artifactId>metrics-core</artifactId> <version>4.2.19</version> </dependency> - <dependency> - <groupId>org.apache.zookeeper</groupId> - <artifactId>zookeeper</artifactId> - <version>${zookeeper.version}</version> - </dependency> <dependency> <groupId>org.apache.curator</groupId> <artifactId>curator-framework</artifactId> diff --git a/nifi-nar-bundles/nifi-gcp-bundle/pom.xml b/nifi-nar-bundles/nifi-gcp-bundle/pom.xml index aa6366fe25..5ef800b8ff 100644 --- a/nifi-nar-bundles/nifi-gcp-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-gcp-bundle/pom.xml 
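Review bot: The `jose4j` override to `0.9.3` in the `nifi-box-bundle/pom.xml` hunk is not listed in the commit description, and neither is the `amqp-client` override added in `nifi-graph-test-clients/pom.xml`, so neither change can be traced back to a dependency-check finding from the commit record. Since `jose4j` handles token signing and encryption for the Box SDK, the comment should record why the version is forced and when it can be dropped, for example `<!-- Override jose4j 0.9.0 from box-java-sdk for dependency-check finding; remove when box-java-sdk brings 0.9.3 or later -->`. The new `dependencyManagement` block is complete within the hunk.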
@@ -27,7 +27,7 @@ <packaging>pom</packaging> <properties> - <google.libraries.version>26.22.0</google.libraries.version> + <google.libraries.version>26.25.0</google.libraries.version> </properties> <dependencyManagement> diff --git a/nifi-nar-bundles/nifi-graph-bundle/nifi-graph-test-clients/pom.xml b/nifi-nar-bundles/nifi-graph-bundle/nifi-graph-test-clients/pom.xml index 73f9e392a6..b486344678 100644 --- a/nifi-nar-bundles/nifi-graph-bundle/nifi-graph-test-clients/pom.xml +++ b/nifi-nar-bundles/nifi-graph-bundle/nifi-graph-test-clients/pom.xml @@ -28,6 +28,7 @@ <gremlin.version>3.7.0</gremlin.version> <janusgraph.version>0.6.3</janusgraph.version> <guava.version>32.1.2-jre</guava.version> + <amqp-client.version>5.19.0</amqp-client.version> </properties> <dependencyManagement> <dependencies> @@ -54,6 +55,12 @@ <artifactId>guava</artifactId> <version>${guava.version}</version> </dependency> + <!-- Override AMQP Client from JanusGraph --> + <dependency> + <groupId>com.rabbitmq</groupId> + <artifactId>amqp-client</artifactId> + <version>${amqp-client.version}</version> + </dependency> </dependencies> </dependencyManagement> <dependencies> diff --git a/nifi-nar-bundles/nifi-hazelcast-bundle/nifi-hazelcast-services/pom.xml b/nifi-nar-bundles/nifi-hazelcast-bundle/nifi-hazelcast-services/pom.xml index e44d3e3e02..3aa75f404f 100644 --- a/nifi-nar-bundles/nifi-hazelcast-bundle/nifi-hazelcast-services/pom.xml +++ b/nifi-nar-bundles/nifi-hazelcast-bundle/nifi-hazelcast-services/pom.xml 
@@ -26,41 +26,28 @@ <packaging>jar</packaging> <dependencies> - <!-- Internal dependencies --> - <dependency> <groupId>org.apache.nifi</groupId> <artifactId>nifi-hazelcast-services-api</artifactId> <version>2.0.0-SNAPSHOT</version> <scope>provided</scope> </dependency> - <dependency> <groupId>org.apache.nifi</groupId> <artifactId>nifi-utils</artifactId> - <version>2.0.0-SNAPSHOT</version> </dependency> - <dependency> <groupId>org.apache.nifi</groupId> <artifactId>nifi-distributed-cache-client-service-api</artifactId> </dependency> - - <!-- External dependencies --> - <dependency> <groupId>com.hazelcast</groupId> <artifactId>hazelcast</artifactId> - <version>5.3.2</version> + <version>5.3.5</version> </dependency> - - <!-- Test dependencies --> - <dependency> <groupId>org.apache.nifi</groupId> <artifactId>nifi-mock</artifactId> - <version>2.0.0-SNAPSHOT</version> - <scope>test</scope> </dependency> </dependencies> </project> diff --git a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-test-utils/pom.xml b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-test-utils/pom.xml index a3d7014abc..677498bc8d 100644 --- a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-test-utils/pom.xml +++ b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive-test-utils/pom.xml @@ -99,6 +99,12 @@ <artifactId>guava</artifactId> <version>32.1.2-jre</version> </dependency> + <!-- Override Jettison from Hive --> + <dependency> + <groupId>org.codehaus.jettison</groupId> + <artifactId>jettison</artifactId> + <version>1.5.4</version> + </dependency> </dependencies> </dependencyManagement> <dependencies> diff --git a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml index d142166ff3..e65295356f 100644 --- a/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml +++ b/nifi-nar-bundles/nifi-hive-bundle/nifi-hive3-processors/pom.xml 
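Review bot: In nifi-hazelcast-services the `nifi-mock` dependency loses its explicit `<scope>test</scope>` along with the version, so its scope now depends on managed or inherited configuration that is not visible in this hunk. If that configuration does not set test scope, the mock framework would resolve at compile scope and be packaged with the Hazelcast services artifact, widening what ships and what dependency-check has to cover. Keeping `<scope>test</scope>` on this entry makes the intent local; otherwise confirm with `mvn dependency:tree` that the scope still resolves to test.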
@@ -144,6 +144,27 @@ <groupId>org.eclipse.jetty.websocket</groupId> <artifactId>websocket-client</artifactId> </exclusion> + <!-- Exclude HBase --> + <exclusion> + <groupId>org.apache.hbase</groupId> + <artifactId>hbase-common</artifactId> + </exclusion> + <exclusion> + <groupId>org.apache.hbase</groupId> + <artifactId>hbase-client</artifactId> + </exclusion> + <exclusion> + <groupId>org.apache.hbase</groupId> + <artifactId>hbase-mapreduce</artifactId> + </exclusion> + <exclusion> + <groupId>org.apache.hbase</groupId> + <artifactId>hbase-hadoop2-compat</artifactId> + </exclusion> + <exclusion> + <groupId>org.apache.hbase</groupId> + <artifactId>hbase-hadoop-compat</artifactId> + </exclusion> </exclusions> </dependency> <dependency> diff --git a/nifi-nar-bundles/nifi-hive-bundle/pom.xml b/nifi-nar-bundles/nifi-hive-bundle/pom.xml index eec3bc6f31..a365a77157 100644 --- a/nifi-nar-bundles/nifi-hive-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-hive-bundle/pom.xml @@ -58,6 +58,17 @@ <artifactId>calcite-core</artifactId> <version>${calcite.version}</version> </dependency> + <!-- Override Commons Compiler 3.1.9 from calcite-core --> + <dependency> + <groupId>org.codehaus.janino</groupId> + <artifactId>commons-compiler</artifactId> + <version>3.1.10</version> + </dependency> + <dependency> + <groupId>org.codehaus.janino</groupId> + <artifactId>janino</artifactId> + <version>3.1.10</version> + </dependency> <!-- Override Apache Calcite Avatica subproject version for Hive 3 --> <dependency> <groupId>org.apache.calcite.avatica</groupId> 
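Review bot: The HBase exclusions added to nifi-hive3-processors are listed one artifact at a time, so any other `org.apache.hbase` artifact that arrives transitively, now or after a Hive upgrade, is still packaged and still produces findings. The nifi-iceberg-processors hunk extends its list the same way. Another exclusion in this commit (camel-salesforce) already uses a wildcard, so a single `<exclusion><groupId>org.apache.hbase</groupId><artifactId>*</artifactId></exclusion>` would cover the whole group in both places. The enclosing `<dependency>` starts outside the hunk, so it is worth confirming that no Hive code path used by the processors loads HBase classes at runtime.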
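Review bot: The Janino override in nifi-hive-bundle hard-codes `3.1.10` twice, and the same pair is repeated in the nifi-sql-reporting-bundle and nifi-standard-bundle hunks, so six literals have to be changed together at the next upgrade. `commons-compiler` and `janino` are versioned together, so a half-updated pair is the likely failure; a shared property defined in the root pom, used as `<version>${janino.version}</version>`, would keep them aligned. The comment also names only Commons Compiler although both artifacts are overridden; `<!-- Override Janino and Commons Compiler 3.1.9 from calcite-core -->` would be more accurate.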
@@ -76,18 +87,6 @@ <artifactId>derby</artifactId> <version>${derby.version}</version> </dependency> - <!-- Override zookeeper --> - <dependency> - <groupId>org.apache.zookeeper</groupId> - <artifactId>zookeeper</artifactId> - <version>${zookeeper.version}</version> - <exclusions> - <exclusion> - <groupId>ch.qos.logback</groupId> - <artifactId>logback-classic</artifactId> - </exclusion> - </exclusions> - </dependency> <!-- Override ant --> <dependency> <groupId>org.apache.ant</groupId> @@ -105,6 +104,12 @@ <artifactId>nimbus-jose-jwt</artifactId> <version>9.33</version> </dependency> + <!-- Override Groovy from hive-exec --> + <dependency> + <groupId>org.codehaus.groovy</groupId> + <artifactId>groovy-all</artifactId> + <version>2.4.21</version> + </dependency> </dependencies> </dependencyManagement> diff --git a/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors/pom.xml b/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors/pom.xml index 522d9f1b79..26dc70ff81 100644 --- a/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors/pom.xml +++ b/nifi-nar-bundles/nifi-iceberg-bundle/nifi-iceberg-processors/pom.xml @@ -186,6 +186,14 @@ <groupId>org.apache.hbase</groupId> <artifactId>hbase-client</artifactId> </exclusion> + <exclusion> + <groupId>org.apache.hbase</groupId> + <artifactId>hbase-mapreduce</artifactId> + </exclusion> + <exclusion> + <groupId>org.apache.hbase</groupId> + <artifactId>hbase-hadoop2-compat</artifactId> + </exclusion> <exclusion> <groupId>co.cask.tephra</groupId> <artifactId>tephra-api</artifactId> diff --git a/nifi-nar-bundles/nifi-iceberg-bundle/pom.xml b/nifi-nar-bundles/nifi-iceberg-bundle/pom.xml index feb62c3e26..39840a4d82 100644 --- a/nifi-nar-bundles/nifi-iceberg-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-iceberg-bundle/pom.xml 
@@ -64,18 +64,6 @@ <artifactId>derby</artifactId> <version>${derby.version}</version> </dependency> - <!-- Override zookeeper --> - <dependency> - <groupId>org.apache.zookeeper</groupId> - <artifactId>zookeeper</artifactId> - <version>${zookeeper.version}</version> - <exclusions> - <exclusion> - <groupId>ch.qos.logback</groupId> - <artifactId>logback-classic</artifactId> - </exclusion> - </exclusions> - </dependency> <!-- Override ant --> <dependency> <groupId>org.apache.ant</groupId> @@ -116,6 +104,12 @@ <artifactId>guava</artifactId> <version>32.1.2-jre</version> </dependency> + <!-- Override Groovy from hive-exec --> + <dependency> + <groupId>org.codehaus.groovy</groupId> + <artifactId>groovy-all</artifactId> + <version>2.4.21</version> + </dependency> </dependencies> </dependencyManagement> </project> diff --git a/nifi-nar-bundles/nifi-ranger-bundle/pom.xml b/nifi-nar-bundles/nifi-ranger-bundle/pom.xml index 7298a5458d..1cc559785f 100644 --- a/nifi-nar-bundles/nifi-ranger-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-ranger-bundle/pom.xml @@ -37,12 +37,6 @@ <dependencyManagement> <dependencies> - <!-- Override zookeeper --> - <dependency> - <groupId>org.apache.zookeeper</groupId> - <artifactId>zookeeper</artifactId> - <version>${zookeeper.version}</version> - </dependency> <!-- Override commons-beanutils --> <dependency> <groupId>commons-beanutils</groupId> @@ -96,6 +90,12 @@ <artifactId>guava</artifactId> <version>32.1.2-jre</version> </dependency> + <!-- Override Jettison from Ranger --> + <dependency> + <groupId>org.codehaus.jettison</groupId> + <artifactId>jettison</artifactId> + <version>1.5.4</version> + </dependency> </dependencies> </dependencyManagement> </project> diff --git a/nifi-nar-bundles/nifi-salesforce-bundle/nifi-salesforce-processors/pom.xml b/nifi-nar-bundles/nifi-salesforce-bundle/nifi-salesforce-processors/pom.xml index ac1210211b..d239568355 100644 --- a/nifi-nar-bundles/nifi-salesforce-bundle/nifi-salesforce-processors/pom.xml 
+++ b/nifi-nar-bundles/nifi-salesforce-bundle/nifi-salesforce-processors/pom.xml @@ -49,7 +49,7 @@ <dependency> <groupId>org.apache.camel</groupId> <artifactId>camel-salesforce</artifactId> - <version>3.14.5</version> + <version>3.14.9</version> <exclusions> <exclusion> <groupId>*</groupId> diff --git a/nifi-nar-bundles/nifi-spark-bundle/pom.xml b/nifi-nar-bundles/nifi-spark-bundle/pom.xml index 324214b04b..1c2cf7089b 100644 --- a/nifi-nar-bundles/nifi-spark-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-spark-bundle/pom.xml @@ -65,18 +65,6 @@ <artifactId>nimbus-jose-jwt</artifactId> <version>9.33</version> </dependency> - <!-- Override zookeeper --> - <dependency> - <groupId>org.apache.zookeeper</groupId> - <artifactId>zookeeper</artifactId> - <version>${zookeeper.version}</version> - <exclusions> - <exclusion> - <groupId>ch.qos.logback</groupId> - <artifactId>logback-classic</artifactId> - </exclusion> - </exclusions> - </dependency> </dependencies> </dependencyManagement> diff --git a/nifi-nar-bundles/nifi-sql-reporting-bundle/pom.xml b/nifi-nar-bundles/nifi-sql-reporting-bundle/pom.xml index 08360e830f..f405f42bc6 100644 --- a/nifi-nar-bundles/nifi-sql-reporting-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-sql-reporting-bundle/pom.xml @@ -41,6 +41,17 @@ <artifactId>guava</artifactId> <version>${guava.version}</version> </dependency> + <!-- Override Commons Compiler 3.1.9 from calcite-core --> + <dependency> + <groupId>org.codehaus.janino</groupId> + <artifactId>commons-compiler</artifactId> + <version>3.1.10</version> + </dependency> + <dependency> + <groupId>org.codehaus.janino</groupId> + <artifactId>janino</artifactId> + <version>3.1.10</version> + </dependency> </dependencies> </dependencyManagement> </project> diff --git a/nifi-nar-bundles/nifi-standard-bundle/pom.xml b/nifi-nar-bundles/nifi-standard-bundle/pom.xml index 9dcbcf2f64..bc090c6efe 100644 --- a/nifi-nar-bundles/nifi-standard-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-standard-bundle/pom.xml 
@@ -274,6 +274,17 @@ </exclusion> </exclusions> </dependency> + <!-- Override Commons Compiler 3.1.9 from calcite-core --> + <dependency> + <groupId>org.codehaus.janino</groupId> + <artifactId>commons-compiler</artifactId> + <version>3.1.10</version> + </dependency> + <dependency> + <groupId>org.codehaus.janino</groupId> + <artifactId>janino</artifactId> + <version>3.1.10</version> + </dependency> <dependency> <groupId>org.apache.sshd</groupId> <artifactId>sshd-core</artifactId> diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-hbase_2-client-service-bundle/nifi-hbase_2-client-service/pom.xml b/nifi-nar-bundles/nifi-standard-services/nifi-hbase_2-client-service-bundle/nifi-hbase_2-client-service/pom.xml index 256164380b..ae1dae946a 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-hbase_2-client-service-bundle/nifi-hbase_2-client-service/pom.xml +++ b/nifi-nar-bundles/nifi-standard-services/nifi-hbase_2-client-service-bundle/nifi-hbase_2-client-service/pom.xml @@ -113,6 +113,10 @@ <groupId>jdk.tools</groupId> <artifactId>jdk.tools</artifactId> </exclusion> + <exclusion> + <groupId>org.apache.htrace</groupId> + <artifactId>htrace-core4</artifactId> + </exclusion> </exclusions> </dependency> <dependency> diff --git a/nifi-nar-bundles/nifi-standard-services/nifi-hbase_2-client-service-bundle/pom.xml b/nifi-nar-bundles/nifi-standard-services/nifi-hbase_2-client-service-bundle/pom.xml index b9fa810df4..3dae76fc5a 100644 --- a/nifi-nar-bundles/nifi-standard-services/nifi-hbase_2-client-service-bundle/pom.xml +++ b/nifi-nar-bundles/nifi-standard-services/nifi-hbase_2-client-service-bundle/pom.xml 
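Review bot: The new `htrace-core4` exclusion in nifi-hbase_2-client-service has no comment explaining why it is safe to drop. The `<dependency>` it belongs to starts outside the hunk, so a reader cannot tell whether the HBase client still references HTrace classes. If it does, the problem would show up only as a missing-class error at runtime, not at build time. Once that has been checked against a running HBase, I would add `<!-- Exclude HTrace flagged by dependency-check; not required by the HBase 2 client at runtime -->` above the exclusion.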
@@ -62,18 +62,6 @@ <artifactId>commons-beanutils</artifactId> <version>1.9.4</version> </dependency> - <!-- Override zookeeper --> - <dependency> - <groupId>org.apache.zookeeper</groupId> - <artifactId>zookeeper</artifactId> - <version>${zookeeper.version}</version> - <exclusions> - <exclusion> - <groupId>ch.qos.logback</groupId> - <artifactId>logback-classic</artifactId> - </exclusion> - </exclusions> - </dependency> <!-- Override nimbus-jose-jwt 9.8.1 from hadoop-auth --> <dependency> <groupId>com.nimbusds</groupId> diff --git a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/pom.xml b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/pom.xml index 9f3351e696..8f5b872243 100644 --- a/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/pom.xml +++ b/nifi-registry/nifi-registry-extensions/nifi-registry-ranger/pom.xml @@ -48,12 +48,6 @@ <artifactId>jetty-webapp</artifactId> <version>${jetty.version}</version> </dependency> - <!-- Override zookeeper --> - <dependency> - <groupId>org.apache.zookeeper</groupId> - <artifactId>zookeeper</artifactId> - <version>${zookeeper.version}</version> - </dependency> <!-- Override SolrJ 8.6.3 from Ranger --> <dependency> <groupId>org.apache.solr</groupId> diff --git a/pom.xml b/pom.xml index e21dcfb6a9..7f37c85447 100644 --- a/pom.xml +++ b/pom.xml @@ -106,7 +106,7 @@ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding> <inceptionYear>2014</inceptionYear> - <com.amazonaws.version>1.12.550</com.amazonaws.version> + <com.amazonaws.version>1.12.573</com.amazonaws.version> <software.amazon.awssdk.version>2.20.148</software.amazon.awssdk.version> <gson.version>2.10.1</gson.version> <io.fabric8.kubernetes.client.version>6.8.1</io.fabric8.kubernetes.client.version> 
@@ -140,7 +140,7 @@ <ozone.version>1.2.1</ozone.version> <gcs.version>2.1.5</gcs.version> <aspectj.version>1.9.20.1</aspectj.version> - <jersey.bom.version>2.40</jersey.bom.version> + <jersey.bom.version>2.41</jersey.bom.version> <log4j2.version>2.20.0</log4j2.version> <logback.version>1.3.11</logback.version> <mockito.version>5.5.0</mockito.version> @@ -706,6 +706,22 @@ <artifactId>caffeine</artifactId> <version>${caffeine.version}</version> </dependency> + <dependency> + <groupId>org.apache.zookeeper</groupId> + <artifactId>zookeeper</artifactId> + <version>${zookeeper.version}</version> + </dependency> + <dependency> + <groupId>org.apache.zookeeper</groupId> + <artifactId>zookeeper-jute</artifactId> + <version>${zookeeper.version}</version> + </dependency> + <!-- Managed JUnit 4 version for transitive dependencies such as OkHttp MockWebServer --> + <dependency> + <groupId>junit</groupId> + <artifactId>junit</artifactId> + <version>4.13.2</version> + </dependency> </dependencies> </dependencyManagement> @@ -1259,7 +1275,7 @@ <plugin> <groupId>org.owasp</groupId> <artifactId>dependency-check-maven</artifactId> - <version>8.4.0</version> + <version>8.4.2</version> <executions> <execution> <inherited>false</inherited>
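Review bot: The managed `zookeeper` entry added to the root pom carries no exclusions, although four of the per-bundle overrides this commit deletes (nifi-hive-bundle, nifi-iceberg-bundle, nifi-spark-bundle and nifi-hbase_2-client-service-bundle) excluded `ch.qos.logback:logback-classic`. Unless that exclusion is applied somewhere outside the visible hunks, those bundles can resolve logback-classic transitively through ZooKeeper again, which puts a logging implementation back into their dependency sets and adds an artifact to scan. Carrying the exclusion into the managed entry would preserve the previous behaviour for every module that inherits it.

```xml
<artifactId>zookeeper</artifactId>
<version>${zookeeper.version}</version>
<exclusions>
    <exclusion>
        <groupId>ch.qos.logback</groupId>
        <artifactId>logback-classic</artifactId>
    </exclusion>
</exclusions>
<!-- … unchanged: closing tag, zookeeper-jute and junit managed entries … -->
```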