This is an automated email from the ASF dual-hosted git repository.

joewitt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/main by this push:
     new b6952f1246 NIFI-13933 Upgraded Spring Security to 6.3.4 and other 
dependencies This closes #9450
b6952f1246 is described below

commit b6952f124629fec201d479105d9246647788fd0a
Author: exceptionfactory <[email protected]>
AuthorDate: Thu Oct 24 16:58:07 2024 -0500

    NIFI-13933 Upgraded Spring Security to 6.3.4 and other dependencies
    This closes #9450
    
    - Upgraded Spring Security from 6.3.3 to 6.3.4
    - Upgraded Hadoop from 3.4.0 to 3.4.1
    - Upgraded Velocity Engine Core from 2.3.0 to 2.4.1
    - Upgraded Parquet Avro from 1.13.1 to 1.14.3
    - Upgraded Google Libraries from 26.47.0 to 26.49.0
    - Set protobuf-java to 3.25.5 for calcite-core and amazon-kinesis-client 
libraries
    - Updated Dependency Check suppressions
    
    Signed-off-by: Joseph Witt <[email protected]>
---
 nifi-code-coverage/pom.xml                         |  6 ++
 nifi-commons/nifi-calcite-utils/pom.xml            |  6 ++
 nifi-dependency-check-maven/suppressions.xml       | 78 ++++++++--------------
 nifi-extension-bundles/nifi-aws-bundle/pom.xml     |  6 ++
 .../processors/gcp/storage/AbstractGCSTest.java    |  2 +-
 nifi-extension-bundles/nifi-gcp-bundle/pom.xml     |  2 +-
 .../nifi-parquet-processors/pom.xml                |  2 +-
 .../nifi-registry-core/nifi-registry-test/pom.xml  |  7 ++
 pom.xml                                            | 11 ++-
 9 files changed, 64 insertions(+), 56 deletions(-)

diff --git a/nifi-code-coverage/pom.xml b/nifi-code-coverage/pom.xml
index 1b8c2fc49a..bbf2d810fc 100644
--- a/nifi-code-coverage/pom.xml
+++ b/nifi-code-coverage/pom.xml
@@ -113,6 +113,12 @@
                 <artifactId>apache-mime4j-core</artifactId>
                 <version>${mime4j.version}</version>
             </dependency>
+            <!-- Override protobuf-java from amazon-kinesis-client -->
+            <dependency>
+                <groupId>com.google.protobuf</groupId>
+                <artifactId>protobuf-java</artifactId>
+                <version>3.25.5</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 
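Review bot: The protobuf-java override on L50-L54 hard-codes the literal `3.25.5`, and the same literal is repeated in nifi-calcite-utils/pom.xml (L68-L72) and nifi-aws-bundle/pom.xml (L259-L263), so the next protobuf bump has three places to drift apart. The root pom.xml in this same commit manages velocity through a property (`<velocity-engine-core.version>` on L362); a matching property plus dependencyManagement entry in the root pom (a constructed name such as `<protobuf-java.version>3.25.5</protobuf-java.version>`) would let the module poms reference `${protobuf-java.version}` instead. The comment on L49 names the dependency being overridden but not why; extending it to `<!-- Override protobuf-java from amazon-kinesis-client to the version required for NIFI-13933 -->` records the reason so the pin is not silently dropped when amazon-kinesis-client is next upgraded.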
diff --git a/nifi-commons/nifi-calcite-utils/pom.xml 
b/nifi-commons/nifi-calcite-utils/pom.xml
index fc7a69e4f6..c7c66e2ecd 100644
--- a/nifi-commons/nifi-calcite-utils/pom.xml
+++ b/nifi-commons/nifi-calcite-utils/pom.xml
@@ -65,6 +65,12 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <!-- Override protobuf-java from calcite-core -->
+        <dependency>
+            <groupId>com.google.protobuf</groupId>
+            <artifactId>protobuf-java</artifactId>
+            <version>3.25.5</version>
+        </dependency>
     </dependencies>
 
 </project>
diff --git a/nifi-dependency-check-maven/suppressions.xml 
b/nifi-dependency-check-maven/suppressions.xml
index 19021551ee..e71529a3dc 100644
--- a/nifi-dependency-check-maven/suppressions.xml
+++ b/nifi-dependency-check-maven/suppressions.xml
@@ -19,16 +19,6 @@
         <packageUrl regex="true">^pkg:maven/org\.apache\.nifi.*$</packageUrl>
         <cpe regex="true">^cpe:.*$</cpe>
     </suppress>
-    <suppress>
-        <notes>CVE-2017-10355 does not apply to Xerces 2.12.2</notes>
-        <packageUrl regex="true">^pkg:maven/xerces/xercesImpl@.*$</packageUrl>
-        <cve>CVE-2017-10355</cve>
-    </suppress>
-    <suppress>
-        <notes>CVE-2007-6465 applies to Ganglia Server not Ganglia client 
libraries</notes>
-        <packageUrl 
regex="true">^pkg:maven/com\.yammer\.metrics/metrics\-ganglia@.*$</packageUrl>
-        <cve>CVE-2007-6465</cve>
-    </suppress>
     <suppress>
         <notes>Elasticsearch Server vulnerabilities do not apply to 
elasticsearch-rest-client</notes>
         <packageUrl 
regex="true">^pkg:maven/org\.elasticsearch\.client/elasticsearch\-.*?\-client@.*$</packageUrl>
@@ -44,11 +34,6 @@
         <packageUrl 
regex="true">^pkg:maven/com\.azure/azure\-messaging\-eventhubs\-checkpointstore\-blob@.*$</packageUrl>
         <cve>CVE-2022-30187</cve>
     </suppress>
-    <suppress>
-        <notes>CVE-2010-1151 applies to mod_auth_shadow in Apache HTTP Server 
not the FTP server library</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.apache\.ftpserver/.*$</packageUrl>
-        <cve>CVE-2010-1151</cve>
-    </suppress>
     <suppress>
         <notes>CVE-2018-14335 applies to H2 running with a web server console 
enabled</notes>
         <packageUrl regex="true">^pkg:maven/com\.h2database/h2@.*$</packageUrl>
@@ -69,16 +54,6 @@
         <packageUrl 
regex="true">^pkg:maven/com\.google\.api\.grpc/grpc\-google\-cloud\-pubsublite\-v1@.*$</packageUrl>
         <cpe>cpe:/a:grpc:grpc</cpe>
     </suppress>
-    <suppress>
-        <notes>CVE-2020-9040 applies to Couchbase Server not the client 
library</notes>
-        <packageUrl 
regex="true">^pkg:maven/com\.couchbase\.client/core\-io@.*$</packageUrl>
-        <vulnerabilityName>CVE-2020-9040</vulnerabilityName>
-    </suppress>
-    <suppress>
-        <notes>CVE-2022-41881 applies to HA Proxy components in Netty which 
are not used in Couchbase or other components</notes>
-        <packageUrl regex="true">^pkg:maven/io\.netty/.*$</packageUrl>
-        <cve>CVE-2022-41881</cve>
-    </suppress>
     <suppress>
         <notes>CVE-2021-34538 applies to Apache Hive server not the Storage 
API library</notes>
         <packageUrl 
regex="true">^pkg:maven/org\.apache\.hive/hive\-storage\-api@.*$</packageUrl>
@@ -94,16 +69,6 @@
         <packageUrl 
regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
         <vulnerabilityName>CVE-2023-35116</vulnerabilityName>
     </suppress>
-    <suppress>
-        <notes>CVE-2023-25194 applies to Kafka Connect workers not client 
libraries</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.apache\.kafka/kafka.*?@.*$</packageUrl>
-        <cve>CVE-2023-25194</cve>
-    </suppress>
-    <suppress>
-        <notes>CVE-2023-34462 applies to Netty servers using SniHandler not 
Netty 4.1 shaded for Couchbase and HBase 2</notes>
-        <packageUrl regex="true">^pkg:maven/io\.netty/netty.*$</packageUrl>
-        <cve>CVE-2023-34462</cve>
-    </suppress>
     <suppress>
         <notes>The Square Wire framework is not the same as the Wire secure 
communication application</notes>
         <packageUrl 
regex="true">^pkg:maven/com\.squareup\.wire/.*$</packageUrl>
@@ -189,11 +154,6 @@
         <packageUrl regex="true">^pkg:maven/org\.apache\.hive.*$</packageUrl>
         <cve>CVE-2020-13949</cve>
     </suppress>
-    <suppress>
-        <notes>CVE-2023-44487 applies to netty-codec-http2 as a Server</notes>
-        <packageUrl regex="true">^pkg:maven/io\.netty/netty.*$</packageUrl>
-        <cve>CVE-2023-44487</cve>
-    </suppress>
     <suppress>
         <notes>Parquet MR vulnerabilities do not apply to other Parquet 
libraries</notes>
         <packageUrl 
regex="true">^pkg:maven/org\.apache\.parquet/parquet\-(?!mr).*$</packageUrl>
@@ -234,11 +194,6 @@
         <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
         <cve>CVE-2020-7656</cve>
     </suppress>
-    <suppress>
-        <notes>jQuery vulnerability warning for historical versions</notes>
-        <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
-        <vulnerabilityName>jQuery 1.x and 2.x are End-of-Life and no longer 
receiving security updates</vulnerabilityName>
-    </suppress>
     <suppress>
         <notes>CVE-2023-44487 references gRPC for Go</notes>
         <packageUrl regex="true">^pkg:maven/io\.grpc/grpc.*$</packageUrl>
@@ -254,14 +209,9 @@
         <packageUrl 
regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
         <cve>CVE-2020-8908</cve>
     </suppress>
-    <suppress>
-        <notes>CVE-2023-36052 applies to Azure CLI not Azure Java 
libraries</notes>
-        <packageUrl regex="true">^pkg:maven/com\.azure/.*$</packageUrl>
-        <cve>CVE-2023-36052</cve>
-    </suppress>
     <suppress>
         <notes>Findings for Apache Hadoop do not apply to the shaded Protobuf 
library</notes>
-        <packageUrl 
regex="true">^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop\-shaded\-protobuf_3_21@.*$</packageUrl>
+        <packageUrl 
regex="true">^pkg:maven/org\.apache\.hadoop\.thirdparty/hadoop\-shaded\-protobuf_3_25@.*$</packageUrl>
         <cpe>cpe:/a:apache:hadoop</cpe>
     </suppress>
     <suppress>
@@ -274,4 +224,30 @@
         <packageUrl 
regex="true">^pkg:maven/org\.threeten/threetenbp@.*$</packageUrl>
         <vulnerabilityName>CVE-2024-23082</vulnerabilityName>
     </suppress>
+    <suppress>
+        <notes>CVE-2023-7272 applies to Eclipse Parrson not javax.json</notes>
+        <packageUrl 
regex="true">^pkg:maven/org\.glassfish/javax\.json@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-7272</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>CVE-2024-43591 applies to Azure CLI not azure-core-amqp</notes>
+        <packageUrl regex="true">^pkg:maven/com\.azure/.*$</packageUrl>
+        <cpe>cpe:/a:microsoft:azure_cli</cpe>
+        <cve>CVE-2024-43591</cve>
+    </suppress>
+    <suppress>
+        <notes>jquery is not used although bundled in Hadoop avro-ipc 
libraries</notes>
+        <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
+        <vulnerabilityName>jquery issue: 162</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>Google OpenTelemetry shared-resourcemapping versions do not 
align with base OpenTelemetry versions leading to false positives</notes>
+        <packageUrl 
regex="true">^pkg:maven/com\.google\.cloud\.opentelemetry/.*$</packageUrl>
+        <cpe>cpe:/a:opentelemetry:opentelemetry</cpe>
+    </suppress>
+    <suppress>
+        <notes>CVE-2024-35255 is resolved in msal4j 1.15.1 and the CPE for 
other languages does not apply</notes>
+        <cve>CVE-2024-35255</cve>
+        <cpe>cpe:/a:microsoft:authentication_library:*:*:*:*:*:.net:*:*</cpe>
+    </suppress>
 </suppressions>
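Review bot: The msal4j suppression on L242-L247 has no `<packageUrl>` (or other target) element, so the `<cve>CVE-2024-35255</cve>` entry suppresses that CVE for every dependency in the scan rather than only for the msal4j version the note says is fixed; scoping it with `<packageUrl regex="true">^pkg:maven/com\.microsoft\.azure/msal4j@.*$</packageUrl>` keeps the suppression tied to the artifact that was actually verified. The other rules in this file put `<cpe>` before `<cve>` (L226-L227), so the reversed order on L245-L246 is worth checking against the suppression schema in case it is declared as a sequence. The CVE-2024-43591 rule on L223-L228 matches all of `com\.azure/.*` while its note names azure-core-amqp; narrowing the packageUrl to that artifact would make the rule match its note and avoid blanketing future com.azure findings for the same CVE. The jquery rule on L229-L234 likewise applies to any jquery copy in any jar; if the intent is only the copy bundled in avro-ipc, a `<filePath>` target scoped to that jar would be the tighter match.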
diff --git a/nifi-extension-bundles/nifi-aws-bundle/pom.xml 
b/nifi-extension-bundles/nifi-aws-bundle/pom.xml
index fa13da9a30..ee8e5513cd 100644
--- a/nifi-extension-bundles/nifi-aws-bundle/pom.xml
+++ b/nifi-extension-bundles/nifi-aws-bundle/pom.xml
@@ -66,6 +66,12 @@
                     </exclusion>
                 </exclusions>
             </dependency>
+            <!-- Override protobuf-java from amazon-kinesis-client -->
+            <dependency>
+                <groupId>com.google.protobuf</groupId>
+                <artifactId>protobuf-java</artifactId>
+                <version>3.25.5</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 </project>
diff --git 
a/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/test/java/org/apache/nifi/processors/gcp/storage/AbstractGCSTest.java
 
b/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/test/java/org/apache/nifi/processors/gcp/storage/AbstractGCSTest.java
index 99289558de..8d57214f6f 100644
--- 
a/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/test/java/org/apache/nifi/processors/gcp/storage/AbstractGCSTest.java
+++ 
b/nifi-extension-bundles/nifi-gcp-bundle/nifi-gcp-processors/src/test/java/org/apache/nifi/processors/gcp/storage/AbstractGCSTest.java
@@ -45,7 +45,7 @@ import static org.mockito.Mockito.reset;
 @ExtendWith(MockitoExtension.class)
 public abstract class AbstractGCSTest {
     private static final String PROJECT_ID = 
System.getProperty("test.gcp.project.id", "nifi-test-gcp-project");
-    private static final String DEFAULT_STORAGE_URL = 
"https://storage.googleapis.com";;
+    private static final String DEFAULT_STORAGE_URL = 
"https://storage.googleapis.com/";;
     private static final Integer RETRIES = 9;
 
     static final String BUCKET = RemoteStorageHelper.generateBucketName();
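Review bot: The trailing slash added to `DEFAULT_STORAGE_URL` on L284 has no comment explaining why it is now needed, and a bare one-character change to a constant is the kind of thing a later clean-up reverts. A short comment such as `// Trailing slash required after the google libraries upgrade in NIFI-13933` would preserve the reason; I am inferring the link to the 26.49.0 bump in this same commit, so adjust the wording to the actual cause. The class body of AbstractGCSTest continues past the hunk.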
diff --git a/nifi-extension-bundles/nifi-gcp-bundle/pom.xml 
b/nifi-extension-bundles/nifi-gcp-bundle/pom.xml
index fc5c09bc38..bcfbb57ae3 100644
--- a/nifi-extension-bundles/nifi-gcp-bundle/pom.xml
+++ b/nifi-extension-bundles/nifi-gcp-bundle/pom.xml
@@ -25,7 +25,7 @@
     <packaging>pom</packaging>
 
     <properties>
-        <google.libraries.version>26.47.0</google.libraries.version>
+        <google.libraries.version>26.49.0</google.libraries.version>
     </properties>
 
     <dependencyManagement>
diff --git 
a/nifi-extension-bundles/nifi-parquet-bundle/nifi-parquet-processors/pom.xml 
b/nifi-extension-bundles/nifi-parquet-bundle/nifi-parquet-processors/pom.xml
index 3e6d3adfcb..d2def3d699 100644
--- a/nifi-extension-bundles/nifi-parquet-bundle/nifi-parquet-processors/pom.xml
+++ b/nifi-extension-bundles/nifi-parquet-bundle/nifi-parquet-processors/pom.xml
@@ -87,7 +87,7 @@
         <dependency>
             <groupId>org.apache.parquet</groupId>
             <artifactId>parquet-avro</artifactId>
-            <version>1.13.1</version>
+            <version>1.14.3</version>
             <exclusions>
                 <exclusion>
                     <groupId>org.xerial.snappy</groupId>
diff --git a/nifi-registry/nifi-registry-core/nifi-registry-test/pom.xml 
b/nifi-registry/nifi-registry-core/nifi-registry-test/pom.xml
index 03a68ee334..c8a5888054 100644
--- a/nifi-registry/nifi-registry-core/nifi-registry-test/pom.xml
+++ b/nifi-registry/nifi-registry-core/nifi-registry-test/pom.xml
@@ -63,6 +63,13 @@
             <groupId>com.mysql</groupId>
             <artifactId>mysql-connector-j</artifactId>
             <version>9.1.0</version>
+            <exclusions>
+                <!-- Exclude unused protobuf-java -->
+                <exclusion>
+                    <groupId>com.google.protobuf</groupId>
+                    <artifactId>protobuf-java</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.mariadb.jdbc</groupId>
diff --git a/pom.xml b/pom.xml
index fd83d7ec5b..8cc22a16f0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -142,7 +142,7 @@
         <json.smart.version>2.5.1</json.smart.version>
         <groovy.version>4.0.23</groovy.version>
         <surefire.version>3.5.1</surefire.version>
-        <hadoop.version>3.4.0</hadoop.version>
+        <hadoop.version>3.4.1</hadoop.version>
         <ozone.version>1.2.1</ozone.version>
         <gcs.version>2.1.5</gcs.version>
         <aspectj.version>1.9.22.1</aspectj.version>
@@ -155,7 +155,7 @@
         <netty.4.version>4.1.114.Final</netty.4.version>
         <servlet-api.version>6.1.0</servlet-api.version>
         <spring.version>6.1.14</spring.version>
-        <spring.security.version>6.3.3</spring.security.version>
+        <spring.security.version>6.3.4</spring.security.version>
         <swagger.annotations.version>2.2.25</swagger.annotations.version>
         <h2.version>2.3.232</h2.version>
         <zookeeper.version>3.9.2</zookeeper.version>
@@ -163,6 +163,7 @@
         <hapi.version>2.5.1</hapi.version>
         <commons.dbcp2.version>2.12.0</commons.dbcp2.version>
         <prometheus.version>0.16.0</prometheus.version>
+        <velocity-engine-core.version>2.4.1</velocity-engine-core.version>
     </properties>
     <dependencyManagement>
         <dependencies>
@@ -559,6 +560,12 @@
                 <artifactId>zookeeper-jute</artifactId>
                 <version>${zookeeper.version}</version>
             </dependency>
+            <!-- Override velocity-engine-core 2.3 for framework and Hadoop 
dependencies -->
+            <dependency>
+                <groupId>org.apache.velocity</groupId>
+                <artifactId>velocity-engine-core</artifactId>
+                <version>${velocity-engine-core.version}</version>
+            </dependency>
             <!-- Managed JUnit 4 version for transitive dependencies such as 
OkHttp MockWebServer -->
             <dependency>
                 <groupId>junit</groupId>
