This is an automated email from the ASF dual-hosted git repository.

fanningpj pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/pekko-management.git


The following commit(s) were added to refs/heads/main by this push:
     new 7ed2b5b3 update wiremock transitive dependencies due to CVEs (#208)
7ed2b5b3 is described below

commit 7ed2b5b3be0d9ad6fb664e1f5a31c5ac9c21a2c5
Author: PJ Fanning <[email protected]>
AuthorDate: Mon Apr 22 14:49:47 2024 +0200

    update wiremock transitive dependencies due to CVEs (#208)
    
    * update wiremock transitive dependencies due to CVEs
    
    Update Dependencies.scala
    
    Update Dependencies.scala
    
    Update Dependencies.scala
    
    * Update Dependencies.scala
---
 project/Dependencies.scala | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/project/Dependencies.scala b/project/Dependencies.scala
index bd2154a1..485a6cca 100644
--- a/project/Dependencies.scala
+++ b/project/Dependencies.scala
@@ -25,6 +25,7 @@ object Dependencies {
   val scalaTestPlusJUnitVersion = scalaTestVersion + ".0"
 
   val awsSdkVersion = "1.12.705"
+  val guavaVersion = "33.1.0-jre"
   val jacksonVersion = "2.16.2"
 
   val log4j2Version = "2.23.1"
@@ -39,7 +40,30 @@ object Dependencies {
     "com.fasterxml.jackson.datatype" % "jackson-datatype-guava" % 
jacksonVersion,
     "com.fasterxml.jackson.datatype" % "jackson-datatype-jdk8" % 
jacksonVersion,
     // Specifying guava dependency because older transitive dependency has 
security vulnerability
-    "com.google.guava" % "guava" % "33.1.0-jre")
+    "com.google.guava" % "guava" % guavaVersion)
+
+  // wiremock has very outdated, CVE vulnerable dependencies
+  private val jettyVersion = "9.4.54.v20240208"
+  private val wireMockDependencies = Seq(
+    "com.github.tomakehurst" % "wiremock-jre8" % "2.35.2" % Test,
+    "org.eclipse.jetty" % "jetty-server" % jettyVersion % Test,
+    "org.eclipse.jetty" % "jetty-servlet" % jettyVersion % Test,
+    "org.eclipse.jetty" % "jetty-servlets" % jettyVersion % Test,
+    "org.eclipse.jetty" % "jetty-webapp" % jettyVersion % Test,
+    "org.eclipse.jetty" % "jetty-proxy" % jettyVersion % Test,
+    "org.eclipse.jetty" % "jetty-alpn-server" % jettyVersion % Test,
+    "org.eclipse.jetty" % "jetty-alpn-java-server" % jettyVersion % Test,
+    "org.eclipse.jetty" % "jetty-alpn-openjdk8-server" % jettyVersion % Test,
+    "org.eclipse.jetty" % "jetty-alpn-java-client" % jettyVersion % Test,
+    "org.eclipse.jetty" % "jetty-alpn-openjdk8-client" % jettyVersion % Test,
+    "org.eclipse.jetty.http2" % "http2-server" % jettyVersion % Test,
+    "com.google.guava" % "guava" % guavaVersion % Test,
+    "com.fasterxml.jackson.core" % "jackson-core" % jacksonVersion % Test,
+    "com.fasterxml.jackson.core" % "jackson-annotations" % jacksonVersion % 
Test,
+    "com.fasterxml.jackson.core" % "jackson-databind" % jacksonVersion % Test,
+    "commons-io" % "commons-io" % "2.16.1" % Test,
+    "commons-fileupload" % "commons-fileupload" % "1.5" % Test,
+    "com.jayway.jsonpath" % "json-path" % "2.9.0" % Test)
 
   val discoveryConsul = Seq(
     "org.apache.pekko" %% "pekko-actor" % pekkoVersion,
@@ -155,10 +179,10 @@ object Dependencies {
     "org.apache.pekko" %% "pekko-http" % pekkoHttpVersion,
     "org.apache.pekko" %% "pekko-slf4j" % pekkoVersion,
     "org.apache.pekko" %% "pekko-http-spray-json" % pekkoHttpVersion,
-    "com.github.tomakehurst" % "wiremock-jre8" % "2.35.2" % Test,
     "org.scalatest" %% "scalatest" % scalaTestVersion % "it,test",
     "org.scalatestplus" %% "junit-4-13" % scalaTestPlusJUnitVersion % 
"it,test",
-    "org.apache.pekko" %% "pekko-testkit" % pekkoVersion % "it,test")
+    "org.apache.pekko" %% "pekko-testkit" % pekkoVersion % "it,test") ++
+    wireMockDependencies
 
   val leaseKubernetesTest = Seq(
     "org.scalatest" %% "scalatest" % scalaTestVersion)

