This is an automated email from the ASF dual-hosted git repository.

eolivelli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new 9d3cbef  [Security] Upgrade junit version to 4.13.1 to resolve 
CVE-2020-15250 and fix test dependency leak (#10147)
9d3cbef is described below

commit 9d3cbef9b011f5985b5f91a22dc5afc2cf92e439
Author: Lari Hotari <[email protected]>
AuthorDate: Thu Apr 15 15:51:24 2021 +0300

    [Security] Upgrade junit version to 4.13.1 to resolve CVE-2020-15250 and 
fix test dependency leak (#10147)
---
 buildtools/pom.xml                                 |  5 ++++
 distribution/server/licenses/LICENSE-Hamcrest.txt  | 27 ----------------------
 distribution/server/src/assemble/LICENSE.bin.txt   |  8 +++----
 managed-ledger/pom.xml                             |  1 -
 pom.xml                                            | 11 +++++++++
 .../bookkeeper-storage/pom.xml                     |  1 -
 6 files changed, 19 insertions(+), 34 deletions(-)

diff --git a/buildtools/pom.xml b/buildtools/pom.xml
index 66ae0d6..23476fa 100644
--- a/buildtools/pom.xml
+++ b/buildtools/pom.xml
@@ -65,6 +65,11 @@
       <version>${testng.version}</version>
     </dependency>
     <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.13.1</version>
+    </dependency>
+    <dependency>
       <groupId>org.apache.logging.log4j</groupId>
       <artifactId>log4j-api</artifactId>
     </dependency>
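Review bot: The junit version is hard-coded as `4.13.1` here while the root pom introduces a `junit4.version` property for the same artifact, so the next CVE-driven bump has to be made in two places and one of them is easy to miss. If buildtools cannot inherit the root dependencyManagement (its parent declaration is outside this hunk), that should be stated next to the pin, e.g. `<!-- Keep in sync with junit4.version in the root pom; buildtools does not inherit its dependencyManagement -->`. The new dependency also carries no `<scope>`, so it lands on the module's compile classpath; if only test code uses it, `<scope>test</scope>` would keep it from propagating to consumers of buildtools.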
diff --git a/distribution/server/licenses/LICENSE-Hamcrest.txt 
b/distribution/server/licenses/LICENSE-Hamcrest.txt
deleted file mode 100644
index 4933bda..0000000
--- a/distribution/server/licenses/LICENSE-Hamcrest.txt
+++ /dev/null
@@ -1,27 +0,0 @@
-BSD License
-
-Copyright (c) 2000-2015 www.hamcrest.org
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
-
-Redistributions of source code must retain the above copyright notice, this 
list of
-conditions and the following disclaimer. Redistributions in binary form must 
reproduce
-the above copyright notice, this list of conditions and the following 
disclaimer in
-the documentation and/or other materials provided with the distribution.
-
-Neither the name of Hamcrest nor the names of its contributors may be used to 
endorse
-or promote products derived from this software without specific prior written
-permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 
AND ANY
-EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 
WARRANTIES
-OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO 
EVENT
-SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
-INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 
LIMITED
-TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 
PROFITS; OR
-BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER 
IN
-CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 
ARISING IN ANY
-WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
-DAMAGE.
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt 
b/distribution/server/src/assemble/LICENSE.bin.txt
index 3b39002..81c547d 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -465,14 +465,13 @@ The Apache Software License, Version 2.0
     - io.grpc-grpc-protobuf-1.33.0.jar
     - io.grpc-grpc-protobuf-lite-1.33.0.jar
     - io.grpc-grpc-stub-1.33.0.jar
-    - io.grpc-grpc-testing-1.33.0.jar
     - io.grpc-grpc-alts-1.33.0.jar
     - io.grpc-grpc-api-1.33.0.jar
     - io.grpc-grpc-grpclb-1.33.0.jar
     - io.grpc-grpc-netty-shaded-1.33.0.jar
     - io.grpc-grpc-services-1.33.0.jar
     - io.grpc-grpc-xds-1.33.0.jar
-  * Perfmark 
+  * Perfmark
     - io.perfmark-perfmark-api-0.19.0.jar
   * OpenCensus
     - io.opencensus-opencensus-api-0.18.0.jar
@@ -517,7 +516,7 @@ The Apache Software License, Version 2.0
     - io.vertx-vertx-web-3.5.3.jar
   * Apache ZooKeeper
     - org.apache.zookeeper-zookeeper-jute-3.6.2.jar
-  * Snappy Java  
+  * Snappy Java
     - org.xerial.snappy-snappy-java-1.1.7.jar
   * Google HTTP Client
     - com.google.http-client-google-http-client-jackson2-1.34.0.jar
@@ -531,7 +530,6 @@ BSD 3-clause "New" or "Revised" License
     - com.google.auth-google-auth-library-oauth2-http-0.20.0.jar -- 
licenses/LICENSE-google-auth-library.txt
  * LevelDB -- (included in org.rocksdb.*.jar) -- licenses/LICENSE-LevelDB.txt
  * JSR305 -- com.google.code.findbugs-jsr305-3.0.2.jar -- 
licenses/LICENSE-JSR305.txt
- * JavaHamcrest -- org.hamcrest-hamcrest-core-1.3.jar -- 
licenses/LICENSE-Hamcrest.txt
 
 BSD 2-Clause License
  * HdrHistogram -- org.hdrhistogram-HdrHistogram-2.1.9.jar -- 
licenses/LICENSE-HdrHistogram.txt
@@ -578,7 +576,7 @@ CDDL-1.1 -- licenses/LICENSE-CDDL-1.1.txt
  * Mimepull -- org.jvnet.mimepull-mimepull-1.9.13.jar
 
 Eclipse Distribution License 1.0 -- licenses/LICENSE-EDL-1.0.txt
- * Jakarta Activation 
+ * Jakarta Activation
    - jakarta.activation-jakarta.activation-api-1.2.1.jar
  * Jakarta XML Binding -- jakarta.xml.bind-jakarta.xml.bind-api-2.3.2.jar
 
diff --git a/managed-ledger/pom.xml b/managed-ledger/pom.xml
index 3a692dd..c62631e 100644
--- a/managed-ledger/pom.xml
+++ b/managed-ledger/pom.xml
@@ -101,7 +101,6 @@
     <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>
-      <version>4.12</version>
       <scope>test</scope>
     </dependency>
 
diff --git a/pom.xml b/pom.xml
index a706fd6..d7b5b72 100644
--- a/pom.xml
+++ b/pom.xml
@@ -199,6 +199,7 @@ flexible messaging model and an intuitive client 
API.</description>
     <testcontainers.version>1.15.1</testcontainers.version>
     <kerby.version>1.1.1</kerby.version>
     <testng.version>7.3.0</testng.version>
+    <junit4.version>4.13.1</junit4.version>
     <mockito.version>3.8.0</mockito.version>
     <powermock.version>2.0.9</powermock.version>
     <javassist.version>3.25.0-GA</javassist.version>
@@ -268,6 +269,12 @@ flexible messaging model and an intuitive client 
API.</description>
       </dependency>
 
       <dependency>
+        <groupId>junit</groupId>
+        <artifactId>junit</artifactId>
+        <version>${junit4.version}</version>
+      </dependency>
+
+      <dependency>
         <groupId>org.awaitility</groupId>
         <artifactId>awaitility</artifactId>
         <version>${awaitility.version}</version>
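Review bot: The managed junit entry carries no scope, so a module that declares `junit:junit` and forgets `<scope>test</scope>` will get it at compile scope and re-create the leak this commit is fixing. Because dependencyManagement scope is inherited when a child omits it, adding `<scope>test</scope>` under `<version>${junit4.version}</version>` makes test scope the default and turns the fix into a guard rather than a one-time cleanup. Any module that genuinely needs junit outside tests can still override the scope explicitly.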
@@ -419,6 +426,10 @@ flexible messaging model and an intuitive client 
API.</description>
             <groupId>io.grpc</groupId>
             <artifactId>grpc-all</artifactId>
           </exclusion>
+          <exclusion>
+            <groupId>io.grpc</groupId>
+            <artifactId>grpc-testing</artifactId>
+          </exclusion>
         </exclusions>
       </dependency>
 
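Review bot: Excluding grpc-testing from this one dependency (its coordinates sit above the hunk) closes the path that pulled junit 4.12 and hamcrest-core into the server distribution, but nothing stops another dependency from re-introducing either jar, and the LICENSE.bin.txt hunk now assumes neither ships. Unless one already exists outside this diff, a maven-enforcer `bannedDependencies` rule, or a distribution check that fails on `junit:junit`, `org.hamcrest:*` and `io.grpc:grpc-testing` in compile/runtime scope, would make the invariant enforced rather than incidental. The exclusion itself is right: grpc-testing is test-support code with no place on a broker runtime classpath.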
diff --git a/pulsar-package-management/bookkeeper-storage/pom.xml 
b/pulsar-package-management/bookkeeper-storage/pom.xml
index 67958d7..66ad96e 100644
--- a/pulsar-package-management/bookkeeper-storage/pom.xml
+++ b/pulsar-package-management/bookkeeper-storage/pom.xml
@@ -87,7 +87,6 @@
         <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>
-            <version>4.12</version>
             <scope>test</scope>
         </dependency>
     </dependencies>
