>From Hussain Towaileb <[email protected]>:
Hussain Towaileb has uploaded this change for review. (
https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/17548 )
Change subject: [NO ISSUE][*DB]: Update json-smart to avoid CVE-2023-1370
......................................................................
[NO ISSUE][*DB]: Update json-smart to avoid CVE-2023-1370
Change-Id: I6cceff58ae80042c1421de4acb97dbfa3549168a
---
M asterixdb/asterix-external-data/pom.xml
M asterixdb/asterix-server/pom.xml
M asterixdb/pom.xml
M hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
M asterixdb/src/main/appended-resources/supplemental-models.xml
M hyracks-fullstack/pom.xml
6 files changed, 54 insertions(+), 8 deletions(-)
git pull ssh://asterix-gerrit.ics.uci.edu:29418/asterixdb
refs/changes/48/17548/1
diff --git a/asterixdb/asterix-external-data/pom.xml
b/asterixdb/asterix-external-data/pom.xml
index 068e294..f8a4401 100644
--- a/asterixdb/asterix-external-data/pom.xml
+++ b/asterixdb/asterix-external-data/pom.xml
@@ -546,6 +546,11 @@
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-util-ajax</artifactId>
</dependency>
+ <!-- Manually included to avoid CVE-2023-1370 -->
+ <dependency>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </dependency>
</dependencies>
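Review bot: The new json-smart dependency carries no `<version>`, so it resolves through the parent's dependencyManagement, but the comment above it only names the CVE and not that; a reader seeing a dependency with no obvious use in this module will not know why it is here or where the version is controlled. Suggest `<!-- Declared directly (version managed in asterixdb/pom.xml) so the fixed json-smart is on the classpath after the transitive copy is excluded from the Hadoop artifacts; CVE-2023-1370 -->`. If this module's own code does not reference json-smart classes, a dependency-analysis check may flag it as declared-but-unused; confirm that before merging. The enclosing `<dependencies>` element starts outside the hunk.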
<!-- apply patch for HADOOP-17225 to workaround CVE-2019-10172 -->
<repositories>
diff --git a/asterixdb/asterix-server/pom.xml b/asterixdb/asterix-server/pom.xml
index fb1c2f1..2ab0e5f 100644
--- a/asterixdb/asterix-server/pom.xml
+++ b/asterixdb/asterix-server/pom.xml
@@ -309,7 +309,7 @@
<url>https://raw.githubusercontent.com/codehaus/stax/master/dev/ASF2.0.txt</url>
</override>
<override>
- <gav>org.ow2.asm:asm:9.1</gav>
+ <gav>org.ow2.asm:asm:9.3</gav>
<url>https://raw.githubusercontent.com/llbit/ow2-asm/master/LICENSE.txt</url>
</override>
<override>
diff --git a/asterixdb/pom.xml b/asterixdb/pom.xml
index 45f1986..435ee0c 100644
--- a/asterixdb/pom.xml
+++ b/asterixdb/pom.xml
@@ -1020,6 +1020,10 @@
<version>${hadoop.version}</version>
<exclusions>
<exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
+ <exclusion>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
</exclusion>
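Review bot: Excluding json-smart from the Hadoop artifacts is not what makes 2.4.11 win; the dependencyManagement entry added later in this file already overrides the transitive version, so the exclusion only changes which modules have json-smart on the classpath at all. If a Hadoop code path (nimbus-jose-jwt is excluded alongside it here, and is the usual consumer) still needs json-smart at runtime, a module that does not declare it directly would fail only when that path runs, which is hard to catch in tests. Either state the intent next to the exclusion, `<!-- json-smart excluded here; modules that need it declare the managed 2.4.11 directly -->`, or drop the exclusions and rely on the managed version alone. The same applies to the two later exclusion hunks in this file and to the ones in hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml and hyracks-fullstack/pom.xml. The enclosing `<dependency>` element starts outside the hunk.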
@@ -1112,6 +1116,10 @@
<classifier>tests</classifier>
<exclusions>
<exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
+ <exclusion>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
</exclusion>
@@ -1645,6 +1653,10 @@
<version>1.4.1</version>
<exclusions>
<exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
+ <exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-handler</artifactId>
</exclusion>
@@ -2003,6 +2015,12 @@
<artifactId>jetty-util-ajax</artifactId>
<version>9.4.48.v20220622</version>
</dependency>
+ <!-- Manually included to avoid CVE-2023-1370 -->
+ <dependency>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ <version>2.4.11</version>
+ </dependency>
</dependencies>
</dependencyManagement>
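Review bot: The comment `Manually included to avoid CVE-2023-1370` on a dependencyManagement entry reads as if a dependency were added, whereas this entry pins a version; it also says nothing about what the CVE is or that the same pin is repeated elsewhere. Suggest `<!-- Pinned to 2.4.11 to avoid CVE-2023-1370 (uncontrolled recursion on deeply nested JSON input); keep in step with hyracks-fullstack/pom.xml and supplemental-models.xml -->`. The identical comment in the hyracks-fullstack/pom.xml dependencyManagement hunk should change the same way. A maven-enforcer bannedDependencies rule for net.minidev:json-smart below 2.4.11 would stop a later Hadoop bump from silently reintroducing an affected version.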
diff --git a/asterixdb/src/main/appended-resources/supplemental-models.xml
b/asterixdb/src/main/appended-resources/supplemental-models.xml
index 18508ef6..1a97cbf 100644
--- a/asterixdb/src/main/appended-resources/supplemental-models.xml
+++ b/asterixdb/src/main/appended-resources/supplemental-models.xml
@@ -1090,8 +1090,8 @@
<groupId>net.minidev</groupId>
<artifactId>json-smart</artifactId>
<properties>
-
<license.ignoreMissingEmbeddedLicense>2.4.7</license.ignoreMissingEmbeddedLicense>
-
<license.ignoreMissingEmbeddedNotice>2.4.7</license.ignoreMissingEmbeddedNotice>
+
<license.ignoreMissingEmbeddedLicense>2.4.11</license.ignoreMissingEmbeddedLicense>
+
<license.ignoreMissingEmbeddedNotice>2.4.11</license.ignoreMissingEmbeddedNotice>
</properties>
</project>
</supplement>
@@ -1102,8 +1102,8 @@
<groupId>net.minidev</groupId>
<artifactId>accessors-smart</artifactId>
<properties>
-
<license.ignoreMissingEmbeddedLicense>2.4.7</license.ignoreMissingEmbeddedLicense>
-
<license.ignoreMissingEmbeddedNotice>2.4.7</license.ignoreMissingEmbeddedNotice>
+
<license.ignoreMissingEmbeddedLicense>2.4.11</license.ignoreMissingEmbeddedLicense>
+
<license.ignoreMissingEmbeddedNotice>2.4.11</license.ignoreMissingEmbeddedNotice>
</properties>
</project>
</supplement>
@@ -1113,9 +1113,9 @@
<groupId>org.ow2.asm</groupId>
<artifactId>asm</artifactId>
<properties>
-
<license.ignoreMissingEmbeddedLicense>9.1</license.ignoreMissingEmbeddedLicense>
-
<license.ignoreMissingEmbeddedNotice>9.1</license.ignoreMissingEmbeddedNotice>
- <license.ignoreLicenseOverride>9.1</license.ignoreLicenseOverride>
+
<license.ignoreMissingEmbeddedLicense>9.3</license.ignoreMissingEmbeddedLicense>
+
<license.ignoreMissingEmbeddedNotice>9.3</license.ignoreMissingEmbeddedNotice>
+ <license.ignoreLicenseOverride>9.3</license.ignoreLicenseOverride>
</properties>
</project>
</supplement>
diff --git a/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
b/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
index b16904d..816746c 100644
--- a/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
+++ b/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
@@ -183,6 +183,10 @@
<scope>test</scope>
<exclusions>
<exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
+ <exclusion>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
diff --git a/hyracks-fullstack/pom.xml b/hyracks-fullstack/pom.xml
index 69a8279..9ef0212 100644
--- a/hyracks-fullstack/pom.xml
+++ b/hyracks-fullstack/pom.xml
@@ -156,6 +156,10 @@
<version>${hadoop.version}</version>
<exclusions>
<exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
+ <exclusion>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
</exclusion>
@@ -472,6 +476,12 @@
<artifactId>jetty-util-ajax</artifactId>
<version>9.4.48.v20220622</version>
</dependency>
+ <!-- Manually included to avoid CVE-2023-1370 -->
+ <dependency>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ <version>2.4.11</version>
+ </dependency>
</dependencies>
</dependencyManagement>
<build>
--
Gerrit-Project: asterixdb
Gerrit-Branch: stabilization-667a908755
Gerrit-Change-Id: I6cceff58ae80042c1421de4acb97dbfa3549168a
Gerrit-Change-Number: 17548
Gerrit-PatchSet: 1
Gerrit-Owner: Hussain Towaileb <[email protected]>
Gerrit-MessageType: newchange