>From Hussain Towaileb <[email protected]>: Hussain Towaileb has submitted this change. ( https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/17548 )
Change subject: [NO ISSUE][*DB]: Update smart-json to avoid encountered CVE
......................................................................
[NO ISSUE][*DB]: Update smart-json to avoid encountered CVE
Details:
- This change updates smart-json to avoid CVE-2023-1370: json-smart 2.4.7 -> 2.4.11
Change-Id: I6cceff58ae80042c1421de4acb97dbfa3549168a
Reviewed-on: https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/17548
Integration-Tests: Jenkins <[email protected]>
Tested-by: Jenkins <[email protected]>
Reviewed-by: Hussain Towaileb <[email protected]>
Reviewed-by: Michael Blow <[email protected]>
---
M asterixdb/asterix-external-data/pom.xml
M asterixdb/asterix-server/pom.xml
M asterixdb/pom.xml
M hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
M asterixdb/src/main/appended-resources/supplemental-models.xml
M hyracks-fullstack/pom.xml
6 files changed, 57 insertions(+), 8 deletions(-)
Approvals:
Michael Blow: Looks good to me, approved
Hussain Towaileb: Looks good to me, but someone else must approve
Jenkins: Verified; Verified
diff --git a/asterixdb/asterix-external-data/pom.xml b/asterixdb/asterix-external-data/pom.xml
index 068e294..f8a4401 100644
--- a/asterixdb/asterix-external-data/pom.xml
+++ b/asterixdb/asterix-external-data/pom.xml
@@ -546,6 +546,11 @@
 <groupId>org.eclipse.jetty</groupId>
 <artifactId>jetty-util-ajax</artifactId>
 </dependency>
+ <!-- Manually included to avoid CVE-2023-1370 -->
+ <dependency>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </dependency>
 </dependencies>
 <!-- apply patch for HADOOP-17225 to workaround CVE-2019-10172 -->
 <repositories>
diff --git a/asterixdb/asterix-server/pom.xml b/asterixdb/asterix-server/pom.xml
index fb1c2f1..2ab0e5f 100644
--- a/asterixdb/asterix-server/pom.xml
+++ b/asterixdb/asterix-server/pom.xml
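Review bot: The json-smart `<dependency>` added at the end of the asterix-external-data `<dependencies>` block carries no `<version>`, so the 2.4.11 pin takes effect only if this module resolves managed versions from the hyracks-fullstack `<dependencyManagement>` entry introduced by the same change; that inheritance is not visible in this hunk and is worth confirming on the module with `mvn dependency:tree -Dincludes=net.minidev`. The comment says what the declaration is for but not why a direct declaration is needed on a library the module presumably does not import itself, which is the first question the next maintainer will ask before deleting it as unused. Suggest `<!-- Not used directly: declared so the managed json-smart version (CVE-2023-1370 fix) replaces the copy the hadoop dependencies would otherwise pull in transitively; remove once hadoop.version brings a fixed json-smart -->`.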
@@ -309,7 +309,7 @@
 <url>https://raw.githubusercontent.com/codehaus/stax/master/dev/ASF2.0.txt</url>
 </override>
 <override>
- <gav>org.ow2.asm:asm:9.1</gav>
+ <gav>org.ow2.asm:asm:9.3</gav>
 <url>https://raw.githubusercontent.com/llbit/ow2-asm/master/LICENSE.txt</url>
 </override>
 <override>
diff --git a/asterixdb/pom.xml b/asterixdb/pom.xml
index 45f1986..3610b19 100644
--- a/asterixdb/pom.xml
+++ b/asterixdb/pom.xml
@@ -1020,6 +1020,10 @@
 <version>${hadoop.version}</version>
 <exclusions>
 <exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
+ <exclusion>
 <groupId>com.nimbusds</groupId>
 <artifactId>nimbus-jose-jwt</artifactId>
 </exclusion>
@@ -1112,6 +1116,10 @@
 <classifier>tests</classifier>
 <exclusions>
 <exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
+ <exclusion>
 <groupId>com.nimbusds</groupId>
 <artifactId>nimbus-jose-jwt</artifactId>
 </exclusion>
@@ -1645,6 +1653,10 @@
 <version>1.4.1</version>
 <exclusions>
 <exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
+ <exclusion>
 <groupId>io.netty</groupId>
 <artifactId>netty-handler</artifactId>
 </exclusion>
diff --git a/asterixdb/src/main/appended-resources/supplemental-models.xml b/asterixdb/src/main/appended-resources/supplemental-models.xml
index 18508ef6..1a97cbf 100644
--- a/asterixdb/src/main/appended-resources/supplemental-models.xml
+++ b/asterixdb/src/main/appended-resources/supplemental-models.xml
@@ -1090,8 +1090,8 @@
 <groupId>net.minidev</groupId>
 <artifactId>json-smart</artifactId>
 <properties>
- <license.ignoreMissingEmbeddedLicense>2.4.7</license.ignoreMissingEmbeddedLicense>
- <license.ignoreMissingEmbeddedNotice>2.4.7</license.ignoreMissingEmbeddedNotice>
+ <license.ignoreMissingEmbeddedLicense>2.4.11</license.ignoreMissingEmbeddedLicense>
+ <license.ignoreMissingEmbeddedNotice>2.4.11</license.ignoreMissingEmbeddedNotice>
 </properties>
 </project>
 </supplement>
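Review bot: The three new json-smart `<exclusion>` blocks in asterixdb/pom.xml (hunks at -1020, -1112 and -1645), like the identical ones in hyracks-hdfs/pom.xml at -183 and hyracks-fullstack/pom.xml at -156, carry no explanation, whereas the dependency entries that replace them do carry a CVE comment; a reader of an exclusion alone cannot tell that a pinned copy is expected to take its place. Since a managed version in `<dependencyManagement>` already overrides the version of a transitive dependency, the exclusions are defence in depth rather than the fix itself, and saying so prevents someone later dropping the pin on the assumption that the exclusions suffice, or dropping the exclusions on the assumption that they are dead. Suggest `<!-- json-smart excluded here; the fixed version is pinned in dependencyManagement (CVE-2023-1370) -->` before the first such exclusion in each file.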
@@ -1102,8 +1102,8 @@
 <groupId>net.minidev</groupId>
 <artifactId>accessors-smart</artifactId>
 <properties>
- <license.ignoreMissingEmbeddedLicense>2.4.7</license.ignoreMissingEmbeddedLicense>
- <license.ignoreMissingEmbeddedNotice>2.4.7</license.ignoreMissingEmbeddedNotice>
+ <license.ignoreMissingEmbeddedLicense>2.4.11</license.ignoreMissingEmbeddedLicense>
+ <license.ignoreMissingEmbeddedNotice>2.4.11</license.ignoreMissingEmbeddedNotice>
 </properties>
 </project>
 </supplement>
@@ -1113,9 +1113,9 @@
 <groupId>org.ow2.asm</groupId>
 <artifactId>asm</artifactId>
 <properties>
- <license.ignoreMissingEmbeddedLicense>9.1</license.ignoreMissingEmbeddedLicense>
- <license.ignoreMissingEmbeddedNotice>9.1</license.ignoreMissingEmbeddedNotice>
- <license.ignoreLicenseOverride>9.1</license.ignoreLicenseOverride>
+ <license.ignoreMissingEmbeddedLicense>9.3</license.ignoreMissingEmbeddedLicense>
+ <license.ignoreMissingEmbeddedNotice>9.3</license.ignoreMissingEmbeddedNotice>
+ <license.ignoreLicenseOverride>9.3</license.ignoreLicenseOverride>
 </properties>
 </project>
 </supplement>
diff --git a/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml b/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
index b16904d..816746c 100644
--- a/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
+++ b/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
@@ -183,6 +183,10 @@
 <scope>test</scope>
 <exclusions>
 <exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
+ <exclusion>
 <groupId>log4j</groupId>
 <artifactId>log4j</artifactId>
 </exclusion>
diff --git a/hyracks-fullstack/pom.xml b/hyracks-fullstack/pom.xml
index 69a8279..9ef0212 100644
--- a/hyracks-fullstack/pom.xml
+++ b/hyracks-fullstack/pom.xml
@@ -156,6 +156,10 @@
 <version>${hadoop.version}</version>
 <exclusions>
 <exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
+ <exclusion>
 <groupId>com.nimbusds</groupId>
 <artifactId>nimbus-jose-jwt</artifactId>
 </exclusion>
@@ -472,6 +476,12 @@
 <artifactId>jetty-util-ajax</artifactId>
 <version>9.4.48.v20220622</version>
 </dependency>
+ <!-- Manually included to avoid CVE-2023-1370 -->
+ <dependency>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ <version>2.4.11</version>
+ </dependency>
 </dependencies>
 </dependencyManagement>
 <build>
--
To view, visit https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/17548
To unsubscribe, or for help writing mail filters, visit https://asterix-gerrit.ics.uci.edu/settings
Gerrit-Project: asterixdb
Gerrit-Branch: stabilization-667a908755
Gerrit-Change-Id: I6cceff58ae80042c1421de4acb97dbfa3549168a
Gerrit-Change-Number: 17548
Gerrit-PatchSet: 4
Gerrit-Owner: Hussain Towaileb <[email protected]>
Gerrit-Reviewer: Anon. E. Moose #1000171
Gerrit-Reviewer: Hussain Towaileb <[email protected]>
Gerrit-Reviewer: Jenkins <[email protected]>
Gerrit-Reviewer: Michael Blow <[email protected]>
Gerrit-MessageType: merged
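Review bot: The literal `2.4.11` in the new `<dependencyManagement>` entry is the single place the pin lives, yet the same number is hard-coded twice more in supplemental-models.xml (for json-smart and for accessors-smart, whose version follows json-smart's), and the `license.ignoreMissingEmbedded*` entries there are version-specific, so a future bump that updates only this entry will fail the license check rather than here. Nearby managed versions in this file are expressed as a property (`${hadoop.version}` in the -156 hunk), so a `<json-smart.version>` property would follow that convention and give the pin a name the CVE comment can refer to. The comment should also name the coupling: `<!-- Overrides the json-smart pulled transitively by hadoop (CVE-2023-1370); when bumping, also update the json-smart and accessors-smart entries in asterixdb/src/main/appended-resources/supplemental-models.xml -->`.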
