This is an automated email from the ASF dual-hosted git repository.

mblow pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/asterixdb.git

commit f000fb57dce2d0ed79ec1ea32f251747c6d0f5bf
Author: Michael Blow <mb...@apache.org>
AuthorDate: Wed Oct 4 19:27:28 2023 -0400

    [NO ISSUE][MISC] override org.codehaus.jettison:jettison to avoid CVEs
    
    Change-Id: Ida41aaddb65405516c3baeea9de4bbf21a0f0e41
    Reviewed-on: https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/17842
    Integration-Tests: Jenkins <jenk...@fulliautomatix.ics.uci.edu>
    Reviewed-by: Michael Blow <mb...@apache.org>
    Reviewed-by: Hussain Towaileb <hussai...@gmail.com>
    Tested-by: Michael Blow <mb...@apache.org>
---
 asterixdb/asterix-external-data/pom.xml                       |  5 +++++
 asterixdb/pom.xml                                             |  9 +++++++++
 asterixdb/src/main/appended-resources/supplemental-models.xml | 11 +++++++++++
 3 files changed, 25 insertions(+)

diff --git a/asterixdb/asterix-external-data/pom.xml 
b/asterixdb/asterix-external-data/pom.xml
index de14287a8c..fbb1751746 100644
--- a/asterixdb/asterix-external-data/pom.xml
+++ b/asterixdb/asterix-external-data/pom.xml
@@ -546,6 +546,11 @@
       <groupId>net.minidev</groupId>
       <artifactId>json-smart</artifactId>
     </dependency>
+    <!-- Manually overridden to avoid CVE-2023-1436, CVE-2022-45693, 
CVE-2022-45685, CVE-2022-40150, CVE-2022-40149 -->
+    <dependency>
+      <groupId>org.codehaus.jettison</groupId>
+      <artifactId>jettison</artifactId>
+    </dependency>
   </dependencies>
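Review bot: The comment on the new jettison dependency names the CVEs but not why the artifact is declared directly in this module; as far as the diff shows it exists to re-supply the jettison that the root pom now excludes from hadoop-common, so a reader who later drops Hadoop from this module has no hint that this entry should go with it. Suggest extending the comment to `<!-- Manually overridden to avoid CVE-2023-1436, CVE-2022-45693, CVE-2022-45685, CVE-2022-40150, CVE-2022-40149; declared directly because it is excluded from hadoop-common in the root pom, where the version is managed -->`. The listed advisories appear to be fixed in jettison 1.5.2–1.5.4, so the managed version should cover them, but that is worth re-checking against the advisories whenever the pin is next bumped.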
   <!-- apply patch for HADOOP-17225 to workaround CVE-2019-10172 -->
   <repositories>
diff --git a/asterixdb/pom.xml b/asterixdb/pom.xml
index b2d8831763..dee21dcf13 100644
--- a/asterixdb/pom.xml
+++ b/asterixdb/pom.xml
@@ -1016,6 +1016,10 @@
         <artifactId>hadoop-common</artifactId>
         <version>${hadoop.version}</version>
         <exclusions>
+          <exclusion>
+            <groupId>org.codehaus.jettison</groupId>
+            <artifactId>jettison</artifactId>
+          </exclusion>
           <exclusion>
             <groupId>net.minidev</groupId>
             <artifactId>json-smart</artifactId>
@@ -1959,6 +1963,11 @@
         <version>${hadoop.version}</version>
       </dependency>
       <!-- Hadoop Azure end -->
+      <dependency>
+        <groupId>org.codehaus.jettison</groupId>
+        <artifactId>jettison</artifactId>
+        <version>1.5.4</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
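Review bot: The managed version `1.5.4` is a bare literal with no rationale, while the CVE list lives only in asterix-external-data's pom; this is the line a maintainer will edit when bumping, so the reason for the pin belongs here as well. Suggest adding `<!-- pinned to avoid CVE-2023-1436, CVE-2022-45693, CVE-2022-45685, CVE-2022-40150, CVE-2022-40149 -->` above the dependency and, in the style of `${hadoop.version}` a few lines up, a `jettison.version` property so the version is defined once (the supplemental-models entry carries the same `1.5.4` literal). Since dependencyManagement also governs transitive resolution, any other Hadoop artifact that still pulls jettison without an exclusion should resolve to 1.5.4 too; a `mvn dependency:tree -Dincludes=org.codehaus.jettison` run would confirm no older copy survives through a path that bypasses this pom.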
 
diff --git a/asterixdb/src/main/appended-resources/supplemental-models.xml 
b/asterixdb/src/main/appended-resources/supplemental-models.xml
index e31de235a0..877a843a44 100644
--- a/asterixdb/src/main/appended-resources/supplemental-models.xml
+++ b/asterixdb/src/main/appended-resources/supplemental-models.xml
@@ -2104,4 +2104,15 @@
       </properties>
     </project>
   </supplement>
+
+  <!-- Contains embedded LICENSE but missing NOTICE -->
+  <supplement>
+    <project>
+      <groupId>org.codehaus.jettison</groupId>
+      <artifactId>jettison</artifactId>
+      <properties>
+        
<license.ignoreMissingEmbeddedNotice>1.5.4</license.ignoreMissingEmbeddedNotice>
+      </properties>
+    </project>
+  </supplement>
 </supplementalDataModels>
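Review bot: The `license.ignoreMissingEmbeddedNotice` value is the exact version string `1.5.4`, which presumably keys the exemption to that release, so the next jettison bump in the root pom will stop matching this supplement and the license check will again flag the missing NOTICE unless both are updated together; nothing in the comment says so. Suggest `<!-- Contains embedded LICENSE but missing NOTICE; version must match the jettison pin in asterixdb/pom.xml -->`.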
