This is an automated email from the ASF dual-hosted git repository. mblow pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/asterixdb.git
commit f000fb57dce2d0ed79ec1ea32f251747c6d0f5bf
Author: Michael Blow <mb...@apache.org>
AuthorDate: Wed Oct 4 19:27:28 2023 -0400

    [NO ISSUE][MISC] override org.codehaus.jettison:jettison to avoid CVEs

    Change-Id: Ida41aaddb65405516c3baeea9de4bbf21a0f0e41
    Reviewed-on: https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/17842
    Integration-Tests: Jenkins <jenk...@fulliautomatix.ics.uci.edu>
    Reviewed-by: Michael Blow <mb...@apache.org>
    Reviewed-by: Hussain Towaileb <hussai...@gmail.com>
    Tested-by: Michael Blow <mb...@apache.org>
---
 asterixdb/asterix-external-data/pom.xml | 5 +++++
 asterixdb/pom.xml | 9 +++++++++
 asterixdb/src/main/appended-resources/supplemental-models.xml | 11 +++++++++++
 3 files changed, 25 insertions(+)
diff --git a/asterixdb/asterix-external-data/pom.xml b/asterixdb/asterix-external-data/pom.xml
index de14287a8c..fbb1751746 100644
--- a/asterixdb/asterix-external-data/pom.xml
+++ b/asterixdb/asterix-external-data/pom.xml
@@ -546,6 +546,11 @@
 <groupId>net.minidev</groupId>
 <artifactId>json-smart</artifactId>
 </dependency>
+ <!-- Manually overridden to avoid CVE-2023-1436, CVE-2022-45693, CVE-2022-45685, CVE-2022-40150, CVE-2022-40149 -->
+ <dependency>
+ <groupId>org.codehaus.jettison</groupId>
+ <artifactId>jettison</artifactId>
+ </dependency>
 </dependencies>
 <!-- apply patch for HADOOP-17225 to workaround CVE-2019-10172 -->
 <repositories>
diff --git a/asterixdb/pom.xml b/asterixdb/pom.xml
index b2d8831763..dee21dcf13 100644
--- a/asterixdb/pom.xml
+++ b/asterixdb/pom.xml
@@ -1016,6 +1016,10 @@
 <artifactId>hadoop-common</artifactId>
 <version>${hadoop.version}</version>
 <exclusions>
+ <exclusion>
+ <groupId>org.codehaus.jettison</groupId>
+ <artifactId>jettison</artifactId>
+ </exclusion>
 <exclusion>
 <groupId>net.minidev</groupId>
 <artifactId>json-smart</artifactId>
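Review bot: The new `jettison` dependency added to asterix-external-data/pom.xml carries no `<scope>`, so it becomes a compile-scope dependency of the module even though the comment presents it purely as a version override for what hadoop-common used to pull in transitively. If no source in this module imports `org.codehaus.jettison` classes, `<scope>runtime</scope>` keeps the patched artifact on the runtime classpath while preventing it from leaking into the module's compile classpath and into downstream consumers' compile scope. The comment would also help future maintainers more if it stated the mechanism alongside the CVE list, e.g. `<!-- hadoop-common's transitive jettison is excluded in the root pom; declared here so the managed version is used. Avoids CVE-2023-1436, ... -->`. The enclosing `<dependencies>` element starts before the hunk.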
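Review bot: The exclusion added to the managed `hadoop-common` entry in asterixdb/pom.xml covers only that artifact; any other Hadoop module declared in this dependencyManagement block that also depends on jettison would still bring it in transitively (the `<!-- Hadoop Azure end -->` marker further down suggests several Hadoop artifacts are managed here). Because the same commit adds a managed `jettison` version, Maven already forces that version on every transitive occurrence, so the exclusion is either redundant belt-and-braces or should be applied to each Hadoop artifact for consistency. A one-line comment stating which effect is intended would settle it, e.g. `<!-- excluded so jettison is only reachable through the explicit managed dependency below -->`. The enclosing `<dependency>` element for hadoop-common starts before this hunk and closes after it.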
@@ -1959,6 +1963,11 @@ <version>${hadoop.version}</version> </dependency> <!-- Hadoop Azure end --> + <dependency> + <groupId>org.codehaus.jettison</groupId> + <artifactId>jettison</artifactId> + <version>1.5.4</version> + </dependency> </dependencies> </dependencyManagement> diff --git a/asterixdb/src/main/appended-resources/supplemental-models.xml b/asterixdb/src/main/appended-resources/supplemental-models.xml index e31de235a0..877a843a44 100644 --- a/asterixdb/src/main/appended-resources/supplemental-models.xml +++ b/asterixdb/src/main/appended-resources/supplemental-models.xml @@ -2104,4 +2104,15 @@ </properties> </project> </supplement> + + <!-- Contains embedded LICENSE but missing NOTICE --> + <supplement> + <project> + <groupId>org.codehaus.jettison</groupId> + <artifactId>jettison</artifactId> + <properties> + <license.ignoreMissingEmbeddedNotice>1.5.4</license.ignoreMissingEmbeddedNotice> + </properties> + </project> + </supplement> </supplementalDataModels>
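Review bot: The pinned `<version>1.5.4</version>` in the root dependencyManagement carries no comment, while the CVE rationale lives only in asterix-external-data/pom.xml; this entry is where the version is actually decided and where a future change to `hadoop.version` (which may itself ship a fixed jettison) would make the override obsolete or even downgrade it. Suggest adding above the new `<dependency>`: `<!-- pinned to avoid the jettison CVEs listed in asterix-external-data/pom.xml; re-evaluate whenever hadoop.version changes -->`. The surrounding managed Hadoop entries use a `${hadoop.version}` property rather than a literal, so a `<jettison.version>` property would match the file's style and give the version a single place to bump. The enclosing `<dependencies>` element starts before the hunk.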
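Review bot: The new supplemental-models.xml entry hard-codes `1.5.4` as the value of `license.ignoreMissingEmbeddedNotice`, duplicating the version pinned in asterixdb/pom.xml. If the license check matches this value against the resolved artifact version, as the version-valued property suggests, bumping jettison in pom.xml without touching this file will reintroduce the missing-NOTICE failure at build time. A short comment such as `<!-- keep in sync with the jettison version managed in asterixdb/pom.xml -->` next to the existing `<!-- Contains embedded LICENSE but missing NOTICE -->` would make the coupling visible.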