This is an automated email from the ASF dual-hosted git repository.
nihaljain pushed a commit to branch branch-2.4
in repository https://gitbox.apache.org/repos/asf/hbase.git
The following commit(s) were added to refs/heads/branch-2.4 by this push:
new a9e4c7b27db HBASE-28089 Upgrade BouncyCastle to fix CVE-2023-33201
(#5423)
a9e4c7b27db is described below
commit a9e4c7b27dbd6725c3543ea24570bf3d83571431
Author: Nihal Jain <[email protected]>
AuthorDate: Sat Sep 23 22:52:27 2023 +0530
HBASE-28089 Upgrade BouncyCastle to fix CVE-2023-33201 (#5423)
- Upgrades to v1.76, i.e. the latest version
- Replaces *-jdk15on with *-jdk18on
- Excludes *-jdk15on, *-jdk15 from everywhere else, to avoid conflicts with
*-jdk18on
- Adds bcprov-jdk18on to hbase-mapreduce, as a few tests need this dependency
Signed-off-by: Duo Zhang <[email protected]>
---
hbase-asyncfs/pom.xml | 2 +-
hbase-endpoint/pom.xml | 2 +-
hbase-examples/pom.xml | 2 +-
hbase-http/pom.xml | 2 +-
hbase-mapreduce/pom.xml | 5 ++++
.../src/main/resources/supplemental-models.xml | 4 +--
hbase-rest/pom.xml | 2 +-
hbase-server/pom.xml | 2 +-
pom.xml | 33 ++++++++++++++++++++--
9 files changed, 44 insertions(+), 10 deletions(-)
diff --git a/hbase-asyncfs/pom.xml b/hbase-asyncfs/pom.xml
index 6d124854b52..4c24b64a08d 100644
--- a/hbase-asyncfs/pom.xml
+++ b/hbase-asyncfs/pom.xml
@@ -75,7 +75,7 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-jdk15on</artifactId>
+ <artifactId>bcprov-jdk18on</artifactId>
<scope>test</scope>
</dependency>
<dependency>
diff --git a/hbase-endpoint/pom.xml b/hbase-endpoint/pom.xml
index badd1a36eb8..e4326049a31 100644
--- a/hbase-endpoint/pom.xml
+++ b/hbase-endpoint/pom.xml
@@ -111,7 +111,7 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-jdk15on</artifactId>
+ <artifactId>bcprov-jdk18on</artifactId>
<scope>test</scope>
</dependency>
<dependency>
diff --git a/hbase-examples/pom.xml b/hbase-examples/pom.xml
index 5a65fc4a6f0..6a8dd2d9745 100644
--- a/hbase-examples/pom.xml
+++ b/hbase-examples/pom.xml
@@ -156,7 +156,7 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-jdk15on</artifactId>
+ <artifactId>bcprov-jdk18on</artifactId>
<scope>test</scope>
</dependency>
<dependency>
diff --git a/hbase-http/pom.xml b/hbase-http/pom.xml
index 546ebd69f02..8f8e52d7353 100644
--- a/hbase-http/pom.xml
+++ b/hbase-http/pom.xml
@@ -94,7 +94,7 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-jdk15on</artifactId>
+ <artifactId>bcprov-jdk18on</artifactId>
<scope>test</scope>
</dependency>
<dependency>
diff --git a/hbase-mapreduce/pom.xml b/hbase-mapreduce/pom.xml
index f3befbe62fe..deed5f7de36 100644
--- a/hbase-mapreduce/pom.xml
+++ b/hbase-mapreduce/pom.xml
@@ -356,6 +356,11 @@
<artifactId>javax.ws.rs-api</artifactId>
<scope>test</scope>
</dependency>
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcprov-jdk18on</artifactId>
+ <scope>test</scope>
+ </dependency>
</dependencies>
</profile>
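Review bot: The new `bcprov-jdk18on` test dependency sits directly before `</dependencies></profile>`, so it applies only when that one profile is active; the profile's id lies outside this hunk. If hbase-mapreduce has another build profile whose tests also need the BouncyCastle provider, that profile probably needs the same entry, or the dependency belongs in the module's top-level `<dependencies>`. A short comment such as `<!-- HBASE-28089: tests need BouncyCastle once *-jdk15on is excluded -->` would record why it was added.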
diff --git a/hbase-resource-bundle/src/main/resources/supplemental-models.xml
b/hbase-resource-bundle/src/main/resources/supplemental-models.xml
index 21ada4c9d9a..6a36b86dbc7 100644
--- a/hbase-resource-bundle/src/main/resources/supplemental-models.xml
+++ b/hbase-resource-bundle/src/main/resources/supplemental-models.xml
@@ -1316,10 +1316,10 @@ under the License.
<supplement>
<project>
<groupId>org.bouncycastle</groupId>
- <artifactId>bcpkix-jdk15on</artifactId>
+ <artifactId>bcpkix-jdk18on</artifactId>
<licenses>
- <!-- bcpkix-jdk15on is licensed under the Bouncy Castle License, which
is equivalent to the MIT License -->
+ <!-- bcpkix-jdk18on is licensed under the Bouncy Castle License, which
is equivalent to the MIT License -->
<license>
<name>MIT License</name>
<url>http://www.opensource.org/licenses/mit-license.php</url>
diff --git a/hbase-rest/pom.xml b/hbase-rest/pom.xml
index 1cdfba4a096..2a295d3cd5a 100644
--- a/hbase-rest/pom.xml
+++ b/hbase-rest/pom.xml
@@ -236,7 +236,7 @@
<!--Test-->
<dependency>
<groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-jdk15on</artifactId>
+ <artifactId>bcprov-jdk18on</artifactId>
<scope>test</scope>
</dependency>
<dependency>
diff --git a/hbase-server/pom.xml b/hbase-server/pom.xml
index 4362d002a41..3487b0b5d10 100644
--- a/hbase-server/pom.xml
+++ b/hbase-server/pom.xml
@@ -251,7 +251,7 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-jdk15on</artifactId>
+ <artifactId>bcprov-jdk18on</artifactId>
<scope>test</scope>
</dependency>
<dependency>
diff --git a/pom.xml b/pom.xml
index f64e3cd09bb..002f2f690fd 100755
--- a/pom.xml
+++ b/pom.xml
@@ -599,7 +599,7 @@
<joni.version>2.1.31</joni.version>
<jcodings.version>1.0.55</jcodings.version>
<spy.version>2.12.2</spy.version>
- <bouncycastle.version>1.70</bouncycastle.version>
+ <bouncycastle.version>1.76</bouncycastle.version>
<skyscreamer.version>1.5.1</skyscreamer.version>
<kerby.version>1.0.1</kerby.version>
<commons-crypto.version>1.0.0</commons-crypto.version>
@@ -1301,7 +1301,7 @@
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
- <artifactId>bcprov-jdk15on</artifactId>
+ <artifactId>bcprov-jdk18on</artifactId>
<version>${bouncycastle.version}</version>
<scope>test</scope>
</dependency>
@@ -1968,6 +1968,23 @@
</rules>
</configuration>
</execution>
+ <execution>
+ <id>banned-bouncycastle-jdk15on</id>
+ <goals>
+ <goal>enforce</goal>
+ </goals>
+ <configuration>
+ <rules>
+ <bannedDependencies>
+ <excludes>
+ <exclude>org.bouncycastle:*-jdk15on</exclude>
+ </excludes>
+ <message>Use org.bouncycastle:*-jdk18on instead</message>
+ <searchTransitive>true</searchTransitive>
+ </bannedDependencies>
+ </rules>
+ </configuration>
+ </execution>
<execution>
<id>check-aggregate-license</id>
<goals>
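Review bot: The ban pattern `org.bouncycastle:*-jdk15on` is narrower than what this commit excludes by hand, because the exclusion added in the @@ -3523 hunk targets the legacy coordinates `bouncycastle:bcprov-jdk15`, which this rule does not match. An old copy of the provider under that groupId could therefore come back through a new transitive dependency without failing the build. I would add `<exclude>bouncycastle:*</exclude>`, and, if the goal is a single provider jar on the classpath, also `<exclude>org.bouncycastle:*-jdk15to18</exclude>`. Extending the `<message>` to mention HBASE-28089 / CVE-2023-33201 would tell whoever trips the rule why it exists.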
@@ -3523,6 +3540,10 @@
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
+ <exclusion>
+ <groupId>bouncycastle</groupId>
+ <artifactId>bcprov-jdk15</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
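Review bot: The exclusion added here uses the legacy `bouncycastle:bcprov-jdk15` coordinates with no explanatory comment, and the same goes for the `bcprov-jdk15on`/`bcpkix-jdk15on` exclusions in the next hunk (@@ -4091). The dependencies being trimmed start outside both hunks, so their scope cannot be seen here. If either one uses BouncyCastle outside tests, it should be confirmed that a replacement is supplied, since the managed `bcprov-jdk18on` entry in this diff is test-scoped and no `bcpkix-jdk18on` dependency appears in it. I would put `<!-- HBASE-28089: replaced by org.bouncycastle:*-jdk18on -->` above each new exclusion.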
@@ -4091,6 +4112,14 @@
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
+ <exclusion>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcprov-jdk15on</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcpkix-jdk15on</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>