This is an automated email from the ASF dual-hosted git repository.
bdoyle pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/openwhisk.git
The following commit(s) were added to refs/heads/master by this push:
new 65a0132e7 dependency updates for cve patches (part 3) (#5383)
65a0132e7 is described below
commit 65a0132e73b41528dcf5b2817a55a579f7900433
Author: Brendan Doyle <[email protected]>
AuthorDate: Wed Feb 22 17:51:42 2023 -0800
dependency updates for cve patches (part 3) (#5383)
* more dependency vulns
* remove zinc upgrade for now
* fix build attempt
* apply avro pin everywhere
* another build fix
* changes
* revert
* override scoverage versions
* revert swagger bump
* cleanup
---------
Co-authored-by: Brendan Doyle <[email protected]>
---
common/scala/build.gradle | 49 ++++++++++++++++++++++++--------
core/monitoring/user-events/build.gradle | 8 +++++-
core/standalone/build.gradle | 8 +++++-
settings.gradle | 4 +++
tests/build.gradle | 20 +++++++++++--
5 files changed, 72 insertions(+), 17 deletions(-)
diff --git a/common/scala/build.gradle b/common/scala/build.gradle
index b937ccf4c..96401b43c 100644
--- a/common/scala/build.gradle
+++ b/common/scala/build.gradle
@@ -28,6 +28,11 @@ apply from: '../../gradle/docker.gradle'
project.archivesBaseName = "openwhisk-common"
+scoverage {
+ scoverageVersion.set("${gradle.scala.scoverageVersion}")
+ scoverageScalaVersion.set("${gradle.scala.scoverageScalaVersion}")
+}
+
dependencies {
api "org.scala-lang:scala-library:${gradle.scala.version}"
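Review bot: The new `scoverage` block overrides both plugin versions from `gradle.scala.*` without saying why the plugin defaults are no longer acceptable, so the next reader has to go to settings.gradle and the commit history to find out. A one-line comment above the block would carry the intent, e.g. `// scoverage versions are pinned in settings.gradle (gradle.ext.scala) so both Scala branches resolve the same scoverage release`. The commit message only says "override scoverage versions", so confirm the actual motivation (presumably a transitive dependency the default version pulled in) before recording it.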
@@ -88,11 +93,7 @@ dependencies {
api "io.reactivex:rxjava:1.3.8"
api "io.reactivex:rxjava-reactive-streams:1.2.1"
- api "com.microsoft.azure:azure-cosmosdb:2.6.2"
- api
"com.sksamuel.elastic4s:elastic4s-http_${gradle.scala.depVersion}:6.7.4"
- //for mongo
- api "org.mongodb.scala:mongo-scala-driver_${gradle.scala.depVersion}:2.7.0"
api
("com.lightbend.akka:akka-stream-alpakka-s3_${gradle.scala.depVersion}:1.1.2") {
exclude group: 'org.apache.httpcomponents' //Not used as alpakka uses
akka-http
@@ -105,14 +106,38 @@ dependencies {
exclude group: "com.azure", module: "azure-core-test"
}
- compile "io.netty:netty-buffer:${gradle.netty.version}"
- compile "io.netty:netty-handler:${gradle.netty.version}"
- compile "io.netty:netty-handler-proxy:${gradle.netty.version}"
- compile "io.netty:netty-codec-socks:${gradle.netty.version}"
- compile "io.netty:netty-codec-http:${gradle.netty.version}"
- compile "io.netty:netty-codec-http2:${gradle.netty.version}"
- compile "io.netty:netty-transport-native-epoll:${gradle.netty.version}"
- compile
"io.netty:netty-transport-native-unix-common:${gradle.netty.version}"
+ api "com.microsoft.azure:azure-cosmosdb"
+ constraints {
+ api("com.microsoft.azure:azure-cosmosdb:2.6.2")
+ implementation("com.fasterxml.jackson.core:jackson-core:2.14.2") {
+ because "cannot upgrade azure-cosmosdb to new major version to
remediate vulns w/o breaking change"
+ }
+ }
+
+ api "com.sksamuel.elastic4s:elastic4s-http_${gradle.scala.depVersion}"
+ constraints {
+
api("com.sksamuel.elastic4s:elastic4s-http_${gradle.scala.depVersion}:6.7.8")
+
implementation("org.elasticsearch.client:elasticsearch-rest-client:6.8.23") {
+ because "cannot upgrade elastic4s to remediate vuln without
performing major version rest client upgrade"
+ }
+ }
+ //for mongo
+ api "org.mongodb.scala:mongo-scala-driver_${gradle.scala.depVersion}"
+ constraints {
+
api("org.mongodb.scala:mongo-scala-driver_${gradle.scala.depVersion}:2.7.0")
+ implementation("org.mongodb:mongodb-driver-async:3.12.1") {
+ because "cannot upgrade major mongo scala driver to remediate vuln
w/o code changes"
+ }
+ }
+
+ api "io.netty:netty-buffer:${gradle.netty.version}"
+ api "io.netty:netty-handler:${gradle.netty.version}"
+ api "io.netty:netty-handler-proxy:${gradle.netty.version}"
+ api "io.netty:netty-codec-socks:${gradle.netty.version}"
+ api "io.netty:netty-codec-http:${gradle.netty.version}"
+ api "io.netty:netty-codec-http2:${gradle.netty.version}"
+ api "io.netty:netty-transport-native-epoll:${gradle.netty.version}"
+ api "io.netty:netty-transport-native-unix-common:${gradle.netty.version}"
}
configurations {
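Review bot: The three `because` strings in the new `constraints` blocks say that a vulnerability exists but never identify it, so nobody can later check whether 2.14.2, 6.8.23 or 3.12.1 actually covers the issue or when the pin can be dropped. Record the advisory identifier and the exit condition in each reason, e.g. `because "jackson-core pinned for <ADVISORY-ID>; drop once azure-cosmosdb is upgraded past 2.6.x"`, and the same for the elasticsearch-rest-client and mongodb-driver-async pins. Also worth a comment: the constraints are declared on `implementation` while the parent artifacts are `api`, which as far as I can tell propagates the pinned versions to consuming subprojects' runtime classpath but not their compile classpath; that is probably what matters here, but say so explicitly, or declare them with `api(...)` if the compile classpath should match.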
diff --git a/core/monitoring/user-events/build.gradle
b/core/monitoring/user-events/build.gradle
index f5a4ae130..145b704ef 100644
--- a/core/monitoring/user-events/build.gradle
+++ b/core/monitoring/user-events/build.gradle
@@ -40,7 +40,13 @@ dependencies {
testImplementation "junit:junit:4.11"
testImplementation
"org.scalatest:scalatest_${gradle.scala.depVersion}:3.0.8"
- testImplementation
"io.github.embeddedkafka:embedded-kafka_${gradle.scala.depVersion}:2.4.0"
+ testImplementation
"io.github.embeddedkafka:embedded-kafka_${gradle.scala.depVersion}"
+ constraints {
+
testImplementation("io.github.embeddedkafka:embedded-kafka_${gradle.scala.depVersion}:2.4.0")
+ testImplementation('org.apache.avro:avro:1.11.1') {
+ because 'embeddedkafka dependency cannot be upgraded currently and
avro in embedded kafka 2.4.0 has vulns'
+ }
+ }
testImplementation
"com.typesafe.akka:akka-stream-kafka-testkit_${gradle.scala.depVersion}:${gradle.akka_kafka.version}"
testImplementation
"com.typesafe.akka:akka-testkit_${gradle.scala.depVersion}:${gradle.akka.version}"
testImplementation
"com.typesafe.akka:akka-stream-testkit_${gradle.scala.depVersion}:${gradle.akka.version}"
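Review bot: The `org.apache.avro:avro:1.11.1` constraint and its reason string are pasted verbatim here, in core/standalone/build.gradle and in tests/build.gradle, so the next avro patch has to be applied in three places and a missed one silently keeps the older version on that module's classpath. The build already centralizes versions in settings.gradle (`gradle.netty.version`, `gradle.akka.version`, `gradle.curator.version` are all referenced in these files), so the avro and embedded-kafka pins belong there too, e.g. `testImplementation("org.apache.avro:avro:${gradle.avro.version}")` with a matching `gradle.ext` entry (name illustrative). The reason string should also name the advisory rather than "has vulns", so the pin can be reviewed when embedded-kafka is finally upgraded.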
diff --git a/core/standalone/build.gradle b/core/standalone/build.gradle
index ef4baae8d..a8f81fd37 100644
--- a/core/standalone/build.gradle
+++ b/core/standalone/build.gradle
@@ -164,7 +164,13 @@ dependencies {
implementation project(':tools:admin')
implementation "org.rogach:scallop_${gradle.scala.depVersion}:3.3.2"
- implementation
"io.github.embeddedkafka:embedded-kafka_${gradle.scala.depVersion}:2.4.0"
+ implementation
"io.github.embeddedkafka:embedded-kafka_${gradle.scala.depVersion}"
+ constraints {
+
implementation("io.github.embeddedkafka:embedded-kafka_${gradle.scala.depVersion}:2.4.0")
+ implementation('org.apache.avro:avro:1.11.1') {
+ because 'embeddedkafka dependency cannot be upgraded currently and
avro in embedded kafka 2.4.0 has vulns'
+ }
+ }
implementation "org.scala-lang:scala-reflect:${gradle.scala.version}"
implementation "ch.megard:akka-http-cors_${gradle.scala.depVersion}:0.4.2"
diff --git a/settings.gradle b/settings.gradle
index 70a3fd0eb..0ba8ae6be 100644
--- a/settings.gradle
+++ b/settings.gradle
@@ -55,6 +55,8 @@ if (scalaVersion == '2.12') {
gradle.ext.scala = [
version : '2.12.10',
depVersion : '2.12',
+ scoverageScalaVersion : '2.12.15',
+ scoverageVersion : '1.4.11',
compileFlags: ['-feature', '-unchecked', '-deprecation',
'-Xfatal-warnings', '-Ywarn-unused-import']
]
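Review bot: `scoverageScalaVersion` is set to 2.12.15 while `version` in the same map stays at 2.12.10, whereas the 2.13 branch below sets both to 2.13.1; nothing explains the asymmetry, and a later cleanup could "fix" it to match and break coverage builds. A one-line comment on the new key would prevent that, e.g. `// Scala version used to resolve scoverage 1.4.11 artifacts; may differ from the compiler version above`. The reason is presumably that scoverage does not publish for 2.12.10, but confirm before writing it down.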
} else {
@@ -62,6 +64,8 @@ if (scalaVersion == '2.12') {
gradle.ext.scala = [
version : '2.13.1',
depVersion : '2.13',
+ scoverageScalaVersion : '2.13.1',
+ scoverageVersion : '1.4.11',
// We can't use fatal warnings yet because there are deprecated
things in 2.13 that are not fixable
// in 2.12.
compileFlags: ['-feature', '-unchecked', '-deprecation']
diff --git a/tests/build.gradle b/tests/build.gradle
index 116f148a1..c542ff8da 100644
--- a/tests/build.gradle
+++ b/tests/build.gradle
@@ -224,9 +224,23 @@ dependencies {
implementation "com.github.java-json-tools:json-schema-validator:2.2.8"
implementation "org.mockito:mockito-core:2.27.0"
implementation "io.opentracing:opentracing-mock:0.31.0"
- implementation "org.apache.curator:curator-test:${gradle.curator.version}"
- implementation "com.atlassian.oai:swagger-request-validator-core:1.4.5"
- implementation
"io.github.embeddedkafka:embedded-kafka_${gradle.scala.depVersion}:2.4.0"
+ implementation
("org.apache.curator:curator-test:${gradle.curator.version}") {
+ exclude group: 'log4j'
+ }
+ implementation "com.atlassian.oai:swagger-request-validator-core"
+ constraints {
+
implementation("com.atlassian.oai:swagger-request-validator-core:1.4.5")
+ implementation("org.slf4j:slf4j-ext:1.7.36") {
+ because 'swagger-request-validator-core cannot be upgraded to 2.x
where vuln is remediated'
+ }
+ }
+ implementation
"io.github.embeddedkafka:embedded-kafka_${gradle.scala.depVersion}"
+ constraints {
+
implementation("io.github.embeddedkafka:embedded-kafka_${gradle.scala.depVersion}:2.4.0")
+ implementation('org.apache.avro:avro:1.11.1') {
+ because 'embeddedkafka dependency cannot be upgraded currently and
avro in embedded kafka 2.4.0 has vulns'
+ }
+ }
implementation
"com.typesafe.akka:akka-stream-kafka-testkit_${gradle.scala.depVersion}:${gradle.akka_kafka.version}"
implementation
"com.typesafe.akka:akka-stream-testkit_${gradle.scala.depVersion}:${gradle.akka.version}"
implementation
"io.fabric8:kubernetes-server-mock:${gradle.kube_client.version}"
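Review bot: `exclude group: 'log4j'` on curator-test removes log4j 1.x from the test runtime classpath, but nothing in the hunk adds a replacement, so any test path that still reaches `org.apache.log4j` would now fail with a missing class instead of logging. Confirm that the test runtime already carries a bridge such as `org.slf4j:log4j-over-slf4j` (or that nothing on it references log4j 1.x), and state that on the exclude, e.g. `exclude group: 'log4j' // log4j 1.x dropped; log4j-over-slf4j supplies the API at test runtime`. The `slf4j-ext:1.7.36` reason names no advisory either; record the identifier and the condition for dropping the pin (the swagger-request-validator 2.x upgrade) in the `because` string.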