From Michael Blow <[email protected]>: Michael Blow has submitted this change. ( https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/17842 )
Change subject: [NO ISSUE][MISC] override org.codehaus.jettison:jettison to avoid CVEs ...................................................................... [NO ISSUE][MISC] override org.codehaus.jettison:jettison to avoid CVEs Change-Id: Ida41aaddb65405516c3baeea9de4bbf21a0f0e41 Reviewed-on: https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/17842 Integration-Tests: Jenkins <[email protected]> Reviewed-by: Michael Blow <[email protected]> Reviewed-by: Hussain Towaileb <[email protected]> Tested-by: Michael Blow <[email protected]> --- M asterixdb/asterix-external-data/pom.xml M asterixdb/pom.xml M asterixdb/src/main/appended-resources/supplemental-models.xml 3 files changed, 39 insertions(+), 0 deletions(-) Approvals: Michael Blow: Looks good to me, but someone else must approve; Verified Hussain Towaileb: Looks good to me, approved Jenkins: Verified diff --git a/asterixdb/asterix-external-data/pom.xml b/asterixdb/asterix-external-data/pom.xml index de14287..fbb1751 100644 --- a/asterixdb/asterix-external-data/pom.xml +++ b/asterixdb/asterix-external-data/pom.xml @@ -546,6 +546,11 @@ <groupId>net.minidev</groupId> <artifactId>json-smart</artifactId> </dependency> + <!-- Manually overridden to avoid CVE-2023-1436, CVE-2022-45693, CVE-2022-45685, CVE-2022-40150, CVE-2022-40149 --> + <dependency> + <groupId>org.codehaus.jettison</groupId> + <artifactId>jettison</artifactId> + </dependency> </dependencies> <!-- apply patch for HADOOP-17225 to workaround CVE-2019-10172 --> <repositories> diff --git a/asterixdb/pom.xml b/asterixdb/pom.xml index b2d8831..dee21dc 100644 --- a/asterixdb/pom.xml +++ b/asterixdb/pom.xml @@ -1017,6 +1017,10 @@ <version>${hadoop.version}</version> <exclusions> <exclusion> + <groupId>org.codehaus.jettison</groupId> + <artifactId>jettison</artifactId> + </exclusion> + <exclusion> <groupId>net.minidev</groupId> <artifactId>json-smart</artifactId> </exclusion> 
@@ -1959,6 +1963,11 @@ <version>${hadoop.version}</version> </dependency> <!-- Hadoop Azure end --> + <dependency> + <groupId>org.codehaus.jettison</groupId> + <artifactId>jettison</artifactId> + <version>1.5.4</version> + </dependency> </dependencies> </dependencyManagement> diff --git a/asterixdb/src/main/appended-resources/supplemental-models.xml b/asterixdb/src/main/appended-resources/supplemental-models.xml index e31de23..877a843 100644 --- a/asterixdb/src/main/appended-resources/supplemental-models.xml +++ b/asterixdb/src/main/appended-resources/supplemental-models.xml @@ -2104,4 +2104,15 @@ </properties> </project> </supplement> + + <!-- Contains embedded LICENSE but missing NOTICE --> + <supplement> + <project> + <groupId>org.codehaus.jettison</groupId> + <artifactId>jettison</artifactId> + <properties> + <license.ignoreMissingEmbeddedNotice>1.5.4</license.ignoreMissingEmbeddedNotice> + </properties> + </project> + </supplement> </supplementalDataModels> -- To view, visit https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/17842 To unsubscribe, or for help writing mail filters, visit https://asterix-gerrit.ics.uci.edu/settings Gerrit-Project: asterixdb Gerrit-Branch: stabilization-667a908755 Gerrit-Change-Id: Ida41aaddb65405516c3baeea9de4bbf21a0f0e41 Gerrit-Change-Number: 17842 Gerrit-PatchSet: 3 Gerrit-Owner: Michael Blow <[email protected]> Gerrit-Reviewer: Hussain Towaileb <[email protected]> Gerrit-Reviewer: Jenkins <[email protected]> Gerrit-Reviewer: Michael Blow <[email protected]> Gerrit-MessageType: merged
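Review bot: In asterixdb/asterix-external-data/pom.xml (@@ -546), the comment lists the CVEs but not which dependency pulls jettison in, so a later reader cannot tell when this direct declaration can be removed. The matching exclusion in asterixdb/pom.xml sits under a dependency versioned `${hadoop.version}`; name that artifact in the comment, for example "transitive via <hadoop artifact>, excluded in the parent pom".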
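Review bot: In asterixdb/pom.xml (@@ -1017), the new `<exclusion>` for org.codehaus.jettison:jettison has no comment and strips the artifact from this hadoop dependency for every module that uses it, while only asterix-external-data re-declares jettison in this change. The dependencyManagement entry added in the later hunk already forces transitive resolution to 1.5.4, so either drop the exclusion or confirm that no other module consuming this dependency needs jettison at runtime, and add a one-line comment explaining the exclusion.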
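Review bot: In asterixdb/pom.xml (@@ -1959), `<version>1.5.4</version>` is hard-coded and uncommented, whereas the neighbouring entries take their version from a property (`${hadoop.version}`). This is the line that actually selects the fixed release, so the CVE rationale belongs here rather than only in the module pom; consider a `jettison.version` property as well so the next bump is a single edit.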
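Review bot: In asterixdb/src/main/appended-resources/supplemental-models.xml (@@ -2104), `<license.ignoreMissingEmbeddedNotice>1.5.4</license.ignoreMissingEmbeddedNotice>` repeats the version pinned in asterixdb/pom.xml, and nothing in either file links the two. Extend the comment to say that this value must be updated together with the managed jettison version, otherwise the next bump will leave the supplement pointing at a release that is no longer on the classpath.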
