Updates the opensearch-java client to 2.8.1 and opensearch to 1.3.13.…

… This includes a transitive dependency update to parsson to resolve CVE-2023-4043. Update required version of org.json library to resolve CVE-2023-5072. Require a Zookeeper version which resolves CVE-2023-44981. Require a transitive Scala library to resolve CVE-2023-46122. Resolves opensearch-project#3588, opensearch-project#3522, opensearch-project#3491, opensearch-project#3547 Signed-off-by: David Venable <[email protected]>
dlvenable · Nov 21, 2023 · 79cda55 · 79cda55
1 parent 30d88f9
commit 79cda55
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 4 deletions.
diff --git a/build.gradle b/build.gradle
@@ -116,6 +116,12 @@ subprojects {
                 }
                 because 'the build fails if the Log4j API is not update along with log4j-core'
             }
+            implementation('org.apache.zookeeper:zookeeper') {
+                version {
+                    require '3.7.2'
+                }
+                because 'Fixes CVE-2023-44981'
+            }
             implementation('com.google.code.gson:gson') {
                 version {
                     require '2.8.9'
@@ -196,9 +202,9 @@ subprojects {
             }
             implementation('org.json:json') {
                 version {
-                    require '20230618'
+                    require '20231013'
                 }
-                because 'CVE from transitive dependencies'
+                because 'CVE-2023-5072, CVE from transitive dependencies'
             }
         }
     }

diff --git a/performance-test/build.gradle b/performance-test/build.gradle
@@ -22,6 +22,15 @@ dependencies {
     gatlingImplementation 'software.amazon.awssdk:auth:2.20.67'
     implementation 'com.fasterxml.jackson.core:jackson-core'
     testRuntimeOnly testLibs.junit.engine
+
+    constraints {
+        zinc('org.scala-sbt:io_2.13') {
+            version {
+                require '1.9.7'
+            }
+            because 'Fixes CVE-2023-46122'
+        }
+    }
 }
 
 test {

diff --git a/settings.gradle b/settings.gradle
@@ -26,9 +26,9 @@ dependencyResolutionManagement {
             library('protobuf-util', 'com.google.protobuf', 'protobuf-java-util').versionRef('protobuf')
             version('opentelemetry', '0.16.0-alpha')
             library('opentelemetry-proto', 'io.opentelemetry.proto', 'opentelemetry-proto').versionRef('opentelemetry')
-            version('opensearchJava', '2.5.0')
+            version('opensearchJava', '2.8.1')
             library('opensearch-java', 'org.opensearch.client', 'opensearch-java').versionRef('opensearchJava')
-            version('opensearch', '1.3.8')
+            version('opensearch', '1.3.13')
             library('opensearch-client', 'org.opensearch.client', 'opensearch-rest-client').versionRef('opensearch')
             library('opensearch-rhlc', 'org.opensearch.client', 'opensearch-rest-high-level-client').versionRef('opensearch')
             version('spring', '5.3.28')