From 79cda5572c195521935ef79b71cab50a9efacfe7 Mon Sep 17 00:00:00 2001
From: David Venable
Date: Tue, 21 Nov 2023 11:24:08 -0600
Subject: [PATCH] Updates the opensearch-java client to 2.8.1 and opensearch to 1.3.13. This includes a transitive dependency update to parsson to resolve CVE-2023-4043. Update required version of org.json library to resolve CVE-2023-5072. Require a Zookeeper version which resolves CVE-2023-44981. Require a transitive Scala library to resolve CVE-2023-46122. Resolves #3588, #3522, #3491, #3547

Signed-off-by: David Venable
---
 build.gradle | 10 ++++++++--
 performance-test/build.gradle | 9 +++++++++
 settings.gradle | 4 ++--
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/build.gradle b/build.gradle
index 39f6886e44..0ac5e77554 100644
--- a/build.gradle
+++ b/build.gradle
@@ -116,6 +116,12 @@ subprojects {
 }
 because 'the build fails if the Log4j API is not update along with log4j-core'
 }
+ implementation('org.apache.zookeeper:zookeeper') {
+ version {
+ require '3.7.2'
+ }
+ because 'Fixes CVE-2023-44981'
+ }
 implementation('com.google.code.gson:gson') {
 version {
 require '2.8.9'
@@ -196,9 +202,9 @@ subprojects {
 }
 implementation('org.json:json') {
 version {
- require '20230618'
+ require '20231013'
 }
- because 'CVE from transitive dependencies'
+ because 'CVE-2023-5072, CVE from transitive dependencies'
 }
 }
 }
diff --git a/performance-test/build.gradle b/performance-test/build.gradle
index b5ffad15f1..36a74db08a 100644
--- a/performance-test/build.gradle
+++ b/performance-test/build.gradle
@@ -22,6 +22,15 @@ dependencies {
 gatlingImplementation 'software.amazon.awssdk:auth:2.20.67'
 implementation 'com.fasterxml.jackson.core:jackson-core'
 testRuntimeOnly testLibs.junit.engine
+
+ constraints {
+ zinc('org.scala-sbt:io_2.13') {
+ version {
+ require '1.9.7'
+ }
+ because 'Fixes CVE-2023-46122'
+ }
+ }
 }
 
 test {
diff --git a/settings.gradle b/settings.gradle
index b674d1689d..2e115a34a2 100644
--- a/settings.gradle
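Review bot: The `because 'Fixes CVE-2023-44981'` reason on the new zookeeper constraint does not record which dependency drags ZooKeeper onto the graph, so nobody will know when this pin can be retired once that upstream moves; a reason such as `because 'CVE-2023-44981; transitive via <the dependency that pulls in zookeeper>, drop once it upgrades past 3.7.2'` would make that explicit. It is also worth stating in the same reason that `require` is a floor that other constraints may raise or a `strictly` elsewhere may override, so a later reader does not mistake it for an exact pin and so a downgrade by a stricter constraint is noticed in review. The enclosing `subprojects {` block (presumably a dependency-constraints section) begins and ends outside the hunk.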
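Review bot: The new `constraints { zinc(...) }` pins `org.scala-sbt:io_2.13` only for the `zinc` configuration, so if the same artifact is also reachable through `gatlingImplementation` or another Gatling configuration (not visible in this hunk) those graphs would still resolve the vulnerable version; confirm with `gradle :performance-test:dependencyInsight --dependency org.scala-sbt:io_2.13` across configurations before treating CVE-2023-46122 as closed. If it really is only on the Scala compiler path, a comment above the constraint such as `// io_2.13 is only brought in by the Scala compiler bridge (zinc); runtime configurations do not use it` would document why the narrower scope is sufficient. The `dependencies {` block opens at the hunk header, and the `test {` block that follows continues outside the hunk.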
+++ b/settings.gradle
@@ -26,9 +26,9 @@ dependencyResolutionManagement {
 library('protobuf-util', 'com.google.protobuf', 'protobuf-java-util').versionRef('protobuf')
 version('opentelemetry', '0.16.0-alpha')
 library('opentelemetry-proto', 'io.opentelemetry.proto', 'opentelemetry-proto').versionRef('opentelemetry')
- version('opensearchJava', '2.5.0')
+ version('opensearchJava', '2.8.1')
 library('opensearch-java', 'org.opensearch.client', 'opensearch-java').versionRef('opensearchJava')
- version('opensearch', '1.3.8')
+ version('opensearch', '1.3.13')
 library('opensearch-client', 'org.opensearch.client', 'opensearch-rest-client').versionRef('opensearch')
 library('opensearch-rhlc', 'org.opensearch.client', 'opensearch-rest-high-level-client').versionRef('opensearch')
 version('spring', '5.3.28')