chore(dependencies): Upgrade com.nimbusds:nimbus-jose-jwt to resolve CVE #892

Merged
merged 1 commit into from
Aug 30, 2021


j-sandy
Contributor

@j-sandy j-sandy commented Aug 30, 2021

CVE-2019-17195
com.nimbusds:nimbus-jose-jwt is introduced transitively by oracle-sdk and azure-client-auth. Affected Spinnaker components are clouddriver, halyard and gate.

CVE-2019-17195
Introduced transitively by oracle-sdk, azure-client-auth
@j-sandy
Contributor Author

j-sandy commented Aug 30, 2021

After implementing the nimbus-jose-jwt CVE fix, clouddriver dependency insight:

$.\gradlew clouddriver-web:dI --dependency com.nimbusds:nimbus-jose-jwt --configuration runtimeClasspath

> Task :clouddriver-web:dependencyInsight
com.nimbusds:nimbus-jose-jwt:7.9
   variant "runtime" [
      org.gradle.status                  = release (not requested)
      org.gradle.usage                   = java-runtime
      org.gradle.libraryelements         = jar
      org.gradle.category                = library

      Requested attributes not found in the selected variant:
         org.gradle.dependency.bundling     = external
         org.jetbrains.kotlin.platform.type = jvm
         org.gradle.jvm.version             = 11
   ]
   Selection reasons:
      - By constraint
      - By conflict resolution : between versions 7.9 and 6.5.1

com.nimbusds:nimbus-jose-jwt:7.9
\--- io.spinnaker.kork:kork-bom:nimbus-jose-jwt-cve-fix-SNAPSHOT
     +--- runtimeClasspath
     +--- project :clouddriver-kubernetes
     |    \--- runtimeClasspath
     +--- project :clouddriver-ecs
     |    \--- runtimeClasspath
     +--- project :clouddriver-lambda
     |    \--- runtimeClasspath
     +--- project :clouddriver-appengine
     |    \--- runtimeClasspath
     +--- project :clouddriver-cloudfoundry
     |    \--- runtimeClasspath
     +--- project :clouddriver-google
     |    \--- runtimeClasspath
     +--- project :clouddriver-artifacts
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-kubernetes (*)
     |    +--- project :clouddriver-ecs (*)
     |    +--- project :clouddriver-lambda (*)
     |    +--- project :clouddriver-appengine (*)
     |    +--- project :clouddriver-cloudfoundry (*)
     |    \--- project :clouddriver-google (*)
     +--- project :clouddriver-elasticsearch
     |    \--- runtimeClasspath
     +--- project :clouddriver-sql-mysql
     |    \--- runtimeClasspath
     +--- project :clouddriver-sql-postgres
     |    \--- runtimeClasspath
     +--- project :cats:cats-sql
     |    +--- project :clouddriver-sql-mysql (*)
     |    \--- project :clouddriver-sql-postgres (*)
     +--- project :clouddriver-sql
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-sql-mysql (*)
     |    +--- project :clouddriver-sql-postgres (*)
     |    \--- project :cats:cats-sql (*)
     +--- project :clouddriver-tencentcloud
     |    \--- runtimeClasspath
     +--- project :clouddriver-titus
     |    \--- runtimeClasspath
     +--- project :clouddriver-aws
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-ecs (*)
     |    +--- project :clouddriver-lambda (*)
     |    \--- project :clouddriver-titus (*)
     +--- project :clouddriver-eureka
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-tencentcloud (*)
     |    +--- project :clouddriver-titus (*)
     |    \--- project :clouddriver-aws (*)
     +--- project :clouddriver-oracle
     |    \--- runtimeClasspath
     +--- project :clouddriver-azure
     |    \--- runtimeClasspath
     +--- project :clouddriver-consul
     |    +--- runtimeClasspath
     |    \--- project :clouddriver-google (*)
     +--- project :clouddriver-huaweicloud
     |    \--- runtimeClasspath
     +--- project :clouddriver-yandex
     |    \--- runtimeClasspath
     +--- project :clouddriver-docker
     |    +--- runtimeClasspath
     |    \--- project :clouddriver-cloudfoundry (*)
     +--- project :clouddriver-core
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-kubernetes (*)
     |    +--- project :clouddriver-ecs (*)
     |    +--- project :clouddriver-lambda (*)
     |    +--- project :clouddriver-appengine (*)
     |    +--- project :clouddriver-cloudfoundry (*)
     |    +--- project :clouddriver-google (*)
     |    +--- project :clouddriver-artifacts (*)
     |    +--- project :clouddriver-elasticsearch (*)
     |    +--- project :cats:cats-sql (*)
     |    +--- project :clouddriver-sql (*)
     |    +--- project :clouddriver-tencentcloud (*)
     |    +--- project :clouddriver-titus (*)
     |    +--- project :clouddriver-aws (*)
     |    +--- project :clouddriver-eureka (*)
     |    +--- project :clouddriver-oracle (*)
     |    +--- project :clouddriver-azure (*)
     |    +--- project :clouddriver-consul (*)
     |    +--- project :clouddriver-huaweicloud (*)
     |    +--- project :clouddriver-yandex (*)
     |    \--- project :clouddriver-docker (*)
     +--- project :clouddriver-security
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-kubernetes (*)
     |    +--- project :clouddriver-ecs (*)
     |    +--- project :clouddriver-lambda (*)
     |    +--- project :clouddriver-appengine (*)
     |    +--- project :clouddriver-cloudfoundry (*)
     |    +--- project :clouddriver-google (*)
     |    +--- project :clouddriver-elasticsearch (*)
     |    +--- project :cats:cats-sql (*)
     |    +--- project :clouddriver-tencentcloud (*)
     |    +--- project :clouddriver-titus (*)
     |    +--- project :clouddriver-aws (*)
     |    +--- project :clouddriver-oracle (*)
     |    +--- project :clouddriver-azure (*)
     |    +--- project :clouddriver-huaweicloud (*)
     |    +--- project :clouddriver-yandex (*)
     |    +--- project :clouddriver-docker (*)
     |    \--- project :clouddriver-core (*)
     +--- project :cats:cats-redis
     |    +--- project :cats:cats-sql (*)
     |    \--- project :clouddriver-core (*)
     +--- project :cats:cats-core
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-kubernetes (*)
     |    +--- project :clouddriver-ecs (*)
     |    +--- project :clouddriver-lambda (*)
     |    +--- project :clouddriver-appengine (*)
     |    +--- project :clouddriver-cloudfoundry (*)
     |    +--- project :clouddriver-google (*)
     |    +--- project :cats:cats-sql (*)
     |    +--- project :clouddriver-sql (*)
     |    +--- project :clouddriver-tencentcloud (*)
     |    +--- project :clouddriver-titus (*)
     |    +--- project :clouddriver-aws (*)
     |    +--- project :clouddriver-eureka (*)
     |    +--- project :clouddriver-oracle (*)
     |    +--- project :clouddriver-azure (*)
     |    +--- project :clouddriver-huaweicloud (*)
     |    +--- project :clouddriver-yandex (*)
     |    +--- project :clouddriver-docker (*)
     |    +--- project :clouddriver-core (*)
     |    +--- project :clouddriver-security (*)
     |    \--- project :cats:cats-redis (*)
     +--- project :clouddriver-api
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-kubernetes (*)
     |    +--- project :clouddriver-ecs (*)
     |    +--- project :clouddriver-lambda (*)
     |    +--- project :clouddriver-appengine (*)
     |    +--- project :clouddriver-cloudfoundry (*)
     |    +--- project :clouddriver-google (*)
     |    +--- project :clouddriver-artifacts (*)
     |    +--- project :clouddriver-elasticsearch (*)
     |    +--- project :cats:cats-sql (*)
     |    +--- project :clouddriver-sql (*)
     |    +--- project :clouddriver-tencentcloud (*)
     |    +--- project :clouddriver-titus (*)
     |    +--- project :clouddriver-aws (*)
     |    +--- project :clouddriver-eureka (*)
     |    +--- project :clouddriver-oracle (*)
     |    +--- project :clouddriver-azure (*)
     |    +--- project :clouddriver-huaweicloud (*)
     |    +--- project :clouddriver-yandex (*)
     |    +--- project :clouddriver-docker (*)
     |    +--- project :clouddriver-core (*)
     |    +--- project :clouddriver-security (*)
     |    +--- project :cats:cats-redis (*)
     |    \--- project :cats:cats-core (*)
     +--- project :clouddriver-google-common
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-appengine (*)
     |    \--- project :clouddriver-google (*)
     +--- project :clouddriver-configserver
     |    +--- runtimeClasspath
     |    \--- project :clouddriver-kubernetes (*)
     +--- project :clouddriver-saga
     |    +--- project :clouddriver-titus (*)
     |    +--- project :clouddriver-aws (*)
     |    \--- project :clouddriver-core (*)
     \--- project :clouddriver-event
          +--- project :clouddriver-sql (*)
          \--- project :clouddriver-saga (*)

com.nimbusds:nimbus-jose-jwt:6.5.1 -> 7.9
\--- com.oracle.oci.sdk:oci-java-sdk-common:1.5.17
     +--- io.spinnaker.kork:kork-bom:nimbus-jose-jwt-cve-fix-SNAPSHOT
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-kubernetes
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-ecs
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-lambda
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-appengine
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-cloudfoundry
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-google
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-artifacts
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-kubernetes (*)
     |    |    +--- project :clouddriver-ecs (*)
     |    |    +--- project :clouddriver-lambda (*)
     |    |    +--- project :clouddriver-appengine (*)
     |    |    +--- project :clouddriver-cloudfoundry (*)
     |    |    \--- project :clouddriver-google (*)
     |    +--- project :clouddriver-elasticsearch
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-sql-mysql
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-sql-postgres
     |    |    \--- runtimeClasspath
     |    +--- project :cats:cats-sql
     |    |    +--- project :clouddriver-sql-mysql (*)
     |    |    \--- project :clouddriver-sql-postgres (*)
     |    +--- project :clouddriver-sql
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-sql-mysql (*)
     |    |    +--- project :clouddriver-sql-postgres (*)
     |    |    \--- project :cats:cats-sql (*)
     |    +--- project :clouddriver-tencentcloud
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-titus
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-aws
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-ecs (*)
     |    |    +--- project :clouddriver-lambda (*)
     |    |    \--- project :clouddriver-titus (*)
     |    +--- project :clouddriver-eureka
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-tencentcloud (*)
     |    |    +--- project :clouddriver-titus (*)
     |    |    \--- project :clouddriver-aws (*)
     |    +--- project :clouddriver-oracle
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-azure
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-consul
     |    |    +--- runtimeClasspath
     |    |    \--- project :clouddriver-google (*)
     |    +--- project :clouddriver-huaweicloud
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-yandex
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-docker
     |    |    +--- runtimeClasspath
     |    |    \--- project :clouddriver-cloudfoundry (*)
     |    +--- project :clouddriver-core
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-kubernetes (*)
     |    |    +--- project :clouddriver-ecs (*)
     |    |    +--- project :clouddriver-lambda (*)
     |    |    +--- project :clouddriver-appengine (*)
     |    |    +--- project :clouddriver-cloudfoundry (*)
     |    |    +--- project :clouddriver-google (*)
     |    |    +--- project :clouddriver-artifacts (*)
     |    |    +--- project :clouddriver-elasticsearch (*)
     |    |    +--- project :cats:cats-sql (*)
     |    |    +--- project :clouddriver-sql (*)
     |    |    +--- project :clouddriver-tencentcloud (*)
     |    |    +--- project :clouddriver-titus (*)
     |    |    +--- project :clouddriver-aws (*)
     |    |    +--- project :clouddriver-eureka (*)
     |    |    +--- project :clouddriver-oracle (*)
     |    |    +--- project :clouddriver-azure (*)
     |    |    +--- project :clouddriver-consul (*)
     |    |    +--- project :clouddriver-huaweicloud (*)
     |    |    +--- project :clouddriver-yandex (*)
     |    |    \--- project :clouddriver-docker (*)
     |    +--- project :clouddriver-security
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-kubernetes (*)
     |    |    +--- project :clouddriver-ecs (*)
     |    |    +--- project :clouddriver-lambda (*)
     |    |    +--- project :clouddriver-appengine (*)
     |    |    +--- project :clouddriver-cloudfoundry (*)
     |    |    +--- project :clouddriver-google (*)
     |    |    +--- project :clouddriver-elasticsearch (*)
     |    |    +--- project :cats:cats-sql (*)
     |    |    +--- project :clouddriver-tencentcloud (*)
     |    |    +--- project :clouddriver-titus (*)
     |    |    +--- project :clouddriver-aws (*)
     |    |    +--- project :clouddriver-oracle (*)
     |    |    +--- project :clouddriver-azure (*)
     |    |    +--- project :clouddriver-huaweicloud (*)
     |    |    +--- project :clouddriver-yandex (*)
     |    |    +--- project :clouddriver-docker (*)
     |    |    \--- project :clouddriver-core (*)
     |    +--- project :cats:cats-redis
     |    |    +--- project :cats:cats-sql (*)
     |    |    \--- project :clouddriver-core (*)
     |    +--- project :cats:cats-core
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-kubernetes (*)
     |    |    +--- project :clouddriver-ecs (*)
     |    |    +--- project :clouddriver-lambda (*)
     |    |    +--- project :clouddriver-appengine (*)
     |    |    +--- project :clouddriver-cloudfoundry (*)
     |    |    +--- project :clouddriver-google (*)
     |    |    +--- project :cats:cats-sql (*)
     |    |    +--- project :clouddriver-sql (*)
     |    |    +--- project :clouddriver-tencentcloud (*)
     |    |    +--- project :clouddriver-titus (*)
     |    |    +--- project :clouddriver-aws (*)
     |    |    +--- project :clouddriver-eureka (*)
     |    |    +--- project :clouddriver-oracle (*)
     |    |    +--- project :clouddriver-azure (*)
     |    |    +--- project :clouddriver-huaweicloud (*)
     |    |    +--- project :clouddriver-yandex (*)
     |    |    +--- project :clouddriver-docker (*)
     |    |    +--- project :clouddriver-core (*)
     |    |    +--- project :clouddriver-security (*)
     |    |    \--- project :cats:cats-redis (*)
     |    +--- project :clouddriver-api
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-kubernetes (*)
     |    |    +--- project :clouddriver-ecs (*)
     |    |    +--- project :clouddriver-lambda (*)
     |    |    +--- project :clouddriver-appengine (*)
     |    |    +--- project :clouddriver-cloudfoundry (*)
     |    |    +--- project :clouddriver-google (*)
     |    |    +--- project :clouddriver-artifacts (*)
     |    |    +--- project :clouddriver-elasticsearch (*)
     |    |    +--- project :cats:cats-sql (*)
     |    |    +--- project :clouddriver-sql (*)
     |    |    +--- project :clouddriver-tencentcloud (*)
     |    |    +--- project :clouddriver-titus (*)
     |    |    +--- project :clouddriver-aws (*)
     |    |    +--- project :clouddriver-eureka (*)
     |    |    +--- project :clouddriver-oracle (*)
     |    |    +--- project :clouddriver-azure (*)
     |    |    +--- project :clouddriver-huaweicloud (*)
     |    |    +--- project :clouddriver-yandex (*)
     |    |    +--- project :clouddriver-docker (*)
     |    |    +--- project :clouddriver-core (*)
     |    |    +--- project :clouddriver-security (*)
     |    |    +--- project :cats:cats-redis (*)
     |    |    \--- project :cats:cats-core (*)
     |    +--- project :clouddriver-google-common
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-appengine (*)
     |    |    \--- project :clouddriver-google (*)
     |    +--- project :clouddriver-configserver
     |    |    +--- runtimeClasspath
     |    |    \--- project :clouddriver-kubernetes (*)
     |    +--- project :clouddriver-saga
     |    |    +--- project :clouddriver-titus (*)
     |    |    +--- project :clouddriver-aws (*)
     |    |    \--- project :clouddriver-core (*)
     |    \--- project :clouddriver-event
     |         +--- project :clouddriver-sql (*)
     |         \--- project :clouddriver-saga (*)
     +--- com.oracle.oci.sdk:oci-java-sdk-core:1.5.17
     |    +--- project :clouddriver-artifacts (requested com.oracle.oci.sdk:oci-java-sdk-core) (*)
     |    +--- project :clouddriver-oracle (requested com.oracle.oci.sdk:oci-java-sdk-core) (*)
     |    \--- io.spinnaker.kork:kork-bom:nimbus-jose-jwt-cve-fix-SNAPSHOT (*)
     +--- com.oracle.oci.sdk:oci-java-sdk-identity:1.5.17
     |    +--- project :clouddriver-oracle (requested com.oracle.oci.sdk:oci-java-sdk-identity) (*)
     |    \--- io.spinnaker.kork:kork-bom:nimbus-jose-jwt-cve-fix-SNAPSHOT (*)
     +--- com.oracle.oci.sdk:oci-java-sdk-loadbalancer:1.5.17
     |    +--- project :clouddriver-oracle (requested com.oracle.oci.sdk:oci-java-sdk-loadbalancer) (*)
     |    \--- io.spinnaker.kork:kork-bom:nimbus-jose-jwt-cve-fix-SNAPSHOT (*)
     +--- com.oracle.oci.sdk:oci-java-sdk-workrequests:1.5.17
     |    +--- io.spinnaker.kork:kork-bom:nimbus-jose-jwt-cve-fix-SNAPSHOT (*)
     |    \--- com.oracle.oci.sdk:oci-java-sdk-core:1.5.17 (*)
     +--- com.oracle.oci.sdk:oci-java-sdk-objectstorage-extensions:1.5.17
     |    \--- com.oracle.oci.sdk:oci-java-sdk-objectstorage:1.5.17
     |         +--- project :clouddriver-oracle (requested com.oracle.oci.sdk:oci-java-sdk-objectstorage) (*)
     |         \--- io.spinnaker.kork:kork-bom:nimbus-jose-jwt-cve-fix-SNAPSHOT (*)
     \--- com.oracle.oci.sdk:oci-java-sdk-objectstorage-generated:1.5.17
          +--- com.oracle.oci.sdk:oci-java-sdk-objectstorage:1.5.17 (*)
          \--- com.oracle.oci.sdk:oci-java-sdk-objectstorage-extensions:1.5.17 (*)

com.nimbusds:nimbus-jose-jwt:[6.0.1,) -> 7.9
\--- com.nimbusds:oauth2-oidc-sdk:6.5
     \--- com.microsoft.azure:adal4j:1.6.4
          +--- project :clouddriver-azure (requested com.microsoft.azure:adal4j:1.6.3)
          |    \--- runtimeClasspath
          \--- com.microsoft.azure:azure-client-authentication:1.7.0
               \--- com.microsoft.azure:azure:1.35.0
                    \--- project :clouddriver-azure (*)

@j-sandy
Contributor Author

j-sandy commented Aug 30, 2021

After implementing the nimbus-jose-jwt CVE fix, halyard dependency insight:

$.\gradlew halyard-web:dI --dependency com.nimbusds:nimbus-jose-jwt --configuration runtimeClasspath

> Task :halyard-web:dependencyInsight
com.nimbusds:nimbus-jose-jwt:7.9
   variant "runtime" [
      org.gradle.status              = release (not requested)
      org.gradle.usage               = java-runtime
      org.gradle.libraryelements     = jar
      org.gradle.category            = library

      Requested attributes not found in the selected variant:
         org.gradle.dependency.bundling = external
         org.gradle.jvm.version         = 11
   ]
   Selection reasons:
      - By constraint
      - By conflict resolution : between versions 7.9 and 6.5.1

com.nimbusds:nimbus-jose-jwt:7.9
\--- io.spinnaker.kork:kork-bom:nimbus-jose-jwt-cve-fix-SNAPSHOT
     +--- runtimeClasspath
     +--- project :halyard-cli
     |    \--- runtimeClasspath
     +--- project :halyard-deploy
     |    +--- runtimeClasspath
     |    \--- project :halyard-cli (*)
     +--- project :halyard-backup
     |    +--- runtimeClasspath
     |    \--- project :halyard-deploy (*)
     +--- project :halyard-config
     |    +--- runtimeClasspath
     |    +--- project :halyard-cli (*)
     |    +--- project :halyard-deploy (*)
     |    \--- project :halyard-backup (*)
     +--- project :halyard-core
     |    +--- runtimeClasspath
     |    +--- project :halyard-cli (*)
     |    +--- project :halyard-deploy (*)
     |    +--- project :halyard-backup (*)
     |    \--- project :halyard-config (*)
     \--- project :halyard-proto
          +--- runtimeClasspath
          \--- project :halyard-cli (*)

com.nimbusds:nimbus-jose-jwt:6.5.1 -> 7.9
\--- com.oracle.oci.sdk:oci-java-sdk-common:1.5.17
     +--- io.spinnaker.kork:kork-bom:nimbus-jose-jwt-cve-fix-SNAPSHOT
     |    +--- runtimeClasspath
     |    +--- project :halyard-cli
     |    |    \--- runtimeClasspath
     |    +--- project :halyard-deploy
     |    |    +--- runtimeClasspath
     |    |    \--- project :halyard-cli (*)
     |    +--- project :halyard-backup
     |    |    +--- runtimeClasspath
     |    |    \--- project :halyard-deploy (*)
     |    +--- project :halyard-config
     |    |    +--- runtimeClasspath
     |    |    +--- project :halyard-cli (*)
     |    |    +--- project :halyard-deploy (*)
     |    |    \--- project :halyard-backup (*)
     |    +--- project :halyard-core
     |    |    +--- runtimeClasspath
     |    |    +--- project :halyard-cli (*)
     |    |    +--- project :halyard-deploy (*)
     |    |    +--- project :halyard-backup (*)
     |    |    \--- project :halyard-config (*)
     |    \--- project :halyard-proto
     |         +--- runtimeClasspath
     |         \--- project :halyard-cli (*)
     +--- com.oracle.oci.sdk:oci-java-sdk-core:1.5.17
     |    +--- io.spinnaker.kork:kork-bom:nimbus-jose-jwt-cve-fix-SNAPSHOT (*)
     |    \--- io.spinnaker.clouddriver:clouddriver-artifacts:5.75.0
     |         +--- io.spinnaker.clouddriver:clouddriver-google:5.75.0
     |         |    +--- project :halyard-deploy (*)
     |         |    \--- project :halyard-config (*)
     |         +--- io.spinnaker.clouddriver:clouddriver-appengine:5.75.0
     |         |    \--- project :halyard-config (*)
     |         \--- io.spinnaker.clouddriver:clouddriver-cloudfoundry:5.75.0
     |              \--- project :halyard-config (*)
     \--- com.oracle.oci.sdk:oci-java-sdk-workrequests:1.5.17
          +--- io.spinnaker.kork:kork-bom:nimbus-jose-jwt-cve-fix-SNAPSHOT (*)
          \--- com.oracle.oci.sdk:oci-java-sdk-core:1.5.17 (*)

com.nimbusds:nimbus-jose-jwt:[6.0.1,) -> 7.9
\--- com.nimbusds:oauth2-oidc-sdk:6.5
     \--- com.microsoft.azure:adal4j:1.6.4
          +--- project :halyard-config (requested com.microsoft.azure:adal4j:1.6.3)
          |    +--- runtimeClasspath
          |    +--- project :halyard-cli
          |    |    \--- runtimeClasspath
          |    +--- project :halyard-deploy
          |    |    +--- runtimeClasspath
          |    |    \--- project :halyard-cli (*)
          |    \--- project :halyard-backup
          |         +--- runtimeClasspath
          |         \--- project :halyard-deploy (*)
          +--- io.spinnaker.clouddriver:clouddriver-azure:5.75.0 (requested com.microsoft.azure:adal4j:1.6.3)
          |    \--- project :halyard-config (*)
          \--- com.microsoft.azure:azure-client-authentication:1.7.0
               \--- com.microsoft.azure:azure:1.35.0
                    +--- project :halyard-config (requested com.microsoft.azure:azure:1.19.0) (*)
                    \--- io.spinnaker.clouddriver:clouddriver-azure:5.75.0 (*)

@j-sandy
Contributor Author

j-sandy commented Aug 30, 2021

After implementing the nimbus-jose-jwt CVE fix, gate dependency insight:

$.\gradlew gate-web:dI --dependency com.nimbusds:nimbus-jose-jwt --configuration runtimeClasspath

> Task :gate-web:dependencyInsight
com.nimbusds:nimbus-jose-jwt:7.9
   variant "runtime" [
      org.gradle.status              = release (not requested)
      org.gradle.usage               = java-runtime
      org.gradle.libraryelements     = jar
      org.gradle.category            = library

      Requested attributes not found in the selected variant:
         org.gradle.dependency.bundling = external
         org.gradle.jvm.version         = 11
   ]
   Selection reasons:
      - By constraint
      - By conflict resolution : between versions 7.9 and 5.2

com.nimbusds:nimbus-jose-jwt:7.9
\--- io.spinnaker.kork:kork-bom:nimbus-jose-jwt-cve-fix-SNAPSHOT
     +--- runtimeClasspath
     +--- project :gate-proxy
     |    \--- runtimeClasspath
     +--- project :gate-plugins
     |    \--- runtimeClasspath
     +--- project :gate-api
     |    +--- runtimeClasspath
     |    +--- project :gate-proxy (*)
     |    \--- project :gate-plugins (*)
     +--- project :gate-integrations-gremlin
     |    \--- runtimeClasspath
     +--- project :gate-basic
     |    \--- runtimeClasspath
     +--- project :gate-iap
     |    \--- runtimeClasspath
     +--- project :gate-ldap
     |    \--- runtimeClasspath
     +--- project :gate-oauth2
     |    \--- runtimeClasspath
     +--- project :gate-saml
     |    \--- runtimeClasspath
     +--- project :gate-x509
     |    \--- runtimeClasspath
     \--- project :gate-core
          +--- runtimeClasspath
          +--- project :gate-proxy (*)
          +--- project :gate-plugins (*)
          +--- project :gate-integrations-gremlin (*)
          +--- project :gate-basic (*)
          +--- project :gate-iap (*)
          +--- project :gate-ldap (*)
          +--- project :gate-oauth2 (*)
          +--- project :gate-saml (*)
          \--- project :gate-x509 (*)

com.nimbusds:nimbus-jose-jwt:5.2 -> 7.9
\--- project :gate-iap
     \--- runtimeClasspath
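
Added example (not part of the pull request or the Spinnaker code base): the manual check done in the three comments above, reading each `dependencyInsight` section and confirming that every requested version resolves to 7.9, written as a script a CI job could run over the same output. The function names are hypothetical, both sample reports are constructed (the first follows the shape of the gate output above, the second is an invented unfixed case), and the version comparison is a simplified numeric one rather than full Maven ordering.

```python
import re

MODULE = "com.nimbusds:nimbus-jose-jwt"
MINIMUM = "7.9"  # version the output in this thread shows as selected after the fix

# Section headers start at column 0 and look like one of:
#   group:name:7.9
#   group:name:6.5.1 -> 7.9
#   group:name:[6.0.1,) -> 7.9
HEADER = re.compile(
    r"^(?P<ga>[\w.\-]+:[\w.\-]+):(?P<requested>\S+?)(?: -> (?P<selected>\S+))?$"
)


def version_key(version):
    """Simplified ordering: compare only the numeric components."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def resolved_paths(report, module=MODULE):
    """Return (requested, selected, direct_requester) for each dependency path."""
    lines = report.splitlines()
    paths = []
    for i, line in enumerate(lines):
        match = HEADER.match(line.rstrip())
        if not match or match.group("ga") != module:
            continue
        following = lines[i + 1].strip() if i + 1 < len(lines) else ""
        # The first header is followed by the variant block, not by a tree.
        if not following.startswith(("\\---", "+---")):
            continue
        requested = match.group("requested")
        selected = match.group("selected") or requested
        paths.append((requested, selected, following[4:].strip()))
    return paths


def below_minimum(paths, minimum=MINIMUM):
    """Paths whose selected version is still older than the minimum."""
    return [p for p in paths if version_key(p[1]) < version_key(minimum)]


# Constructed sample, trimmed to the shape of the gate output in this thread.
SAMPLE_FIXED = r"""
> Task :gate-web:dependencyInsight
com.nimbusds:nimbus-jose-jwt:7.9
   variant "runtime" [
      org.gradle.status = release (not requested)
   ]
   Selection reasons:
      - By constraint
      - By conflict resolution : between versions 7.9 and 5.2

com.nimbusds:nimbus-jose-jwt:7.9
\--- io.spinnaker.kork:kork-bom:nimbus-jose-jwt-cve-fix-SNAPSHOT
     \--- runtimeClasspath

com.nimbusds:nimbus-jose-jwt:5.2 -> 7.9
\--- project :gate-iap
     \--- runtimeClasspath

com.nimbusds:nimbus-jose-jwt:[6.0.1,) -> 7.9
\--- com.nimbusds:oauth2-oidc-sdk:6.5
     \--- com.microsoft.azure:adal4j:1.6.4
"""

# Constructed counter-example: no constraint, so the old version is selected.
SAMPLE_UNFIXED = r"""
com.nimbusds:nimbus-jose-jwt:6.5.1
\--- com.oracle.oci.sdk:oci-java-sdk-common:1.5.17
     \--- runtimeClasspath
"""

if __name__ == "__main__":
    for name, report in (("fixed", SAMPLE_FIXED), ("unfixed", SAMPLE_UNFIXED)):
        stale = below_minimum(resolved_paths(report))
        print(name, "OK" if not stale else f"FAIL: {stale}")
```
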

@dbyron-sf dbyron-sf added the ready to merge Approved and ready for merge label Aug 30, 2021
@mergify mergify bot merged commit 6e7f64e into spinnaker:master Aug 30, 2021
@mergify mergify bot added the auto merged label Aug 30, 2021
@j-sandy j-sandy deleted the nimbus-jose-jwt-cve-fix branch August 31, 2021 05:03
@link108
Member

link108 commented Oct 26, 2021

@Mergifyio backport release-1.27.x

mergify bot pushed a commit that referenced this pull request Oct 26, 2021
…CVE (#892)

CVE-2019-17195
Introduced transitively by oracle-sdk, azure-client-auth

Co-authored-by: j-sandy <jsandy>
(cherry picked from commit 6e7f64e)
@mergify
Contributor

mergify bot commented Oct 26, 2021

backport release-1.27.x

✅ Backports have been created

link108 added a commit that referenced this pull request Oct 26, 2021
…CVE (backport #892) (#902)

Co-authored-by: j-sandy <jsandy>
Co-authored-by: Sandesh <[email protected]>
Co-authored-by: Cameron Motevasselani <[email protected]>
ylebedeva pushed a commit to ylebedeva/kork that referenced this pull request May 3, 2022
…CVE (spinnaker#892)

CVE-2019-17195
Introduced transitively by oracle-sdk, azure-client-auth

Co-authored-by: j-sandy <jsandy>