From 353dcaeb05f8b75fa74d92e2ae8415ab018bc68e Mon Sep 17 00:00:00 2001
From: Daniel Widdis
Date: Wed, 22 Nov 2023 13:59:53 -0800
Subject: [PATCH] Fix build, update CVE-affected versions (#1102)
* Fix build, update CVE-affected versions
Signed-off-by: Daniel Widdis
* Spotless depends on CVE-impacted eclipse dependency, now needs JDK17+
Signed-off-by: Daniel Widdis
---------
Signed-off-by: Daniel Widdis
---
 build.gradle | 14 +++++++++-----
 dataGeneration/requirements.txt | 2 +-
 .../java/test/org/opensearch/ad/util/FakeNode.java | 3 ++-
 3 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/build.gradle b/build.gradle
index 62f8c2f21..3c6dd9300 100644
--- a/build.gradle
+++ b/build.gradle
@@ -117,7 +117,7 @@ dependencies {
 compileOnly "org.opensearch:opensearch-job-scheduler-spi:${job_scheduler_version}"
 implementation "org.opensearch:common-utils:${common_utils_version}"
 implementation "org.opensearch.client:opensearch-rest-client:${opensearch_version}"
- compileOnly group: 'com.google.guava', name: 'guava', version:'32.1.2-jre'
+ compileOnly group: 'com.google.guava', name: 'guava', version:'32.1.3-jre'
 compileOnly group: 'com.google.guava', name: 'failureaccess', version:'1.0.1'
 implementation group: 'org.javassist', name: 'javassist', version:'3.28.0-GA'
 implementation group: 'org.apache.commons', name: 'commons-math3', version: '3.6.1'
@@ -131,8 +131,8 @@ dependencies {
 implementation 'software.amazon.randomcutforest:randomcutforest-core:3.8.0'
 // we inherit jackson-core from opensearch core
- implementation "com.fasterxml.jackson.core:jackson-databind:2.14.1"
- implementation "com.fasterxml.jackson.core:jackson-annotations:2.14.1"
+ implementation "com.fasterxml.jackson.core:jackson-databind:2.16.0"
+ implementation "com.fasterxml.jackson.core:jackson-annotations:2.16.0"
 // used for serializing/deserializing rcf models.
 implementation group: 'io.protostuff', name: 'protostuff-core', version: '1.8.0'
@@ -157,8 +157,8 @@ dependencies {
 testCompileOnly 'org.apiguardian:apiguardian-api:1.1.2'
 // jupiter is required to run unit tests not inherited from OpenSearchTestCase (e.g., PreviousValueImputerTests)
 testImplementation 'org.junit.jupiter:junit-jupiter-api:5.10.0'
- testImplementation 'org.junit.jupiter:junit-jupiter-params:5.9.2'
- testImplementation 'org.junit.jupiter:junit-jupiter-engine:5.9.2'
+ testImplementation 'org.junit.jupiter:junit-jupiter-params:5.10.0'
+ testImplementation 'org.junit.jupiter:junit-jupiter-engine:5.10.0'
 testImplementation "org.opensearch:opensearch-core:${opensearch_version}"
 testRuntimeOnly("org.junit.platform:junit-platform-launcher:1.10.0")
 testCompileOnly 'junit:junit:4.13.2'
@@ -222,6 +222,10 @@ configurations.all {
 force "net.bytebuddy:byte-buddy-agent:1.14.9"
 force "com.google.code.gson:gson:2.8.9"
 force "junit:junit:4.13.2"
+
+ force "com.google.guava:guava:32.1.3-jre" // CVE for 31.1
+ force "com.fasterxml.jackson.core:jackson-core:2.16.0" // CVE for 2.14.1
+ force "org.eclipse.platform:org.eclipse.core.runtime:3.29.0" // CVE for < 3.29.0
 }
 }
diff --git a/dataGeneration/requirements.txt b/dataGeneration/requirements.txt
index 79cb0e9e8..0661a296d 100644
--- a/dataGeneration/requirements.txt
+++ b/dataGeneration/requirements.txt
@@ -2,4 +2,4 @@ numpy==1.23.0
 opensearch_py==2.0.0
 retry==0.9.2
 scipy==1.10.0
-urllib3==1.26.17
+urllib3==1.26.18
diff --git a/src/test/java/test/org/opensearch/ad/util/FakeNode.java b/src/test/java/test/org/opensearch/ad/util/FakeNode.java
index 1bb59184a..1fc43e62d 100644
--- a/src/test/java/test/org/opensearch/ad/util/FakeNode.java
+++ b/src/test/java/test/org/opensearch/ad/util/FakeNode.java
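Review bot: In the build.gradle `configurations.all` hunk (@@ -222), the three added `force` lines justify themselves only with "CVE for 31.1", "CVE for 2.14.1" and "CVE for < 3.29.0", so a later maintainer cannot tell which advisory each pin answers or when it can be dropped; name the advisory in the comment, e.g. `force "com.google.guava:guava:32.1.3-jre" // <CVE-ID placeholder>, affects 31.1; drop once transitive deps resolve >= 32.1.3`. The jackson-core force also needs a check: the comment in the @@ -131 hunk says jackson-core is inherited from OpenSearch core, so the force presumably changes what this build resolves but not what the node loads at runtime, and it is worth confirming that the targeted `opensearch_version` ships jackson-core 2.16.x to match the bundled jackson-databind 2.16.0. The strings `32.1.3-jre` and `2.16.0` now appear both in the dependency declarations and in the force list; a shared version property would keep a future CVE bump from updating one and missing the other.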
@@ -80,7 +80,8 @@ public FakeNode(
 new NetworkService(Collections.emptyList()),
 PageCacheRecycler.NON_RECYCLING_INSTANCE,
 new NamedWriteableRegistry(ClusterModule.getNamedWriteables()),
- new NoneCircuitBreakerService()
+ new NoneCircuitBreakerService(),
+ NoopTracer.INSTANCE
 ) {
 @Override
 public TransportAddress[] addressesFromString(String address) {