Fix CVEs (opensearch-project#96)

GumpacG · web-flow · commit d01e4eb41e47 · 2023-06-27T16:17:37.000-07:00
* Removed h2 as a dependency as it is not used and introduces a CVE (#6) Signed-off-by: Guian Gumpac <guian.gumpac@improving.com> * Fixed CVE with suggested update Signed-off-by: Guian Gumpac <guian.gumpac@improving.com> * Added to release notes Signed-off-by: Guian Gumpac <guian.gumpac@improving.com> * Use CodeQL version before breaking change Signed-off-by: Guian Gumpac <guian.gumpac@improving.com> * Added comment for codeql breaking change context Signed-off-by: Guian Gumpac <guian.gumpac@improving.com> --------- Signed-off-by: Guian Gumpac <guian.gumpac@improving.com>
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -32,6 +32,9 @@ jobs:
       uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
+        # using v2.13.3 due to a breaking change in codeql https://github.com/github/codeql/issues/13541
+        tools: 'https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.13.3/codeql-bundle-linux64.tar.gz'
+
     - name: Autobuild
       uses: github/codeql-action/autobuild@v2
     - name: Perform CodeQL Analysis
diff --git a/build.gradle b/build.gradle
@@ -59,7 +59,7 @@ dependencies {
     testImplementation('org.eclipse.jetty:jetty-server:11.0.14')
 
     // Enforce wiremock to use latest guava and json-smart
-    testImplementation('com.google.guava:guava:31.1-jre')
+    testImplementation('com.google.guava:guava:32.0.1-jre')
     testImplementation('net.minidev:json-smart:2.4.9')
 
     testRuntimeOnly('org.slf4j:slf4j-simple:1.7.25') // capture WireMock logging
@@ -69,7 +69,6 @@ dependencies {
         include '*.jar'
         builtBy 'compileJdbc'
     }
-    testImplementation group: 'com.h2database', name: 'h2', version: '2.1.210'
     testImplementation group: 'org.xerial', name: 'sqlite-jdbc', version: '3.41.2.2'
     testImplementation group: 'com.google.code.gson', name: 'gson', version: '2.8.9'
 }
diff --git a/release-notes/opensearch-jdbc-release-notes-1.4.0.0.md b/release-notes/opensearch-jdbc-release-notes-1.4.0.0.md
@@ -21,3 +21,4 @@ connector-release-notes-1.0.0.0.md).
 * Bump version to 1.4. ([#86](https://github.com/opensearch-project/sql-jdbc/pull/86))
 * Update CI workflows. ([#87](https://github.com/opensearch-project/sql-jdbc/pull/87))
 * Update release notes. ([#88](https://github.com/opensearch-project/sql-jdbc/pull/88))
+* Fix H2 and guava CVEs. ([#96](https://github.com/opensearch-project/sql-jdbc/pull/96))

Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ dependencies {`
`59`	`59`	`testImplementation('org.eclipse.jetty:jetty-server:11.0.14')`
`60`	`60`
`61`	`61`	`// Enforce wiremock to use latest guava and json-smart`
`62`		`- testImplementation('com.google.guava:guava:31.1-jre')`
	`62`	`+ testImplementation('com.google.guava:guava:32.0.1-jre')`
`63`	`63`	`testImplementation('net.minidev:json-smart:2.4.9')`
`64`	`64`
`65`	`65`	`testRuntimeOnly('org.slf4j:slf4j-simple:1.7.25') // capture WireMock logging`
`@@ -69,7 +69,6 @@ dependencies {`
`69`	`69`	`include '*.jar'`
`70`	`70`	`builtBy 'compileJdbc'`
`71`	`71`	`}`
`72`		`- testImplementation group: 'com.h2database', name: 'h2', version: '2.1.210'`
`73`	`72`	`testImplementation group: 'org.xerial', name: 'sqlite-jdbc', version: '3.41.2.2'`
`74`	`73`	`testImplementation group: 'com.google.code.gson', name: 'gson', version: '2.8.9'`
`75`	`74`	`}`