Merge 2bad0e7 into 8054f3b

Author: bdoyle0182

common/scala/build.gradle

@@ -28,6 +28,11 @@ apply from: '../../gradle/docker.gradle'
 
 project.archivesBaseName = "openwhisk-common"
 
+scoverage {
+    scoverageVersion.set("${gradle.scala.scoverageVersion}")
+    scoverageScalaVersion.set("${gradle.scala.scoverageScalaVersion}")
+}
+
 dependencies {
     api "org.scala-lang:scala-library:${gradle.scala.version}"
 
@@ -88,11 +93,7 @@ dependencies {
 
     api "io.reactivex:rxjava:1.3.8"
     api "io.reactivex:rxjava-reactive-streams:1.2.1"
-    api "com.microsoft.azure:azure-cosmosdb:2.6.2"
 
-    api "com.sksamuel.elastic4s:elastic4s-http_${gradle.scala.depVersion}:6.7.4"
-    //for mongo
-    api "org.mongodb.scala:mongo-scala-driver_${gradle.scala.depVersion}:2.7.0"
 
     api ("com.lightbend.akka:akka-stream-alpakka-s3_${gradle.scala.depVersion}:1.1.2") {
         exclude group: 'org.apache.httpcomponents' //Not used as alpakka uses akka-http
@@ -105,14 +106,38 @@ dependencies {
         exclude group: "com.azure", module: "azure-core-test"
     }
 
-    compile "io.netty:netty-buffer:${gradle.netty.version}"
-    compile "io.netty:netty-handler:${gradle.netty.version}"
-    compile "io.netty:netty-handler-proxy:${gradle.netty.version}"
-    compile "io.netty:netty-codec-socks:${gradle.netty.version}"
-    compile "io.netty:netty-codec-http:${gradle.netty.version}"
-    compile "io.netty:netty-codec-http2:${gradle.netty.version}"
-    compile "io.netty:netty-transport-native-epoll:${gradle.netty.version}"
-    compile "io.netty:netty-transport-native-unix-common:${gradle.netty.version}"
+    api "com.microsoft.azure:azure-cosmosdb"
+    constraints {
+        api("com.microsoft.azure:azure-cosmosdb:2.6.2")
+        implementation("com.fasterxml.jackson.core:jackson-core:2.14.2") {
+            because "cannot upgrade azure-cosmosdb to new major version to remediate vulns w/o breaking change"
+        }
+    }
+
+    api "com.sksamuel.elastic4s:elastic4s-http_${gradle.scala.depVersion}"
+    constraints {
+        api("com.sksamuel.elastic4s:elastic4s-http_${gradle.scala.depVersion}:6.7.8")
+        implementation("org.elasticsearch.client:elasticsearch-rest-client:6.8.23") {
+            because "cannot upgrade elastic4s to remediate vuln without performing major version rest client upgrade"
+        }
+    }
+    //for mongo
+    api "org.mongodb.scala:mongo-scala-driver_${gradle.scala.depVersion}"
+    constraints {
+        api("org.mongodb.scala:mongo-scala-driver_${gradle.scala.depVersion}:2.7.0")
+        implementation("org.mongodb:mongodb-driver-async:3.12.1") {
+            because "cannot upgrade major mongo scala driver to remediate vuln w/o code changes"
+        }
+    }
+
+    api "io.netty:netty-buffer:${gradle.netty.version}"
+    api "io.netty:netty-handler:${gradle.netty.version}"
+    api "io.netty:netty-handler-proxy:${gradle.netty.version}"
+    api "io.netty:netty-codec-socks:${gradle.netty.version}"
+    api "io.netty:netty-codec-http:${gradle.netty.version}"
+    api "io.netty:netty-codec-http2:${gradle.netty.version}"
+    api "io.netty:netty-transport-native-epoll:${gradle.netty.version}"
+    api "io.netty:netty-transport-native-unix-common:${gradle.netty.version}"
 }
 
 configurations {

core/monitoring/user-events/build.gradle

@@ -40,7 +40,13 @@ dependencies {
 
     testImplementation "junit:junit:4.11"
     testImplementation "org.scalatest:scalatest_${gradle.scala.depVersion}:3.0.8"
-    testImplementation "io.github.embeddedkafka:embedded-kafka_${gradle.scala.depVersion}:2.4.0"
+    testImplementation "io.github.embeddedkafka:embedded-kafka_${gradle.scala.depVersion}"
+    constraints {
+        testImplementation("io.github.embeddedkafka:embedded-kafka_${gradle.scala.depVersion}:2.4.0")
+        testImplementation('org.apache.avro:avro:1.11.1') {
+            because 'embeddedkafka dependency cannot be upgraded currently and avro in embedded kafka 2.4.0 has vulns'
+        }
+    }
     testImplementation "com.typesafe.akka:akka-stream-kafka-testkit_${gradle.scala.depVersion}:${gradle.akka_kafka.version}"
     testImplementation "com.typesafe.akka:akka-testkit_${gradle.scala.depVersion}:${gradle.akka.version}"
     testImplementation "com.typesafe.akka:akka-stream-testkit_${gradle.scala.depVersion}:${gradle.akka.version}"

core/standalone/build.gradle

@@ -164,7 +164,13 @@ dependencies {
     implementation project(':tools:admin')
     implementation "org.rogach:scallop_${gradle.scala.depVersion}:3.3.2"
 
-    implementation "io.github.embeddedkafka:embedded-kafka_${gradle.scala.depVersion}:2.4.0"
+    implementation "io.github.embeddedkafka:embedded-kafka_${gradle.scala.depVersion}"
+    constraints {
+        implementation("io.github.embeddedkafka:embedded-kafka_${gradle.scala.depVersion}:2.4.0")
+        implementation('org.apache.avro:avro:1.11.1') {
+            because 'embeddedkafka dependency cannot be upgraded currently and avro in embedded kafka 2.4.0 has vulns'
+        }
+    }
     implementation "org.scala-lang:scala-reflect:${gradle.scala.version}"
     implementation "ch.megard:akka-http-cors_${gradle.scala.depVersion}:0.4.2"
 

settings.gradle

@@ -55,13 +55,17 @@ if (scalaVersion == '2.12') {
     gradle.ext.scala = [
             version     : '2.12.10',
             depVersion  : '2.12',
+            scoverageScalaVersion : '2.12.15',
+            scoverageVersion : '1.4.11',
             compileFlags: ['-feature', '-unchecked', '-deprecation', '-Xfatal-warnings', '-Ywarn-unused-import']
     ]
 } else {
     println("Build using Scala 2.13")
     gradle.ext.scala = [
             version     : '2.13.1',
             depVersion  : '2.13',
+            scoverageScalaVersion : '2.13.1',
+            scoverageVersion : '1.4.11',
             // We can't use fatal warnings yet because there are deprecated things in 2.13 that are not fixable
             // in 2.12.
             compileFlags: ['-feature', '-unchecked', '-deprecation']

tests/build.gradle

@@ -224,9 +224,23 @@ dependencies {
     implementation "com.github.java-json-tools:json-schema-validator:2.2.8"
     implementation "org.mockito:mockito-core:2.27.0"
     implementation "io.opentracing:opentracing-mock:0.31.0"
-    implementation "org.apache.curator:curator-test:${gradle.curator.version}"
-    implementation "com.atlassian.oai:swagger-request-validator-core:1.4.5"
-    implementation "io.github.embeddedkafka:embedded-kafka_${gradle.scala.depVersion}:2.4.0"
+    implementation ("org.apache.curator:curator-test:${gradle.curator.version}") {
+        exclude group: 'log4j'
+    }
+    implementation "com.atlassian.oai:swagger-request-validator-core"
+    constraints {
+        implementation("com.atlassian.oai:swagger-request-validator-core:1.4.5")
+        implementation("org.slf4j:slf4j-ext:1.7.36") {
+            because 'swagger-request-validator-core cannot be upgraded to 2.x where vuln is remediated'
+        }
+    }
+    implementation "io.github.embeddedkafka:embedded-kafka_${gradle.scala.depVersion}"
+    constraints {
+        implementation("io.github.embeddedkafka:embedded-kafka_${gradle.scala.depVersion}:2.4.0")
+        implementation('org.apache.avro:avro:1.11.1') {
+            because 'embeddedkafka dependency cannot be upgraded currently and avro in embedded kafka 2.4.0 has vulns'
+        }
+    }
     implementation "com.typesafe.akka:akka-stream-kafka-testkit_${gradle.scala.depVersion}:${gradle.akka_kafka.version}"
     implementation "com.typesafe.akka:akka-stream-testkit_${gradle.scala.depVersion}:${gradle.akka.version}"
     implementation "io.fabric8:kubernetes-server-mock:${gradle.kube_client.version}"