diff --git a/common/build.gradle b/common/build.gradle
index 0849fae080..2b3f09a883 100644
--- a/common/build.gradle
+++ b/common/build.gradle
@@ -9,7 +9,8 @@ repositories {
 dependencies {
 compile "org.antlr:antlr4-runtime:4.7.1"
- compile group: 'com.google.guava', name: 'guava', version: '23.0'
+ // https://github.com/google/guava/wiki/CVE-2018-10237
+ compile group: 'com.google.guava', name: 'guava', version: '29.0-jre'
 testCompile group: 'junit', name: 'junit', version: '4.12'
 }
diff --git a/core/build.gradle b/core/build.gradle
index acea197aec..53a66c1c10 100644
--- a/core/build.gradle
+++ b/core/build.gradle
@@ -9,7 +9,8 @@ repositories {
 }
 dependencies {
- compile group: 'com.google.guava', name: 'guava', version: '23.0'
+ // https://github.com/google/guava/wiki/CVE-2018-10237
+ compile group: 'com.google.guava', name: 'guava', version: '29.0-jre'
 compile group: 'org.springframework', name: 'spring-context', version: '5.2.5.RELEASE'
 compile group: 'org.springframework', name: 'spring-beans', version: '5.2.5.RELEASE'
 compile group: 'org.apache.commons', name: 'commons-lang3', version: '3.10'
diff --git a/elasticsearch/build.gradle b/elasticsearch/build.gradle
index 109c96fbc9..9adb955957 100644
--- a/elasticsearch/build.gradle
+++ b/elasticsearch/build.gradle
@@ -11,15 +11,16 @@ repositories {
 dependencies {
 compile project(':core')
 compile group: 'org.elasticsearch', name: 'elasticsearch', version: "${es_version}"
- compile group: 'org.elasticsearch.client', name: 'elasticsearch-rest-high-level-client', version: "${es_version}"
 compile "io.github.resilience4j:resilience4j-retry:1.5.0"
 compile group: 'com.fasterxml.jackson.core', name: 'jackson-core', version: '2.10.4'
 compile group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.10.4'
+ compileOnly group: 'org.elasticsearch.client', name: 'elasticsearch-rest-high-level-client', version: "${es_version}"
 testImplementation('org.junit.jupiter:junit-jupiter:5.6.2')
 testCompile group: 'org.hamcrest', name: 'hamcrest-library', version: '2.1'
 testCompile group: 'org.mockito', name: 'mockito-core', version: '3.3.3'
 testCompile group: 'org.mockito', name: 'mockito-junit-jupiter', version: '3.3.3'
+ testCompile group: 'org.elasticsearch.client', name: 'elasticsearch-rest-high-level-client', version: "${es_version}"
 }
 test {
diff --git a/integ-test/build.gradle b/integ-test/build.gradle
index 73422f4435..be53aebc0b 100644
--- a/integ-test/build.gradle
+++ b/integ-test/build.gradle
@@ -23,6 +23,8 @@ repositories {
 configurations.all {
 exclude group: "commons-logging", module: "commons-logging"
+ // enforce 1.1.3, https://www.whitesourcesoftware.com/vulnerability-database/WS-2019-0379
+ resolutionStrategy.force 'commons-codec:commons-codec:1.13'
 }
 dependencies {
diff --git a/legacy/build.gradle b/legacy/build.gradle
index 192d718cf9..5e43ac29c1 100644
--- a/legacy/build.gradle
+++ b/legacy/build.gradle
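Review bot: The switch of `elasticsearch-rest-high-level-client` from `compile` to `compileOnly` in elasticsearch/build.gradle is undocumented, unlike the advisory links added elsewhere in this commit. With `compileOnly` the client is no longer on this module's runtime classpath or handed on to projects that depend on it, so whatever assembles the final artifact has to supply it; whether something does is not visible in this diff. A one-line comment above the declaration would record the intent, for example `// provided at runtime by <module that bundles the client>; needed here only to compile`.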
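Review bot: The added comment in integ-test/build.gradle says `enforce 1.1.3` but the line below it forces `commons-codec:commons-codec:1.13`; the same mismatch is repeated in the plugin/build.gradle hunk. Someone checking the pin against the WS-2019-0379 advisory cannot tell which version was intended, so the comment should match the coordinate: `// enforce 1.13, https://www.whitesourcesoftware.com/vulnerability-database/WS-2019-0379`. Note also that `resolutionStrategy.force` pins exactly this version, so a newer commons-codec requested by a later dependency upgrade would be held back until this line is revisited.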
@@ -60,7 +60,13 @@ dependencies {
 compile group: 'org.locationtech.spatial4j', name: 'spatial4j', version:'0.7'
 compile group: "org.elasticsearch.plugin", name: 'parent-join-client', version: "${es_version}"
 compile group: "org.elasticsearch.plugin", name: 'reindex-client', version: "${es_version}"
- compile group: 'com.google.guava', name: 'guava', version:'23.0'
+ constraints {
+ implementation('commons-codec:commons-codec:1.13') {
+ because 'https://www.whitesourcesoftware.com/vulnerability-database/WS-2019-0379'
+ }
+ }
+ // https://github.com/google/guava/wiki/CVE-2018-10237
+ implementation group: 'com.google.guava', name: 'guava', version: '29.0-jre'
 compile group: 'org.json', name: 'json', version:'20180813'
 compile group: 'org.apache.commons', name: 'commons-lang3', version: '3.10'
 compile group: 'org.elasticsearch', name: 'elasticsearch', version: "${es_version}"
diff --git a/plugin/build.gradle b/plugin/build.gradle
index 71430b95de..3ba7d4081a 100644
--- a/plugin/build.gradle
+++ b/plugin/build.gradle
@@ -31,6 +31,8 @@ thirdPartyAudit.enabled = false
 configurations.all {
 // conflict with spring-jcl
 exclude group: "commons-logging", module: "commons-logging"
+ // enforce 1.1.3, https://www.whitesourcesoftware.com/vulnerability-database/WS-2019-0379
+ resolutionStrategy.force 'commons-codec:commons-codec:1.13'
 }
 dependencies {
diff --git a/ppl/build.gradle b/ppl/build.gradle
index 3818d805f4..6f55868cc2 100644
--- a/ppl/build.gradle
+++ b/ppl/build.gradle
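Review bot: The commons-codec pin in legacy/build.gradle uses a different mechanism from the other modules: a `constraints { implementation(...) }` entry here, but `resolutionStrategy.force` in integ-test/build.gradle and plugin/build.gradle for the same coordinate. The two do not behave the same, since a plain constraint takes part in normal conflict resolution and does not pull a higher requested version down, whereas `force` overrides whatever the graph asks for. Using one mechanism across the modules, or a comment here saying why this module differs, would make the pin easier to audit. The `because` text is only a URL; a short reason such as `because 'WS-2019-0379: <one-line summary of the advisory>'` reads better in dependency reports. The dependencies block starts and ends outside this hunk.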
@@ -25,7 +25,8 @@ dependencies {
 antlr "org.antlr:antlr4:4.7.1"
 compile "org.antlr:antlr4-runtime:4.7.1"
- compile group: 'com.google.guava', name: 'guava', version: '23.0'
+ // https://github.com/google/guava/wiki/CVE-2018-10237
+ compile group: 'com.google.guava', name: 'guava', version: '29.0-jre'
 compile group: 'org.elasticsearch', name: 'elasticsearch-x-content', version: "${es_version}"
 compile group: 'org.json', name: 'json', version: '20180813'
 compile group: 'org.springframework', name: 'spring-context', version: '5.2.5.RELEASE'
diff --git a/protocol/build.gradle b/protocol/build.gradle
index 8a90dea360..db00d7f8f0 100644
--- a/protocol/build.gradle
+++ b/protocol/build.gradle
@@ -9,7 +9,8 @@ repositories {
 }
 dependencies {
- compile group: 'com.google.guava', name: 'guava', version: '23.0'
+ // https://github.com/google/guava/wiki/CVE-2018-10237
+ compile group: 'com.google.guava', name: 'guava', version: '29.0-jre'
 compile group: 'org.json', name: 'json', version: '20180813' //TODO: change to other JSON lib?
 compile project(':core')
diff --git a/sql/build.gradle b/sql/build.gradle
index 56b18c010e..0443ba57c5 100644
--- a/sql/build.gradle
+++ b/sql/build.gradle
@@ -25,7 +25,8 @@ dependencies {
 antlr "org.antlr:antlr4:4.7.1"
 compile "org.antlr:antlr4-runtime:4.7.1"
- compile group: 'com.google.guava', name: 'guava', version:'23.0'
+ // https://github.com/google/guava/wiki/CVE-2018-10237
+ implementation group: 'com.google.guava', name: 'guava', version: '29.0-jre'
 compile group: 'org.json', name: 'json', version:'20180813'
 compile group: 'org.springframework', name: 'spring-context', version: '5.2.5.RELEASE'
 compile group: 'org.springframework', name: 'spring-beans', version: '5.2.5.RELEASE'
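Review bot: The Guava dependency in sql/build.gradle switches configuration from `compile` to `implementation` alongside the version bump, and the added comment does not mention it; legacy/build.gradle does the same while common, core, ppl and protocol keep `compile`. That is a visibility change folded into a security bump: depending on how other projects consume this module, Guava may stop appearing on their compile classpath. If the switch is intended, say so in the comment, e.g. `// implementation: Guava is not part of this module's API`; if not, keep `compile` here for consistency with the other modules. The `29.0-jre` string is now repeated in six build files, so a shared property in the style of `${es_version}` would keep a future advisory-driven bump from missing one.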