opendistro-for-elasticsearch · penghuo · Jul 28, 2020 · Jul 28, 2020
diff --git a/common/build.gradle b/common/build.gradle
@@ -9,7 +9,8 @@ repositories {
 
 dependencies {
     compile "org.antlr:antlr4-runtime:4.7.1"
-    compile group: 'com.google.guava', name: 'guava', version: '23.0'
+    // https://github.com/google/guava/wiki/CVE-2018-10237
+    compile group: 'com.google.guava', name: 'guava', version: '29.0-jre'
 
     testCompile group: 'junit', name: 'junit', version: '4.12'
 }
diff --git a/core/build.gradle b/core/build.gradle
@@ -9,7 +9,8 @@ repositories {
 }
 
 dependencies {
-    compile group: 'com.google.guava', name: 'guava', version: '23.0'
+    // https://github.com/google/guava/wiki/CVE-2018-10237
+    compile group: 'com.google.guava', name: 'guava', version: '29.0-jre'
     compile group: 'org.springframework', name: 'spring-context', version: '5.2.5.RELEASE'
     compile group: 'org.springframework', name: 'spring-beans', version: '5.2.5.RELEASE'
     compile group: 'org.apache.commons', name: 'commons-lang3', version: '3.10'

diff --git a/elasticsearch/build.gradle b/elasticsearch/build.gradle
@@ -11,15 +11,16 @@ repositories {
 dependencies {
     compile project(':core')
     compile group: 'org.elasticsearch', name: 'elasticsearch', version: "${es_version}"
-    compile group: 'org.elasticsearch.client', name: 'elasticsearch-rest-high-level-client', version: "${es_version}"
     compile "io.github.resilience4j:resilience4j-retry:1.5.0"
     compile group: 'com.fasterxml.jackson.core', name: 'jackson-core', version: '2.10.4'
     compile group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.10.4'
+    compileOnly group: 'org.elasticsearch.client', name: 'elasticsearch-rest-high-level-client', version: "${es_version}"
 
     testImplementation('org.junit.jupiter:junit-jupiter:5.6.2')
     testCompile group: 'org.hamcrest', name: 'hamcrest-library', version: '2.1'
     testCompile group: 'org.mockito', name: 'mockito-core', version: '3.3.3'
     testCompile group: 'org.mockito', name: 'mockito-junit-jupiter', version: '3.3.3'
+    testCompile group: 'org.elasticsearch.client', name: 'elasticsearch-rest-high-level-client', version: "${es_version}"
 }
 
 test {

diff --git a/integ-test/build.gradle b/integ-test/build.gradle
@@ -23,6 +23,8 @@ repositories {
 
 configurations.all {
     exclude group: "commons-logging", module: "commons-logging"
+    // enforce 1.1.3, https://www.whitesourcesoftware.com/vulnerability-database/WS-2019-0379
+    resolutionStrategy.force 'commons-codec:commons-codec:1.13'
 }
 
 dependencies {

diff --git a/legacy/build.gradle b/legacy/build.gradle
@@ -60,7 +60,13 @@ dependencies {
     compile group: 'org.locationtech.spatial4j', name: 'spatial4j', version:'0.7'
     compile group: "org.elasticsearch.plugin", name: 'parent-join-client', version: "${es_version}"
     compile group: "org.elasticsearch.plugin", name: 'reindex-client', version: "${es_version}"
-    compile group: 'com.google.guava', name: 'guava', version:'23.0'
+    constraints {
+        implementation('commons-codec:commons-codec:1.13') {
+            because 'https://www.whitesourcesoftware.com/vulnerability-database/WS-2019-0379'
+        }
+    }
+    // https://github.com/google/guava/wiki/CVE-2018-10237
+    implementation group: 'com.google.guava', name: 'guava', version: '29.0-jre'
     compile group: 'org.json', name: 'json', version:'20180813'
     compile group: 'org.apache.commons', name: 'commons-lang3', version: '3.10'
     compile group: 'org.elasticsearch', name: 'elasticsearch', version: "${es_version}"

diff --git a/plugin/build.gradle b/plugin/build.gradle
@@ -31,6 +31,8 @@ thirdPartyAudit.enabled = false
 configurations.all {
     // conflict with spring-jcl
     exclude group: "commons-logging", module: "commons-logging"
+    // enforce 1.1.3, https://www.whitesourcesoftware.com/vulnerability-database/WS-2019-0379
+    resolutionStrategy.force 'commons-codec:commons-codec:1.13'
 }
 
 dependencies {

diff --git a/ppl/build.gradle b/ppl/build.gradle
@@ -25,7 +25,8 @@ dependencies {
     antlr "org.antlr:antlr4:4.7.1"
 
     compile "org.antlr:antlr4-runtime:4.7.1"
-    compile group: 'com.google.guava', name: 'guava', version: '23.0'
+    // https://github.com/google/guava/wiki/CVE-2018-10237
+    compile group: 'com.google.guava', name: 'guava', version: '29.0-jre'
     compile group: 'org.elasticsearch', name: 'elasticsearch-x-content', version: "${es_version}"
     compile group: 'org.json', name: 'json', version: '20180813'
     compile group: 'org.springframework', name: 'spring-context', version: '5.2.5.RELEASE'

diff --git a/protocol/build.gradle b/protocol/build.gradle
@@ -9,7 +9,8 @@ repositories {
 }
 
 dependencies {
-    compile group: 'com.google.guava', name: 'guava', version: '23.0'
+    // https://github.com/google/guava/wiki/CVE-2018-10237
+    compile group: 'com.google.guava', name: 'guava', version: '29.0-jre'
     compile group: 'org.json', name: 'json', version: '20180813' //TODO: change to other JSON lib?
     compile project(':core')
 

diff --git a/sql/build.gradle b/sql/build.gradle
@@ -25,7 +25,8 @@ dependencies {
     antlr "org.antlr:antlr4:4.7.1"
 
     compile "org.antlr:antlr4-runtime:4.7.1"
-    compile group: 'com.google.guava', name: 'guava', version:'23.0'
+    // https://github.com/google/guava/wiki/CVE-2018-10237
+    implementation group: 'com.google.guava', name: 'guava', version: '29.0-jre'
     compile group: 'org.json', name: 'json', version:'20180813'
     compile group: 'org.springframework', name: 'spring-context', version: '5.2.5.RELEASE'
     compile group: 'org.springframework', name: 'spring-beans', version: '5.2.5.RELEASE'