Posted to commits@asterixdb.apache.org by mb...@apache.org on 2023/06/14 01:18:38 UTC
[asterixdb] 01/14: [NO ISSUE][*DB]: Update smart-json to avoid encountered CVE
This is an automated email from the ASF dual-hosted git repository.
mblow pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/asterixdb.git
commit aedda3544b52a3b3baebbab24e63d6273c0bbc59
Author: Hussain Towaileb <Hu...@couchbase.com>
AuthorDate: Mon May 22 04:45:42 2023 +0300
[NO ISSUE][*DB]: Update smart-json to avoid encountered CVE
Details:
- This change updates smart-json to avoid CVE-2023-1370:
json-smart 2.4.7 -> 2.4.11
Change-Id: I6cceff58ae80042c1421de4acb97dbfa3549168a
Reviewed-on: https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/17548
Integration-Tests: Jenkins <je...@fulliautomatix.ics.uci.edu>
Tested-by: Jenkins <je...@fulliautomatix.ics.uci.edu>
Reviewed-by: Hussain Towaileb <hu...@gmail.com>
Reviewed-by: Michael Blow <mb...@apache.org>
---
asterixdb/asterix-external-data/pom.xml | 5 +++++
asterixdb/asterix-server/pom.xml | 2 +-
asterixdb/pom.xml | 12 ++++++++++++
.../src/main/appended-resources/supplemental-models.xml | 14 +++++++-------
hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml | 4 ++++
hyracks-fullstack/pom.xml | 10 ++++++++++
6 files changed, 39 insertions(+), 8 deletions(-)
diff --git a/asterixdb/asterix-external-data/pom.xml b/asterixdb/asterix-external-data/pom.xml
index 068e294fec..f8a4401186 100644
--- a/asterixdb/asterix-external-data/pom.xml
+++ b/asterixdb/asterix-external-data/pom.xml
@@ -546,6 +546,11 @@
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-util-ajax</artifactId>
</dependency>
+ <!-- Manually included to avoid CVE-2023-1370 -->
+ <dependency>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </dependency>
</dependencies>
<!-- apply patch for HADOOP-17225 to workaround CVE-2019-10172 -->
<repositories>
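Review bot: The comment on the new json-smart dependency names the CVE but not why a direct declaration is needed in this module, which is exactly what a later dependency cleanup will question. The reason appears to be that json-smart is excluded from hadoop-common and azure-identity elsewhere in this change, so a module that still needs it at runtime has to declare it itself and thereby pick up the managed 2.4.11. Suggest `<!-- Declared directly: json-smart is excluded from hadoop-common/azure-identity (CVE-2023-1370) so the managed, fixed version is used; drop once those upstreams ship a fixed release -->`. The version is inherited from dependencyManagement, which this hunk does not show; if asterix-external-data does not inherit the hyracks-fullstack managed entry, Maven will reject the version-less dependency.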
diff --git a/asterixdb/asterix-server/pom.xml b/asterixdb/asterix-server/pom.xml
index fb1c2f16cc..2ab0e5f2a2 100644
--- a/asterixdb/asterix-server/pom.xml
+++ b/asterixdb/asterix-server/pom.xml
@@ -309,7 +309,7 @@
<url>https://raw.githubusercontent.com/codehaus/stax/master/dev/ASF2.0.txt</url>
</override>
<override>
- <gav>org.ow2.asm:asm:9.1</gav>
+ <gav>org.ow2.asm:asm:9.3</gav>
<url>https://raw.githubusercontent.com/llbit/ow2-asm/master/LICENSE.txt</url>
</override>
<override>
diff --git a/asterixdb/pom.xml b/asterixdb/pom.xml
index 45f1986569..3610b19ee9 100644
--- a/asterixdb/pom.xml
+++ b/asterixdb/pom.xml
@@ -1019,6 +1019,10 @@
<artifactId>hadoop-common</artifactId>
<version>${hadoop.version}</version>
<exclusions>
+ <exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
<exclusion>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
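Review bot: The json-smart exclusions here and at the hadoop-common tests and azure-identity entries below (and in hyracks-hdfs/pom.xml and hyracks-fullstack/pom.xml) carry no comment tying them to the CVE or to the direct dependency that replaces them, so nothing stops a later cleanup from removing one side without the other. Suggest a one-line comment on each, e.g. `<!-- excluded: replaced by the managed json-smart (CVE-2023-1370) -->`. An exclusion only cuts the named path; json-smart reached transitively through any other artifact is governed by the managed version alone, so a maven-enforcer bannedDependencies rule on json-smart below 2.4.11 would be the durable check that the vulnerable version cannot return. For azure-identity, confirm that every module consuming it declares json-smart directly (asterix-external-data does in this change), since its authentication stack may need those classes at runtime.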
@@ -1111,6 +1115,10 @@
<version>${hadoop.version}</version>
<classifier>tests</classifier>
<exclusions>
+ <exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
<exclusion>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
@@ -1644,6 +1652,10 @@
<artifactId>azure-identity</artifactId>
<version>1.4.1</version>
<exclusions>
+ <exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
<exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-handler</artifactId>
diff --git a/asterixdb/src/main/appended-resources/supplemental-models.xml b/asterixdb/src/main/appended-resources/supplemental-models.xml
index 18508ef66a..1a97cbfef9 100644
--- a/asterixdb/src/main/appended-resources/supplemental-models.xml
+++ b/asterixdb/src/main/appended-resources/supplemental-models.xml
@@ -1090,8 +1090,8 @@
<groupId>net.minidev</groupId>
<artifactId>json-smart</artifactId>
<properties>
- <license.ignoreMissingEmbeddedLicense>2.4.7</license.ignoreMissingEmbeddedLicense>
- <license.ignoreMissingEmbeddedNotice>2.4.7</license.ignoreMissingEmbeddedNotice>
+ <license.ignoreMissingEmbeddedLicense>2.4.11</license.ignoreMissingEmbeddedLicense>
+ <license.ignoreMissingEmbeddedNotice>2.4.11</license.ignoreMissingEmbeddedNotice>
</properties>
</project>
</supplement>
@@ -1102,8 +1102,8 @@
<groupId>net.minidev</groupId>
<artifactId>accessors-smart</artifactId>
<properties>
- <license.ignoreMissingEmbeddedLicense>2.4.7</license.ignoreMissingEmbeddedLicense>
- <license.ignoreMissingEmbeddedNotice>2.4.7</license.ignoreMissingEmbeddedNotice>
+ <license.ignoreMissingEmbeddedLicense>2.4.11</license.ignoreMissingEmbeddedLicense>
+ <license.ignoreMissingEmbeddedNotice>2.4.11</license.ignoreMissingEmbeddedNotice>
</properties>
</project>
</supplement>
@@ -1113,9 +1113,9 @@
<groupId>org.ow2.asm</groupId>
<artifactId>asm</artifactId>
<properties>
- <license.ignoreMissingEmbeddedLicense>9.1</license.ignoreMissingEmbeddedLicense>
- <license.ignoreMissingEmbeddedNotice>9.1</license.ignoreMissingEmbeddedNotice>
- <license.ignoreLicenseOverride>9.1</license.ignoreLicenseOverride>
+ <license.ignoreMissingEmbeddedLicense>9.3</license.ignoreMissingEmbeddedLicense>
+ <license.ignoreMissingEmbeddedNotice>9.3</license.ignoreMissingEmbeddedNotice>
+ <license.ignoreLicenseOverride>9.3</license.ignoreLicenseOverride>
</properties>
</project>
</supplement>
diff --git a/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml b/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
index b16904df1c..816746cfca 100644
--- a/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
+++ b/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
@@ -182,6 +182,10 @@
<classifier>tests</classifier>
<scope>test</scope>
<exclusions>
+ <exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
<exclusion>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
diff --git a/hyracks-fullstack/pom.xml b/hyracks-fullstack/pom.xml
index 69a82799b5..9ef0212060 100644
--- a/hyracks-fullstack/pom.xml
+++ b/hyracks-fullstack/pom.xml
@@ -155,6 +155,10 @@
<artifactId>hadoop-common</artifactId>
<version>${hadoop.version}</version>
<exclusions>
+ <exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
<exclusion>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
@@ -472,6 +476,12 @@
<artifactId>jetty-util-ajax</artifactId>
<version>9.4.48.v20220622</version>
</dependency>
+ <!-- Manually included to avoid CVE-2023-1370 -->
+ <dependency>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ <version>2.4.11</version>
+ </dependency>
</dependencies>
</dependencyManagement>
<build>
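Review bot: The managed version `2.4.11` is hard-coded next to a comment that names the CVE but not the condition for removing the pin, so it will either outlive its purpose or be bumped blindly. Suggest `<!-- Pinned for CVE-2023-1370; json-smart otherwise arrives transitively via hadoop-common/azure-identity. Remove once those upstreams depend on a fixed json-smart. -->`. The same 2.4.11 value must also be kept in step with the supplemental-models.xml license entries changed in this commit, so a `json-smart.version` property would give one place to update; the neighbouring jetty entry uses an inline version, so this is a style point rather than a defect.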