Upgrade deps to address security vulnerabilities

aws · May 18, 2022 · e1fe990 · e1fe990
1 parent cde8703
commit e1fe990
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -32,6 +32,13 @@ An uber jar containing the library and all its relocated dependencies except the
 The generated uber jar file can also be found at: `build/libs/`. At runtime, the uber jar expects to find the kafka
  client library and the `sl4j-api` library on the classpath. 
 
+## Validating secure dependencies
+To ensure no security vulnerabilities in the dependency libraries, run the following.
+
+ `gradle dependencyCheckAnalyze`
+
+If the above reports any vulnerabilities, upgrade dependencies to use the respective latest versions.
+
 ## Using the Amazon MSK Library for IAM Authentication
 The recommended way to use this library is to consume it from maven central while building a Kafka client application.
 
@@ -469,6 +476,17 @@ public static String UriEncode(CharSequence input, boolean encodeSlash) {
 
 ## Release Notes
 
+### Release 1.1.4
+
+- Update dependencies to address the following security vulnerabilities.
+  * CVE-2021-37136
+  * CVE-2021-37137
+  * CVE-2022-24823
+  * CVE-2021-43797
+  * CVE-2021-38153
+  * CVE-2020-36518
+- Specifically, build and test against Kafka 2.8.
+
 ### Release 1.1.3
 
 - Add retries if loading credential fails with client side errors.

diff --git a/build.gradle b/build.gradle
@@ -4,7 +4,7 @@ plugins {
     id 'com.github.johnrengelman.shadow' version '6.1.0'
     id 'maven-publish'
     id 'signing'
-    id 'org.owasp.dependencycheck' version '6.1.6'
+    id 'org.owasp.dependencycheck' version '7.1.0.1'
 }
 
 
@@ -39,16 +39,16 @@ version = readVersion()
 group "software.amazon.msk"
 
 dependencies {
-    compileOnly('org.apache.kafka:kafka-clients:2.4.1')
+    compileOnly('org.apache.kafka:kafka-clients:2.8.1')
     // aws sdk imports.
     implementation(platform('com.amazonaws:aws-java-sdk-bom:1.11.986'))
     implementation('com.amazonaws:aws-java-sdk-core')
     implementation('com.amazonaws:aws-java-sdk-sts')
-    implementation(platform('software.amazon.awssdk:bom:2.16.74'))
+    implementation(platform('software.amazon.awssdk:bom:2.17.192'))
     implementation('software.amazon.awssdk:auth')
     implementation('software.amazon.awssdk:sso')
     implementation('software.amazon.awssdk:sts')
-    implementation('com.fasterxml.jackson.core:jackson-databind:2.12.2')
+    implementation('com.fasterxml.jackson.core:jackson-databind:2.13.3')
     implementation('org.slf4j:slf4j-api:1.7.25')
 
     runtimeOnly('software.amazon.awssdk:apache-client')