From 83b21b021c818b2dffb9821db061c2ae6bdfefc5 Mon Sep 17 00:00:00 2001
From: david-leifker <114954101+david-leifker@users.noreply.github.com>
Date: Thu, 1 Dec 2022 16:43:15 -0600
Subject: [PATCH] fix(security): security version updates (#6602)
---
 build.gradle | 28 ++++++++++++-------
 buildSrc/build.gradle | 4 +--
 datahub-frontend/play.gradle | 2 +-
 datahub-ranger-plugin/build.gradle | 12 ++++++++
 entity-registry/build.gradle | 5 ++++
 metadata-io/build.gradle | 3 ++
 .../auth-ranger-impl/build.gradle | 12 ++++++++
 7 files changed, 53 insertions(+), 13 deletions(-)
diff --git a/build.gradle b/build.gradle
index 74146515850a0..b57419e285a38 100644
--- a/build.gradle
+++ b/build.gradle
@@ -8,6 +8,8 @@ buildscript {
 ext.neo4jVersion = '4.4.9'
 ext.graphQLJavaVersion = '19.0'
 ext.testContainersVersion = '1.17.4'
+ ext.jacksonVersion = '2.13.4'
+ ext.jettyVersion = '9.4.46.v20220331'
 apply from: './repositories.gradle'
 buildscript.repositories.addAll(project.repositories)
 dependencies {
@@ -57,6 +59,7 @@ project.ext.externalDependency = [
 'commonsCli': 'commons-cli:commons-cli:1.5.0',
 'commonsIo': 'commons-io:commons-io:2.4',
 'commonsLang': 'commons-lang:commons-lang:2.6',
+ 'commonsText': 'org.apache.commons:commons-text:1.10.0',
 'commonsCollections': 'commons-collections:commons-collections:3.2.2',
 'data' : 'com.linkedin.pegasus:data:' + pegasusVersion,
 'datastaxOssNativeProtocol': 'com.datastax.oss:native-protocol:1.5.1',
@@ -75,7 +78,7 @@ project.ext.externalDependency = [
 'gson': 'com.google.code.gson:gson:2.8.9',
 'guice': 'com.google.inject:guice:4.2.2',
 'guava': 'com.google.guava:guava:27.0.1-jre',
- 'h2': 'com.h2database:h2:2.1.210',
+ 'h2': 'com.h2database:h2:2.1.214',
 'hadoopClient': 'org.apache.hadoop:hadoop-client:3.2.1',
 'hadoopCommon':'org.apache.hadoop:hadoop-common:2.7.2',
 'hadoopMapreduceClient':'org.apache.hadoop:hadoop-mapreduce-client-core:2.7.2',
@@ -84,15 +87,18 @@ project.ext.externalDependency = [
 'httpClient': 'org.apache.httpcomponents:httpclient:4.5.9',
 'httpAsyncClient': 'org.apache.httpcomponents:httpasyncclient:4.1.5',
 'iStackCommons': 'com.sun.istack:istack-commons-runtime:4.0.1',
- 'jacksonCore': 'com.fasterxml.jackson.core:jackson-core:2.13.2',
- 'jacksonDataBind': 'com.fasterxml.jackson.core:jackson-databind:2.13.2.2',
- 'jacksonDataFormatYaml': 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.13.2',
+ 'jacksonCore': "com.fasterxml.jackson.core:jackson-core:$jacksonVersion",
+ 'jacksonDataBind': "com.fasterxml.jackson.core:jackson-databind:$jacksonVersion.2",
+ 'jacksonDataFormatYaml': "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:$jacksonVersion",
+ 'woodstoxCore': 'com.fasterxml.woodstox:woodstox-core:6.4.0',
 'javatuples': 'org.javatuples:javatuples:1.2',
 'javaxInject' : 'javax.inject:javax.inject:1',
 'javaxValidation' : 'javax.validation:validation-api:2.0.1.Final',
 'jerseyCore': 'org.glassfish.jersey.core:jersey-client:2.25.1',
 'jerseyGuava': 'org.glassfish.jersey.bundles.repackaged:jersey-guava:2.25.1',
- 'jettyJaas': 'org.eclipse.jetty:jetty-jaas:9.4.46.v20220331',
+ 'jettyJaas': "org.eclipse.jetty:jetty-jaas:$jettyVersion",
+ 'jettyClient': "org.eclipse.jetty:jetty-client:$jettyVersion",
+ 'jettison': 'org.codehaus.jettison:jettison:1.5.2',
 'jgrapht': 'org.jgrapht:jgrapht-core:1.5.1',
 'jna': 'net.java.dev.jna:jna:5.12.1',
 'jsonPatch': 'com.github.java-json-tools:json-patch:1.13',
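Review bot: The new `jacksonDataBind` entry relies on Groovy ending the interpolation at `$jacksonVersion` and treating `.2` as literal text (a property name cannot begin with a digit), which does yield 2.13.4.2 but reads like a property access to anyone not familiar with that rule; `'jacksonDataBind': "com.fasterxml.jackson.core:jackson-databind:${jacksonVersion}.2",` makes the boundary explicit. The same form is used for jackson-databind in the `subprojects` hunk (`@@ -219,8 +227,8`) of this file. The `.2` suffix also ties databind to a micro-release that exists only for some Jackson lines, so a later bump of `ext.jacksonVersion` on its own may produce a coordinate that does not exist; a one-line comment next to `ext.jacksonVersion` saying that the databind `.2` suffix must be re-checked on every bump would make that coupling visible.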
@@ -136,14 +142,15 @@ project.ext.externalDependency = [
 'playTest': 'com.typesafe.play:play-test_2.12:2.7.6',
 'pac4j': 'org.pac4j:pac4j-oidc:3.6.0',
 'playPac4j': 'org.pac4j:play-pac4j_2.12:8.0.2',
- 'postgresql': 'org.postgresql:postgresql:42.3.3',
- 'protobuf': 'com.google.protobuf:protobuf-java:3.19.3',
+ 'postgresql': 'org.postgresql:postgresql:42.3.8',
+ 'protobuf': 'com.google.protobuf:protobuf-java:3.19.6',
 'rangerCommons': 'org.apache.ranger:ranger-plugins-common:2.3.0',
 'reflections': 'org.reflections:reflections:0.9.9',
 'resilience4j': 'io.github.resilience4j:resilience4j-retry:1.7.1',
 'rythmEngine': 'org.rythmengine:rythm-engine:1.3.0',
 'servletApi': 'javax.servlet:javax.servlet-api:3.1.0',
- 'shiroCore': 'org.apache.shiro:shiro-core:1.8.0',
+ 'shiroCore': 'org.apache.shiro:shiro-core:1.10.0',
+ 'snakeYaml': 'org.yaml:snakeyaml:1.33',
 'sparkSql' : 'org.apache.spark:spark-sql_2.11:2.4.8',
 'sparkHive' : 'org.apache.spark:spark-hive_2.11:2.4.8',
 'springBeans': "org.springframework:spring-beans:$springVersion",
@@ -184,6 +191,7 @@ configure(subprojects.findAll {! it.name.startsWith('spark-lineage') }) {
 configurations.all {
 exclude group: "io.netty", module: "netty"
+ exclude group: "log4j", module: "log4j"
 exclude group: "org.springframework.boot", module: "spring-boot-starter-logging"
 exclude group: "ch.qos.logback", module: "logback-classic"
 exclude group: "org.apache.logging.log4j", module: "log4j-to-slf4j"
@@ -219,8 +227,8 @@ subprojects {
 implementation('org.apache.commons:commons-compress:1.21')
 implementation('org.apache.velocity:velocity-engine-core:2.3')
 implementation('org.hibernate:hibernate-validator:6.0.20.Final')
- implementation('com.fasterxml.jackson.core:jackson-databind:2.13.2.2')
- implementation('com.fasterxml.jackson.core:jackson-dataformat-cbor:2.13.2')
+ implementation("com.fasterxml.jackson.core:jackson-databind:$jacksonVersion.2")
+ implementation("com.fasterxml.jackson.core:jackson-dataformat-cbor:$jacksonVersion")
 }
 }
diff --git a/buildSrc/build.gradle b/buildSrc/build.gradle
index 2d94fd876c31f..b240501b49b07 100644
--- a/buildSrc/build.gradle
+++ b/buildSrc/build.gradle
@@ -10,7 +10,7 @@ dependencies {
 exclude group: 'com.google.guava', module: 'guava'
 }
 compile 'com.google.guava:guava:27.0.1-jre'
- compile 'com.fasterxml.jackson.core:jackson-databind:2.9.10.7'
- compile 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.8.11'
+ compile 'com.fasterxml.jackson.core:jackson-databind:2.13.4.2'
+ compile 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.13.4'
 compile 'commons-io:commons-io:2.11.0'
 }
\ No newline at end of file
diff --git a/datahub-frontend/play.gradle b/datahub-frontend/play.gradle
index fb08cbddc1b07..579449e9e39b1 100644
--- a/datahub-frontend/play.gradle
+++ b/datahub-frontend/play.gradle
@@ -17,7 +17,7 @@ dependencies {
 constraints {
 play('org.springframework:spring-core:5.2.3.RELEASE')
- play('com.fasterxml.jackson.core:jackson-databind:2.9.10.4')
+ play(externalDependency.jacksonDataBind)
 play('com.nimbusds:nimbus-jose-jwt:7.9')
 play('com.typesafe.akka:akka-actor_2.12:2.5.16')
 play('net.minidev:json-smart:2.4.1')
diff --git a/datahub-ranger-plugin/build.gradle b/datahub-ranger-plugin/build.gradle
index 810b1a1991c9f..b3277a664af22 100644
--- a/datahub-ranger-plugin/build.gradle
+++ b/datahub-ranger-plugin/build.gradle
@@ -30,6 +30,18 @@ dependencies {
 implementation externalDependency.hadoopCommon3
 implementation externalDependency.log4jApi
+ constraints {
+ implementation(externalDependency.woodstoxCore) {
+ because("previous versions are vulnerable to CVE-2022-40151 CVE-2022-40152")
+ }
+ implementation(externalDependency.jettyClient) {
+ because("previous versions are vulnerable to CVE-2021-28165")
+ }
+ implementation(externalDependency.jettison) {
+ because("previous versions are vulnerable to CVE-2022-40149 CVE-2022-40150")
+ }
+ }
+
 testCompile externalDependency.testng
 }
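Review bot: The buildSrc hunk hard-codes `2.13.4.2` and `2.13.4`, duplicating the `ext.jacksonVersion` that this same commit introduces in the root build.gradle; buildSrc is compiled before the root project is configured, so it cannot read that `ext` value, which is presumably why literals are used here. A comment such as `// keep in sync with ext.jacksonVersion in the root build.gradle` above the two `compile` lines would stop the next security bump from updating one place and not the other. The enclosing `dependencies {` block starts before this hunk.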
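Review bot: The `constraints { … }` block added to datahub-ranger-plugin/build.gradle is repeated verbatim, including the three `because(...)` strings, in the metadata-service/auth-ranger-impl hunk at the end of this diff, so future CVE-driven bumps of woodstox-core, jetty-client or jettison have to be applied in two places. If the root build.gradle `subprojects { … }` block (partly visible in the `@@ -219,8 +227,8` hunk) is where shared pins already live, declaring these three constraints there once would keep the versions and their justifications in a single place; otherwise a small shared Gradle script applied by both ranger modules would do. A constraint only takes effect in modules that actually resolve the constrained artifact, so hoisting it does not add dependencies to modules that do not use them. The enclosing `dependencies {` block starts before this hunk.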
diff --git a/entity-registry/build.gradle b/entity-registry/build.gradle
index 9a77f76cd7bad..3594e0440f63d 100644
--- a/entity-registry/build.gradle
+++ b/entity-registry/build.gradle
@@ -10,6 +10,11 @@ dependencies {
 compile externalDependency.jacksonDataFormatYaml
 compile externalDependency.reflections
 compile externalDependency.jsonPatch
+ constraints {
+ implementation(externalDependency.snakeYaml) {
+ because("previous versions are vulnerable to CVE-2022-25857")
+ }
+ }
 dataModel project(':li-utils')
 annotationProcessor externalDependency.lombok
diff --git a/metadata-io/build.gradle b/metadata-io/build.gradle
index 0a7924f002091..0ebee67656752 100644
--- a/metadata-io/build.gradle
+++ b/metadata-io/build.gradle
@@ -66,6 +66,9 @@ dependencies {
 implementation(externalDependency.log4jApi) {
 because("previous versions are vulnerable to CVE-2021-45105")
 }
+ implementation(externalDependency.commonsText) {
+ because("previous versions are vulnerable to CVE-2022-42889")
+ }
 }
 }
diff --git a/metadata-service/auth-ranger-impl/build.gradle b/metadata-service/auth-ranger-impl/build.gradle
index 7abb9e78ac055..8d13106bc6657 100644
--- a/metadata-service/auth-ranger-impl/build.gradle
+++ b/metadata-service/auth-ranger-impl/build.gradle
@@ -13,6 +13,18 @@ dependencies {
 }
 implementation externalDependency.hadoopCommon3
+ constraints {
+ implementation(externalDependency.woodstoxCore) {
+ because("previous versions are vulnerable to CVE-2022-40151 CVE-2022-40152")
+ }
+ implementation(externalDependency.jettyClient) {
+ because("previous versions are vulnerable to CVE-2021-28165")
+ }
+ implementation(externalDependency.jettison) {
+ because("previous versions are vulnerable to CVE-2022-40149 CVE-2022-40150")
+ }
+ }
+
 implementation 'org.apache.logging.log4j:log4j-1.2-api:2.17.1'
 implementation 'rome:rome:1.0'
 runtimeOnly externalDependency.jna
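Review bot: The snakeyaml 1.33 constraint is declared only in entity-registry/build.gradle, while both `snakeYaml` and `jacksonDataFormatYaml` (which depends on snakeyaml) are root-level `externalDependency` entries; if any other module consumes jackson-dataformat-yaml directly, it will still resolve the older snakeyaml, because a constraint declared here only reaches modules that depend on entity-registry. If that is the case, this pin belongs next to the shared ones in the root `subprojects` block rather than in a single module. The enclosing `dependencies {` block starts before this hunk.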