From ef00950e461fe769af3dc430948056f92417682a Mon Sep 17 00:00:00 2001
From: Joshua Tokle
Date: Wed, 19 May 2021 08:17:22 -0700
Subject: [PATCH 1/3] Upgrade Jackson version to 2.11.4

Upgrade Jackson version to 2.11.4 to match OpenSearch core. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28491
---
 build.gradle | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/build.gradle b/build.gradle
index 8dfb92bb..bbb7b195 100644
--- a/build.gradle
+++ b/build.gradle
@@ -222,6 +222,8 @@ dependencies {
 compile files("${System.properties['java.home']}/../lib/tools.jar")
 }
+def jacksonVersion = "2.11.4"
+
 configurations {
 // jarHell reports class name conflicts between securemock and mockito-core
 // has to disable one of them.
@@ -232,11 +234,6 @@ dependencies {
 configurations.all {
 resolutionStrategy {
-force 'com.fasterxml.jackson.core:jackson-databind:2.10.5.1'
-force 'com.fasterxml.jackson.core:jackson-core:2.10.5'
-force 'com.fasterxml.jackson.dataformat:jackson-dataformat-smile:2.10.5'
-force 'com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.10.5'
-force 'com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.10.5'
 force 'junit:junit:4.13.1'
 }
 }
@@ -249,9 +246,9 @@ dependencies {
 compile 'org.bouncycastle:bcprov-jdk15on:1.68'
 compile 'org.bouncycastle:bcpkix-jdk15on:1.68'
 compile 'com.amazon.opensearch:performanceanalyzer-rca:1.0.0.0-beta1'
-compile 'com.fasterxml.jackson.core:jackson-annotations:2.10.5'
-compile 'com.fasterxml.jackson.core:jackson-databind:2.10.5.1'
-compile 'com.fasterxml.jackson.module:jackson-module-paranamer:2.10.5'
+compile "com.fasterxml.jackson.core:jackson-annotations:${jacksonVersion}"
+compile "com.fasterxml.jackson.core:jackson-databind:${jacksonVersion}"
+compile "com.fasterxml.jackson.module:jackson-module-paranamer:${jacksonVersion}"
 compile(group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.11.1') {
 force = 'true'
 }
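Review bot: The second hunk removes the forced coordinates for jackson-dataformat-smile, jackson-dataformat-yaml and jackson-dataformat-cbor, and nothing in the series pins them again: patches 2 and 3 restore forces only for jackson-annotations, jackson-databind, jackson-module-paranamer and jackson-core. CVE-2020-28491, which the description cites as the motivation, is an issue in jackson-dataformat-cbor fixed in 2.11.4, so if that module (or smile/yaml) still reaches the classpath transitively its version is now whatever resolution happens to pick rather than ${jacksonVersion}, and a dataformat artifact whose version differs from jackson-core is also a runtime incompatibility risk. I would add to the resolutionStrategy block that patch 3 ends with `force "com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:${jacksonVersion}"`, `force "com.fasterxml.jackson.dataformat:jackson-dataformat-smile:${jacksonVersion}"` and `force "com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:${jacksonVersion}"`, or confirm with dependencyInsight that these modules are no longer resolved at all. The enclosing dependencies block starts and ends outside these hunks.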
From 9bf76e1cd3194fd2f2e24d4618dd79d7379c600e Mon Sep 17 00:00:00 2001
From: Joshua Tokle
Date: Wed, 19 May 2021 12:42:35 -0700
Subject: [PATCH 2/3] Force resolution of new Jackson versions

---
 build.gradle | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/build.gradle b/build.gradle
index bbb7b195..2fc366de 100644
--- a/build.gradle
+++ b/build.gradle
@@ -235,6 +235,9 @@ dependencies {
 configurations.all {
 resolutionStrategy {
 force 'junit:junit:4.13.1'
+force "com.fasterxml.jackson.core:jackson-annotations:${jacksonVersion}"
+force "com.fasterxml.jackson.core:jackson-databind:${jacksonVersion}"
+force "com.fasterxml.jackson.module:jackson-module-paranamer:${jacksonVersion}"
 }
 }

From deaf4bffd1559f893a7ce95fa4dadd3ca899859b Mon Sep 17 00:00:00 2001
From: Joshua Tokle
Date: Wed, 19 May 2021 12:54:19 -0700
Subject: [PATCH 3/3] Add jackson-core to force-resolved dependencies

---
 build.gradle | 1 +
 1 file changed, 1 insertion(+)

diff --git a/build.gradle b/build.gradle
index 2fc366de..bf2bc500 100644
--- a/build.gradle
+++ b/build.gradle
@@ -236,6 +236,7 @@ dependencies {
 resolutionStrategy {
 force 'junit:junit:4.13.1'
 force "com.fasterxml.jackson.core:jackson-annotations:${jacksonVersion}"
+force "com.fasterxml.jackson.core:jackson-core:${jacksonVersion}"
 force "com.fasterxml.jackson.core:jackson-databind:${jacksonVersion}"
 force "com.fasterxml.jackson.module:jackson-module-paranamer:${jacksonVersion}"
 }