[1.3] Update guava to address CVE-2023-2976 (#3060)

### Description Update guava to address [CVE-2023-2976](https://www.cve.org/CVERecord?id=CVE-2023-2976). Seems like this has been resolved for 2.x so this PR is for the 1.3 branch. ### Issues Resolved #2940 ### Check List - [ ] ~~New functionality includes testing~~ - [ ] ~~New functionality has been documented~~ - [x] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin). --------- Signed-off-by: Josh Aguilar <[email protected]> Signed-off-by: Stephen Crawford <[email protected]> Co-authored-by: Stephen Crawford <[email protected]>
opensearch-project · Jul 31, 2023 · eb9f698 · eb9f698
1 parent 6283345
commit eb9f698
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 8 deletions.
diff --git a/build.gradle b/build.gradle
@@ -84,7 +84,7 @@ configurations.all {
         force "org.apache.commons:commons-lang3:3.4"
         force "org.springframework:spring-core:5.3.28"
         force "org.springframework:spring-expression:5.3.28"
-        force "com.google.guava:guava:30.0-jre"
+        force "com.google.guava:guava:32.1.1-jre"
         force "com.fasterxml.woodstox:woodstox-core:6.4.0"
         force "org.scala-lang:scala-library:2.13.9"
         force "org.apache.bcel:bcel:6.6.0" // This line should be removed once Spotbugs is upgraded to 4.7.4
@@ -102,7 +102,7 @@ dependencies {
     implementation 'jakarta.annotation:jakarta.annotation-api:1.3.5'
     implementation "org.opensearch.plugin:transport-netty4-client:${opensearch_version}"
     implementation "org.opensearch.client:opensearch-rest-high-level-client:${opensearch_version}"
-    implementation 'com.google.guava:guava:30.0-jre'
+    implementation 'com.google.guava:guava:32.1.1-jre'
     implementation 'org.greenrobot:eventbus:3.2.0'
     implementation 'commons-cli:commons-cli:1.3.1'
     implementation 'org.bouncycastle:bcprov-jdk15to18:1.75'
@@ -417,4 +417,4 @@ task updateVersion {
         }
         ant.replaceregexp(file:'build.gradle', match: '"opensearch.version", "\\d.*"', replace: '"opensearch.version", "' + newVersion.tokenize('-')[0] + '-SNAPSHOT"', flags:'g', byline:true)
     }
-} 
+}
diff --git a/src/test/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticatorTest.java b/src/test/java/com/amazon/dlic/auth/http/jwt/HTTPJwtAuthenticatorTest.java
@@ -19,6 +19,7 @@
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
 
+import java.lang.reflect.Field;
 import java.nio.charset.StandardCharsets;
 import java.security.KeyPair;
 import java.security.KeyPairGenerator;
@@ -36,7 +37,6 @@
 import org.junit.Assert;
 import org.junit.Test;
 import org.mockito.Mockito;
-import org.mockito.internal.util.reflection.FieldSetter;
 
 import org.opensearch.security.user.AuthCredentials;
 import org.opensearch.security.util.FakeRestRequest;
@@ -192,14 +192,17 @@ public void testBasicAuthHeader() throws Exception {
         Settings settings = Settings.builder().put("signing_key", BaseEncoding.base64().encode(secretKey)).build();
         HTTPJwtAuthenticator jwtAuth = new HTTPJwtAuthenticator(settings, null);
         JwtParser jwtParser = Mockito.spy(JwtParser.class);
-        FieldSetter.setField(jwtAuth, HTTPJwtAuthenticator.class.getDeclaredField("jwtParser"), jwtParser);
+
+        Field jwtParserField = HTTPJwtAuthenticator.class.getDeclaredField("jwtParser");
+        jwtParserField.setAccessible(true);
+        jwtParserField.set(jwtAuth, jwtParser);
 
         String basicAuth = BaseEncoding.base64().encode("user:password".getBytes(StandardCharsets.UTF_8));
         Map<String, String> headers = Collections.singletonMap(HttpHeaders.AUTHORIZATION, "Basic " + basicAuth);
 
         AuthCredentials creds = jwtAuth.extractCredentials(new FakeRestRequest(headers, Collections.emptyMap()), null);
         Assert.assertNull(creds);
-        Mockito.verifyZeroInteractions(jwtParser);
+        Mockito.verifyNoInteractions(jwtParser);
     }
 
     @Test

diff --git a/src/test/java/org/opensearch/security/ssl/util/SSLConnectionTestUtilTests.java b/src/test/java/org/opensearch/security/ssl/util/SSLConnectionTestUtilTests.java
@@ -90,7 +90,7 @@ public void testConnectionSSLNotAvailableIOException() throws Exception {
         SSLConnectionTestResult result = connectionTestUtil.testConnection();
 
         verifyClientHelloSend();
-        Mockito.verifyZeroInteractions(inputStreamReader);
+        Mockito.verifyNoMoreInteractions(inputStreamReader);
         verifyOpenSearchPingSend();
         Mockito.verify(socket, Mockito.times(2)).close();
         Assert.assertEquals("Unexpected result for testConnection invocation", SSLConnectionTestResult.SSL_NOT_AVAILABLE, result);
@@ -152,7 +152,7 @@ public void testConnectionOpenSearchPingFailedIOException() throws Exception {
 
         verifyClientHelloSend();
         verifyOpenSearchPingSend();
-        Mockito.verifyZeroInteractions(inputStream);
+        Mockito.verifyNoInteractions(inputStream);
         Mockito.verify(socket, Mockito.times(2)).close();
         Assert.assertEquals("Unexpected result for testConnection invocation", SSLConnectionTestResult.OPENSEARCH_PING_FAILED, result);
     }