
NIFI-12393 Upgraded OWASP Check from 8.4.2 to 8.4.3
- Upgraded Azure SDK BOM from 1.2.17 to 1.2.18
- Upgraded Reactor Netty HTTP from 1.0.34 to 1.0.39 for Azure Identity
- Upgraded MSAL4J from 1.13.10 to 1.14.0
- Upgraded Box Java SDK from 4.4.0 to 4.6.1
- Relocated Apache Ant managed versions to bundle parent modules
- Added okio-fakefilesystem to managed dependencies
- Suppressed false-positive vulnerability report for Picocli misidentified as LINE library
- Added managed dependencies to nifi-code-coverage to avoid false positives due to different parent modules

Signed-off-by: Pierre Villard <[email protected]>

This closes apache#8054.
exceptionfactory authored and pvillard31 committed Nov 21, 2023
1 parent 89aef60 commit e5e76d0
Showing 14 changed files with 145 additions and 48 deletions.
85 changes: 85 additions & 0 deletions nifi-code-coverage/pom.xml
Expand Up @@ -26,6 +26,91 @@
<packaging>pom</packaging>
<description>Apache NiFi reporting module for aggregating code coverage information</description>

<properties>
<ant.version>1.10.14</ant.version>
<calcite.avatica.version>1.6.0</calcite.avatica.version>
<avatica.version>1.23.0</avatica.version>
</properties>

<!-- Managed Dependency Versions for referenced modules required based on different parent bundle project -->
<dependencyManagement>
<dependencies>
<!-- Apache Derby referenced in Hive and tests -->
<dependency>
<groupId>org.apache.derby</groupId>
<artifactId>derbynet</artifactId>
<version>${derby.version}</version>
</dependency>
<dependency>
<groupId>org.apache.derby</groupId>
<artifactId>derbytools</artifactId>
<version>${derby.version}</version>
</dependency>
<dependency>
<groupId>org.apache.derby</groupId>
<artifactId>derbyclient</artifactId>
<version>${derby.version}</version>
</dependency>
<!-- Apache Ant referenced in Groovy and Hive -->
<dependency>
<groupId>org.apache.ant</groupId>
<artifactId>ant</artifactId>
<version>${ant.version}</version>
</dependency>
<dependency>
<groupId>org.apache.ant</groupId>
<artifactId>ant-antlr</artifactId>
<version>${ant.version}</version>
</dependency>
<!-- Calcite Avatica referenced in Hive -->
<dependency>
<groupId>org.apache.calcite</groupId>
<artifactId>calcite-avatica</artifactId>
<version>${calcite.avatica.version}</version>
</dependency>
<dependency>
<groupId>org.apache.calcite.avatica</groupId>
<artifactId>avatica</artifactId>
<version>${avatica.version}</version>
</dependency>
<!-- Commons Compiler 3.1.9 from calcite-core -->
<dependency>
<groupId>org.codehaus.janino</groupId>
<artifactId>commons-compiler</artifactId>
<version>3.1.10</version>
</dependency>
<dependency>
<groupId>org.codehaus.janino</groupId>
<artifactId>janino</artifactId>
<version>3.1.10</version>
</dependency>
<!-- XML Security from spring-security-saml2-service-provider -->
<dependency>
<groupId>org.apache.santuario</groupId>
<artifactId>xmlsec</artifactId>
<version>2.3.4</version>
<exclusions>
<exclusion>
<groupId>com.fasterxml.woodstox</groupId>
<artifactId>woodstox-core</artifactId>
</exclusion>
</exclusions>
</dependency>
<!-- Reactor Netty client 1.0.34 from Azure Identity -->
<dependency>
<groupId>io.projectreactor.netty</groupId>
<artifactId>reactor-netty-http</artifactId>
<version>1.0.39</version>
</dependency>
<!-- core-io from Couchbase -->
<dependency>
<groupId>com.couchbase.client</groupId>
<artifactId>core-io</artifactId>
<version>1.7.24</version>
</dependency>
</dependencies>
</dependencyManagement>

<dependencies>
<!-- Command and Control modules -->
<dependency>
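Review bot: The versions pinned in this new dependencyManagement block duplicate values declared elsewhere instead of referencing a shared property: `ant.version` 1.10.14 at line 33 is redeclared in the groovyx and scripting bundle parents and hard-coded in the hive bundle, and `reactor-netty-http` 1.0.39 at line 106 is repeated verbatim in nifi-azure-bundle/pom.xml. The commit message says these pins exist so the coverage module's resolution feeds dependency-check without false positives; if a bundle later bumps one of them and this module is missed, the artifact that gets scanned will presumably differ from the one shipped in the NAR, which is exactly the gap the pins are meant to close. Hoisting the repeated values into root pom properties, e.g. `<reactor.netty.version>1.0.39</reactor.netty.version>` next to the existing `okio.version`, and referencing them from both places would keep them in lock-step. The header comment at line 38 could also record that constraint, e.g. `<!-- Versions here must track the bundle parents: this module is what the dependency-check aggregate resolves -->`.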
2 changes: 1 addition & 1 deletion nifi-commons/nifi-property-protection-azure/pom.xml
Expand Up @@ -26,7 +26,7 @@
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-sdk-bom</artifactId>
<version>1.2.17</version>
<version>1.2.18</version>
<scope>import</scope>
<type>pom</type>
</dependency>
5 changes: 5 additions & 0 deletions nifi-dependency-check-maven/suppressions.xml
Expand Up @@ -439,4 +439,9 @@
<packageUrl regex="true">^pkg:javascript/jquery\.datatables@.*$</packageUrl>
<vulnerabilityName>possible XSS</vulnerabilityName>
</suppress>
<suppress>
<notes>Picocli misidentified as LINE library from Android so CVE-2015-0897 does not apply</notes>
<packageUrl regex="true">^pkg:maven/info\.picocli/picocli@.*$</packageUrl>
<cve>CVE-2015-0897</cve>
</suppress>
</suppressions>
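Review bot: The new suppression at lines 139-143 keys on the single CVE, so any further CVE that dependency-check attributes to the same mis-matched LINE product will resurface as a fresh false positive against picocli. Since the note at line 140 identifies the root cause as a product misidentification rather than a version-bounded finding, suppressing the matched CPE instead of (or alongside) the `<cve>` element would cover the whole family; the exact `cpe:` string is the one the report's generated suppression snippet lists for this artifact, and the all-versions `packageUrl` regex is appropriate for the same reason. Whichever form is kept, the note should state which Picocli artifact triggered the match and why a CPE/CVE-level suppression was chosen, e.g. `<notes>info.picocli:picocli is matched to the LINE Android CPE; CVE-2015-0897 is a LINE client issue and does not apply</notes>`.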
10 changes: 8 additions & 2 deletions nifi-nar-bundles/nifi-azure-bundle/pom.xml
Expand Up @@ -27,8 +27,8 @@
<packaging>pom</packaging>

<properties>
<azure.sdk.bom.version>1.2.17</azure.sdk.bom.version>
<msal4j.version>1.13.10</msal4j.version>
<azure.sdk.bom.version>1.2.18</azure.sdk.bom.version>
<msal4j.version>1.14.0</msal4j.version>
<qpid.proton.version>0.34.1</qpid.proton.version>
</properties>

Expand Down Expand Up @@ -68,6 +68,12 @@
<artifactId>nimbus-jose-jwt</artifactId>
<version>9.33</version>
</dependency>
<!-- Override Reactor Netty client 1.0.34 from Azure Identity -->
<dependency>
<groupId>io.projectreactor.netty</groupId>
<artifactId>reactor-netty-http</artifactId>
<version>1.0.39</version>
</dependency>
</dependencies>
</dependencyManagement>
</project>
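Review bot: The managed override at lines 163-167 covers only `reactor-netty-http`; `reactor-netty-core`, which that artifact normally depends on at the same version, is not managed here, so whether it also resolves to 1.0.39 depends on whatever else manages it (the imported azure-sdk-bom, for instance). A classpath with mismatched Reactor Netty artifacts can look upgraded while still carrying the older core, so adding a matching entry such as `<artifactId>reactor-netty-core</artifactId>` at `1.0.39` beside it, or at least confirming with `mvn dependency:tree -Dincludes=io.projectreactor.netty` on this bundle, would close that gap. The same 1.0.39 pin is duplicated in nifi-code-coverage/pom.xml, so a single root property would keep the two from drifting.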
Expand Up @@ -29,7 +29,7 @@
<dependency>
<groupId>com.box</groupId>
<artifactId>box-java-sdk</artifactId>
<version>4.4.0</version>
<version>4.6.1</version>
<exclusions>
<exclusion>
<groupId>org.bouncycastle</groupId>
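Review bot: This version bump is paired in the same commit with the removal of the managed `jose4j` 0.9.3 override in nifi-box-bundle/pom.xml, whose comment recorded that box-java-sdk pulled jose4j 0.9.0; nothing in the diff shows that 4.6.1 now declares jose4j at or above 0.9.3, so dropping the override rests on an unstated assumption. Worth confirming the resolved version with `mvn dependency:tree -Dincludes=org.bitbucket.b_c` on this module and recording it next to the dependency, e.g. `<!-- box-java-sdk 4.6.1 resolves jose4j at or above 0.9.3 (verified); managed override removed in NIFI-12393 -->`, so a future bump cannot silently reintroduce the older library. The enclosing dependency element's exclusions continue outside the hunk, and the file path for this section is not shown on the page.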
11 changes: 0 additions & 11 deletions nifi-nar-bundles/nifi-box-bundle/pom.xml
Expand Up @@ -34,15 +34,4 @@
<module>nifi-box-services-api</module>
<module>nifi-box-services-nar</module>
</modules>

<dependencyManagement>
<dependencies>
<!-- Override jose4j 0.9.0 from box-java-sdk -->
<dependency>
<groupId>org.bitbucket.b_c</groupId>
<artifactId>jose4j</artifactId>
<version>0.9.3</version>
</dependency>
</dependencies>
</dependencyManagement>
</project>
15 changes: 0 additions & 15 deletions nifi-nar-bundles/nifi-groovyx-bundle/nifi-groovyx-nar/pom.xml
Expand Up @@ -24,9 +24,6 @@

<artifactId>nifi-groovyx-nar</artifactId>
<packaging>nar</packaging>
<properties>
<ant.version>1.10.14</ant.version>
</properties>

<dependencies>
<dependency>
Expand Down Expand Up @@ -60,18 +57,6 @@
</exclusion>
</exclusions>
</dependency>
<dependency>
<!-- Override ant from groovy-ant -->
<groupId>org.apache.ant</groupId>
<artifactId>ant</artifactId>
<version>${ant.version}</version>
</dependency>
<dependency>
<!-- Override ant from groovy-ant -->
<groupId>org.apache.ant</groupId>
<artifactId>ant-antlr</artifactId>
<version>${ant.version}</version>
</dependency>
</dependencies>
</project>

16 changes: 16 additions & 0 deletions nifi-nar-bundles/nifi-groovyx-bundle/pom.xml
Expand Up @@ -26,6 +26,10 @@
<packaging>pom</packaging>
<description>NiFi Groovy Extended Processor</description>

<properties>
<ant.version>1.10.14</ant.version>
</properties>

<modules>
<module>nifi-groovyx-processors</module>
<module>nifi-groovyx-nar</module>
Expand All @@ -44,6 +48,18 @@
<type>pom</type>
<scope>provided</scope>
</dependency>
<dependency>
<!-- Override ant from groovy-ant -->
<groupId>org.apache.ant</groupId>
<artifactId>ant</artifactId>
<version>${ant.version}</version>
</dependency>
<dependency>
<!-- Override ant from groovy-ant -->
<groupId>org.apache.ant</groupId>
<artifactId>ant-antlr</artifactId>
<version>${ant.version}</version>
</dependency>
</dependencies>
</dependencyManagement>
</project>
Expand Up @@ -197,6 +197,11 @@
<artifactId>derbytools</artifactId>
<version>${derby.version}</version>
</dependency>
<dependency>
<groupId>org.apache.derby</groupId>
<artifactId>derby</artifactId>
<version>${derby.version}</version>
</dependency>
<dependency>
<groupId>org.apache.hive.hcatalog</groupId>
<artifactId>hive-hcatalog-server-extensions</artifactId>
2 changes: 1 addition & 1 deletion nifi-nar-bundles/nifi-hive-bundle/pom.xml
Expand Up @@ -91,7 +91,7 @@
<dependency>
<groupId>org.apache.ant</groupId>
<artifactId>ant</artifactId>
<version>1.10.13</version>
<version>1.10.14</version>
</dependency>
<dependency>
<groupId>org.apache.parquet</groupId>
Expand Up @@ -132,7 +132,7 @@
<artifactId>bcprov-jdk15on</artifactId>
</exclusion>
<exclusion>
<groupId>org.apache.groovy</groupId>
<groupId>org.codehaus.groovy</groupId>
<artifactId>groovy-all</artifactId>
</exclusion>
<exclusion>
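Review bot: Before this fix the exclusion at line 294 named `org.apache.groovy`, a coordinate that did not match the transitive artifact, and Maven applies nothing and reports nothing when an exclusion misses, so `groovy-all` was presumably still on this artifact's resolved classpath until now. To keep that from recurring unnoticed, an enforcer `bannedDependencies` rule for `org.codehaus.groovy:groovy-all` in the bundle parent would turn a mistyped coordinate into a build failure, and a short comment on the exclusion, e.g. `<!-- groupId must match the transitive artifact exactly; a mismatch makes the exclusion a silent no-op -->`, would explain why the exact coordinates matter. The dependency element this exclusion belongs to starts outside the hunk, and the file path for this section is not shown on the page.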
15 changes: 0 additions & 15 deletions nifi-nar-bundles/nifi-scripting-bundle/nifi-scripting-nar/pom.xml
Expand Up @@ -24,9 +24,6 @@

<artifactId>nifi-scripting-nar</artifactId>
<packaging>nar</packaging>
<properties>
<ant.version>1.10.14</ant.version>
</properties>

<dependencies>
<dependency>
Expand Down Expand Up @@ -77,17 +74,5 @@
</exclusion>
</exclusions>
</dependency>
<dependency>
<!-- Override ant from groovy-ant -->
<groupId>org.apache.ant</groupId>
<artifactId>ant</artifactId>
<version>${ant.version}</version>
</dependency>
<dependency>
<!-- Override ant from groovy-ant -->
<groupId>org.apache.ant</groupId>
<artifactId>ant-antlr</artifactId>
<version>${ant.version}</version>
</dependency>
</dependencies>
</project>
16 changes: 16 additions & 0 deletions nifi-nar-bundles/nifi-scripting-bundle/pom.xml
Expand Up @@ -26,6 +26,10 @@
<artifactId>nifi-scripting-bundle</artifactId>
<packaging>pom</packaging>

<properties>
<ant.version>1.10.14</ant.version>
</properties>

<modules>
<module>nifi-scripting-processors</module>
<module>nifi-scripting-nar</module>
Expand Down Expand Up @@ -73,6 +77,18 @@
<type>pom</type>
<scope>provided</scope>
</dependency>
<dependency>
<!-- Override ant from groovy-ant -->
<groupId>org.apache.ant</groupId>
<artifactId>ant</artifactId>
<version>${ant.version}</version>
</dependency>
<dependency>
<!-- Override ant from groovy-ant -->
<groupId>org.apache.ant</groupId>
<artifactId>ant-antlr</artifactId>
<version>${ant.version}</version>
</dependency>
</dependencies>
</dependencyManagement>
</project>
7 changes: 6 additions & 1 deletion pom.xml
Expand Up @@ -664,6 +664,11 @@
<artifactId>okio</artifactId>
<version>${okio.version}</version>
</dependency>
<dependency>
<groupId>com.squareup.okio</groupId>
<artifactId>okio-fakefilesystem</artifactId>
<version>${okio.version}</version>
</dependency>
<dependency>
<groupId>org.jetbrains.kotlin</groupId>
<artifactId>kotlin-bom</artifactId>
Expand Down Expand Up @@ -1281,7 +1286,7 @@
<plugin>
<groupId>org.owasp</groupId>
<artifactId>dependency-check-maven</artifactId>
<version>8.4.2</version>
<version>8.4.3</version>
<executions>
<execution>
<inherited>false</inherited>
