fix CVE-2023-2976 and upgrade guava to be consistent (#2009) (#2013)

Signed-off-by: Xun Zhang <xunzh@amazon.com>
opensearch-project · Feb 5, 2024 · f64255c · f64255c
1 parent 90cb31a
commit f64255c
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 5 deletions.
diff --git a/build.gradle b/build.gradle
@@ -64,6 +64,11 @@ subprojects {
     configurations {
         testImplementation.extendsFrom compileOnly
     }
+
+    configurations.all {
+        // Force spotless depending on newer version of guava due to CVE-2023-2976. Remove after spotless upgrades.
+        resolutionStrategy.force "com.google.guava:guava:32.1.2-jre"
+    }
 }
 
 ext {

diff --git a/memory/build.gradle b/memory/build.gradle
@@ -28,7 +28,7 @@ dependencies {
     implementation group: 'org.opensearch', name: 'opensearch', version: "${opensearch_version}"
     implementation group: 'org.apache.httpcomponents.core5', name: 'httpcore5', version: '5.2.1'
     implementation "org.opensearch:common-utils:${common_utils_version}"
-    implementation group: 'com.google.guava', name: 'guava', version: '32.0.1-jre'
+    implementation group: 'com.google.guava', name: 'guava', version: '32.1.2-jre'
     testImplementation (group: 'junit', name: 'junit', version: '4.13.2') {
         exclude module : 'hamcrest'
         exclude module : 'hamcrest-core'

diff --git a/ml-algorithms/build.gradle b/ml-algorithms/build.gradle
@@ -42,7 +42,7 @@ dependencies {
     implementation group: 'io.protostuff', name: 'protostuff-collectionschema', version: '1.8.0'
     testImplementation group: 'junit', name: 'junit', version: '4.13.2'
     testImplementation group: 'org.mockito', name: 'mockito-core', version: '5.7.0'
-    implementation group: 'com.google.guava', name: 'guava', version: '32.0.1-jre'
+    implementation group: 'com.google.guava', name: 'guava', version: '32.1.2-jre'
     implementation group: 'com.google.code.gson', name: 'gson', version: '2.10.1'
     implementation platform("ai.djl:bom:0.21.0")
     implementation group: 'ai.djl.pytorch', name: 'pytorch-model-zoo', version: '0.21.0'

diff --git a/plugin/build.gradle b/plugin/build.gradle
@@ -57,7 +57,7 @@ dependencies {
     implementation "org.opensearch:common-utils:${common_utils_version}"
     implementation("com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}")
     implementation("com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}")
-    implementation group: 'com.google.guava', name: 'guava', version: '32.0.1-jre'
+    implementation group: 'com.google.guava', name: 'guava', version: '32.1.2-jre'
     implementation group: 'com.google.code.gson', name: 'gson', version: '2.10.1'
     implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.10'
     implementation group: 'org.apache.commons', name: 'commons-math3', version: '3.6.1'

diff --git a/search-processors/build.gradle b/search-processors/build.gradle
@@ -35,8 +35,8 @@ dependencies {
     implementation project(':opensearch-ml-memory')
     implementation group: 'org.opensearch', name: 'common-utils', version: "${common_utils_version}"
     // https://mvnrepository.com/artifact/org.apache.httpcomponents.core5/httpcore5
-    implementation group: 'org.apache.httpcomponents.core5', name: 'httpcore5', version: '5.2.1'
-    implementation("com.google.guava:guava:32.0.1-jre")
+    implementation group: 'org.apache.httpcomponents.core5', name: 'httpcore5', version: '5.2.2'
+    implementation group: 'com.google.guava', name: 'guava', version: '32.1.2-jre'
     implementation group: 'org.json', name: 'json', version: '20231013'
     implementation group: 'org.apache.commons', name: 'commons-text', version: '1.10.0'
     testImplementation "org.opensearch.test:framework:${opensearch_version}"