From f64255cd48985248e7602e99568847d49b1dbb86 Mon Sep 17 00:00:00 2001
From: Xun Zhang
Date: Mon, 5 Feb 2024 14:07:26 -0800
Subject: [PATCH] fix CVE-2023-2976 and upgrade guava to be consistent (#2009) (#2013)

Signed-off-by: Xun Zhang
---
 build.gradle                   | 5 +++++
 memory/build.gradle            | 2 +-
 ml-algorithms/build.gradle     | 2 +-
 plugin/build.gradle            | 2 +-
 search-processors/build.gradle | 4 ++--
 5 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/build.gradle b/build.gradle
index 3f8dd812a7..467d853383 100644
--- a/build.gradle
+++ b/build.gradle
@@ -64,6 +64,11 @@ subprojects {
     configurations {
         testImplementation.extendsFrom compileOnly
     }
+
+    configurations.all { // Force spotless depending on newer version of guava due to CVE-2023-2976. Remove after spotless upgrades. resolutionStrategy.force "com.google.guava:guava:32.1.2-jre"
+    }
 }
 
 ext {
diff --git a/memory/build.gradle b/memory/build.gradle
index eb9763b272..67f87a1aa5 100644
--- a/memory/build.gradle
+++ b/memory/build.gradle
@@ -28,7 +28,7 @@ dependencies {
     implementation group: 'org.opensearch', name: 'opensearch', version: "${opensearch_version}"
     implementation group: 'org.apache.httpcomponents.core5', name: 'httpcore5', version: '5.2.1'
     implementation "org.opensearch:common-utils:${common_utils_version}"
-    implementation group: 'com.google.guava', name: 'guava', version: '32.0.1-jre'
+    implementation group: 'com.google.guava', name: 'guava', version: '32.1.2-jre'
     testImplementation (group: 'junit', name: 'junit', version: '4.13.2') {
         exclude module : 'hamcrest'
         exclude module : 'hamcrest-core'
diff --git a/ml-algorithms/build.gradle b/ml-algorithms/build.gradle
index bb2559b0c5..7d1b4b2ac0 100644
--- a/ml-algorithms/build.gradle
+++ b/ml-algorithms/build.gradle
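Review bot: The `force` line applies to every configuration of every subproject, not only the spotless ones the comment names, and it overrides higher versions as well as lower ones, so once spotless or any other dependency later requires a newer guava this line will silently pin it back to 32.1.2-jre. The version is also a literal repeated in five files (here and the four subproject `implementation` declarations), which is exactly the drift the commit title is fixing; the same drift is already visible for httpcore5, where search-processors moves to 5.2.2 while memory/build.gradle keeps 5.2.1 in its context lines. Declaring it once, for example `guava_version = '32.1.2-jre'` in the root `ext` block that follows this hunk (evaluation order permitting) and `resolutionStrategy.force "com.google.guava:guava:${guava_version}"`, keeps the next advisory bump to a single edit. The `// Remove after spotless upgrades.` comment should point at a tracking reference, such as `// TODO(<tracking-issue>): remove once spotless no longer pulls in guava below 32.1.2-jre`, so the pin is revisited rather than forgotten.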
@@ -42,7 +42,7 @@ dependencies {
     implementation group: 'io.protostuff', name: 'protostuff-collectionschema', version: '1.8.0'
     testImplementation group: 'junit', name: 'junit', version: '4.13.2'
     testImplementation group: 'org.mockito', name: 'mockito-core', version: '5.7.0'
-    implementation group: 'com.google.guava', name: 'guava', version: '32.0.1-jre'
+    implementation group: 'com.google.guava', name: 'guava', version: '32.1.2-jre'
     implementation group: 'com.google.code.gson', name: 'gson', version: '2.10.1'
     implementation platform("ai.djl:bom:0.21.0")
     implementation group: 'ai.djl.pytorch', name: 'pytorch-model-zoo', version: '0.21.0'
diff --git a/plugin/build.gradle b/plugin/build.gradle
index 67c2640e58..9fd9a4e6ed 100644
--- a/plugin/build.gradle
+++ b/plugin/build.gradle
@@ -57,7 +57,7 @@ dependencies {
     implementation "org.opensearch:common-utils:${common_utils_version}"
     implementation("com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}")
     implementation("com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}")
-    implementation group: 'com.google.guava', name: 'guava', version: '32.0.1-jre'
+    implementation group: 'com.google.guava', name: 'guava', version: '32.1.2-jre'
     implementation group: 'com.google.code.gson', name: 'gson', version: '2.10.1'
     implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.10'
     implementation group: 'org.apache.commons', name: 'commons-math3', version: '3.6.1'
diff --git a/search-processors/build.gradle b/search-processors/build.gradle
index 394b45c9f2..cbb7e045bc 100644
--- a/search-processors/build.gradle
+++ b/search-processors/build.gradle
@@ -35,8 +35,8 @@ dependencies {
     implementation project(':opensearch-ml-memory')
     implementation group: 'org.opensearch', name: 'common-utils', version: "${common_utils_version}"
     // https://mvnrepository.com/artifact/org.apache.httpcomponents.core5/httpcore5
-    implementation group: 'org.apache.httpcomponents.core5', name: 'httpcore5', version: '5.2.1'
-    implementation("com.google.guava:guava:32.0.1-jre")
+    implementation group: 'org.apache.httpcomponents.core5', name: 'httpcore5', version: '5.2.2'
+    implementation group: 'com.google.guava', name: 'guava', version: '32.1.2-jre'
     implementation group: 'org.json', name: 'json', version: '20231013'
     implementation group: 'org.apache.commons', name: 'commons-text', version: '1.10.0'
     testImplementation "org.opensearch.test:framework:${opensearch_version}"