chore(deps): use version 2.7.1 of jinjava #1152

Merged (3 commits), Feb 20, 2024

Conversation

dbyron-sf
Contributor

Here are snippets from $ ./gradlew orca-web:dependencies

before:

|    |    \--- com.hubspot.jinjava:jinjava:2.5.2
|    |         +--- org.slf4j:slf4j-api:1.7.21 -> 1.7.36
|    |         +--- com.google.guava:guava:22.0 -> 30.0-jre
|    |         |    +--- com.google.guava:failureaccess:1.0.1
|    |         |    +--- com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
|    |         |    +--- com.google.code.findbugs:jsr305:3.0.2
|    |         |    +--- org.checkerframework:checker-qual:3.5.0 -> 3.19.0
|    |         |    +--- com.google.errorprone:error_prone_annotations:2.3.4 -> 2.10.0
|    |         |    \--- com.google.j2objc:j2objc-annotations:1.3
|    |         +--- org.javassist:javassist:3.24.1-GA
|    |         +--- org.jsoup:jsoup:1.10.3
|    |         +--- com.google.re2j:re2j:1.2
|    |         +--- org.apache.commons:commons-lang3:3.5 -> 3.12.0
|    |         +--- commons-net:commons-net:3.3
|    |         +--- com.google.code.findbugs:annotations:3.0.1
|    |         +--- com.fasterxml.jackson.core:jackson-databind:2.7.9.5 -> 2.12.7.1 (*)
|    |         +--- com.fasterxml.jackson.core:jackson-core:2.7.9 -> 2.12.7 (*)
|    |         \--- ch.obermuhlner:big-math:2.0.0

after:

|    |    \--- com.hubspot.jinjava:jinjava:2.7.1
|    |         +--- org.slf4j:slf4j-api:1.7.25 -> 1.7.36
|    |         +--- com.google.guava:guava:31.1-jre -> 30.0-jre
|    |         |    +--- com.google.guava:failureaccess:1.0.1
|    |         |    +--- com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
|    |         |    +--- com.google.code.findbugs:jsr305:3.0.2
|    |         |    +--- org.checkerframework:checker-qual:3.5.0 -> 3.19.0
|    |         |    +--- com.google.errorprone:error_prone_annotations:2.3.4 -> 2.10.0
|    |         |    \--- com.google.j2objc:j2objc-annotations:1.3
|    |         +--- org.javassist:javassist:3.24.1-GA
|    |         +--- com.google.re2j:re2j:1.2
|    |         +--- org.apache.commons:commons-lang3:3.9 -> 3.12.0
|    |         +--- commons-net:commons-net:3.9.0
|    |         +--- com.googlecode.java-ipv6:java-ipv6:0.17
|    |         +--- com.google.code.findbugs:annotations:3.0.1
|    |         +--- com.fasterxml.jackson.core:jackson-annotations:2.14.0 -> 2.12.7 (*)
|    |         +--- com.fasterxml.jackson.core:jackson-databind:2.14.0 -> 2.12.7.1 (*)
|    |         +--- com.fasterxml.jackson.core:jackson-core:2.14.0 -> 2.12.7 (*)
|    |         +--- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.14.0 -> 2.12.7
|    |         |    +--- com.fasterxml.jackson.core:jackson-databind:2.12.7 -> 2.12.7.1 (*)
|    |         |    +--- org.yaml:snakeyaml:1.27
|    |         |    +--- com.fasterxml.jackson.core:jackson-core:2.12.7 (*)
|    |         |    \--- com.fasterxml.jackson:jackson-bom:2.12.7 (*)
|    |         \--- ch.obermuhlner:big-math:2.0.0

Note the following CVE exposure before this PR:

- jinjava 2.5.2
  - CVE-2020-12668, fixed in 2.5.3
  - sonatype-2021-0948, fixed in 2.5.10
- commons-net 3.3
  - CVE-2021-37533, fixed in 3.9
- jsoup 1.10.3
  - CVE-2021-37714, fixed in 1.14.2
  - CVE-2022-36033, fixed in 1.15.3

After this PR, all these are resolved. jinjava 2.7.1 brings in commons-net 3.9 and jsoup 1.15.3, though jsoup is shaded. See https://github.com/HubSpot/jinjava/blob/jinjava-2.7.1/pom.xml#L34 and https://github.com/HubSpot/jinjava/blob/jinjava-2.7.1/pom.xml#L240.

Use version 2.7.1 of jinjava since it's the first version that fixes HubSpot/jinjava#429 via HubSpot/jinjava#1008.
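As an added example (not part of this PR or of orca itself), a small Python check that parses the `gradle dependencies` tree format quoted above and flags the artifacts from the CVE list that resolve below their fix versions; the sample tree lines and the fix-version table are constructed from this PR's text, and it reads the right-hand side of `->` because that is the version Gradle actually selects.

```python
import re

# Constructed sample input in the format printed by `./gradlew orca-web:dependencies`,
# copied from the "before" tree in the PR description above (subtree lines omitted).
BEFORE_TREE = """\
|    |    \\--- com.hubspot.jinjava:jinjava:2.5.2
|    |         +--- org.slf4j:slf4j-api:1.7.21 -> 1.7.36
|    |         +--- com.google.guava:guava:22.0 -> 30.0-jre
|    |         +--- org.jsoup:jsoup:1.10.3
|    |         +--- commons-net:commons-net:3.3
|    |         +--- com.fasterxml.jackson.core:jackson-databind:2.7.9.5 -> 2.12.7.1 (*)
"""

# Minimum fixed versions taken from the CVE list in the PR description.
FIXED_IN = {
    "com.hubspot.jinjava:jinjava": ("2.5.10", ["CVE-2020-12668", "sonatype-2021-0948"]),
    "commons-net:commons-net": ("3.9", ["CVE-2021-37533"]),
    "org.jsoup:jsoup": ("1.15.3", ["CVE-2021-37714", "CVE-2022-36033"]),
}

# `+---` / `\---` node, "group:artifact:declared", optional " -> resolved"; trailing "(*)" ignored.
DEP_RE = re.compile(r"[+\\]--- (?P<ga>[^:\s]+:[^:\s]+):(?P<declared>\S+)(?: -> (?P<resolved>\S+))?")

def version_key(version):
    """Numeric tuple of the leading dotted fields; qualifiers such as '-jre' or '-GA' are dropped."""
    key = []
    for field in re.split(r"[.-]", version):
        if not field.isdigit():
            break
        key.append(int(field))
    return tuple(key)

def resolved_versions(tree_text):
    """Map 'group:artifact' to the version Gradle selected: with 'a -> b' that is b, not a."""
    versions = {}
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if m:
            versions[m["ga"]] = m["resolved"] or m["declared"]
    return versions

def vulnerable(tree_text):
    """Return (ga, resolved, fixed_in, ids) for every tracked artifact below its fix version."""
    findings = []
    for ga, version in resolved_versions(tree_text).items():
        if ga in FIXED_IN and version_key(version) < version_key(FIXED_IN[ga][0]):
            findings.append((ga, version, *FIXED_IN[ga]))
    return findings

if __name__ == "__main__":
    print(*vulnerable(BEFORE_TREE), sep="\n")
```

Shaded dependencies never appear in the tree, so this kind of check cannot see the jsoup 1.15.3 bundled inside jinjava 2.7.1; that has to be confirmed from the upstream pom, as the PR does. Conflict resolution can also pick a lower version than declared (guava 31.1-jre -> 30.0-jre in the "after" tree), which is why the resolved side matters.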
@dbyron-sf dbyron-sf added the ready to merge Approved and ready for merge label Feb 20, 2024
@mergify mergify bot added the auto merged label Feb 20, 2024
@mergify mergify bot merged commit eba9e74 into spinnaker:master Feb 20, 2024
5 checks passed
@dbyron-sf dbyron-sf deleted the jinjava-jsoup-commons-net branch February 20, 2024 06:19
Successfully merging this pull request may close these issues.

DefaultFilter stringifies null