[NO ISSUE][*DB]: Update smart-json to avoid encountered CVE
Details:
- This change updates json-smart to avoid CVE-2023-1370:
json-smart 2.4.7 -> 2.4.11
Change-Id: I6cceff58ae80042c1421de4acb97dbfa3549168a
Reviewed-on: https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/17548
Integration-Tests: Jenkins <jenkins@fulliautomatix.ics.uci.edu>
Tested-by: Jenkins <jenkins@fulliautomatix.ics.uci.edu>
Reviewed-by: Hussain Towaileb <hussainht@gmail.com>
Reviewed-by: Michael Blow <mblow@apache.org>
diff --git a/asterixdb/asterix-external-data/pom.xml b/asterixdb/asterix-external-data/pom.xml
index 068e294..f8a4401 100644
--- a/asterixdb/asterix-external-data/pom.xml
+++ b/asterixdb/asterix-external-data/pom.xml
@@ -546,6 +546,11 @@
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-util-ajax</artifactId>
</dependency>
+ <!-- Manually included to avoid CVE-2023-1370 -->
+ <dependency>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </dependency>
</dependencies>
<!-- apply patch for HADOOP-17225 to workaround CVE-2019-10172 -->
<repositories>
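Review bot: The comment on the new dependency says only that it was "manually included", which does not tell a later maintainer why a direct declaration of json-smart is needed in this module. Since the same commit excludes json-smart from the hadoop transitive dependencies, the direct declaration appears to be what puts the fixed version back on the classpath; the version itself is not in this hunk, so it presumably resolves through dependencyManagement in a parent pom. Suggest replacing the comment with `<!-- json-smart is excluded from the hadoop transitive deps; declared directly so the managed 2.4.11 (CVE-2023-1370 fix) is what ends up on the classpath -->`. The enclosing `<dependencies>` element starts outside the hunk.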
diff --git a/asterixdb/asterix-server/pom.xml b/asterixdb/asterix-server/pom.xml
index fb1c2f1..2ab0e5f 100644
--- a/asterixdb/asterix-server/pom.xml
+++ b/asterixdb/asterix-server/pom.xml
@@ -309,7 +309,7 @@
<url>https://raw.githubusercontent.com/codehaus/stax/master/dev/ASF2.0.txt</url>
</override>
<override>
- <gav>org.ow2.asm:asm:9.1</gav>
+ <gav>org.ow2.asm:asm:9.3</gav>
<url>https://raw.githubusercontent.com/llbit/ow2-asm/master/LICENSE.txt</url>
</override>
<override>
diff --git a/asterixdb/pom.xml b/asterixdb/pom.xml
index 45f1986..3610b19 100644
--- a/asterixdb/pom.xml
+++ b/asterixdb/pom.xml
@@ -1020,6 +1020,10 @@
<version>${hadoop.version}</version>
<exclusions>
<exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
+ <exclusion>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
</exclusion>
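Review bot: The new exclusions of net.minidev:json-smart carry no inline reason, unlike the `<!-- apply patch for HADOOP-17225 to workaround CVE-2019-10172 -->` style this build uses for other CVE workarounds; the same applies to the hunks at @@ -1112 and @@ -1645 below and to the exclusions in hyracks-hdfs/pom.xml and hyracks-fullstack/pom.xml. Suggest `<!-- json-smart excluded here; a fixed version (2.4.11, CVE-2023-1370) is declared explicitly instead -->` on the first exclusion of each group. Note that an exclusion removes the artifact entirely for any module that does not re-declare json-smart, so if hadoop classes loaded at runtime still need it the classpath will be missing it rather than carrying the fixed version; worth confirming the resulting tree with `mvn dependency:tree -Dincludes=net.minidev` in the affected modules. The enclosing `<dependency>` elements start outside each hunk.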
@@ -1112,6 +1116,10 @@
<classifier>tests</classifier>
<exclusions>
<exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
+ <exclusion>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
</exclusion>
@@ -1645,6 +1653,10 @@
<version>1.4.1</version>
<exclusions>
<exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
+ <exclusion>
<groupId>io.netty</groupId>
<artifactId>netty-handler</artifactId>
</exclusion>
diff --git a/asterixdb/src/main/appended-resources/supplemental-models.xml b/asterixdb/src/main/appended-resources/supplemental-models.xml
index 18508ef6..1a97cbf 100644
--- a/asterixdb/src/main/appended-resources/supplemental-models.xml
+++ b/asterixdb/src/main/appended-resources/supplemental-models.xml
@@ -1090,8 +1090,8 @@
<groupId>net.minidev</groupId>
<artifactId>json-smart</artifactId>
<properties>
- <license.ignoreMissingEmbeddedLicense>2.4.7</license.ignoreMissingEmbeddedLicense>
- <license.ignoreMissingEmbeddedNotice>2.4.7</license.ignoreMissingEmbeddedNotice>
+ <license.ignoreMissingEmbeddedLicense>2.4.11</license.ignoreMissingEmbeddedLicense>
+ <license.ignoreMissingEmbeddedNotice>2.4.11</license.ignoreMissingEmbeddedNotice>
</properties>
</project>
</supplement>
@@ -1102,8 +1102,8 @@
<groupId>net.minidev</groupId>
<artifactId>accessors-smart</artifactId>
<properties>
- <license.ignoreMissingEmbeddedLicense>2.4.7</license.ignoreMissingEmbeddedLicense>
- <license.ignoreMissingEmbeddedNotice>2.4.7</license.ignoreMissingEmbeddedNotice>
+ <license.ignoreMissingEmbeddedLicense>2.4.11</license.ignoreMissingEmbeddedLicense>
+ <license.ignoreMissingEmbeddedNotice>2.4.11</license.ignoreMissingEmbeddedNotice>
</properties>
</project>
</supplement>
@@ -1113,9 +1113,9 @@
<groupId>org.ow2.asm</groupId>
<artifactId>asm</artifactId>
<properties>
- <license.ignoreMissingEmbeddedLicense>9.1</license.ignoreMissingEmbeddedLicense>
- <license.ignoreMissingEmbeddedNotice>9.1</license.ignoreMissingEmbeddedNotice>
- <license.ignoreLicenseOverride>9.1</license.ignoreLicenseOverride>
+ <license.ignoreMissingEmbeddedLicense>9.3</license.ignoreMissingEmbeddedLicense>
+ <license.ignoreMissingEmbeddedNotice>9.3</license.ignoreMissingEmbeddedNotice>
+ <license.ignoreLicenseOverride>9.3</license.ignoreLicenseOverride>
</properties>
</project>
</supplement>
diff --git a/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml b/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
index b16904d..816746c 100644
--- a/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
+++ b/hyracks-fullstack/hyracks/hyracks-hdfs/pom.xml
@@ -183,6 +183,10 @@
<scope>test</scope>
<exclusions>
<exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
+ <exclusion>
<groupId>log4j</groupId>
<artifactId>log4j</artifactId>
</exclusion>
diff --git a/hyracks-fullstack/pom.xml b/hyracks-fullstack/pom.xml
index 69a8279..9ef0212 100644
--- a/hyracks-fullstack/pom.xml
+++ b/hyracks-fullstack/pom.xml
@@ -156,6 +156,10 @@
<version>${hadoop.version}</version>
<exclusions>
<exclusion>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ </exclusion>
+ <exclusion>
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
</exclusion>
@@ -472,6 +476,12 @@
<artifactId>jetty-util-ajax</artifactId>
<version>9.4.48.v20220622</version>
</dependency>
+ <!-- Manually included to avoid CVE-2023-1370 -->
+ <dependency>
+ <groupId>net.minidev</groupId>
+ <artifactId>json-smart</artifactId>
+ <version>2.4.11</version>
+ </dependency>
</dependencies>
</dependencyManagement>
<build>
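Review bot: The managed json-smart version is a bare literal `2.4.11` with a comment that names the CVE but not why the entry is needed, so a later hadoop.version bump could silently reintroduce an older json-smart through a transitive path these exclusions do not cover. Suggest a comment such as `<!-- Pinned because json-smart is excluded from the hadoop transitive deps above; keep >= 2.4.11 (CVE-2023-1370) -->`, and, to make such a regression fail the build rather than wait for a scanner, consider a maven-enforcer-plugin bannedDependencies rule with the pattern `net.minidev:json-smart:[,2.4.11)`. Whether this pom already configures the enforcer plugin is not visible in the hunk. The enclosing `<dependencyManagement>` element starts outside the hunk.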