[NO ISSUE][MISC] override org.codehaus.jettison:jettison to avoid CVEs
Change-Id: Ida41aaddb65405516c3baeea9de4bbf21a0f0e41
Reviewed-on: https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/17842
Integration-Tests: Jenkins <jenkins@fulliautomatix.ics.uci.edu>
Reviewed-by: Michael Blow <mblow@apache.org>
Reviewed-by: Hussain Towaileb <hussainht@gmail.com>
Tested-by: Michael Blow <mblow@apache.org>
diff --git a/asterixdb/asterix-external-data/pom.xml b/asterixdb/asterix-external-data/pom.xml
index de14287..fbb1751 100644
--- a/asterixdb/asterix-external-data/pom.xml
+++ b/asterixdb/asterix-external-data/pom.xml
@@ -546,6 +546,11 @@
<groupId>net.minidev</groupId>
<artifactId>json-smart</artifactId>
</dependency>
+ <!-- Manually overridden to avoid CVE-2023-1436, CVE-2022-45693, CVE-2022-45685, CVE-2022-40150, CVE-2022-40149 -->
+ <dependency>
+ <groupId>org.codehaus.jettison</groupId>
+ <artifactId>jettison</artifactId>
+ </dependency>
</dependencies>
<!-- apply patch for HADOOP-17225 to workaround CVE-2019-10172 -->
<repositories>
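Review bot: The comment above the new dependency records which CVEs motivate the override but not that the declaration is itself load-bearing: with Hadoop's transitive jettison excluded in asterixdb/pom.xml by this same change, deleting this entry later would drop jettison from the classpath entirely rather than fall back to the Hadoop-supplied version. The comment also gives no pointer to where the version actually lives, since this module declares none. Suggest extending it to `<!-- Manually overridden to avoid CVE-2023-1436, CVE-2022-45693, CVE-2022-45685, CVE-2022-40150, CVE-2022-40149. Version is pinned in asterixdb/pom.xml dependencyManagement and Hadoop's transitive copy is excluded there, so this entry must stay. -->`. The enclosing `<dependencies>` element begins before this hunk.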
diff --git a/asterixdb/pom.xml b/asterixdb/pom.xml
index b2d8831..dee21dc 100644
--- a/asterixdb/pom.xml
+++ b/asterixdb/pom.xml
@@ -1017,6 +1017,10 @@
<version>${hadoop.version}</version>
<exclusions>
<exclusion>
+ <groupId>org.codehaus.jettison</groupId>
+ <artifactId>jettison</artifactId>
+ </exclusion>
+ <exclusion>
<groupId>net.minidev</groupId>
<artifactId>json-smart</artifactId>
</exclusion>
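Review bot: The new jettison exclusion is added to a single managed Hadoop dependency whose coordinates start before this hunk, while the later hunk in the same file shows further `${hadoop.version}` artifacts (up to the "Hadoop Azure end" marker) that are not shown receiving the same exclusion. Because the same change pins jettison to 1.5.4 in dependencyManagement, any transitive copy those artifacts still bring in would presumably resolve to 1.5.4 as well, so this looks like an inconsistency rather than remaining exposure; it is hard to confirm from the visible lines. If the intent is that jettison reaches the classpath only through the explicit declaration, the exclusion belongs on every Hadoop artifact that carries it, otherwise a short comment such as `<!-- jettison is pinned via dependencyManagement; excluded here only to make the override explicit -->` would say why this one is singled out.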
@@ -1959,6 +1963,11 @@
<version>${hadoop.version}</version>
</dependency>
<!-- Hadoop Azure end -->
+ <dependency>
+ <groupId>org.codehaus.jettison</groupId>
+ <artifactId>jettison</artifactId>
+ <version>1.5.4</version>
+ </dependency>
</dependencies>
</dependencyManagement>
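Review bot: The jettison version is hard-coded as `1.5.4` here and again as the `license.ignoreMissingEmbeddedNotice` value in the supplemental-models.xml hunk of this change, so the next CVE-driven bump must be made in two places and the second appears to be keyed to the exact version, meaning a stale copy would fail quietly at license-check time rather than at build time. The neighbouring entries use `${hadoop.version}`, so the consistent fix is a `<jettison.version>1.5.4</jettison.version>` property in the parent `<properties>` block (outside this hunk) referenced as `<version>${jettison.version}</version>` here. If the supplemental model cannot consume that property, a comment on each literal pointing to the other would at least make the coupling visible. The enclosing `<dependencies>` and `<dependencyManagement>` elements begin before this hunk.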
diff --git a/asterixdb/src/main/appended-resources/supplemental-models.xml b/asterixdb/src/main/appended-resources/supplemental-models.xml
index e31de23..877a843 100644
--- a/asterixdb/src/main/appended-resources/supplemental-models.xml
+++ b/asterixdb/src/main/appended-resources/supplemental-models.xml
@@ -2104,4 +2104,15 @@
</properties>
</project>
</supplement>
+
+ <!-- Contains embedded LICENSE but missing NOTICE -->
+ <supplement>
+ <project>
+ <groupId>org.codehaus.jettison</groupId>
+ <artifactId>jettison</artifactId>
+ <properties>
+ <license.ignoreMissingEmbeddedNotice>1.5.4</license.ignoreMissingEmbeddedNotice>
+ </properties>
+ </project>
+ </supplement>
</supplementalDataModels>