Merge pull request #293 from okhasawn/mend-fixes

MIGRATIONS-1296 - Fix mend security issues
opensearch-project · Sep 6, 2023 · bcc4998 · bcc4998
2 parents d5444e5 + a708c59
commit bcc4998
Show file tree

Hide file tree

Showing 5 changed files with 50 additions and 16 deletions.
diff --git a/TrafficCapture/buildSrc/src/main/groovy/org/opensearch/migrations/common/CommonUtils.groovy b/TrafficCapture/buildSrc/src/main/groovy/org/opensearch/migrations/common/CommonUtils.groovy
@@ -75,7 +75,7 @@ class CommonConfigurations {
     static void applyCommonConfigurations(Project project) {
         project.configurations.all {
             resolutionStrategy.dependencySubstitution {
-                substitute module('org.apache.xmlgraphics:batik-codec') using module('org.apache.xmlgraphics:batik-all:1.15')
+                substitute module('org.apache.xmlgraphics:batik-codec') using module('org.apache.xmlgraphics:batik-all:1.17')
             }
         }
     }

diff --git a/TrafficCapture/captureKafkaOffloader/build.gradle b/TrafficCapture/captureKafkaOffloader/build.gradle
@@ -13,8 +13,8 @@ dependencies {
     implementation project(':captureOffloader')
     implementation 'org.projectlombok:lombok:1.18.26'
     implementation 'com.google.protobuf:protobuf-java:3.22.2'
-    implementation 'org.apache.kafka:kafka-clients:3.5.0'
-    implementation 'software.amazon.msk:aws-msk-iam-auth:1.1.7'
+    implementation 'org.apache.kafka:kafka-clients:3.5.1'
+    implementation 'software.amazon.msk:aws-msk-iam-auth:1.1.9'
     implementation 'org.slf4j:slf4j-api:2.0.7'
     testImplementation project(':captureProtobufs')
     testImplementation 'org.mockito:mockito-core:4.6.1'

diff --git a/TrafficCapture/testUtilities/build.gradle b/TrafficCapture/testUtilities/build.gradle
@@ -29,7 +29,7 @@ spotbugs {
 }
 
 checkstyle {
-    toolVersion = '10.9.3'
+    toolVersion = '10.12.3'
     configFile = new File(rootDir, 'config/checkstyle/checkstyle.xml')
     System.setProperty('checkstyle.cache.file', String.format('%s/%s',
             buildDir, 'checkstyle.cachefile'))
@@ -40,12 +40,14 @@ repositories {
 }
 
 dependencies {
+    spotbugs 'com.github.spotbugs:spotbugs:4.7.3'
+
     implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.15.0'
     implementation group: 'com.google.guava', name: 'guava', version: '32.0.1-jre'
     implementation group: 'io.netty', name: 'netty-all', version: '4.1.89.Final'
     implementation group: 'org.apache.httpcomponents.client5', name: 'httpclient5', version: '5.2.1'
-    implementation group: 'org.bouncycastle', name: 'bcprov-jdk15on', version: '1.68'
-    implementation group: 'org.bouncycastle', name: 'bcpkix-jdk15on', version: '1.68'
+    implementation group: 'org.bouncycastle', name: 'bcprov-jdk18on', version: '1.74'
+    implementation group: 'org.bouncycastle', name: 'bcpkix-jdk18on', version: '1.74'
     implementation group: 'org.projectlombok', name: 'lombok', version: '1.18.22'
     implementation group: 'org.slf4j', name: 'slf4j-api', version: '2.0.7'
 

diff --git a/TrafficCapture/trafficReplayer/build.gradle b/TrafficCapture/trafficReplayer/build.gradle
@@ -19,7 +19,7 @@ buildscript {
 plugins {
     id 'org.opensearch.migrations.java-application-conventions'
     id "com.github.spotbugs" version "4.7.3"
-//    id 'checkstyle'
+    id 'checkstyle'
     id 'org.owasp.dependencycheck' version '8.2.1'
     id "io.freefair.lombok" version "8.0.1"
 }
@@ -28,18 +28,20 @@ spotbugs {
     includeFilter = new File(rootDir, 'config/spotbugs/spotbugs-include.xml')
 }
 
-//checkstyle {
-//    toolVersion = '10.9.3'
-//    configFile = new File(rootDir, 'config/checkstyle/checkstyle.xml')
-//    System.setProperty('checkstyle.cache.file', String.format('%s/%s',
-//            buildDir, 'checkstyle.cachefile'))
-//}
+checkstyle {
+    toolVersion = '10.12.3'
+    configFile = new File(rootDir, 'config/checkstyle/checkstyle.xml')
+    System.setProperty('checkstyle.cache.file', String.format('%s/%s',
+            buildDir, 'checkstyle.cachefile'))
+}
 
 repositories {
     mavenCentral()
 }
 
 dependencies {
+    spotbugs 'com.github.spotbugs:spotbugs:4.7.3'
+
     implementation project(':captureProtobufs')
 
     implementation 'software.amazon.awssdk:sdk-core:2.20.102'
@@ -55,19 +57,49 @@ dependencies {
     implementation group: 'org.json', name: 'json', version: '20230227'
     implementation group: 'org.projectlombok', name: 'lombok', version: '1.18.22'
 
-    implementation group: 'org.apache.kafka', name: 'kafka-clients', version: '3.5.0'
+    implementation group: 'org.apache.kafka', name: 'kafka-clients', version: '3.5.1'
     implementation group: 'org.apache.logging.log4j', name: 'log4j-api', version: '2.20.0'
     implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version: '2.20.0'
     implementation group: 'org.apache.logging.log4j', name: 'log4j-slf4j2-impl', version: '2.20.0'
     implementation group: 'org.slf4j', name: 'slf4j-api', version: '2.0.7'
-    implementation group: 'software.amazon.msk', name: 'aws-msk-iam-auth', version: '1.1.7'
+    implementation group: 'software.amazon.msk', name: 'aws-msk-iam-auth', version: '1.1.9'
 
     testImplementation project(':testUtilities')
     testImplementation group: 'org.apache.httpcomponents.client5', name: 'httpclient5', version: '5.2.1'
     testImplementation 'org.mockito:mockito-core:4.6.1'
     testImplementation 'org.mockito:mockito-junit-jupiter:4.6.1'
 }
 
+def isRequestedVersionOlder(String requested, String target) {
+    def requestedParts = requested.split('\\.')*.toInteger()
+    def targetParts = target.split('\\.')*.toInteger()
+
+    for (int i = 0; i < 3; i++) {
+        if (requestedParts[i] < targetParts[i]) {
+            return false
+        } else if (requestedParts[i] > targetParts[i]) {
+            return true
+        }
+    }
+}
+
+configurations.all {
+    resolutionStrategy.eachDependency { DependencyResolveDetails details ->
+        if (details.requested.group == 'org.apache.commons' && details.requested.name == 'commons-text') {
+            def targetVersion = '1.10.0'
+            if (isRequestedVersionOlder(details.requested.version, targetVersion) != true) {
+                details.useVersion targetVersion
+            }
+        }
+        if (details.requested.group == 'org.apache.bcel' && details.requested.name == 'bcel') {
+            def targetVersion = '6.7.0'
+            if (isRequestedVersionOlder(details.requested.version, targetVersion) != true) {
+                details.useVersion targetVersion
+            }
+        }
+    }
+}
+
 application {
     mainClass = 'org.opensearch.migrations.replay.TrafficReplayer'
 }

diff --git a/test/requirements.txt b/test/requirements.txt
@@ -1,4 +1,4 @@
-certifi==2023.5.7
+certifi==2023.7.22
 charset-normalizer==3.1.0
 idna==3.4
 iniconfig==2.0.0