Updating dependencies (guava and what brought in older guava) to get …

…rid of the guava-related CVE-2018-10237 and CVE-2020-8908 (apache#13716) * Updating dependencies (guava and what brought in older guava) to get rid of the guava-related CVE-2018-10237 and CVE-2020-8908 * testng 7.5 isn't compatible with current powermock powermock/powermock#1118 * Upgraded canal to 1.1.5, excluded logback, and upgraded spring that canal uses to get rid of multiple CVEs
drianpauL · Jan 21, 2022 · 8083333 · 8083333
1 parent bef3071
commit 8083333
Show file tree

Hide file tree

Showing 8 changed files with 277 additions and 150 deletions.
diff --git a/distribution/server/src/assemble/LICENSE.bin.txt b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -328,7 +328,7 @@ The Apache Software License, Version 2.0
     - com.google.code.gson-gson-2.8.9.jar
     - io.gsonfire-gson-fire-1.8.5.jar
  * Guava
-    - com.google.guava-guava-30.1-jre.jar
+    - com.google.guava-guava-31.0.1-jre.jar
     - com.google.guava-failureaccess-1.0.1.jar
     - com.google.guava-listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
  * J2ObjC Annotations -- com.google.j2objc-j2objc-annotations-1.3.jar
@@ -426,25 +426,25 @@ The Apache Software License, Version 2.0
     - org.asynchttpclient-async-http-client-2.12.1.jar
     - org.asynchttpclient-async-http-client-netty-utils-2.12.1.jar
  * Jetty
-    - org.eclipse.jetty-jetty-client-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-continuation-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-http-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-io-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-proxy-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-security-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-server-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-servlet-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-servlets-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-util-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-util-ajax-9.4.43.v20210629.jar
-    - org.eclipse.jetty.websocket-javax-websocket-client-impl-9.4.43.v20210629.jar
-    - org.eclipse.jetty.websocket-websocket-api-9.4.43.v20210629.jar
-    - org.eclipse.jetty.websocket-websocket-client-9.4.43.v20210629.jar
-    - org.eclipse.jetty.websocket-websocket-common-9.4.43.v20210629.jar
-    - org.eclipse.jetty.websocket-websocket-server-9.4.43.v20210629.jar
-    - org.eclipse.jetty.websocket-websocket-servlet-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-alpn-conscrypt-server-9.4.43.v20210629.jar
-    - org.eclipse.jetty-jetty-alpn-server-9.4.43.v20210629.jar
+    - org.eclipse.jetty-jetty-client-9.4.44.v20210927.jar
+    - org.eclipse.jetty-jetty-continuation-9.4.44.v20210927.jar
+    - org.eclipse.jetty-jetty-http-9.4.44.v20210927.jar
+    - org.eclipse.jetty-jetty-io-9.4.44.v20210927.jar
+    - org.eclipse.jetty-jetty-proxy-9.4.44.v20210927.jar
+    - org.eclipse.jetty-jetty-security-9.4.44.v20210927.jar
+    - org.eclipse.jetty-jetty-server-9.4.44.v20210927.jar
+    - org.eclipse.jetty-jetty-servlet-9.4.44.v20210927.jar
+    - org.eclipse.jetty-jetty-servlets-9.4.44.v20210927.jar
+    - org.eclipse.jetty-jetty-util-9.4.44.v20210927.jar
+    - org.eclipse.jetty-jetty-util-ajax-9.4.44.v20210927.jar
+    - org.eclipse.jetty.websocket-javax-websocket-client-impl-9.4.44.v20210927.jar
+    - org.eclipse.jetty.websocket-websocket-api-9.4.44.v20210927.jar
+    - org.eclipse.jetty.websocket-websocket-client-9.4.44.v20210927.jar
+    - org.eclipse.jetty.websocket-websocket-common-9.4.44.v20210927.jar
+    - org.eclipse.jetty.websocket-websocket-server-9.4.44.v20210927.jar
+    - org.eclipse.jetty.websocket-websocket-servlet-9.4.44.v20210927.jar
+    - org.eclipse.jetty-jetty-alpn-conscrypt-server-9.4.44.v20210927.jar
+    - org.eclipse.jetty-jetty-alpn-server-9.4.44.v20210927.jar
  * SnakeYaml -- org.yaml-snakeyaml-1.30.jar
  * RocksDB - org.rocksdb-rocksdbjni-6.10.2.jar
  * Google Error Prone Annotations - com.google.errorprone-error_prone_annotations-2.5.1.jar
@@ -545,7 +545,7 @@ MIT License
     - org.slf4j-slf4j-api-1.7.32.jar
     - org.slf4j-jcl-over-slf4j-1.7.32.jar
  * The Checker Framework
-    - org.checkerframework-checker-qual-3.5.0.jar
+    - org.checkerframework-checker-qual-3.12.0.jar
 
 Protocol Buffers License
  * Protocol Buffers

diff --git a/pom.xml b/pom.xml
@@ -110,7 +110,7 @@ flexible messaging model and an intuitive client API.</description>
     <curator.version>5.1.0</curator.version>
     <netty.version>4.1.72.Final</netty.version>
     <netty-tc-native.version>2.0.46.Final</netty-tc-native.version>
-    <jetty.version>9.4.43.v20210629</jetty.version>
+    <jetty.version>9.4.44.v20210927</jetty.version>
     <conscrypt.version>2.5.2</conscrypt.version>
     <jersey.version>2.34</jersey.version>
     <athenz.version>1.10.9</athenz.version>
@@ -160,11 +160,11 @@ flexible messaging model and an intuitive client API.</description>
     <debezium.version>1.7.1.Final</debezium.version>
     <jsonwebtoken.version>0.11.1</jsonwebtoken.version>
     <opencensus.version>0.18.0</opencensus.version>
-    <hbase.version>2.3.0</hbase.version>
-    <guava.version>30.1-jre</guava.version>
+    <hbase.version>2.4.9</hbase.version>
+    <guava.version>31.0.1-jre</guava.version>
     <jcip.version>1.0</jcip.version>
     <prometheus-jmx.version>0.14.0</prometheus-jmx.version>
-    <confluent.version>5.3.2</confluent.version>
+    <confluent.version>7.0.1</confluent.version>
     <kafka.confluent.schemaregistryclient.version>5.3.0</kafka.confluent.schemaregistryclient.version>
     <kafka.confluent.avroserializer.version>5.3.0</kafka.confluent.avroserializer.version>
     <kafka-avro-convert-jackson.version>1.9.13</kafka-avro-convert-jackson.version>
@@ -577,26 +577,10 @@ flexible messaging model and an intuitive client API.</description>
 
       <dependency>
         <groupId>org.eclipse.jetty</groupId>
-        <artifactId>jetty-servlet</artifactId>
-        <version>${jetty.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>org.eclipse.jetty</groupId>
-        <artifactId>jetty-servlets</artifactId>
-        <version>${jetty.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>org.eclipse.jetty</groupId>
-        <artifactId>jetty-proxy</artifactId>
-        <version>${jetty.version}</version>
-      </dependency>
-
-      <dependency>
-        <groupId>org.eclipse.jetty</groupId>
-        <artifactId>jetty-util</artifactId>
+        <artifactId>jetty-bom</artifactId>
         <version>${jetty.version}</version>
+        <type>pom</type>
+        <scope>import</scope>
       </dependency>
 
       <dependency>

diff --git a/pulsar-io/canal/pom.xml b/pulsar-io/canal/pom.xml
@@ -32,6 +32,11 @@
     <artifactId>pulsar-io-canal</artifactId>
     <name>Pulsar IO :: Canal</name>
 
+    <properties>
+        <spring.version>5.0.20.RELEASE</spring.version>
+        <canal.version>1.1.5</canal.version>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>${project.groupId}</groupId>
@@ -52,11 +57,54 @@
             <artifactId>fastjson</artifactId>
             <version>1.2.73</version>
         </dependency>
+
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-core</artifactId>
+            <version>${spring.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-aop</artifactId>
+            <version>${spring.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-context</artifactId>
+            <version>${spring.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-jdbc</artifactId>
+            <version>${spring.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-orm</artifactId>
+            <version>${spring.version}</version>
+        </dependency>
+
+        <dependency>
+            <groupId>com.alibaba.otter</groupId>
+            <artifactId>canal.protocol</artifactId>
+            <version>${canal.version}</version>
+        </dependency>
         <dependency>
             <groupId>com.alibaba.otter</groupId>
             <artifactId>canal.client</artifactId>
-            <version>1.1.4</version>
+            <version>${canal.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>ch.qos.logback</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.springframework</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
+
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>
             <artifactId>log4j-core</artifactId>

diff --git a/pulsar-io/flume/pom.xml b/pulsar-io/flume/pom.xml
@@ -31,6 +31,10 @@
     <artifactId>pulsar-io-flume</artifactId>
     <name>Pulsar IO :: Flume</name>
 
+    <properties>
+        <avro.version>1.8.2</avro.version>
+    </properties>
+
     <dependencies>
         <dependency>
             <groupId>${project.groupId}</groupId>
@@ -54,8 +58,8 @@
             <type>pom</type>
             <exclusions>
                 <exclusion>
-                    <artifactId>avro-ipc</artifactId>
                     <groupId>org.apache.avro</groupId>
+                    <artifactId>avro-ipc</artifactId>
                 </exclusion>
                 <exclusion>
                     <artifactId>avro</artifactId>
@@ -66,12 +70,27 @@
         <dependency>
             <groupId>org.apache.avro</groupId>
             <artifactId>avro</artifactId>
-            <version>1.8.1</version>
+            <version>${avro.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>commons-lang</groupId>
+            <artifactId>commons-lang</artifactId>
+            <version>2.6</version>
         </dependency>
         <dependency>
             <groupId>org.apache.avro</groupId>
             <artifactId>avro-ipc</artifactId>
-            <version>1.8.1</version>
+            <version>${avro.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.mortbay.jetty</groupId>
+                    <artifactId>servlet-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>io.netty</groupId>
+                    <artifactId>netty</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>org.apache.curator</groupId>
@@ -106,7 +125,7 @@
         <dependency>
             <groupId>com.google.guava</groupId>
             <artifactId>guava</artifactId>
-            <version>18.0</version>
+            <version>${guava.version}</version>
         </dependency>
     </dependencies>
 

diff --git a/pulsar-sql/presto-distribution/LICENSE b/pulsar-sql/presto-distribution/LICENSE
@@ -221,7 +221,7 @@ The Apache Software License, Version 2.0
     - jackson-module-jaxb-annotations-2.12.6.jar
     - jackson-module-jsonSchema-2.12.6.jar
  * Guava
-    - guava-30.1-jre.jar
+    - guava-31.0.1-jre.jar
     - listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
     - failureaccess-1.0.1.jar
  * Google Guice
@@ -255,22 +255,22 @@ The Apache Software License, Version 2.0
  * Joda Time
     - joda-time-2.10.5.jar
   * Jetty
-    - http2-client-9.4.43.v20210629.jar
-    - http2-common-9.4.43.v20210629.jar
-    - http2-hpack-9.4.43.v20210629.jar
-    - http2-http-client-transport-9.4.43.v20210629.jar
-    - jetty-alpn-client-9.4.43.v20210629.jar
-    - http2-server-9.4.43.v20210629.jar
-    - jetty-alpn-java-client-9.4.43.v20210629.jar
-    - jetty-client-9.4.43.v20210629.jar
-    - jetty-http-9.4.43.v20210629.jar
-    - jetty-io-9.4.43.v20210629.jar
-    - jetty-jmx-9.4.43.v20210629.jar
-    - jetty-security-9.4.43.v20210629.jar
-    - jetty-server-9.4.43.v20210629.jar
-    - jetty-servlet-9.4.43.v20210629.jar
-    - jetty-util-9.4.43.v20210629.jar
-    - jetty-util-ajax-9.4.43.v20210629.jar
+    - http2-client-9.4.44.v20210927.jar
+    - http2-common-9.4.44.v20210927.jar
+    - http2-hpack-9.4.44.v20210927.jar
+    - http2-http-client-transport-9.4.44.v20210927.jar
+    - jetty-alpn-client-9.4.44.v20210927.jar
+    - http2-server-9.4.44.v20210927.jar
+    - jetty-alpn-java-client-9.4.44.v20210927.jar
+    - jetty-client-9.4.44.v20210927.jar
+    - jetty-http-9.4.44.v20210927.jar
+    - jetty-io-9.4.44.v20210927.jar
+    - jetty-jmx-9.4.44.v20210927.jar
+    - jetty-security-9.4.44.v20210927.jar
+    - jetty-server-9.4.44.v20210927.jar
+    - jetty-servlet-9.4.44.v20210927.jar
+    - jetty-util-9.4.44.v20210927.jar
+    - jetty-util-ajax-9.4.44.v20210927.jar
   * Apache BVal
     - bval-jsr-2.0.0.jar
   * Bytecode
@@ -490,7 +490,7 @@ MIT License
  * JUL to SLF4J Bridge
    - jul-to-slf4j-1.7.32.jar
  * Checker Qual
-   - checker-qual-3.5.0.jar
+   - checker-qual-3.12.0.jar 
 
 CDDL - 1.0
  * OSGi Resource Locator

diff --git a/pulsar-sql/presto-distribution/pom.xml b/pulsar-sql/presto-distribution/pom.xml
@@ -44,7 +44,7 @@
     <!--https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html-->
     <jackson.databind.version>2.12.6</jackson.databind.version>
     <maven.version>3.0.5</maven.version>
-    <guava.version>30.1-jre</guava.version>
+    <guava.version>31.0.1-jre</guava.version>
     <asynchttpclient.version>2.12.1</asynchttpclient.version>
     <errorprone.version>2.5.1</errorprone.version>
     <javax.servlet-api>4.0.1</javax.servlet-api>