From 80d297b15d649f572bdbc56859b4099631f33c57 Mon Sep 17 00:00:00 2001
From: Chad Wilson
Date: Wed, 30 Mar 2022 23:43:55 +1300
Subject: [PATCH] Bump jackson-databind to 2.13.2.2 via switching to BOM
Individual libs in Jackson don't necessarily all get released at the same time. The BOM is the right way to ensure versions are all on latest. In this case, to get a CVE patched within databind. See https://github.com/FasterXML/jackson-databind/issues/3428 for more detail
---
 agent/build.gradle | 6 +++---
 base/build.gradle | 4 ++++
 build.gradle | 4 ----
 dependencies.gradle | 10 +++++-----
 server/build.gradle | 6 +++---
 spark/spark-base/build.gradle | 3 ++-
 6 files changed, 17 insertions(+), 16 deletions(-)
diff --git a/agent/build.gradle b/agent/build.gradle
index 75cd40e2b80..c53097b1ac5 100644
--- a/agent/build.gradle
+++ b/agent/build.gradle
@@ -163,9 +163,9 @@ task verifyJar(type: VerifyJarTask) {
 "httpmime-${project.versions.apacheHttpComponents}.jar",
 "istack-commons-runtime-3.0.7.jar",
 "j2objc-annotations-1.3.jar",
- "jackson-annotations-${project.versions.jackson}.jar",
- "jackson-core-${project.versions.jackson}.jar",
- "jackson-databind-${project.versions.jackson}.jar",
+ "jackson-annotations-2.13.2.jar",
+ "jackson-core-2.13.2.jar",
+ "jackson-databind-2.13.2.2.jar",
 "javax.activation-api-1.2.0.jar",
 "javax.annotation-api-${project.versions.javaxAnnotation}.jar",
 "javax.inject-1.jar",
diff --git a/base/build.gradle b/base/build.gradle
index 7fa0fe5c630..eaf3e8756ea 100644
--- a/base/build.gradle
+++ b/base/build.gradle
@@ -20,6 +20,10 @@ dependencies {
 providedAtPackageTime project.deps.bouncyCastle
 providedAtPackageTime project.deps.bouncyCastlePkix
+ // Use BOMs to control versions of dependencies for other projects, all of which consume 'base'.
+ // This is following https://docs.gradle.org/current/userguide/platforms.html#sub:bom_import
+ api enforcedPlatform(project.deps.jacksonBom)
+
 api(project.deps.apacheAnt) { transitive = false }
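Review bot: The replacement jar names pin `jackson-annotations-2.13.2.jar`, `jackson-core-2.13.2.jar` and `jackson-databind-2.13.2.2.jar` as literals, whereas the removed lines derived them from `project.versions.jackson`; the same three literals appear in the `verifyWar` list in the server/build.gradle hunk. The verify tasks are what catch a packaged artifact drifting from the intended patched version, so hardcoding is defensible, but nothing in either list ties these strings to the `jacksonBom` entry in dependencies.gradle that now decides the resolved versions. A comment above the three entries would make that coupling explicit for the next BOM bump, e.g. `// Versions come from jackson-bom in dependencies.gradle; update these together with it.` Presumably a later bump of the BOM fails these tasks until the literals are updated, which reads as the intended safety net rather than a defect.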
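Review bot: `api enforcedPlatform(project.deps.jacksonBom)` forces the BOM versions on every configuration that consumes `base`, overriding even a higher Jackson version another dependency might request, and that forcing is what guarantees the patched databind 2.13.2.2 actually wins over transitive requests; the added comment explains the BOM import but not why `enforcedPlatform` was chosen over `platform`. Suggest appending `// enforcedPlatform (not platform) so the BOM version wins over any transitively requested Jackson version, including newer ones.` The comment's premise that all other projects consume `base` is not visible in this patch, while the `versionOverrides` entries removed in the build.gradle hunk previously applied to every subproject, so any module that does not reach `base` is no longer aligned and that is worth confirming. The spark/spark-base hunk imports the same BOM with plain `platform()`, which looks redundant given the enforced one presumably inherited via `server`, but is harmless.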
diff --git a/build.gradle b/build.gradle
index a4e800d1b8d..7e1195161be 100644
--- a/build.gradle
+++ b/build.gradle
@@ -634,15 +634,11 @@ subprojects {
 configurations.all { configuration ->
 def versionOverrides = [
- "com.fasterxml.jackson.core:jackson-annotations": project.versions.jackson,
- "com.fasterxml.jackson.core:jackson-core" : project.versions.jackson,
- "com.fasterxml.jackson.core:jackson-databind" : project.versions.jackson,
 "commons-beanutils:commons-beanutils" : project.versions.commonsBeanutils,
 "org.apache.commons:commons-pool2" : project.versions.commonsPool,
 "org.objenesis:objenesis" : project.versions.objenesis,
 ]
-
 configuration.resolutionStrategy.eachDependency { DependencyResolveDetails details ->
 def overrideVersion = versionOverrides[details.requested.group + ":" + details.requested.name]
diff --git a/dependencies.gradle b/dependencies.gradle
index 1da0eee296d..d737ec1e208 100644
--- a/dependencies.gradle
+++ b/dependencies.gradle
@@ -61,7 +61,7 @@ final Map libraries = [
 hamcrest : 'org.hamcrest:hamcrest-core:2.2',
 hibernate : 'org.hibernate:hibernate-ehcache:3.6.10.Final',
 httpClientMock : 'com.github.paweladamski:HttpClientMock:1.10.0',
- jackson : 'com.fasterxml.jackson.core:jackson-core:2.13.2',
+ jacksonBom : 'com.fasterxml.jackson:jackson-bom:2.13.2.20220328',
 javaAssist : 'javassist:javassist:3.12.1.GA',
 javaxAnnotation : 'javax.annotation:javax.annotation-api:1.3.2',
 jaxb : 'javax.xml.bind:jaxb-api:2.3.1',
@@ -142,7 +142,6 @@ final Map v = [
 h2 : versionOf(libraries.h2),
 hamcrest : versionOf(libraries.hamcrest),
 hibernate : versionOf(libraries.hibernate),
- jackson : versionOf(libraries.jackson),
 javaAssist : versionOf(libraries.javaAssist),
 javaxAnnotation : versionOf(libraries.javaxAnnotation),
 jaxb : versionOf(libraries.jaxb),
@@ -189,14 +188,15 @@ final Map v = [
 ]
 // While Dependabot won't be able to parse these deps, these will get upgraded for free anyway since they share versions
-// with dependencies declared above that are parseable by Dependabot. This is just a workaround to be DRY while still
-// benefiting from Dependabot's automatic PR upgrades.
+// with dependencies declared above that are parseable by Dependabot, or are managed by platforms.
+// This is just a workaround to be DRY while still benefiting from Dependabot's automatic PR upgrades.
 final Map related = [
 apacheHttpMime : "org.apache.httpcomponents:httpmime:${v.apacheHttpComponents}",
 aspectjWeaver : "org.aspectj:aspectjweaver:${v.aspectj}",
 bouncyCastlePkix : "org.bouncycastle:bcpkix-jdk15on:${v.bouncyCastle}",
 hamcrestLibrary : "org.hamcrest:hamcrest-library:${v.hamcrest}",
- jacksonDatabind : "com.fasterxml.jackson.core:jackson-databind:${v.jackson}",
+ jacksonCore : 'com.fasterxml.jackson.core:jackson-core',
+ jacksonDatabind : 'com.fasterxml.jackson.core:jackson-databind',
 jaxbRuntime : "org.glassfish.jaxb:jaxb-runtime:${v.jaxb}",
 jettyDeploy : "org.eclipse.jetty:jetty-deploy:${v.jetty}",
 jettyJmx : "org.eclipse.jetty:jetty-jmx:${v.jetty}",
diff --git a/server/build.gradle b/server/build.gradle
index 1a338c9af3f..165c91e79f4 100644
--- a/server/build.gradle
+++ b/server/build.gradle
@@ -863,9 +863,9 @@ task verifyWar(type: VerifyJarTask) {
 "httpmime-${project.versions.apacheHttpComponents}.jar",
 "istack-commons-runtime-3.0.7.jar",
 "j2objc-annotations-1.3.jar",
- "jackson-annotations-${project.versions.jackson}.jar",
- "jackson-core-${project.versions.jackson}.jar",
- "jackson-databind-${project.versions.jackson}.jar",
+ "jackson-annotations-2.13.2.jar",
+ "jackson-core-2.13.2.jar",
+ "jackson-databind-2.13.2.2.jar",
 "jakarta.activation-2.0.1.jar",
 "javassist-${project.versions.javaAssist}.jar",
 "javax.activation-api-1.2.0.jar",
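Review bot: `jacksonCore` and `jacksonDatabind` in `related` are now versionless coordinates, which is the right shape under a BOM but differs from every other entry in the map, all of which carry an explicit `${v.xxx}` version. A consumer that references them without also importing `jacksonBom` via `platform()` or `enforcedPlatform()` should fail at resolution for lack of a version, which is loud but not obvious from reading this map alone. Suggest a comment on those two lines: `// Versionless on purpose: the version is supplied by jacksonBom, which consumers import as a platform.` The updated header comment mentions platforms only generically, so this makes the specific dependency explicit.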
diff --git a/spark/spark-base/build.gradle b/spark/spark-base/build.gradle
index 54c58507c3b..d2d5998790d 100644
--- a/spark/spark-base/build.gradle
+++ b/spark/spark-base/build.gradle
@@ -20,7 +20,8 @@ dependencies {
 api project(':common')
 api project(':server')
- implementation project.deps.jackson
+ implementation platform(project.deps.jacksonBom)
+ implementation project.deps.jacksonCore
 implementation project.deps.jacksonDatabind
 implementation project.deps.springWeb