From 8e3e9cfa0d994e6cf33096aab7df059722d27a5e Mon Sep 17 00:00:00 2001
From: Chad Wilson
Date: Wed, 30 Mar 2022 23:43:55 +1300
Subject: [PATCH] Bump jackson-databind to 2.13.2.2 via switching to BOM

Individual libs in Jackson don't necessarily all get released at the same time. The BOM is the right way to ensure versions are all on latest. In this case, to get a CVE patched within databind. See https://github.com/FasterXML/jackson-databind/issues/3428 for more detail
---
 base/build.gradle | 4 ++++
 build.gradle | 4 ----
 dependencies.gradle | 10 +++++-----
 server/build.gradle | 6 +++---
 spark/spark-base/build.gradle | 3 ++-
 5 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/base/build.gradle b/base/build.gradle
index 7fa0fe5c6301..eaf3e8756ead 100644
--- a/base/build.gradle
+++ b/base/build.gradle
@@ -20,6 +20,10 @@ dependencies {
 providedAtPackageTime project.deps.bouncyCastle
 providedAtPackageTime project.deps.bouncyCastlePkix
 
+ // Use BOMs to control versions of dependencies for other projects, all of which consume 'base'.
+ // This is following https://docs.gradle.org/current/userguide/platforms.html#sub:bom_import
+ api enforcedPlatform(project.deps.jacksonBom)
+
 api(project.deps.apacheAnt) {
 transitive = false
 }
diff --git a/build.gradle b/build.gradle
index a4e800d1b8dd..7e1195161be4 100644
--- a/build.gradle
+++ b/build.gradle
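Review bot: `api enforcedPlatform(project.deps.jacksonBom)` forces the BOM's Jackson versions on every consumer of `base`, overriding even a higher version a consumer declares directly, so after this change the only way any module picks up a future databind fix is a bump of `jacksonBom` in dependencies.gradle; that is a reasonable single control point for a CVE-driven pin, but the new comment should say so. Suggested wording: `// enforcedPlatform wins over any version a consumer declares, so Jackson is bumped only via project.deps.jacksonBom.`. Note also that `spark/spark-base/build.gradle` in this same patch adds its own `implementation platform(project.deps.jacksonBom)`; if `spark-base` already receives this platform transitively through `base` that line is redundant, and if it does not, the comment's claim that all projects consume `base` deserves a re-check. The `dependencies {}` block continues outside the hunk.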
@@ -634,15 +634,11 @@ subprojects {
 configurations.all { configuration ->
 def versionOverrides = [
- "com.fasterxml.jackson.core:jackson-annotations": project.versions.jackson,
- "com.fasterxml.jackson.core:jackson-core" : project.versions.jackson,
- "com.fasterxml.jackson.core:jackson-databind" : project.versions.jackson,
 "commons-beanutils:commons-beanutils" : project.versions.commonsBeanutils,
 "org.apache.commons:commons-pool2" : project.versions.commonsPool,
 "org.objenesis:objenesis" : project.versions.objenesis,
 ]
-
 configuration.resolutionStrategy.eachDependency { DependencyResolveDetails details ->
 def overrideVersion = versionOverrides[details.requested.group + ":" + details.requested.name]
diff --git a/dependencies.gradle b/dependencies.gradle
index 1da0eee296d8..d737ec1e2085 100644
--- a/dependencies.gradle
+++ b/dependencies.gradle
@@ -61,7 +61,7 @@ final Map libraries = [
 hamcrest : 'org.hamcrest:hamcrest-core:2.2',
 hibernate : 'org.hibernate:hibernate-ehcache:3.6.10.Final',
 httpClientMock : 'com.github.paweladamski:HttpClientMock:1.10.0',
- jackson : 'com.fasterxml.jackson.core:jackson-core:2.13.2',
+ jacksonBom : 'com.fasterxml.jackson:jackson-bom:2.13.2.20220328',
 javaAssist : 'javassist:javassist:3.12.1.GA',
 javaxAnnotation : 'javax.annotation:javax.annotation-api:1.3.2',
 jaxb : 'javax.xml.bind:jaxb-api:2.3.1',
@@ -142,7 +142,6 @@ final Map v = [
 h2 : versionOf(libraries.h2),
 hamcrest : versionOf(libraries.hamcrest),
 hibernate : versionOf(libraries.hibernate),
- jackson : versionOf(libraries.jackson),
 javaAssist : versionOf(libraries.javaAssist),
 javaxAnnotation : versionOf(libraries.javaxAnnotation),
 jaxb : versionOf(libraries.jaxb),
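Review bot: Dropping `jackson` from the `v` map means any `project.versions.jackson` reference left elsewhere in the build (the form `server/build.gradle` used before this patch) now evaluates to `null` rather than failing, since a missing key on a Groovy `Map` reads as null; a jar name like `"jackson-core-${project.versions.jackson}.jar"` would silently become `jackson-core-null.jar`. Nothing in this hunk guards against that, so a grep of the remaining `*.gradle` files for `versions.jackson` before merging is worthwhile. The `v` map starts and ends outside the hunk.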
@@ -189,14 +188,15 @@ final Map v = [
 ]
 
 // While Dependabot won't be able to parse these deps, these will get upgraded for free anyway since they share versions
-// with dependencies declared above that are parseable by Dependabot. This is just a workaround to be DRY while still
-// benefiting from Dependabot's automatic PR upgrades.
+// with dependencies declared above that are parseable by Dependabot, or are managed by platforms.
+// This is just a workaround to be DRY while still benefiting from Dependabot's automatic PR upgrades.
 final Map related = [
 apacheHttpMime : "org.apache.httpcomponents:httpmime:${v.apacheHttpComponents}",
 aspectjWeaver : "org.aspectj:aspectjweaver:${v.aspectj}",
 bouncyCastlePkix : "org.bouncycastle:bcpkix-jdk15on:${v.bouncyCastle}",
 hamcrestLibrary : "org.hamcrest:hamcrest-library:${v.hamcrest}",
- jacksonDatabind : "com.fasterxml.jackson.core:jackson-databind:${v.jackson}",
+ jacksonCore : 'com.fasterxml.jackson.core:jackson-core',
+ jacksonDatabind : 'com.fasterxml.jackson.core:jackson-databind',
 jaxbRuntime : "org.glassfish.jaxb:jaxb-runtime:${v.jaxb}",
 jettyDeploy : "org.eclipse.jetty:jetty-deploy:${v.jetty}",
 jettyJmx : "org.eclipse.jetty:jetty-jmx:${v.jetty}",
diff --git a/server/build.gradle b/server/build.gradle
index 1a338c9af3fc..165c91e79f4e 100644
--- a/server/build.gradle
+++ b/server/build.gradle
@@ -863,9 +863,9 @@ task verifyWar(type: VerifyJarTask) {
 "httpmime-${project.versions.apacheHttpComponents}.jar",
 "istack-commons-runtime-3.0.7.jar",
 "j2objc-annotations-1.3.jar",
- "jackson-annotations-${project.versions.jackson}.jar",
- "jackson-core-${project.versions.jackson}.jar",
- "jackson-databind-${project.versions.jackson}.jar",
+ "jackson-annotations-2.13.2.jar",
+ "jackson-core-2.13.2.jar",
+ "jackson-databind-2.13.2.2.jar",
 "jakarta.activation-2.0.1.jar",
 "javassist-${project.versions.javaAssist}.jar",
 "javax.activation-api-1.2.0.jar",
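Review bot: The new `jacksonCore` and `jacksonDatabind` entries carry no version, so they resolve only on a configuration that also has the jackson-bom platform applied (`base` does this via `api enforcedPlatform`, and `spark-base` adds `platform(...)` itself in this patch); a module that uses them without the platform will fail at resolution on a versionless coordinate. That dependency between the map entries and the platform is not visible from this file, so it is worth recording next to them, e.g. `// jacksonCore/jacksonDatabind are versionless: the jackson-bom platform (project.deps.jacksonBom) must be on the same configuration.`. The `related` map continues outside the hunk.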
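Review bot: The three Jackson jar names in `verifyWar` are now literal versions (`2.13.2`, `2.13.2.2`) duplicating what `jackson-bom:2.13.2.20220328` resolves, so every future BOM bump, including Dependabot's, must also edit these lines or the task fails. That failure is actually useful here: it makes `verifyWar` an explicit check that the packaged war carries the patched databind rather than whatever resolution produced, and it should be declared as intentional so the next person does not "fix" it by deriving the names from the BOM. Suggested comment above the three lines: `// Pinned literally on purpose: a jackson-bom bump must update these so verifyWar confirms the shipped Jackson versions.`. The expected-jar list begins and ends outside the hunk.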
diff --git a/spark/spark-base/build.gradle b/spark/spark-base/build.gradle
index 54c58507c3bf..d2d5998790d3 100644
--- a/spark/spark-base/build.gradle
+++ b/spark/spark-base/build.gradle
@@ -20,7 +20,8 @@ dependencies {
 api project(':common')
 api project(':server')
- implementation project.deps.jackson
+ implementation platform(project.deps.jacksonBom)
+ implementation project.deps.jacksonCore
 implementation project.deps.jacksonDatabind
 implementation project.deps.springWeb