Update hibernate-validator and jetty-util 95/39695/1
authorMichael Hwang <mhwang@research.att.com>
Wed, 28 Mar 2018 14:32:32 +0000 (10:32 -0400)
committerMichael Hwang <mhwang@research.att.com>
Wed, 28 Mar 2018 14:32:59 +0000 (10:32 -0400)
Change-Id: I93beb063bf3a1e5394651065b42c3b5f1bc5407d
Issue-ID: DCAEGEN2-361
Signed-off-by: Michael Hwang <mhwang@research.att.com>
CHANGELOG.md
pom.xml
version.properties

index 8432e8b..1c27804 100644 (file)
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 The version in the brackets represents the version of DCAE inventory and not the ONAP DCAE version.
 
+## [3.0.1]
+
+* Explicitly use 5.3.6.Final for hibernate-validator and 9.4.6 for jetty-util to address security issues
+
 ## [3.0.0]
 
 * Remove the dcae controller code (housekeeping)
diff --git a/pom.xml b/pom.xml
index 9dcfc45..95910a6 100644 (file)
--- a/pom.xml
+++ b/pom.xml
@@ -28,7 +28,7 @@ ECOMP is a trademark and service mark of AT&T Intellectual Property.
 
     <groupId>org.onap.dcaegen2.platform</groupId>
     <artifactId>inventory-api</artifactId>
-    <version>3.0.0</version>
+    <version>3.0.1</version>
     <name>dcaegen2-platform-inventory-api</name>
     <!--internal <version>3.0.0</version>-->
 
@@ -68,6 +68,16 @@ ECOMP is a trademark and service mark of AT&T Intellectual Property.
             <groupId>io.dropwizard</groupId>
             <artifactId>dropwizard-core</artifactId>
             <version>${dropwizard.version}</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.hibernate</groupId>
+                    <artifactId>hibernate-validator</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.eclipse.jetty</groupId>
+                    <artifactId>jetty-util</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>io.dropwizard</groupId>
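Review bot: The exclusions added to dropwizard-core do not remove the vulnerable versions from the tree on their own: the io.dropwizard dependency that starts at the last line of this hunk (its body is outside the hunk) and any other Dropwizard module can still pull hibernate-validator and jetty-util in transitively, and what actually keeps the old versions out is the direct declaration added later in this file, which Maven's nearest-wins resolution prefers anyway. That makes these exclusions redundant rather than protective, and a reader is likely to assume they are the fix; either drop them or state their purpose with a comment such as `<!-- overridden by the direct hibernate-validator / jetty-util dependencies below; see the CVE notes there -->`. It is also worth recording how the result was verified, e.g. `mvn dependency:tree -Dincludes=org.eclipse.jetty:jetty-util,org.hibernate:hibernate-validator` showing exactly one version of each.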
@@ -86,6 +96,20 @@ ECOMP is a trademark and service mark of AT&T Intellectual Property.
             <artifactId>httpclient</artifactId>
             <version>4.5.5</version>
         </dependency>
+        <dependency>
+            <!-- To address security issue - CVE-2017-7536 -->
+            <groupId>org.hibernate</groupId>
+            <artifactId>hibernate-validator</artifactId>
+            <version>5.3.6.Final</version>
+        </dependency>
+        <dependency>
+            <!-- To address security issue - CVE-2017-9735
+                 REVIEW: Only updated jetty-util which may introduce runtime issues because
+                 other jetty libraries are on 9.4.2 still -->
+            <groupId>org.eclipse.jetty</groupId>
+            <artifactId>jetty-util</artifactId>
+            <version>9.4.6.v20170531</version>
+        </dependency>
         <dependency>
             <groupId>ch.qos.logback</groupId>
             <artifactId>logback-classic</artifactId>
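Review bot: Pinning jetty-util alone at 9.4.6.v20170531 leaves every other org.eclipse.jetty artifact on whatever `${dropwizard.version}` brings in, which the REVIEW comment in this hunk acknowledges but leaves unresolved; Jetty 9.4.x modules are released as a set, and a skew between jetty-util and the server/http modules surfaces as NoSuchMethodError or NoClassDefFoundError at class-load time rather than at build time, so `mvn package` will not catch it. Managing the whole group in `<dependencyManagement>` through one property, with a managed entry for each org.eclipse.jetty artifact that `mvn dependency:tree` reports, keeps all modules on the patched release and turns the next bump into a one-line change. The same tree output is the evidence that no second copy of jetty-util remains on the classpath for CVE-2017-9735. Separately, the `<!--internal <version>3.0.0</version>-->` comment in the version hunk above was not bumped with the version and is now stale.
```xml
<properties>
    <!-- single source of truth for every org.eclipse.jetty artifact; bump here only -->
    <jetty.version>9.4.6.v20170531</jetty.version>
</properties>

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.eclipse.jetty</groupId>
            <artifactId>jetty-util</artifactId>
            <version>${jetty.version}</version>
        </dependency>
        <dependency>
            <groupId>org.eclipse.jetty</groupId>
            <artifactId>jetty-server</artifactId>
            <version>${jetty.version}</version>
        </dependency>
        <!-- … one entry per remaining org.eclipse.jetty artifact listed by mvn dependency:tree … -->
    </dependencies>
</dependencyManagement>
```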
index fa21cfe..97784ff 100644 (file)
@@ -3,7 +3,7 @@
 # because they are used in Jenkins, whose plug-in doesn't support\r
 major=3\r
 minor=0\r
-patch=0\r
+patch=1\r
 base_version=${major}.${minor}.${patch}\r
 # Release must be completed with git revision # in Jenkins\r
 \r