Upgrade io.netty : netty-codec-http2 and netty-common to 4.1.39.Final 41/95441/3
author Rashmi Pujar <rashmi.pujar@bell.ca>
Tue, 10 Sep 2019 23:28:13 +0000 (19:28 -0400)
committer Rashmi Pujar <rashmi.pujar@bell.ca>
Wed, 11 Sep 2019 00:16:52 +0000 (20:16 -0400)
These insecure dependencies are brought in by io.grpc:grpc-netty:1.17.1.
Override the io.netty dependencies and add exclusions where version is mandated.

Resulting dependencies in policy/models/models-interactions on master*
$ mvn dependency:tree -Dverbose| grep io.netty
[INFO] +- io.netty:netty-codec-http2:jar:4.1.39.Final:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.39.Final:compile
[INFO] |  +- io.netty:netty-buffer:jar:4.1.39.Final:compile
[INFO] |  +- io.netty:netty-transport:jar:4.1.39.Final:compile
[INFO] |  |  \- io.netty:netty-resolver:jar:4.1.39.Final:compile
[INFO] |  +- io.netty:netty-codec:jar:4.1.39.Final:compile
[INFO] |  +- io.netty:netty-handler:jar:4.1.39.Final:compile
[INFO] |  \- io.netty:netty-codec-http:jar:4.1.39.Final:compile
[INFO] +- io.netty:netty-handler-proxy:jar:4.1.39.Final:compile
[INFO] |  \- io.netty:netty-codec-socks:jar:4.1.39.Final:compile
[INFO] |  +- io.netty:netty-codec-http2:jar:4.1.39.Final:provided
[INFO] |  |  +- io.netty:netty-common:jar:4.1.39.Final:provided
[INFO] |  |  +- io.netty:netty-buffer:jar:4.1.39.Final:provided
[INFO] |  |  +- io.netty:netty-transport:jar:4.1.39.Final:provided
[INFO] |  |  |  \- io.netty:netty-resolver:jar:4.1.39.Final:provided
[INFO] |  |  +- io.netty:netty-codec:jar:4.1.39.Final:provided
[INFO] |  |  +- io.netty:netty-handler:jar:4.1.39.Final:provided
[INFO] |  |  \- io.netty:netty-codec-http:jar:4.1.39.Final:provided
[INFO] |  +- io.netty:netty-handler-proxy:jar:4.1.39.Final:provided
[INFO] |  |  \- io.netty:netty-codec-socks:jar:4.1.39.Final:provided

Issue-ID: POLICY-2072
Signed-off-by: Rashmi Pujar <rashmi.pujar@bell.ca>
Change-Id: Ib3706e1c67e33fe73ebbfc80a6b474021b4a2679
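As an added check, not part of this change or of the ONAP policy/models project: a small POSIX shell helper that reads `mvn dependency:tree` output shaped like the listing in the commit message and reports every io.netty artifact whose resolved version differs from the one expected. The sample tree, the `EXPECTED_NETTY_VERSION` constant and the function names are constructed for the example; one sample line is deliberately left at 4.1.30.Final so the check has something to report.

```shell
# Added verification helper (not part of the policy/models change).
# Reads `mvn dependency:tree` output on stdin and reports io.netty artifacts
# that did not resolve to the expected version, so a mixed Netty classpath
# cannot slip through after a dependency override like the one in this change.

EXPECTED_NETTY_VERSION="4.1.39.Final"

# Constructed sample input, shaped like the tree in the commit message.
# netty-buffer is deliberately left at the old version to show a detection.
SAMPLE_TREE='[INFO] +- io.netty:netty-codec-http2:jar:4.1.39.Final:compile
[INFO] |  +- io.netty:netty-common:jar:4.1.39.Final:compile
[INFO] |  +- io.netty:netty-buffer:jar:4.1.30.Final:compile
[INFO] +- io.netty:netty-handler-proxy:jar:4.1.39.Final:compile
[INFO] |  \- io.netty:netty-codec-socks:jar:4.1.39.Final:compile'

# netty_versions: print "artifact version" for each io.netty line on stdin.
# Lines that `-Dverbose` marks as omitted never reach the classpath, so they
# are dropped before the coordinates are split.
netty_versions() {
  grep -v 'omitted for' \
    | sed -n 's/.*\(io\.netty:[^ ]*\).*/\1/p' \
    | awk -F: '{ print $2, $4 }'
}

# stray_netty: print "artifact version" for every io.netty artifact on stdin
# whose version is not $1 (one line per distinct artifact/version pair).
stray_netty() {
  want="$1"
  netty_versions | awk -v want="$want" '$2 != want { print }' | sort -u
}

# check_tree: return 0 when every io.netty artifact on stdin is at $1,
# 1 otherwise; suitable as a CI gate after `mvn dependency:tree`.
check_tree() {
  [ -z "$(stray_netty "$1")" ]
}

# Demonstration on the constructed sample: prints the stray netty-buffer line.
printf '%s\n' "$SAMPLE_TREE" | stray_netty "$EXPECTED_NETTY_VERSION"
```

Against a real build, replace the constructed sample with `mvn dependency:tree -Dverbose | stray_netty 4.1.39.Final`; the `omitted for` filter discards the parenthesised conflict-resolution lines that `-Dverbose` prints for versions Maven already rejected, so only artifacts that actually land on the classpath are reported.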

models-interactions/model-impl/cds/pom.xml

index 4545e24..1dd691a 100644
@@ -34,7 +34,7 @@
   <properties>
     <grpc.version>1.17.1</grpc.version>
     <protobuf.version>3.6.1</protobuf.version>
-    <grpc.netty.version>4.1.30.Final</grpc.netty.version>
+    <grpc.netty.version>4.1.39.Final</grpc.netty.version>
     <ccsdk.version>0.4.4</ccsdk.version>
   </properties>
 
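Review bot: raising `grpc.netty.version` from 4.1.30.Final to 4.1.39.Final while `grpc.version` stays at 1.17.1 (two lines above) moves Netty past the version grpc-netty 1.17.1 was released against; grpc-java publishes a per-release Netty compatibility table in its SECURITY.md, so please confirm 1.17.1 with 4.1.39.Final is listed there or run this module's gRPC client tests against the new classpath, and note the tested pairing in the XML comment so the next person bumping either property knows they move together.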
     </dependency>
 
     <!-- gRPC dependencies -->
+    <!-- io.netty artifacts have security issues and are transitive dependencies from io.grpc:grpc-netty:1.17.1.
+    Override io.netty dependencies and add exclusions to io.grpc:grpc-netty where io.netty version is mandated. -->
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-codec-http2</artifactId>
+      <version>${grpc.netty.version}</version>
+    </dependency>
+    <dependency>
+      <groupId>io.netty</groupId>
+      <artifactId>netty-handler-proxy</artifactId>
+      <version>${grpc.netty.version}</version>
+    </dependency>
     <dependency>
       <groupId>io.grpc</groupId>
       <artifactId>grpc-protobuf</artifactId>
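Review bot: declaring netty-codec-http2 and netty-handler-proxy inside `<dependencies>` turns two transitive artifacts into direct compile dependencies of the cds module; the same version override is obtained without widening the module's own dependency list by putting these two coordinates (with `${grpc.netty.version}`) under `<dependencyManagement>`, which Maven applies to transitive resolution and which would also remove the need for per-dependency exclusions on grpc-netty. Whichever form is kept, the comment "io.netty artifacts have security issues" should name POLICY-2072 (or the specific advisories) so the reason for the pin survives the next grpc upgrade.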
       <groupId>io.grpc</groupId>
       <artifactId>grpc-netty</artifactId>
       <version>${grpc.version}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>io.netty</groupId>
+          <artifactId>netty-codec-http2</artifactId>
+        </exclusion>
+      </exclusions>
     </dependency>
     <dependency>
       <groupId>io.grpc</groupId>
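Review bot: the new `<exclusions>` block on grpc-netty covers only netty-codec-http2, although the comment added above says exclusions go "where io.netty version is mandated" and netty-handler-proxy is overridden the same way; Maven's nearest-wins resolution already prefers the direct declarations for both artifacts, so either this exclusion is redundant or handler-proxy needs the same one. Please either drop the exclusion or state in the XML comment what in grpc-netty 1.17.1 makes codec-http2 alone require it, so the two overrides read consistently.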