From 42480c241e5882bd2e6002004e5013a0e1bd7429 Mon Sep 17 00:00:00 2001 From: Michael Arrastia Date: Thu, 3 May 2018 18:09:26 +0100 Subject: [PATCH] Address security vulnerabilities This includes version upgrades for: - logback-classic, logback-core - commons-collections - hadoop-common - hbase-client: settled on version 1.0.2 as container would not start with later versions - httpclient - netty, netty-all - zookeeper - jackson-core Also should resolve presence of flux-examples. Change-Id: Ifb55f5d6676a9971d1d9a46c695dc78eb1b99843 Issue-ID: AAI-1117 Signed-off-by: Michael Arrastia --- champ-lib/champ-core/pom.xml | 32 +++++++++++---- champ-lib/champ-janus/pom.xml | 16 ++++---- champ-lib/champ-titan/pom.xml | 14 +++++-- champ-lib/pom.xml | 76 +++------------------------------- champ-service-deps-janus/pom.xml | 26 ++++++------ champ-service-deps-titan/pom.xml | 14 ++++--- champ-service/pom.xml | 88 +++++++++++++++++++-------------------- pom.xml | 89 ++++++++++++++++++++++++++++++++++++++++ 8 files changed, 205 insertions(+), 150 deletions(-) diff --git a/champ-lib/champ-core/pom.xml b/champ-lib/champ-core/pom.xml index dbbb2b7..ee65310 100644 --- a/champ-lib/champ-core/pom.xml +++ b/champ-lib/champ-core/pom.xml @@ -25,8 +25,8 @@ limitations under the License. 4.0.0 - champ-lib org.onap.aai + champ-lib 1.2.0-SNAPSHOT @@ -37,17 +37,16 @@ limitations under the License. org.onap.aai.event-client event-client-api - ${event.client.version} + org.onap.aai.event-client event-client-dmaap - ${event.client.version} + org.onap.aai.event-client event-client-kafka - ${event.client.version} @@ -56,11 +55,13 @@ limitations under the License. groovy 2.4.12 + com.fasterxml.jackson.core jackson-databind 2.5.3 + org.apache.tinkerpop gremlin-core 
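Review bot: The `jackson-databind` entry visible as context in the `@@ -56,11 +55,13 @@` hunk of champ-lib/champ-core/pom.xml keeps its literal `2.5.3` pin, while the only Jackson artifact this commit manages centrally is `jackson-core` at `2.8.11` in the root pom. That leaves the two Jackson modules on different minor lines, and if the scanner finding being addressed concerned deserialization it would normally be reported against databind rather than core, so it is worth confirming the pin is intentional. I would add `jackson-databind` to the root `dependencyManagement` at the version chosen for `jackson-core` and drop the local `<version>2.5.3</version>` here. The XML tags are stripped in this rendering, so this reading rests on the surviving text `com.fasterxml.jackson.core jackson-databind 2.5.3`.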
@@ -77,17 +78,34 @@ limitations under the License. + org.apache.tinkerpop tinkergraph-gremlin 3.2.3 true + com.google.code.gson gson 2.8.2 + + + org.apache.hbase + hbase-client + + + org.slf4j + slf4j-log4j12 + + + com.google.guava + guava + + + @@ -111,7 +129,6 @@ limitations under the License. true - + check process-sources - --> diff --git a/champ-lib/champ-janus/pom.xml b/champ-lib/champ-janus/pom.xml index 7d1532b..b316c27 100644 --- a/champ-lib/champ-janus/pom.xml +++ b/champ-lib/champ-janus/pom.xml @@ -25,8 +25,8 @@ limitations under the License. 4.0.0 - champ-lib org.onap.aai + champ-lib 1.2.0-SNAPSHOT @@ -42,11 +42,13 @@ limitations under the License. tinkergraph-gremlin ${tinkerpop.version} + org.onap.aai champ-core 1.2.0-SNAPSHOT + org.onap.aai champ-core @@ -54,6 +56,7 @@ limitations under the License. test-jar test + org.janusgraph janusgraph-cassandra @@ -78,6 +81,7 @@ limitations under the License. + org.janusgraph janusgraph-hbase @@ -92,10 +96,6 @@ limitations under the License. org.slf4j slf4j-log4j12 - - ch.qos.logback - logback-classic - org.apache.tinkerpop gremlin-core @@ -180,7 +180,6 @@ limitations under the License. true - + check process-sources - --> diff --git a/champ-lib/champ-titan/pom.xml b/champ-lib/champ-titan/pom.xml index 5bfc860..05d862c 100644 --- a/champ-lib/champ-titan/pom.xml +++ b/champ-lib/champ-titan/pom.xml @@ -41,11 +41,13 @@ limitations under the License. tinkergraph-gremlin ${tinkerpop.version} + org.onap.aai champ-core 1.2.0-SNAPSHOT + org.onap.aai champ-core @@ -53,6 +55,7 @@ limitations under the License. test-jar test + com.thinkaurelius.titan titan-cassandra @@ -75,8 +78,13 @@ limitations under the License. org.apache.tinkerpop gremlin-core + + org.apache.httpcomponents + httpclient + + com.thinkaurelius.titan titan-hbase @@ -179,7 +187,6 @@ limitations under the License. true - + check process-sources - --> diff --git a/champ-lib/pom.xml b/champ-lib/pom.xml index 4f82dff..d69f971 100644 --- a/champ-lib/pom.xml 
+++ b/champ-lib/pom.xml @@ -22,17 +22,15 @@ limitations under the License. xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 4.0.0 - org.onap.aai - champ-lib - pom - 1.2.0-SNAPSHOT - org.onap.aai champ 1.2.0-SNAPSHOT + champ-lib + pom + champ-core champ-titan @@ -41,8 +39,6 @@ limitations under the License. UTF-8 - 1.2.1 - @@ -53,26 +49,6 @@ limitations under the License. - - - - org.onap.aai.event-client - event-client-api - ${event.client.version} - - - org.onap.aai.event-client - event-client-dmaap - ${event.client.version} - - - org.onap.aai.event-client - event-client-kafka - ${event.client.version} - - - - junit @@ -80,27 +56,6 @@ limitations under the License. 4.12 test - - ch.qos.logback - logback-classic - 1.2.1 - true - - - org.apache.hbase - hbase-client - 0.98.4-hadoop2 - - - org.slf4j - slf4j-log4j12 - - - com.google.guava - guava - - - jdk.tools jdk.tools @@ -196,25 +151,6 @@ limitations under the License. - - org.apache.maven.plugins - maven-assembly-plugin - 3.0.0 - - - jar-with-dependencies - - - - - make-jar-with-dependencies - package - - single - - - - org.apache.maven.plugins maven-compiler-plugin @@ -278,7 +214,6 @@ limitations under the License. true - + check process-sources - --> diff --git a/champ-service-deps-janus/pom.xml b/champ-service-deps-janus/pom.xml index 398437f..9b1dd5e 100644 --- a/champ-service-deps-janus/pom.xml +++ b/champ-service-deps-janus/pom.xml @@ -22,17 +22,15 @@ limitations under the License. xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 4.0.0 - org.onap.aai - champ-service-deps-janus - pom - 1.2.0-SNAPSHOT - org.onap.aai champ 1.2.0-SNAPSHOT + champ-service-deps-janus + pom + org.onap.aai @@ -47,14 +45,6 @@ limitations under the License. ch.qos.logback logback-core - - org.apache.httpcomponents - httpclient - - - org.apache.httpcomponents - httpclient-cache - org.slf4j slf4j-api 
@@ -127,8 +117,17 @@ limitations under the License. org.onap.aai.event-client event-client-kafka + + org.apache.httpcomponents + httpclient + + + org.apache.httpcomponents + httpcore + + org.janusgraph janusgraph-cassandra @@ -193,6 +192,7 @@ limitations under the License. + org.janusgraph janusgraph-hbase diff --git a/champ-service-deps-titan/pom.xml b/champ-service-deps-titan/pom.xml index f979969..a67af1e 100644 --- a/champ-service-deps-titan/pom.xml +++ b/champ-service-deps-titan/pom.xml @@ -22,17 +22,15 @@ limitations under the License. xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd"> 4.0.0 - org.onap.aai - champ-service-deps-titan - pom - 1.2.0-SNAPSHOT - org.onap.aai champ 1.2.0-SNAPSHOT + champ-service-deps-titan + pom + org.onap.aai @@ -139,8 +137,13 @@ limitations under the License. org.onap.aai.event-client event-client-kafka + + org.apache.httpcomponents + httpcore + + com.thinkaurelius.titan titan-cassandra @@ -216,6 +219,7 @@ limitations under the License. + com.thinkaurelius.titan titan-hbase diff --git a/champ-service/pom.xml b/champ-service/pom.xml index 77e4680..2738dc5 100644 --- a/champ-service/pom.xml +++ b/champ-service/pom.xml @@ -67,6 +67,10 @@ limitations under the License. org.springframework.boot spring-boot-starter-tomcat + + ch.qos.logback + logback-classic + @@ -87,7 +91,6 @@ limitations under the License. provided - org.json json @@ -144,24 +147,6 @@ limitations under the License. 3.7 - - org.apache.httpcomponents - httpclient - 4.5.5 - - - - org.apache.httpcomponents - httpclient-cache - 4.5.5 - - - commons-logging - commons-logging - - - - org.onap.aai champ-core @@ -172,10 +157,6 @@ limitations under the License. org.apache.hbase hbase-client - - org.apache.httpcomponents - httpclient - log4j log4j 
@@ -203,6 +184,46 @@ limitations under the License. 1.5.0 test + + + ch.qos.logback + logback-classic + 1.2.3 + + + + ch.qos.logback + logback-core + 1.2.3 + + + + org.onap.dmaap.messagerouter.dmaapclient + dmaapClient + 1.1.5 + + + org.apache.httpcomponents + httpclient + + + org.apache.httpcomponents + httpclient-cache + + + + + + org.apache.httpcomponents + httpclient + 4.5.3 + + + + org.apache.httpcomponents + httpclient-cache + 4.5.3 + @@ -334,27 +355,6 @@ limitations under the License. true - - - org.jacoco - jacoco-maven-plugin - 0.7.9 - - - default-prepare-agent - - prepare-agent - - - - default-report - prepare-package - - report - - - - diff --git a/pom.xml b/pom.xml index 8b05b02..e829737 100755 --- a/pom.xml +++ b/pom.xml @@ -30,6 +30,7 @@ limitations under the License. https://nexus.onap.org + 1.2.1 @@ -39,6 +40,94 @@ limitations under the License. champ-service + + + + org.onap.aai.event-client + event-client-api + ${event.client.version} + + + + org.onap.aai.event-client + event-client-api + ${event.client.version} + + + + org.onap.aai.event-client + event-client-dmaap + ${event.client.version} + + + + org.onap.aai.event-client + event-client-kafka + ${event.client.version} + + + + commons-collections + commons-collections + 20040616 + + + + ch.qos.logback + logback-classic + 1.2.3 + + + + ch.qos.logback + logback-core + 1.2.3 + + + + org.apache.hadoop + hadoop-common + 2.7.6 + + + + org.apache.hbase + hbase-client + 1.0.2 + + + + org.onap.dmaap.messagerouter.dmaapclient + dmaapClient + 1.1.5 + + + + io.netty + netty-all + 4.1.24.Final + + + + io.netty + netty + 3.10.6.Final + + + + org.apache.zookeeper + zookeeper + 3.4.12 + + + + com.fasterxml.jackson.core + jackson-core + 2.8.11 + + + + ecomp-releases -- 2.16.6
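Review bot: The `httpclient` and `httpclient-cache` entries added at the end of the `@@ -203,6 +184,46 @@` hunk of champ-service/pom.xml are pinned to `4.5.3`, but the `@@ -144,24 +147,6 @@` hunk of the same file removes those two artifacts at `4.5.5`, so a commit titled as a security fix moves them backwards. The commit message explains the version choice only for hbase-client; if 4.5.3 is deliberate, say why in a comment next to the pin (for example `<!-- held at 4.5.3: REASON -->`), otherwise keep `<version>4.5.5</version>`. The re-added `httpclient-cache` entry also appears to lose the `commons-logging` exclusion the removed one carried, which may put commons-logging back on the classpath next to logback. The `1.2.3` and `1.1.5` literals for logback and dmaapClient repeat what the root `dependencyManagement` now declares; whether champ-service inherits from that pom is not visible here, but if it does the local versions can go so the pins cannot drift apart.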
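Review bot: The `commons-collections` entry in the new `dependencyManagement` block (root pom.xml, `@@ -39,6 +40,94 @@`) is pinned to `20040616`, which as far as I know is a date-stamped release from 2004 rather than an upgrade; it sorts numerically above the 3.x line but predates 3.2.2, the release that disabled deserialization of the unsafe functor classes by default. Because a managed version overrides whatever the transitive dependencies ask for, this pin would force the old code onto every module; `<version>3.2.2</version>` is the pin I would expect here, confirmed with `mvn dependency:tree`. The same block also lists `event-client-api` twice, which Maven reports as a duplicate declaration, so one of the two entries should be removed.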