NIFI-12276 Addressed Dependency Check Findings for support branch

minifi/pom.xml

@@ -455,6 +455,18 @@ limitations under the License.
                 <artifactId>guava</artifactId>
                 <version>32.1.2-jre</version>
             </dependency>
+
+            <!-- Override Commons Compiler 3.1.9 from calcite-core -->
+            <dependency>
+                <groupId>org.codehaus.janino</groupId>
+                <artifactId>commons-compiler</artifactId>
+                <version>3.1.10</version>
+            </dependency>
+            <dependency>
+                <groupId>org.codehaus.janino</groupId>
+                <artifactId>janino</artifactId>
+                <version>3.1.10</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 </project>

nifi-commons/nifi-property-protection-azure/pom.xml

@@ -26,7 +26,7 @@
             <dependency>
                 <groupId>com.azure</groupId>
                 <artifactId>azure-sdk-bom</artifactId>
-                <version>1.2.16</version>
+                <version>1.2.17</version>
                 <scope>import</scope>
                 <type>pom</type>
             </dependency>

nifi-commons/nifi-property-protection-gcp/pom.xml

@@ -22,7 +22,7 @@
     </parent>
     <artifactId>nifi-property-protection-gcp</artifactId>
     <properties>
-        <gcp.sdk.version>26.17.0</gcp.sdk.version>
+        <gcp.sdk.version>26.25.0</gcp.sdk.version>
         <guava.version>32.1.2-jre</guava.version>
     </properties>
     <dependencyManagement>

nifi-dependency-check-maven/suppressions.xml

@@ -259,4 +259,269 @@
         <packageUrl regex="true">^pkg:maven/io\.netty/netty.*?@.*$</packageUrl>
         <cve>CVE-2022-41915</cve>
     </suppress>
+    <suppress>
+        <notes>CVE-2023-34462 applies to Netty servers using SniHandler not Netty 4.1 shaded for Couchbase and HBase 2</notes>
+        <packageUrl regex="true">^pkg:maven/io\.netty/netty.*$</packageUrl>
+        <cve>CVE-2023-34462</cve>
+    </suppress>
+    <suppress>
+        <notes>The Square Wire framework is not the same as the Wire secure communication application</notes>
+        <packageUrl regex="true">^pkg:maven/com\.squareup\.wire/.*$</packageUrl>
+        <cpe>cpe:/a:wire:wire</cpe>
+    </suppress>
+    <suppress>
+        <notes>CVE-2023-44487 applies to Solr Server not Solr client libraries</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.solr/solr\-solrj@.*$</packageUrl>
+        <cve>CVE-2023-44487</cve>
+    </suppress>
+    <suppress>
+        <notes>Quartz maintainers dispute CVE-2023-39017 because it requires code injection from external users</notes>
+        <packageUrl regex="true">^pkg:maven/org\.quartz\-scheduler/quartz@.*$</packageUrl>
+        <cve>CVE-2023-39017</cve>
+    </suppress>
+    <suppress>
+        <notes>Avro project vulnerabilities do not apply to Parquet Avro</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.parquet/parquet\-avro@.*$</packageUrl>
+        <cpe>cpe:/a:avro_project:avro</cpe>
+    </suppress>
+    <suppress>
+        <notes>CVE-2023-4759 is resolved in 6.7.0 which is already upgraded in nifi-registry</notes>
+        <packageUrl regex="true">^pkg:maven/org\.eclipse\.jgit/.*$</packageUrl>
+        <cve>CVE-2023-4759</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2023-4586 is resolved in Netty 4.1.100 which is already upgraded</notes>
+        <packageUrl regex="true">^pkg:maven/io\.netty/netty.*$</packageUrl>
+        <cve>CVE-2023-4586</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2023-35887 applies to MINA SSHD not MINA core libraries</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.mina/mina\-core@.*$</packageUrl>
+        <cve>CVE-2023-35887</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2016-5397 applies to Apache Thrift Go not Java</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
+        <cve>CVE-2016-5397</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2019-0210 applies to Apache Thrift Go server not Java</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
+        <cve>CVE-2019-0210</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2018-11798 applies Apache Thrift Node.js not Java</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libthrift@.*$</packageUrl>
+        <cve>CVE-2018-11798</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2019-11939 applies to Thrift Servers in Go not Java</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
+        <cve>CVE-2019-11939</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2019-3552 applies to Thrift Servers in CPP not Java</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
+        <cve>CVE-2019-3552</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2019-3553 applies to Thrift Servers in CPP not Java</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
+        <cve>CVE-2019-3553</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2019-3558 applies to Thrift Servers in Python not Java</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
+        <cve>CVE-2019-3558</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2019-3564 applies to Thrift Servers in Go not Java</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
+        <cve>CVE-2019-3564</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2019-3565 applies to Thrift Servers in CPP not Java</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
+        <cve>CVE-2019-3565</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2021-24028 applies to Facebook Thrift CPP</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
+        <cve>CVE-2021-24028</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2019-11938 applies to Facebook Thrift Servers</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
+        <cve>CVE-2019-11938</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2019-3559 applies to Facebook Thrift Servers</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.thrift/libfb303@.*$</packageUrl>
+        <cve>CVE-2019-3559</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2023-36479 was resolved in Jetty 10.0.16</notes>
+        <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\-servlets@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-36479</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>The jetty-servlet-api is versioned according to the Java Servlet API version not the Jetty version</notes>
+        <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty\.toolchain/jetty\-servlet\-api@.*$</packageUrl>
+        <cpe>cpe:/a:eclipse:jetty</cpe>
+    </suppress>
+    <suppress>
+        <notes>CVE-2023-31419 applies to Elasticsearch Server not client libraries</notes>
+        <packageUrl regex="true">^pkg:maven/org\.elasticsearch/elasticsearch@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-31419</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>CVE-2023-37475 applies to Hamba Avro in Go not Apache Avro for Java</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.avro/.*$</packageUrl>
+        <cve>CVE-2023-37475</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2023-45860 is resolved in Hazelcast 5.3.5</notes>
+        <packageUrl regex="true">^pkg:maven/com\.hazelcast/hazelcast@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-45860</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>CVE-2023-36414 applies to Azure Identity for .NET not Java</notes>
+        <packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@.*$</packageUrl>
+        <cve>CVE-2023-36414</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2023-36415 applies to Azure Identity for Python not Java</notes>
+        <packageUrl regex="true">^pkg:maven/com\.azure/azure\-identity@.*$</packageUrl>
+        <cve>CVE-2023-36415</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2020-13949 applies to Thrift and not to Hive</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.hive.*$</packageUrl>
+        <cve>CVE-2020-13949</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2023-44487 applies to netty-codec-http2 as a Server</notes>
+        <packageUrl regex="true">^pkg:maven/io\.netty/netty.*$</packageUrl>
+        <cve>CVE-2023-44487</cve>
+    </suppress>
+    <suppress>
+        <notes>Parquet MR vulnerabilities do not apply to other Parquet libraries</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.parquet/parquet\-(?!mr).*$</packageUrl>
+        <cpe>cpe:/a:apache:parquet-mr</cpe>
+    </suppress>
+    <suppress>
+        <notes>Apache Hadoop vulnerabilities do not apply to Parquet Hadoop Bundle library</notes>
+        <packageUrl regex="true">^pkg:maven/org\.apache\.parquet/parquet\-hadoop\-bundle@.*$</packageUrl>
+        <cpe>cpe:/a:apache:hadoop</cpe>
+    </suppress>
+    <suppress>
+        <notes>CVE-2017-7525 applies to Jackson 2 not Jackson 1</notes>
+        <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@.*$</packageUrl>
+        <vulnerabilityName>CVE-2017-7525</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>CVE-2019-11358 applies to bundled copies of jQuery not used in the project</notes>
+        <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
+        <cve>CVE-2019-11358</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2020-11022 applies to bundled copies of jQuery not used in the project</notes>
+        <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
+        <cve>CVE-2020-11022</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2020-11023 applies to bundled copies of jQuery not used in the project</notes>
+        <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
+        <cve>CVE-2020-11023</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2020-23064 applies to bundled copies of jQuery not used in the project</notes>
+        <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
+        <cve>CVE-2020-23064</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2011-4969 applies to bundled copies of jQUery not used in the project</notes>
+        <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
+        <cve>CVE-2011-4969</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2012-6708 applies to bundled copies of jQUery not used in the project</notes>
+        <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
+        <cve>CVE-2012-6708</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2015-9251 applies to bundled copies of jQUery not used in the project</notes>
+        <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
+        <cve>CVE-2015-9251</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2020-7656 applies to bundled copies of jQUery not used in the project</notes>
+        <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
+        <cve>CVE-2020-7656</cve>
+    </suppress>
+    <suppress>
+        <notes>jQuery vulnerability warning for historical versions</notes>
+        <packageUrl regex="true">^pkg:javascript/jquery@.*$</packageUrl>
+        <vulnerabilityName>jQuery 1.x and 2.x are End-of-Life and no longer receiving security updates</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>CVE-2020-28458 applies to bundled copies of jQuery datatables not used in the project</notes>
+        <packageUrl regex="true">^pkg:javascript/jquery\.datatables@.*$</packageUrl>
+        <cve>CVE-2020-28458</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2021-23445 applies to bundled copies of jQuery datatables not used in the project</notes>
+        <packageUrl regex="true">^pkg:javascript/jquery\.datatables@.*$</packageUrl>
+        <cve>CVE-2021-23445</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2023-44487 references gRPC for Go</notes>
+        <packageUrl regex="true">^pkg:maven/io\.grpc/grpc.*$</packageUrl>
+        <cve>CVE-2023-44487</cve>
+    </suppress>
+    <suppress>
+        <notes>Guava temporary directory file creation is not used</notes>
+        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
+        <cve>CVE-2023-2976</cve>
+    </suppress>
+    <suppress>
+        <notes>Guava temporary directory file creation is not used</notes>
+        <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
+        <cve>CVE-2020-8908</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2021-44521 applies to Apache Cassandra Server</notes>
+        <packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-extras@.*$</packageUrl>
+        <cve>CVE-2021-44521</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2020-17516 applies to Apache Cassandra Server</notes>
+        <packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-extras@.*$</packageUrl>
+        <cve>CVE-2020-17516</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2019-2684 applies to Apache Cassandra Server</notes>
+        <packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-extras@.*$</packageUrl>
+        <cve>CVE-2019-2684</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2020-13946 applies to Apache Cassandra Server</notes>
+        <packageUrl regex="true">^pkg:maven/com\.datastax\.cassandra/cassandra\-driver\-extras@.*$</packageUrl>
+        <cve>CVE-2020-13946</cve>
+    </suppress>
+    <suppress>
+        <notes>CVE-2019-10172 applies to Jackson 1 XmlMapper not JSON mapper used in Ranger plugins</notes>
+        <packageUrl regex="true">^pkg:maven/org\.codehaus\.jackson/jackson\-mapper\-asl@.*$</packageUrl>
+        <cve>CVE-2019-10172</cve>
+    </suppress>
+    <suppress>
+        <notes>Bundled versions of jQuery DataTables are not used</notes>
+        <packageUrl regex="true">^pkg:javascript/jquery\.datatables@.*$</packageUrl>
+        <vulnerabilityName>prototype pollution</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes>Bundled versions of jQuery DataTables are not used</notes>
+        <packageUrl regex="true">^pkg:javascript/jquery\.datatables@.*$</packageUrl>
+        <vulnerabilityName>possible XSS</vulnerabilityName>
+    </suppress>
 </suppressions>

nifi-nar-bundles/nifi-accumulo-bundle/pom.xml

@@ -59,18 +59,6 @@
                 <artifactId>hadoop-client-runtime</artifactId>
                 <version>${hadoop.version}</version>
             </dependency>
-            <!-- Override ZooKeeper from accumulo-core -->
-            <dependency>
-                <groupId>org.apache.zookeeper</groupId>
-                <artifactId>zookeeper</artifactId>
-                <version>${zookeeper.version}</version>
-                <exclusions>
-                    <exclusion>
-                        <groupId>ch.qos.logback</groupId>
-                        <artifactId>logback-classic</artifactId>
-                    </exclusion>
-                </exclusions>
-            </dependency>
             <!-- Override commons-configuration2:2.5 from accumulo-core -->
             <dependency>
                 <groupId>org.apache.commons</groupId>

nifi-nar-bundles/nifi-asana-bundle/pom.xml

@@ -72,6 +72,12 @@
                     </exclusion>
                 </exclusions>
             </dependency>
+            <!-- Override grpc-context from Asana -->
+            <dependency>
+                <groupId>io.grpc</groupId>
+                <artifactId>grpc-context</artifactId>
+                <version>1.59.0</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 </project>

nifi-nar-bundles/nifi-atlas-bundle/pom.xml

@@ -117,6 +117,12 @@
                 <artifactId>guava</artifactId>
                 <version>${guava.version}</version>
             </dependency>
+            <!-- Override Jettison from Atlas -->
+            <dependency>
+                <groupId>org.codehaus.jettison</groupId>
+                <artifactId>jettison</artifactId>
+                <version>1.5.4</version>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 </project>

nifi-nar-bundles/nifi-azure-bundle/pom.xml

@@ -27,7 +27,7 @@
 
     <properties>
         <microsoft.azure-storage.version>8.6.6</microsoft.azure-storage.version>
-        <azure.sdk.bom.version>1.2.16</azure.sdk.bom.version>
+        <azure.sdk.bom.version>1.2.17</azure.sdk.bom.version>
         <msal4j.version>1.13.10</msal4j.version>
         <qpid.proton.version>0.34.1</qpid.proton.version>
     </properties>

nifi-nar-bundles/nifi-box-bundle/pom.xml

@@ -33,4 +33,15 @@
         <module>nifi-box-services-api</module>
         <module>nifi-box-services-nar</module>
     </modules>
+
+    <dependencyManagement>
+        <dependencies>
+            <!-- Override jose4j 0.9.0 from box-java-sdk -->
+            <dependency>
+                <groupId>org.bitbucket.b_c</groupId>
+                <artifactId>jose4j</artifactId>
+                <version>0.9.3</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
 </project>

nifi-nar-bundles/nifi-framework-bundle/pom.xml

@@ -461,11 +461,6 @@
                 <artifactId>metrics-core</artifactId>
                 <version>4.2.19</version>
             </dependency>
-            <dependency>
-                <groupId>org.apache.zookeeper</groupId>
-                <artifactId>zookeeper</artifactId>
-                <version>${zookeeper.version}</version>
-            </dependency>
             <dependency>
                 <groupId>org.apache.curator</groupId>
                 <artifactId>curator-framework</artifactId>

nifi-nar-bundles/nifi-gcp-bundle/pom.xml

@@ -26,7 +26,7 @@
     <packaging>pom</packaging>
 
     <properties>
-        <google.libraries.version>26.22.0</google.libraries.version>
+        <google.libraries.version>26.25.0</google.libraries.version>
     </properties>
 
     <dependencyManagement>