From d6183bc3224526e9355a6bab1333b0a98543f6a7 Mon Sep 17 00:00:00 2001
From: Shashank Patidar
Date: Sat, 20 Nov 2021 11:15:42 +0530
Subject: [PATCH 1/2] fix vulnerabilities
---
 otel-extensions/build.gradle.kts | 4 ++++
 shaded-protobuf-java-util/build.gradle.kts | 4 ++++
 testing-bootstrap/build.gradle.kts | 4 +++-
 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/otel-extensions/build.gradle.kts b/otel-extensions/build.gradle.kts
index 813c0099c..b6f17348c 100644
--- a/otel-extensions/build.gradle.kts
+++ b/otel-extensions/build.gradle.kts
@@ -46,6 +46,10 @@ dependencies {
 api("com.google.protobuf:protobuf-java-util")
 // convert yaml to json, since java protobuf impl supports only json
 implementation("com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.11.3")
+ // fix vulnerability
+ constraints {
+ api("com.google.code.gson:gson:2.8.9")
+ }
 testImplementation("io.opentelemetry:opentelemetry-sdk-extension-autoconfigure:${versions["opentelemetry"]}-alpha")
 testImplementation("io.opentelemetry:opentelemetry-sdk:${versions["opentelemetry"]}")
diff --git a/shaded-protobuf-java-util/build.gradle.kts b/shaded-protobuf-java-util/build.gradle.kts
index 282bf049d..2c7617f91 100644
--- a/shaded-protobuf-java-util/build.gradle.kts
+++ b/shaded-protobuf-java-util/build.gradle.kts
@@ -8,6 +8,10 @@ dependencies {
 exclude("com.google.protobuf", "protobuf-java")
 exclude("com.google.guava", "guava")
 }
+ // fix vulnerability
+ constraints {
+ implementation("com.google.code.gson:gson:2.8.9")
+ }
 }
 tasks.shadowJar {
diff --git a/testing-bootstrap/build.gradle.kts b/testing-bootstrap/build.gradle.kts
index 166c1ed63..3724acbbd 100644
--- a/testing-bootstrap/build.gradle.kts
+++ b/testing-bootstrap/build.gradle.kts
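Review bot: The added comment `// fix vulnerability` above the `constraints` block in otel-extensions/build.gradle.kts names neither the advisory nor the dependency that brings gson in, so nobody can later tell whether the pin is still needed. gson is not declared directly in this hunk and presumably arrives transitively through `protobuf-java-util` a few lines up; I would write `// gson comes in via protobuf-java-util; floor at 2.8.9 for [ADVISORY-ID placeholder], remove once upstream requires it`. A plain constraint only raises the resolved version, and a higher request elsewhere still wins, which is the behaviour wanted here. The same comment and the same literal `2.8.9` are repeated in shaded-protobuf-java-util/build.gradle.kts, so this applies there as well, and a single shared version entry would keep the two from drifting. The `dependencies` block starts and ends outside the hunk.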
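Review bot: In shaded-protobuf-java-util the `implementation` constraint most likely decides which gson classes are copied into the shaded jar, since the visible `exclude` lines drop only protobuf-java and guava; this assumes shadowJar packages the runtime classpath, which the hunk does not show. Consumers cannot override a bundled version, and scanners that read declared coordinates may not see it, so the result should be confirmed with `./gradlew :shaded-protobuf-java-util:dependencyInsight --dependency gson --configuration runtimeClasspath` before the finding is closed. A comment such as `// bundled into the shaded jar: bump here on every gson advisory` would make that ownership explicit. The `tasks.shadowJar` block begins at the end of the hunk and continues outside it.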
@@ -16,7 +16,9 @@ dependencies {
 implementation(project(":javaagent-core"))
 implementation(project(":filter-api"))
- implementation("ch.qos.logback:logback-classic:1.2.3")
+ implementation("ch.qos.logback:logback-classic:1.2.3") {
+ exclude("ch.qos.logback:logback-core@1.2.3")
+ }
 implementation("org.slf4j:slf4j-api:${versions["slf4j"]}")
 }
From ef6cb7dd011b3ffeb5de926aebbe729b4777ce15 Mon Sep 17 00:00:00 2001
From: Shashank Patidar
Date: Sat, 20 Nov 2021 11:22:12 +0530
Subject: [PATCH 2/2] fix vulnerabilities
---
 testing-bootstrap/build.gradle.kts | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/testing-bootstrap/build.gradle.kts b/testing-bootstrap/build.gradle.kts
index 3724acbbd..11feaec4b 100644
--- a/testing-bootstrap/build.gradle.kts
+++ b/testing-bootstrap/build.gradle.kts
@@ -16,9 +16,7 @@ dependencies {
 implementation(project(":javaagent-core"))
 implementation(project(":filter-api"))
- implementation("ch.qos.logback:logback-classic:1.2.3") {
- exclude("ch.qos.logback:logback-core@1.2.3")
- }
+ implementation("ch.qos.logback:logback-classic:1.2.7")
 implementation("org.slf4j:slf4j-api:${versions["slf4j"]}")
 }