From cda3760468b529e92c2d3cb2812b38c193619f07 Mon Sep 17 00:00:00 2001
From: Kaushal Kumar
Date: Thu, 20 Oct 2022 16:54:40 -0700
Subject: [PATCH] Address CVE-2022-42003 (#312)
* address jackson-databind cve
Signed-off-by: Kaushal Kumar
* upgrade protobuf-java
Signed-off-by: Kaushal Kumar
Signed-off-by: Kaushal Kumar
Co-authored-by: Kaushal Kumar
---
 build.gradle | 4 ++--
 licenses/jackson-databind-2.13.4.2.jar.sha1 | 1 +
 licenses/jackson-databind-2.13.4.jar.sha1 | 1 -
 licenses/performanceanalyzer-rca-2.4.0.0-SNAPSHOT.jar.sha1 | 2 +-
 licenses/protobuf-java-3.19.2.jar.sha1 | 1 -
 licenses/protobuf-java-3.21.8.jar.sha1 | 1 +
 6 files changed, 5 insertions(+), 5 deletions(-)
 create mode 100644 licenses/jackson-databind-2.13.4.2.jar.sha1
 delete mode 100644 licenses/jackson-databind-2.13.4.jar.sha1
 delete mode 100644 licenses/protobuf-java-3.19.2.jar.sha1
 create mode 100644 licenses/protobuf-java-3.21.8.jar.sha1
diff --git a/build.gradle b/build.gradle
index de964dc1..d27723b0 100644
--- a/build.gradle
+++ b/build.gradle
@@ -240,7 +240,7 @@ checkstyleTest.enabled = false
 dependencies {
 def jacksonVersion = "2.13.4"
- def jacksonDataBindVersion = "2.13.4"
+ def jacksonDataBindVersion = "2.13.4.2"
 def nettyVersion = "4.1.79.Final"
 configurations {
@@ -281,7 +281,7 @@ dependencies {
 implementation(group: 'com.google.errorprone', name: 'error_prone_annotations', version: '2.9.0') {
 force = 'true'
 }
- implementation(group: 'com.google.protobuf', name:'protobuf-java', version: '3.19.2') {
+ implementation(group: 'com.google.protobuf', name:'protobuf-java', version: '3.21.8') {
 force = 'true'
 }
 implementation("io.netty:netty-buffer:${nettyVersion}") {
diff --git a/licenses/jackson-databind-2.13.4.2.jar.sha1 b/licenses/jackson-databind-2.13.4.2.jar.sha1
new file mode 100644
index 00000000..a7782e8a
--- /dev/null
+++ b/licenses/jackson-databind-2.13.4.2.jar.sha1
@@ -0,0 +1 @@
+325c06bdfeb628cfb80ebaaf1a26cc1eb558a585
\ No newline at end of file
diff --git a/licenses/jackson-databind-2.13.4.jar.sha1 b/licenses/jackson-databind-2.13.4.jar.sha1
deleted file mode 100644
index fcc6491d..00000000
--- a/licenses/jackson-databind-2.13.4.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-98b0edfa8e4084078f10b7b356c300ded4a71491
\ No newline at end of file
diff --git a/licenses/performanceanalyzer-rca-2.4.0.0-SNAPSHOT.jar.sha1 b/licenses/performanceanalyzer-rca-2.4.0.0-SNAPSHOT.jar.sha1
index d0dffef4..9e3e8b89 100644
--- a/licenses/performanceanalyzer-rca-2.4.0.0-SNAPSHOT.jar.sha1
+++ b/licenses/performanceanalyzer-rca-2.4.0.0-SNAPSHOT.jar.sha1
@@ -1 +1 @@
-b094cbaa8ddb1d30573c98115754a5928cb03327
\ No newline at end of file
+8c5cb2ca38982c8d45e3dca9033d44687b9cb798
\ No newline at end of file
diff --git a/licenses/protobuf-java-3.19.2.jar.sha1 b/licenses/protobuf-java-3.19.2.jar.sha1
deleted file mode 100644
index 0aeaa9ed..00000000
--- a/licenses/protobuf-java-3.19.2.jar.sha1
+++ /dev/null
@@ -1 +0,0 @@
-e958ce38f96b612d3819ff1c753d4d70609aea74
\ No newline at end of file
diff --git a/licenses/protobuf-java-3.21.8.jar.sha1 b/licenses/protobuf-java-3.21.8.jar.sha1
new file mode 100644
index 00000000..703c149a
--- /dev/null
+++ b/licenses/protobuf-java-3.21.8.jar.sha1
@@ -0,0 +1 @@
+2a1eebb74b844d9ccdf1d22eb2f57cec709698a9
\ No newline at end of file