Issues #5002, #4979, #4463, #4464, #4465, #4466 - Update several library dependencies to address reported CVEs.

core/build.gradle

@@ -77,12 +77,10 @@ dependencies {
         'com.jcraft:jsch.agentproxy.usocket-nc:0.0.9',
         'com.jcraft:jsch.agentproxy.connector-factory:0.0.9',
         'com.jcraft:jsch.agentproxy.core:0.0.9',
-        'com.fasterxml.jackson.core:jackson-databind:2.8.11.2',
-        'com.fasterxml.jackson.core:jackson-core:2.8.11',
-        'com.fasterxml.jackson.core:jackson-annotations:2.8.0',
+        "com.fasterxml.jackson.core:jackson-databind:${jacksonDatabindVersion}",
         'org.yaml:snakeyaml:1.17',
-        'com.squareup.retrofit2:retrofit:2.2.0',
-        'com.squareup.retrofit2:converter-jackson:2.2.0'
+        'com.squareup.retrofit2:retrofit:2.6.0',
+        'com.squareup.retrofit2:converter-jackson:2.6.0'
 
 
     compile ('commons-httpclient:commons-httpclient:3.0.1') {
@@ -94,7 +92,7 @@ dependencies {
 
     testCompile "org.codehaus.groovy:groovy-all:${groovyVersion}"
     testCompile "org.spockframework:spock-core:0.7-groovy-2.0"
-    testCompile "com.squareup.retrofit2:retrofit-mock:2.2.0"
+    testCompile "com.squareup.retrofit2:retrofit-mock:2.6.0"
     testCompile "cglib:cglib-nodep:2.2.2"
 
 }
@@ -135,7 +133,7 @@ jar.doFirst {
     manifest {
         attributes 'Rundeck-Version': version,
                    'Rundeck-Tools-Dependencies': configurations.runtime.files.collect { "$it.name" }.join(" ")
-                   
+
     }
 }
 
@@ -356,4 +354,4 @@ bintray {
             }
         }
     }
-}
+}

gradle.properties

@@ -13,18 +13,25 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
-
 #####################################################################
 # Rundeck Build Properties
 #####################################################################
-
-group = org.rundeck
-currentVersion = 3.1.0
-grailsVersion = 3.3.8
+group=org.rundeck
+currentVersion=3.1.0
+grailsVersion=3.3.8
 gormVersion=6.1.10.RELEASE
 hibernateVersion=5.1.13.Final
 gradleWrapperVersion=3.5
-groovyVersion = 2.4.15
-jettyVersion=9.4.11.v20180605
-mavenCentralUrl = http://repo1.maven.org/maven2/
-grailsCentralUrl = http://grails.org/plugins
+groovyVersion=2.4.15
+mavenCentralUrl=http://repo1.maven.org/maven2/
+grailsCentralUrl=http://grails.org/plugins
+jacksonDatabindVersion=2.9.9.1
+#
+# Override of spring-boot dependencies versions.
+# available properties at:
+# https://github.com/spring-projects/spring-boot/blob/1.5.x/spring-boot-dependencies/pom.xml
+#
+jackson.version=2.9.9
+logback.version=1.2.3
+spring-security.version=4.2.13.RELEASE
+#jetty.version=9.4.11.v20180605

rundeck-storage/build.gradle

@@ -184,8 +184,7 @@ project(':rundeck-storage:rundeck-storage-conf') {
 project(':rundeck-storage:rundeck-storage-filesys') {
     dependencies {
         compile project(':rundeck-storage:rundeck-storage-data')
-        compile "com.fasterxml.jackson.core:jackson-core:2.8.11"
-        compile "com.fasterxml.jackson.core:jackson-databind:2.8.11.2"
+        compile "com.fasterxml.jackson.core:jackson-databind:${jacksonDatabindVersion}"
     }
 
     bintray {

rundeckapp/build.gradle

@@ -46,8 +46,6 @@ repositories {
     flatDir dirs: "$rootDir/locallib"
 }
 
-def springBootVersion = "1.5.12.RELEASE"
-//ext['jackson.version'] = '2.8.11'
 
 dependencies {
 
@@ -94,6 +92,7 @@ dependencies {
     compile 'org.grails.plugins:external-config:1.1.2'
     compile 'commons-fileupload:commons-fileupload:1.3.3'
 
+
     // Grails Plugins.
     //compile 'org.grails:grails-plugin-filters:3.0.17'
 
@@ -128,9 +127,12 @@ dependencies {
     compile "org.grails.plugins:events"
     compile "org.grails.plugins:gsp"
     compile "com.google.code.gson:gson:2.8.2"
-    compile "org.eclipse.jetty:jetty-jaas:${jettyVersion}"
-    compile "org.eclipse.jetty:jetty-util:${jettyVersion}"
-    compile "org.eclipse.jetty:jetty-security:${jettyVersion}"
+    compile "com.fasterxml.jackson.core:jackson-databind:${jacksonDatabindVersion}"
+    compile "com.fasterxml.jackson.core:jackson-core"
+    compile "com.fasterxml.jackson.core:jackson-annotations"
+    compile "org.eclipse.jetty:jetty-jaas"
+    compile "org.eclipse.jetty:jetty-util"
+    compile "org.eclipse.jetty:jetty-security"
     compile 'org.grails.plugins:spring-security-core:3.2.3'
     compile 'org.kohsuke:libpam4j:1.10'
     compile 'ca.juliusdavies:not-yet-commons-ssl:0.3.17'
@@ -140,13 +142,13 @@ dependencies {
     profile "org.grails.profiles:web"
 //    runtime "org.springframework:spring-test:5.0.3.RELEASE"
     runtime "org.glassfish.web:el-impl:2.1.2-b03"
-    runtime "com.h2database:h2:1.4.197"
+    runtime "com.h2database:h2:1.4.199"
 
     // Database drivers
     runtime 'mysql:mysql-connector-java:5.1.47'
     runtime 'com.microsoft.sqlserver:mssql-jdbc:6.4.0.jre8'
     runtime 'org.mariadb.jdbc:mariadb-java-client:1.7.4'
-    runtime 'org.postgresql:postgresql:42.2.2'
+    runtime 'org.postgresql:postgresql:42.2.6'
     runtime 'org.rundeck.hibernate:rundeck-oracle-dialect:1.0.0'