Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(dependencies): Upgrade net.minidev:json-smart to resolve CVE #891

Merged
merged 1 commit into from
Aug 27, 2021
Merged

chore(dependencies): Upgrade net.minidev:json-smart to resolve CVE #891

merged 1 commit into from
Aug 27, 2021

Conversation

j-sandy
Copy link
Contributor

@j-sandy j-sandy commented Aug 26, 2021

CVE-2021-27568
net.minidev:json-smart is introduced transitively by spring-boot and springframework through com.jayway.jsonpath:json-path, and also by oracle-sdk, azure-client-auth through com.nimbusds:nimbus-jose-jwt. Affected components are clouddriver, echo, front50, gate, halyard, kayenta and orca.

@j-sandy
Copy link
Contributor Author

j-sandy commented Aug 26, 2021

After implementing json-smart cve fix, echo dependency insight:

$.\gradlew echo-web:dI --dependency net.minidev:json-smart --configuration runtimeClasspath

> Task :echo-web:dependencyInsight
net.minidev:json-smart:2.4.1
   variant "runtime" [
      org.gradle.status              = release (not requested)
      org.gradle.usage               = java-runtime
      org.gradle.libraryelements     = jar
      org.gradle.category            = library

      Requested attributes not found in the selected variant:
         org.gradle.dependency.bundling = external
         org.gradle.jvm.version         = 11
   ]
   Selection reasons:
      - By constraint
      - By conflict resolution : between versions 2.4.1 and 2.3

net.minidev:json-smart:2.4.1
\--- io.spinnaker.kork:kork-bom:json-smart-cve-fix-SNAPSHOT
     +--- runtimeClasspath
     +--- project :echo-pubsub-aws
     |    \--- runtimeClasspath
     +--- project :echo-pubsub-google
     |    \--- runtimeClasspath
     +--- project :echo-artifacts
     |    +--- runtimeClasspath
     |    +--- project :echo-pubsub-aws (*)
     |    \--- project :echo-pubsub-google (*)
     +--- project :echo-notifications
     |    +--- runtimeClasspath
     |    \--- project :echo-pubsub-google (*)
     +--- project :echo-scheduler
     |    \--- runtimeClasspath
     +--- project :echo-pubsub-core
     |    +--- runtimeClasspath
     |    +--- project :echo-pubsub-aws (*)
     |    \--- project :echo-pubsub-google (*)
     +--- project :echo-pipelinetriggers
     |    +--- runtimeClasspath
     |    +--- project :echo-notifications (*)
     |    +--- project :echo-scheduler (*)
     |    \--- project :echo-pubsub-core (*)
     +--- project :echo-rest
     |    \--- runtimeClasspath
     +--- project :echo-webhooks
     |    \--- runtimeClasspath
     +--- project :echo-telemetry
     |    \--- runtimeClasspath
     +--- project :echo-core
     |    +--- runtimeClasspath
     |    +--- project :echo-pubsub-aws (*)
     |    +--- project :echo-pubsub-google (*)
     |    +--- project :echo-artifacts (*)
     |    +--- project :echo-notifications (*)
     |    +--- project :echo-scheduler (*)
     |    +--- project :echo-pubsub-core (*)
     |    +--- project :echo-pipelinetriggers (*)
     |    +--- project :echo-rest (*)
     |    +--- project :echo-webhooks (*)
     |    \--- project :echo-telemetry (*)
     +--- project :echo-model
     |    +--- runtimeClasspath
     |    +--- project :echo-pubsub-aws (*)
     |    +--- project :echo-pubsub-google (*)
     |    +--- project :echo-artifacts (*)
     |    +--- project :echo-notifications (*)
     |    +--- project :echo-scheduler (*)
     |    +--- project :echo-pubsub-core (*)
     |    +--- project :echo-pipelinetriggers (*)
     |    +--- project :echo-rest (*)
     |    +--- project :echo-webhooks (*)
     |    +--- project :echo-telemetry (*)
     |    \--- project :echo-core (*)
     \--- project :echo-api
          +--- project :echo-rest (*)
          +--- project :echo-telemetry (*)
          +--- project :echo-core (*)
          \--- project :echo-model (*)

net.minidev:json-smart:2.3 -> 2.4.1
\--- com.jayway.jsonpath:json-path:2.4.0
     +--- project :echo-pipelinetriggers (requested com.jayway.jsonpath:json-path)
     |    +--- runtimeClasspath
     |    +--- project :echo-notifications
     |    |    +--- runtimeClasspath
     |    |    \--- project :echo-pubsub-google
     |    |         \--- runtimeClasspath
     |    +--- project :echo-scheduler
     |    |    \--- runtimeClasspath
     |    \--- project :echo-pubsub-core
     |         +--- runtimeClasspath
     |         +--- project :echo-pubsub-aws
     |         |    \--- runtimeClasspath
     |         \--- project :echo-pubsub-google (*)
     +--- io.spinnaker.kork:kork-bom:json-smart-cve-fix-SNAPSHOT
     |    +--- runtimeClasspath
     |    +--- project :echo-pubsub-aws (*)
     |    +--- project :echo-pubsub-google (*)
     |    +--- project :echo-artifacts
     |    |    +--- runtimeClasspath
     |    |    +--- project :echo-pubsub-aws (*)
     |    |    \--- project :echo-pubsub-google (*)
     |    +--- project :echo-notifications (*)
     |    +--- project :echo-scheduler (*)
     |    +--- project :echo-pubsub-core (*)
     |    +--- project :echo-pipelinetriggers (*)
     |    +--- project :echo-rest
     |    |    \--- runtimeClasspath
     |    +--- project :echo-webhooks
     |    |    \--- runtimeClasspath
     |    +--- project :echo-telemetry
     |    |    \--- runtimeClasspath
     |    +--- project :echo-core
     |    |    +--- runtimeClasspath
     |    |    +--- project :echo-pubsub-aws (*)
     |    |    +--- project :echo-pubsub-google (*)
     |    |    +--- project :echo-artifacts (*)
     |    |    +--- project :echo-notifications (*)
     |    |    +--- project :echo-scheduler (*)
     |    |    +--- project :echo-pubsub-core (*)
     |    |    +--- project :echo-pipelinetriggers (*)
     |    |    +--- project :echo-rest (*)
     |    |    +--- project :echo-webhooks (*)
     |    |    \--- project :echo-telemetry (*)
     |    +--- project :echo-model
     |    |    +--- runtimeClasspath
     |    |    +--- project :echo-pubsub-aws (*)
     |    |    +--- project :echo-pubsub-google (*)
     |    |    +--- project :echo-artifacts (*)
     |    |    +--- project :echo-notifications (*)
     |    |    +--- project :echo-scheduler (*)
     |    |    +--- project :echo-pubsub-core (*)
     |    |    +--- project :echo-pipelinetriggers (*)
     |    |    +--- project :echo-rest (*)
     |    |    +--- project :echo-webhooks (*)
     |    |    +--- project :echo-telemetry (*)
     |    |    \--- project :echo-core (*)
     |    \--- project :echo-api
     |         +--- project :echo-rest (*)
     |         +--- project :echo-telemetry (*)
     |         +--- project :echo-core (*)
     |         \--- project :echo-model (*)
     \--- org.springframework.hateoas:spring-hateoas:1.0.3.RELEASE
          +--- io.spinnaker.kork:kork-bom:json-smart-cve-fix-SNAPSHOT (*)
          \--- org.springframework.data:spring-data-rest-core:3.2.5.RELEASE
               +--- io.spinnaker.kork:kork-bom:json-smart-cve-fix-SNAPSHOT (*)
               \--- org.springframework.data:spring-data-rest-webmvc:3.2.5.RELEASE
                    +--- runtimeClasspath (requested org.springframework.data:spring-data-rest-webmvc)
                    \--- io.spinnaker.kork:kork-bom:json-smart-cve-fix-SNAPSHOT (*)

@j-sandy
Copy link
Contributor Author

j-sandy commented Aug 26, 2021

After implementing json-smart cve fix, clouddriver dependency insight:

$.\gradlew clouddriver-web:dI --dependency net.minidev:json-smart --configuration runtimeClasspath

> Task :clouddriver-web:dependencyInsight
net.minidev:json-smart:2.4.1
   variant "runtime" [
      org.gradle.status                  = release (not requested)
      org.gradle.usage                   = java-runtime
      org.gradle.libraryelements         = jar
      org.gradle.category                = library

      Requested attributes not found in the selected variant:
         org.gradle.dependency.bundling     = external
         org.jetbrains.kotlin.platform.type = jvm
         org.gradle.jvm.version             = 11
   ]
   Selection reasons:
      - By constraint
      - By conflict resolution : between versions 2.4.1 and 2.3

net.minidev:json-smart:2.4.1
\--- io.spinnaker.kork:kork-bom:json-smart-cve-fix-SNAPSHOT
     +--- runtimeClasspath
     +--- project :clouddriver-kubernetes
     |    \--- runtimeClasspath
     +--- project :clouddriver-ecs
     |    \--- runtimeClasspath
     +--- project :clouddriver-lambda
     |    \--- runtimeClasspath
     +--- project :clouddriver-appengine
     |    \--- runtimeClasspath
     +--- project :clouddriver-cloudfoundry
     |    \--- runtimeClasspath
     +--- project :clouddriver-google
     |    \--- runtimeClasspath
     +--- project :clouddriver-artifacts
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-kubernetes (*)
     |    +--- project :clouddriver-ecs (*)
     |    +--- project :clouddriver-lambda (*)
     |    +--- project :clouddriver-appengine (*)
     |    +--- project :clouddriver-cloudfoundry (*)
     |    \--- project :clouddriver-google (*)
     +--- project :clouddriver-elasticsearch
     |    \--- runtimeClasspath
     +--- project :clouddriver-sql-mysql
     |    \--- runtimeClasspath
     +--- project :clouddriver-sql-postgres
     |    \--- runtimeClasspath
     +--- project :cats:cats-sql
     |    +--- project :clouddriver-sql-mysql (*)
     |    \--- project :clouddriver-sql-postgres (*)
     +--- project :clouddriver-sql
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-sql-mysql (*)
     |    +--- project :clouddriver-sql-postgres (*)
     |    \--- project :cats:cats-sql (*)
     +--- project :clouddriver-tencentcloud
     |    \--- runtimeClasspath
     +--- project :clouddriver-titus
     |    \--- runtimeClasspath
     +--- project :clouddriver-aws
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-ecs (*)
     |    +--- project :clouddriver-lambda (*)
     |    \--- project :clouddriver-titus (*)
     +--- project :clouddriver-eureka
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-tencentcloud (*)
     |    +--- project :clouddriver-titus (*)
     |    \--- project :clouddriver-aws (*)
     +--- project :clouddriver-oracle
     |    \--- runtimeClasspath
     +--- project :clouddriver-azure
     |    \--- runtimeClasspath
     +--- project :clouddriver-consul
     |    +--- runtimeClasspath
     |    \--- project :clouddriver-google (*)
     +--- project :clouddriver-huaweicloud
     |    \--- runtimeClasspath
     +--- project :clouddriver-yandex
     |    \--- runtimeClasspath
     +--- project :clouddriver-docker
     |    +--- runtimeClasspath
     |    \--- project :clouddriver-cloudfoundry (*)
     +--- project :clouddriver-core
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-kubernetes (*)
     |    +--- project :clouddriver-ecs (*)
     |    +--- project :clouddriver-lambda (*)
     |    +--- project :clouddriver-appengine (*)
     |    +--- project :clouddriver-cloudfoundry (*)
     |    +--- project :clouddriver-google (*)
     |    +--- project :clouddriver-artifacts (*)
     |    +--- project :clouddriver-elasticsearch (*)
     |    +--- project :cats:cats-sql (*)
     |    +--- project :clouddriver-sql (*)
     |    +--- project :clouddriver-tencentcloud (*)
     |    +--- project :clouddriver-titus (*)
     |    +--- project :clouddriver-aws (*)
     |    +--- project :clouddriver-eureka (*)
     |    +--- project :clouddriver-oracle (*)
     |    +--- project :clouddriver-azure (*)
     |    +--- project :clouddriver-consul (*)
     |    +--- project :clouddriver-huaweicloud (*)
     |    +--- project :clouddriver-yandex (*)
     |    \--- project :clouddriver-docker (*)
     +--- project :clouddriver-security
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-kubernetes (*)
     |    +--- project :clouddriver-ecs (*)
     |    +--- project :clouddriver-lambda (*)
     |    +--- project :clouddriver-appengine (*)
     |    +--- project :clouddriver-cloudfoundry (*)
     |    +--- project :clouddriver-google (*)
     |    +--- project :clouddriver-elasticsearch (*)
     |    +--- project :cats:cats-sql (*)
     |    +--- project :clouddriver-tencentcloud (*)
     |    +--- project :clouddriver-titus (*)
     |    +--- project :clouddriver-aws (*)
     |    +--- project :clouddriver-oracle (*)
     |    +--- project :clouddriver-azure (*)
     |    +--- project :clouddriver-huaweicloud (*)
     |    +--- project :clouddriver-yandex (*)
     |    +--- project :clouddriver-docker (*)
     |    \--- project :clouddriver-core (*)
     +--- project :cats:cats-redis
     |    +--- project :cats:cats-sql (*)
     |    \--- project :clouddriver-core (*)
     +--- project :cats:cats-core
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-kubernetes (*)
     |    +--- project :clouddriver-ecs (*)
     |    +--- project :clouddriver-lambda (*)
     |    +--- project :clouddriver-appengine (*)
     |    +--- project :clouddriver-cloudfoundry (*)
     |    +--- project :clouddriver-google (*)
     |    +--- project :cats:cats-sql (*)
     |    +--- project :clouddriver-sql (*)
     |    +--- project :clouddriver-tencentcloud (*)
     |    +--- project :clouddriver-titus (*)
     |    +--- project :clouddriver-aws (*)
     |    +--- project :clouddriver-eureka (*)
     |    +--- project :clouddriver-oracle (*)
     |    +--- project :clouddriver-azure (*)
     |    +--- project :clouddriver-huaweicloud (*)
     |    +--- project :clouddriver-yandex (*)
     |    +--- project :clouddriver-docker (*)
     |    +--- project :clouddriver-core (*)
     |    +--- project :clouddriver-security (*)
     |    \--- project :cats:cats-redis (*)
     +--- project :clouddriver-api
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-kubernetes (*)
     |    +--- project :clouddriver-ecs (*)
     |    +--- project :clouddriver-lambda (*)
     |    +--- project :clouddriver-appengine (*)
     |    +--- project :clouddriver-cloudfoundry (*)
     |    +--- project :clouddriver-google (*)
     |    +--- project :clouddriver-artifacts (*)
     |    +--- project :clouddriver-elasticsearch (*)
     |    +--- project :cats:cats-sql (*)
     |    +--- project :clouddriver-sql (*)
     |    +--- project :clouddriver-tencentcloud (*)
     |    +--- project :clouddriver-titus (*)
     |    +--- project :clouddriver-aws (*)
     |    +--- project :clouddriver-eureka (*)
     |    +--- project :clouddriver-oracle (*)
     |    +--- project :clouddriver-azure (*)
     |    +--- project :clouddriver-huaweicloud (*)
     |    +--- project :clouddriver-yandex (*)
     |    +--- project :clouddriver-docker (*)
     |    +--- project :clouddriver-core (*)
     |    +--- project :clouddriver-security (*)
     |    +--- project :cats:cats-redis (*)
     |    \--- project :cats:cats-core (*)
     +--- project :clouddriver-google-common
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-appengine (*)
     |    \--- project :clouddriver-google (*)
     +--- project :clouddriver-configserver
     |    +--- runtimeClasspath
     |    \--- project :clouddriver-kubernetes (*)
     +--- project :clouddriver-saga
     |    +--- project :clouddriver-titus (*)
     |    +--- project :clouddriver-aws (*)
     |    \--- project :clouddriver-core (*)
     \--- project :clouddriver-event
          +--- project :clouddriver-sql (*)
          \--- project :clouddriver-saga (*)

net.minidev:json-smart:2.3 -> 2.4.1
\--- com.jayway.jsonpath:json-path:2.4.0
     +--- project :clouddriver-kubernetes (requested com.jayway.jsonpath:json-path:2.3.0)
     |    \--- runtimeClasspath
     +--- io.spinnaker.kork:kork-bom:json-smart-cve-fix-SNAPSHOT
     |    +--- runtimeClasspath
     |    +--- project :clouddriver-kubernetes (*)
     |    +--- project :clouddriver-ecs
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-lambda
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-appengine
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-cloudfoundry
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-google
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-artifacts
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-kubernetes (*)
     |    |    +--- project :clouddriver-ecs (*)
     |    |    +--- project :clouddriver-lambda (*)
     |    |    +--- project :clouddriver-appengine (*)
     |    |    +--- project :clouddriver-cloudfoundry (*)
     |    |    \--- project :clouddriver-google (*)
     |    +--- project :clouddriver-elasticsearch
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-sql-mysql
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-sql-postgres
     |    |    \--- runtimeClasspath
     |    +--- project :cats:cats-sql
     |    |    +--- project :clouddriver-sql-mysql (*)
     |    |    \--- project :clouddriver-sql-postgres (*)
     |    +--- project :clouddriver-sql
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-sql-mysql (*)
     |    |    +--- project :clouddriver-sql-postgres (*)
     |    |    \--- project :cats:cats-sql (*)
     |    +--- project :clouddriver-tencentcloud
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-titus
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-aws
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-ecs (*)
     |    |    +--- project :clouddriver-lambda (*)
     |    |    \--- project :clouddriver-titus (*)
     |    +--- project :clouddriver-eureka
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-tencentcloud (*)
     |    |    +--- project :clouddriver-titus (*)
     |    |    \--- project :clouddriver-aws (*)
     |    +--- project :clouddriver-oracle
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-azure
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-consul
     |    |    +--- runtimeClasspath
     |    |    \--- project :clouddriver-google (*)
     |    +--- project :clouddriver-huaweicloud
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-yandex
     |    |    \--- runtimeClasspath
     |    +--- project :clouddriver-docker
     |    |    +--- runtimeClasspath
     |    |    \--- project :clouddriver-cloudfoundry (*)
     |    +--- project :clouddriver-core
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-kubernetes (*)
     |    |    +--- project :clouddriver-ecs (*)
     |    |    +--- project :clouddriver-lambda (*)
     |    |    +--- project :clouddriver-appengine (*)
     |    |    +--- project :clouddriver-cloudfoundry (*)
     |    |    +--- project :clouddriver-google (*)
     |    |    +--- project :clouddriver-artifacts (*)
     |    |    +--- project :clouddriver-elasticsearch (*)
     |    |    +--- project :cats:cats-sql (*)
     |    |    +--- project :clouddriver-sql (*)
     |    |    +--- project :clouddriver-tencentcloud (*)
     |    |    +--- project :clouddriver-titus (*)
     |    |    +--- project :clouddriver-aws (*)
     |    |    +--- project :clouddriver-eureka (*)
     |    |    +--- project :clouddriver-oracle (*)
     |    |    +--- project :clouddriver-azure (*)
     |    |    +--- project :clouddriver-consul (*)
     |    |    +--- project :clouddriver-huaweicloud (*)
     |    |    +--- project :clouddriver-yandex (*)
     |    |    \--- project :clouddriver-docker (*)
     |    +--- project :clouddriver-security
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-kubernetes (*)
     |    |    +--- project :clouddriver-ecs (*)
     |    |    +--- project :clouddriver-lambda (*)
     |    |    +--- project :clouddriver-appengine (*)
     |    |    +--- project :clouddriver-cloudfoundry (*)
     |    |    +--- project :clouddriver-google (*)
     |    |    +--- project :clouddriver-elasticsearch (*)
     |    |    +--- project :cats:cats-sql (*)
     |    |    +--- project :clouddriver-tencentcloud (*)
     |    |    +--- project :clouddriver-titus (*)
     |    |    +--- project :clouddriver-aws (*)
     |    |    +--- project :clouddriver-oracle (*)
     |    |    +--- project :clouddriver-azure (*)
     |    |    +--- project :clouddriver-huaweicloud (*)
     |    |    +--- project :clouddriver-yandex (*)
     |    |    +--- project :clouddriver-docker (*)
     |    |    \--- project :clouddriver-core (*)
     |    +--- project :cats:cats-redis
     |    |    +--- project :cats:cats-sql (*)
     |    |    \--- project :clouddriver-core (*)
     |    +--- project :cats:cats-core
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-kubernetes (*)
     |    |    +--- project :clouddriver-ecs (*)
     |    |    +--- project :clouddriver-lambda (*)
     |    |    +--- project :clouddriver-appengine (*)
     |    |    +--- project :clouddriver-cloudfoundry (*)
     |    |    +--- project :clouddriver-google (*)
     |    |    +--- project :cats:cats-sql (*)
     |    |    +--- project :clouddriver-sql (*)
     |    |    +--- project :clouddriver-tencentcloud (*)
     |    |    +--- project :clouddriver-titus (*)
     |    |    +--- project :clouddriver-aws (*)
     |    |    +--- project :clouddriver-eureka (*)
     |    |    +--- project :clouddriver-oracle (*)
     |    |    +--- project :clouddriver-azure (*)
     |    |    +--- project :clouddriver-huaweicloud (*)
     |    |    +--- project :clouddriver-yandex (*)
     |    |    +--- project :clouddriver-docker (*)
     |    |    +--- project :clouddriver-core (*)
     |    |    +--- project :clouddriver-security (*)
     |    |    \--- project :cats:cats-redis (*)
     |    +--- project :clouddriver-api
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-kubernetes (*)
     |    |    +--- project :clouddriver-ecs (*)
     |    |    +--- project :clouddriver-lambda (*)
     |    |    +--- project :clouddriver-appengine (*)
     |    |    +--- project :clouddriver-cloudfoundry (*)
     |    |    +--- project :clouddriver-google (*)
     |    |    +--- project :clouddriver-artifacts (*)
     |    |    +--- project :clouddriver-elasticsearch (*)
     |    |    +--- project :cats:cats-sql (*)
     |    |    +--- project :clouddriver-sql (*)
     |    |    +--- project :clouddriver-tencentcloud (*)
     |    |    +--- project :clouddriver-titus (*)
     |    |    +--- project :clouddriver-aws (*)
     |    |    +--- project :clouddriver-eureka (*)
     |    |    +--- project :clouddriver-oracle (*)
     |    |    +--- project :clouddriver-azure (*)
     |    |    +--- project :clouddriver-huaweicloud (*)
     |    |    +--- project :clouddriver-yandex (*)
     |    |    +--- project :clouddriver-docker (*)
     |    |    +--- project :clouddriver-core (*)
     |    |    +--- project :clouddriver-security (*)
     |    |    +--- project :cats:cats-redis (*)
     |    |    \--- project :cats:cats-core (*)
     |    +--- project :clouddriver-google-common
     |    |    +--- runtimeClasspath
     |    |    +--- project :clouddriver-appengine (*)
     |    |    \--- project :clouddriver-google (*)
     |    +--- project :clouddriver-configserver
     |    |    +--- runtimeClasspath
     |    |    \--- project :clouddriver-kubernetes (*)
     |    +--- project :clouddriver-saga
     |    |    +--- project :clouddriver-titus (*)
     |    |    +--- project :clouddriver-aws (*)
     |    |    \--- project :clouddriver-core (*)
     |    \--- project :clouddriver-event
     |         +--- project :clouddriver-sql (*)
     |         \--- project :clouddriver-saga (*)
     \--- org.springframework.boot:spring-boot-starter-test:2.2.5.RELEASE
          +--- project :clouddriver-ecs (requested org.springframework.boot:spring-boot-starter-test) (*)
          \--- io.spinnaker.kork:kork-bom:json-smart-cve-fix-SNAPSHOT (*)

net.minidev:json-smart:[1.3.1,2.3] -> 2.4.1
+--- com.nimbusds:nimbus-jose-jwt:6.5.1
|    +--- com.oracle.oci.sdk:oci-java-sdk-common:1.5.17
|    |    +--- io.spinnaker.kork:kork-bom:json-smart-cve-fix-SNAPSHOT
|    |    |    +--- runtimeClasspath
|    |    |    +--- project :clouddriver-kubernetes
|    |    |    |    \--- runtimeClasspath
|    |    |    +--- project :clouddriver-ecs
|    |    |    |    \--- runtimeClasspath
|    |    |    +--- project :clouddriver-lambda
|    |    |    |    \--- runtimeClasspath
|    |    |    +--- project :clouddriver-appengine
|    |    |    |    \--- runtimeClasspath
|    |    |    +--- project :clouddriver-cloudfoundry
|    |    |    |    \--- runtimeClasspath
|    |    |    +--- project :clouddriver-google
|    |    |    |    \--- runtimeClasspath
|    |    |    +--- project :clouddriver-artifacts
|    |    |    |    +--- runtimeClasspath
|    |    |    |    +--- project :clouddriver-kubernetes (*)
|    |    |    |    +--- project :clouddriver-ecs (*)
|    |    |    |    +--- project :clouddriver-lambda (*)
|    |    |    |    +--- project :clouddriver-appengine (*)
|    |    |    |    +--- project :clouddriver-cloudfoundry (*)
|    |    |    |    \--- project :clouddriver-google (*)
|    |    |    +--- project :clouddriver-elasticsearch
|    |    |    |    \--- runtimeClasspath
|    |    |    +--- project :clouddriver-sql-mysql
|    |    |    |    \--- runtimeClasspath
|    |    |    +--- project :clouddriver-sql-postgres
|    |    |    |    \--- runtimeClasspath
|    |    |    +--- project :cats:cats-sql
|    |    |    |    +--- project :clouddriver-sql-mysql (*)
|    |    |    |    \--- project :clouddriver-sql-postgres (*)
|    |    |    +--- project :clouddriver-sql
|    |    |    |    +--- runtimeClasspath
|    |    |    |    +--- project :clouddriver-sql-mysql (*)
|    |    |    |    +--- project :clouddriver-sql-postgres (*)
|    |    |    |    \--- project :cats:cats-sql (*)
|    |    |    +--- project :clouddriver-tencentcloud
|    |    |    |    \--- runtimeClasspath
|    |    |    +--- project :clouddriver-titus
|    |    |    |    \--- runtimeClasspath
|    |    |    +--- project :clouddriver-aws
|    |    |    |    +--- runtimeClasspath
|    |    |    |    +--- project :clouddriver-ecs (*)
|    |    |    |    +--- project :clouddriver-lambda (*)
|    |    |    |    \--- project :clouddriver-titus (*)
|    |    |    +--- project :clouddriver-eureka
|    |    |    |    +--- runtimeClasspath
|    |    |    |    +--- project :clouddriver-tencentcloud (*)
|    |    |    |    +--- project :clouddriver-titus (*)
|    |    |    |    \--- project :clouddriver-aws (*)
|    |    |    +--- project :clouddriver-oracle
|    |    |    |    \--- runtimeClasspath
|    |    |    +--- project :clouddriver-azure
|    |    |    |    \--- runtimeClasspath
|    |    |    +--- project :clouddriver-consul
|    |    |    |    +--- runtimeClasspath
|    |    |    |    \--- project :clouddriver-google (*)
|    |    |    +--- project :clouddriver-huaweicloud
|    |    |    |    \--- runtimeClasspath
|    |    |    +--- project :clouddriver-yandex
|    |    |    |    \--- runtimeClasspath
|    |    |    +--- project :clouddriver-docker
|    |    |    |    +--- runtimeClasspath
|    |    |    |    \--- project :clouddriver-cloudfoundry (*)
|    |    |    +--- project :clouddriver-core
|    |    |    |    +--- runtimeClasspath
|    |    |    |    +--- project :clouddriver-kubernetes (*)
|    |    |    |    +--- project :clouddriver-ecs (*)
|    |    |    |    +--- project :clouddriver-lambda (*)
|    |    |    |    +--- project :clouddriver-appengine (*)
|    |    |    |    +--- project :clouddriver-cloudfoundry (*)
|    |    |    |    +--- project :clouddriver-google (*)
|    |    |    |    +--- project :clouddriver-artifacts (*)
|    |    |    |    +--- project :clouddriver-elasticsearch (*)
|    |    |    |    +--- project :cats:cats-sql (*)
|    |    |    |    +--- project :clouddriver-sql (*)
|    |    |    |    +--- project :clouddriver-tencentcloud (*)
|    |    |    |    +--- project :clouddriver-titus (*)
|    |    |    |    +--- project :clouddriver-aws (*)
|    |    |    |    +--- project :clouddriver-eureka (*)
|    |    |    |    +--- project :clouddriver-oracle (*)
|    |    |    |    +--- project :clouddriver-azure (*)
|    |    |    |    +--- project :clouddriver-consul (*)
|    |    |    |    +--- project :clouddriver-huaweicloud (*)
|    |    |    |    +--- project :clouddriver-yandex (*)
|    |    |    |    \--- project :clouddriver-docker (*)
|    |    |    +--- project :clouddriver-security
|    |    |    |    +--- runtimeClasspath
|    |    |    |    +--- project :clouddriver-kubernetes (*)
|    |    |    |    +--- project :clouddriver-ecs (*)
|    |    |    |    +--- project :clouddriver-lambda (*)
|    |    |    |    +--- project :clouddriver-appengine (*)
|    |    |    |    +--- project :clouddriver-cloudfoundry (*)
|    |    |    |    +--- project :clouddriver-google (*)
|    |    |    |    +--- project :clouddriver-elasticsearch (*)
|    |    |    |    +--- project :cats:cats-sql (*)
|    |    |    |    +--- project :clouddriver-tencentcloud (*)
|    |    |    |    +--- project :clouddriver-titus (*)
|    |    |    |    +--- project :clouddriver-aws (*)
|    |    |    |    +--- project :clouddriver-oracle (*)
|    |    |    |    +--- project :clouddriver-azure (*)
|    |    |    |    +--- project :clouddriver-huaweicloud (*)
|    |    |    |    +--- project :clouddriver-yandex (*)
|    |    |    |    +--- project :clouddriver-docker (*)
|    |    |    |    \--- project :clouddriver-core (*)
|    |    |    +--- project :cats:cats-redis
|    |    |    |    +--- project :cats:cats-sql (*)
|    |    |    |    \--- project :clouddriver-core (*)
|    |    |    +--- project :cats:cats-core
|    |    |    |    +--- runtimeClasspath
|    |    |    |    +--- project :clouddriver-kubernetes (*)
|    |    |    |    +--- project :clouddriver-ecs (*)
|    |    |    |    +--- project :clouddriver-lambda (*)
|    |    |    |    +--- project :clouddriver-appengine (*)
|    |    |    |    +--- project :clouddriver-cloudfoundry (*)
|    |    |    |    +--- project :clouddriver-google (*)
|    |    |    |    +--- project :cats:cats-sql (*)
|    |    |    |    +--- project :clouddriver-sql (*)
|    |    |    |    +--- project :clouddriver-tencentcloud (*)
|    |    |    |    +--- project :clouddriver-titus (*)
|    |    |    |    +--- project :clouddriver-aws (*)
|    |    |    |    +--- project :clouddriver-eureka (*)
|    |    |    |    +--- project :clouddriver-oracle (*)
|    |    |    |    +--- project :clouddriver-azure (*)
|    |    |    |    +--- project :clouddriver-huaweicloud (*)
|    |    |    |    +--- project :clouddriver-yandex (*)
|    |    |    |    +--- project :clouddriver-docker (*)
|    |    |    |    +--- project :clouddriver-core (*)
|    |    |    |    +--- project :clouddriver-security (*)
|    |    |    |    \--- project :cats:cats-redis (*)
|    |    |    +--- project :clouddriver-api
|    |    |    |    +--- runtimeClasspath
|    |    |    |    +--- project :clouddriver-kubernetes (*)
|    |    |    |    +--- project :clouddriver-ecs (*)
|    |    |    |    +--- project :clouddriver-lambda (*)
|    |    |    |    +--- project :clouddriver-appengine (*)
|    |    |    |    +--- project :clouddriver-cloudfoundry (*)
|    |    |    |    +--- project :clouddriver-google (*)
|    |    |    |    +--- project :clouddriver-artifacts (*)
|    |    |    |    +--- project :clouddriver-elasticsearch (*)
|    |    |    |    +--- project :cats:cats-sql (*)
|    |    |    |    +--- project :clouddriver-sql (*)
|    |    |    |    +--- project :clouddriver-tencentcloud (*)
|    |    |    |    +--- project :clouddriver-titus (*)
|    |    |    |    +--- project :clouddriver-aws (*)
|    |    |    |    +--- project :clouddriver-eureka (*)
|    |    |    |    +--- project :clouddriver-oracle (*)
|    |    |    |    +--- project :clouddriver-azure (*)
|    |    |    |    +--- project :clouddriver-huaweicloud (*)
|    |    |    |    +--- project :clouddriver-yandex (*)
|    |    |    |    +--- project :clouddriver-docker (*)
|    |    |    |    +--- project :clouddriver-core (*)
|    |    |    |    +--- project :clouddriver-security (*)
|    |    |    |    +--- project :cats:cats-redis (*)
|    |    |    |    \--- project :cats:cats-core (*)
|    |    |    +--- project :clouddriver-google-common
|    |    |    |    +--- runtimeClasspath
|    |    |    |    +--- project :clouddriver-appengine (*)
|    |    |    |    \--- project :clouddriver-google (*)
|    |    |    +--- project :clouddriver-configserver
|    |    |    |    +--- runtimeClasspath
|    |    |    |    \--- project :clouddriver-kubernetes (*)
|    |    |    +--- project :clouddriver-saga
|    |    |    |    +--- project :clouddriver-titus (*)
|    |    |    |    +--- project :clouddriver-aws (*)
|    |    |    |    \--- project :clouddriver-core (*)
|    |    |    \--- project :clouddriver-event
|    |    |         +--- project :clouddriver-sql (*)
|    |    |         \--- project :clouddriver-saga (*)
|    |    +--- com.oracle.oci.sdk:oci-java-sdk-core:1.5.17
|    |    |    +--- project :clouddriver-artifacts (requested com.oracle.oci.sdk:oci-java-sdk-core) (*)
|    |    |    +--- project :clouddriver-oracle (requested com.oracle.oci.sdk:oci-java-sdk-core) (*)
|    |    |    \--- io.spinnaker.kork:kork-bom:json-smart-cve-fix-SNAPSHOT (*)
|    |    +--- com.oracle.oci.sdk:oci-java-sdk-identity:1.5.17
|    |    |    +--- project :clouddriver-oracle (requested com.oracle.oci.sdk:oci-java-sdk-identity) (*)
|    |    |    \--- io.spinnaker.kork:kork-bom:json-smart-cve-fix-SNAPSHOT (*)
|    |    +--- com.oracle.oci.sdk:oci-java-sdk-loadbalancer:1.5.17
|    |    |    +--- project :clouddriver-oracle (requested com.oracle.oci.sdk:oci-java-sdk-loadbalancer) (*)
|    |    |    \--- io.spinnaker.kork:kork-bom:json-smart-cve-fix-SNAPSHOT (*)
|    |    +--- com.oracle.oci.sdk:oci-java-sdk-workrequests:1.5.17
|    |    |    +--- io.spinnaker.kork:kork-bom:json-smart-cve-fix-SNAPSHOT (*)
|    |    |    \--- com.oracle.oci.sdk:oci-java-sdk-core:1.5.17 (*)
|    |    +--- com.oracle.oci.sdk:oci-java-sdk-objectstorage-extensions:1.5.17
|    |    |    \--- com.oracle.oci.sdk:oci-java-sdk-objectstorage:1.5.17
|    |    |         +--- project :clouddriver-oracle (requested com.oracle.oci.sdk:oci-java-sdk-objectstorage) (*)
|    |    |         \--- io.spinnaker.kork:kork-bom:json-smart-cve-fix-SNAPSHOT (*)
|    |    \--- com.oracle.oci.sdk:oci-java-sdk-objectstorage-generated:1.5.17
|    |         +--- com.oracle.oci.sdk:oci-java-sdk-objectstorage:1.5.17 (*)
|    |         \--- com.oracle.oci.sdk:oci-java-sdk-objectstorage-extensions:1.5.17 (*)
|    \--- com.nimbusds:oauth2-oidc-sdk:6.5 (requested com.nimbusds:nimbus-jose-jwt:[6.0.1,))
|         \--- com.microsoft.azure:adal4j:1.6.4
|              +--- project :clouddriver-azure (requested com.microsoft.azure:adal4j:1.6.3) (*)
|              \--- com.microsoft.azure:azure-client-authentication:1.7.0
|                   \--- com.microsoft.azure:azure:1.35.0
|                        \--- project :clouddriver-azure (*)

dbyron-sf
dbyron-sf reviewed Aug 26, 2021
View reviewed changes
spinnaker-dependencies/spinnaker-dependencies.gradle Outdated
@@ -141,6 +141,7 @@ dependencies {
api("javax.xml.bind:jaxb-api:2.3.1")
api("mysql:mysql-connector-java:8.0.20")
api("net.logstash.logback:logstash-logback-encoder:4.11")
api("net.minidev:json-smart:2.4.1") // TODO: remove this with upgrade of spring-boot version to 2.6.0 or above
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From https://docs.spring.io/spring-boot/docs/2.5.0/reference/htmlsingle/#dependency-versions it looks like spring boot 2.5.0 or above would do it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's right, I think somehow I missed it. I will update the comment accordingly.

chore(dependencies): Upgrade net.minidev:json-smart to resolve CVE
774c707 
CVE-2021-27568
net.minidev:json-smart is introduced transitively by spring-boot and springframework through com.jayway.jsonpath:json-path, and also by oracle-sdk, azure-client-auth through com.nimbusds:nimbus-jose-jwt
@dbyron-sf dbyron-sf added the ready to merge Approved and ready for merge label Aug 27, 2021
@mergify mergify bot merged commit 9fbf2f8 into spinnaker:master Aug 27, 2021
@mergify mergify bot added the auto merged label Aug 27, 2021
@j-sandy j-sandy deleted the json-smart-cve-fix branch August 27, 2021 16:47
@j-sandy j-sandy mentioned this pull request Sep 1, 2021
Closed
3 tasks
@link108
Copy link
Member

link108 commented Oct 26, 2021

@Mergifyio backport release-1.27.x

mergify bot pushed a commit that referenced this pull request Oct 26, 2021
@j-sandy
chore(dependencies): Upgrade net.minidev:json-smart to resolve CVE (#891
18e9628 
)

CVE-2021-27568
net.minidev:json-smart is introduced transitively by spring-boot and springframework through com.jayway.jsonpath:json-path, and also by oracle-sdk, azure-client-auth through com.nimbusds:nimbus-jose-jwt

Co-authored-by: j-sandy <jsandy>
(cherry picked from commit 9fbf2f8)
@mergify mergify bot mentioned this pull request Oct 26, 2021
Merged
@mergify
Copy link
Contributor

mergify bot commented Oct 26, 2021

backport release-1.27.x

✅ Backports have been created

link108 added a commit that referenced this pull request Oct 26, 2021
@mergify @j-sandy @link108
chore(dependencies): Upgrade net.minidev:json-smart to resolve CVE (b…
a189a47 
…ackport #891) (#901)

Co-authored-by: j-sandy <jsandy>
Co-authored-by: Sandesh <sandeshjainhyd@gmail.com>
Co-authored-by: Cameron Motevasselani <cmotevasselani@gmail.com>
@j-sandy j-sandy mentioned this pull request Mar 31, 2022
Closed
6 tasks
ylebedeva pushed a commit to ylebedeva/kork that referenced this pull request May 3, 2022
@j-sandy @ylebedeva-pd
chore(dependencies): Upgrade net.minidev:json-smart to resolve CVE (s…
73ebe31 
…pinnaker#891)

CVE-2021-27568
net.minidev:json-smart is introduced transitively by spring-boot and springframework through com.jayway.jsonpath:json-path, and also by oracle-sdk, azure-client-auth through com.nimbusds:nimbus-jose-jwt

Co-authored-by: j-sandy <jsandy>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dbyron-sf dbyron-sf dbyron-sf approved these changes

Assignees
No one assigned
Labels
auto merged ready to merge Approved and ready for merge target-release/1.28
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@j-sandy @link108 @dbyron-sf @spinnakerbot