Update transitive dependencies

agent/agent-tooling/build.gradle.kts

@@ -90,11 +90,3 @@ dependencies {
   testImplementation("uk.org.webcompere:system-stubs-jupiter:2.0.2")
   testImplementation("io.github.hakky54:logcaptor")
 }
-
-configurations {
-  all {
-    // excluding unused dependencies for size (~1.8mb)
-    exclude("com.fasterxml.jackson.dataformat", "jackson-dataformat-xml")
-    exclude("com.fasterxml.woodstox", "woodstox-core")
-  }
-}

agent/agent-tooling/gradle.lockfile

@@ -13,8 +13,10 @@ com.azure:azure-storage-internal-avro:12.7.0=runtimeClasspath
 com.fasterxml.jackson.core:jackson-annotations:2.15.0=runtimeClasspath
 com.fasterxml.jackson.core:jackson-core:2.15.0=runtimeClasspath
 com.fasterxml.jackson.core:jackson-databind:2.15.0=runtimeClasspath
+com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.15.0=runtimeClasspath
 com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.15.0=runtimeClasspath
 com.fasterxml.jackson:jackson-bom:2.15.0=runtimeClasspath
+com.fasterxml.woodstox:woodstox-core:6.5.1=runtimeClasspath
 com.github.oshi:oshi-core:6.4.2=runtimeClasspath
 com.github.stephenc.jcip:jcip-annotations:1.0-1=runtimeClasspath
 com.google.errorprone:error_prone_annotations:2.18.0=runtimeClasspath
@@ -65,6 +67,7 @@ net.minidev:accessors-smart:2.4.9=runtimeClasspath
 net.minidev:json-smart:2.4.10=runtimeClasspath
 org.apache.commons:commons-lang3:3.12.0=runtimeClasspath
 org.apache.commons:commons-text:1.10.0=runtimeClasspath
+org.codehaus.woodstox:stax2-api:4.2.1=runtimeClasspath
 org.junit:junit-bom:5.9.3=runtimeClasspath
 org.reactivestreams:reactive-streams:1.0.4=runtimeClasspath
 org.slf4j:jcl-over-slf4j:1.7.36=runtimeClasspath

agent/agent/build.gradle.kts

@@ -218,3 +218,14 @@ fun CopySpec.isolateClasses(jars: Iterable<File>) {
     into("META-INF")
   }
 }
+
+configurations {
+  all {
+    // excluding unused dependencies for size (~1.8mb)
+    exclude("com.fasterxml.jackson.dataformat", "jackson-dataformat-xml")
+    exclude("com.fasterxml.woodstox", "woodstox-core")
+
+    resolutionStrategy.force("com.azure:azure-identity:1.8.3")
+    resolutionStrategy.force("com.microsoft.azure:msal4j:1.13.8")
+  }
+}

agent/azure-monitor-exporter/build.gradle.kts

@@ -45,11 +45,3 @@ dependencies {
   testCompileOnly("com.google.code.findbugs:jsr305")
   testCompileOnly("com.fasterxml.jackson.datatype:jackson-datatype-jsr310")
 }
-
-configurations {
-  all {
-    // excluding unused dependencies for size (~1.8mb)
-    exclude("com.fasterxml.jackson.dataformat", "jackson-dataformat-xml")
-    exclude("com.fasterxml.woodstox", "woodstox-core")
-  }
-}

dependencyManagement/build.gradle.kts

@@ -73,11 +73,6 @@ val CORE_DEPENDENCIES = listOf(
   // temporarily overriding transitive dependency from azure-core until next azure-bom release
   // which targets at least reactor-netty-http:1.1.1
   "io.projectreactor.netty:reactor-netty-http:1.1.6",
-  // CVE-2023-1370 - https://github.com/advisories/GHSA-493p-pfq6-5258
-  // Transitive dependency: json-smart -> com.microsoft.azure:msal4j:1.13.5 ->  com.azure:azure-identity
-  // -> azure-monitor-exporter
-  // upstream fix: https://github.com/AzureAD/microsoft-authentication-library-for-java/pull/612
-  "net.minidev:json-smart:2.4.10"
 )
 
 val DEPENDENCIES = listOf(

licenses/more-licenses.md

@@ -1,7 +1,7 @@
 
 #agent
 ##Dependency License Report
-_2023-05-05 14:48:11 UTC_
+_2023-05-05 14:24:24 PDT_
 ## Apache License, Version 2.0
 
 **1** **Group:** `com.fasterxml.jackson.core` **Name:** `jackson-annotations` **Version:** `2.15.0` 
@@ -45,22 +45,21 @@ _2023-05-05 14:48:11 UTC_
 > - **POM Project URL**: [https://bitbucket.org/connect2id/nimbus-content-type](https://bitbucket.org/connect2id/nimbus-content-type)
 > - **POM License**: Apache License, Version 2.0 - [http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0)
 
-**8** **Group:** `com.nimbusds` **Name:** `lang-tag` **Version:** `1.6` 
+**8** **Group:** `com.nimbusds` **Name:** `lang-tag` **Version:** `1.7` 
 > - **Manifest Project URL**: [https://connect2id.com/](https://connect2id.com/)
 > - **Manifest License**: Apache License, Version 2.0 (Not Packaged)
 > - **POM Project URL**: [https://bitbucket.org/connect2id/nimbus-language-tags](https://bitbucket.org/connect2id/nimbus-language-tags)
 > - **POM License**: Apache License, Version 2.0 - [http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0)
 
-**9** **Group:** `com.nimbusds` **Name:** `nimbus-jose-jwt` **Version:** `9.22` 
+**9** **Group:** `com.nimbusds` **Name:** `nimbus-jose-jwt` **Version:** `9.30.2` 
 > - **Manifest Project URL**: [https://connect2id.com](https://connect2id.com)
 > - **Manifest License**: Apache License, Version 2.0 (Not Packaged)
 > - **POM Project URL**: [https://bitbucket.org/connect2id/nimbus-jose-jwt](https://bitbucket.org/connect2id/nimbus-jose-jwt)
 > - **POM License**: Apache License, Version 2.0 - [http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0)
 
-**10** **Group:** `com.nimbusds` **Name:** `oauth2-oidc-sdk` **Version:** `9.35` 
-> - **Manifest Project URL**: [https://connect2id.com](https://connect2id.com)
+**10** **Group:** `com.nimbusds` **Name:** `oauth2-oidc-sdk` **Version:** `10.7.1` 
+> - **Project URL**: [https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions](https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions)
 > - **Manifest License**: Apache License, Version 2.0 (Not Packaged)
-> - **POM Project URL**: [https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions](https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions)
 > - **POM License**: Apache License, Version 2.0 - [https://www.apache.org/licenses/LICENSE-2.0](https://www.apache.org/licenses/LICENSE-2.0)
 
 **11** **Group:** `com.squareup.moshi` **Name:** `moshi` **Version:** `1.11.0` 
@@ -314,7 +313,7 @@ _2023-05-05 14:48:11 UTC_
 > - **POM Project URL**: [https://github.com/Azure/azure-sdk-for-java](https://github.com/Azure/azure-sdk-for-java)
 > - **POM License**: MIT License - [https://opensource.org/licenses/MIT](https://opensource.org/licenses/MIT)
 
-**59** **Group:** `com.azure` **Name:** `azure-identity` **Version:** `1.8.2` 
+**59** **Group:** `com.azure` **Name:** `azure-identity` **Version:** `1.8.3` 
 > - **POM Project URL**: [https://github.com/Azure/azure-sdk-for-java](https://github.com/Azure/azure-sdk-for-java)
 > - **POM License**: MIT License - [https://opensource.org/licenses/MIT](https://opensource.org/licenses/MIT)
 
@@ -339,12 +338,12 @@ _2023-05-05 14:48:11 UTC_
 > - **Manifest License**: "SPDX-License-Identifier: MIT";link="https://opensource.org/licenses/MIT" (Not Packaged)
 > - **POM License**: MIT License - [https://opensource.org/licenses/MIT](https://opensource.org/licenses/MIT)
 
-**65** **Group:** `com.microsoft.azure` **Name:** `msal4j` **Version:** `1.13.7` 
+**65** **Group:** `com.microsoft.azure` **Name:** `msal4j` **Version:** `1.13.8` 
 > - **Project URL**: [https://github.com/AzureAD/microsoft-authentication-library-for-java](https://github.com/AzureAD/microsoft-authentication-library-for-java)
 > - **Manifest License**: "MIT License" (Not Packaged)
 > - **POM License**: MIT License - [https://opensource.org/licenses/MIT](https://opensource.org/licenses/MIT)
 
-**66** **Group:** `com.microsoft.azure` **Name:** `msal4j-persistence-extension` **Version:** `1.1.0` 
+**66** **Group:** `com.microsoft.azure` **Name:** `msal4j-persistence-extension` **Version:** `1.2.0` 
 > - **POM Project URL**: [https://github.com/AzureAD/microsoft-authentication-extensions-for-java](https://github.com/AzureAD/microsoft-authentication-extensions-for-java)
 > - **POM License**: MIT License - [https://opensource.org/licenses/MIT](https://opensource.org/licenses/MIT)