diff --git a/build.gradle b/build.gradle
index 127dbc382d..19d0368acb 100644
--- a/build.gradle
+++ b/build.gradle
@@ -157,12 +157,13 @@ allprojects {
 maven {
 // Mondrian dependencies are available via this repository. It's a direct dependency of the Query
 // module but is declared here as many modules depend on Query and therefore need it as well.
- url "https://repo.orl.eng.hitachivantara.com/artifactory/pnt-mvn"
+ url "https://repo.orl.eng.hitachivantara.com/artifactory/pnt-mvn"
 content {
 includeGroup "pentaho"
 includeGroup "org.pentaho"
 includeGroup "org.olap4j"
 includeGroup "javacup"
+ includeGroup "eigenbase"
 }
 }
 }
diff --git a/gradle.properties b/gradle.properties
index 14bd918da0..f69caf46eb 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -103,7 +103,7 @@ apacheDirectoryVersion=2.1.3
 apacheMinaVersion=2.2.1
 # Keep in sync with springBootTomcatVersion below
-apacheTomcatVersion=9.0.80
+apacheTomcatVersion=9.0.82
 # (mothership) -> json-path -> json-smart -> accessor-smart
 # (core) -> graalvm
@@ -222,7 +222,7 @@ jodaTimeVersion=2.8.1
 # brought in transitively from guava and other google packages. Need to resolve consistently
 jsr305Version=3.0.2
-orgJsonVersion=20230618
+orgJsonVersion=20231013
 jsoupVersion=1.16.1
@@ -243,7 +243,7 @@ mysqlDriverVersion=8.1.0
 mssqlJdbcVersion=12.4.1.jre11
 # forced compatibility between docker and UserReg-WS
-nettyVersion=4.1.94.Final
+nettyVersion=4.1.100.Final
 objenesisVersion=1.0
@@ -285,7 +285,7 @@ snappyJavaVersion=1.1.10.5
 springBootVersion=2.7.16
 # This MUST match the Tomcat version dictated by springBootVersion
 # Also, keep this in sync with apacheTomcatVersion above
-springBootTomcatVersion=9.0.80
+springBootTomcatVersion=9.0.82
 springVersion=5.3.30
diff --git a/server/embedded/build.gradle b/server/embedded/build.gradle
index e39751bd2a..62a1526320 100644
--- a/server/embedded/build.gradle
+++ b/server/embedded/build.gradle
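Review bot: In the root build.gradle hunk, the new `includeGroup "eigenbase"` entry only limits what this repository is asked for; a `content { }` filter does not stop the same group from being resolved from another declared repository, which matters more for a bare group name like this than for a reverse-DNS one. The other repositories in `allprojects` are outside the hunk, so this may already be handled. If it is not, declaring the repository through `exclusiveContent { forRepository { ... } filter { includeGroup "eigenbase" } }` would bind the listed groups to this repository alone. The comment above the URL names only Mondrian, so a short line such as `// eigenbase: required by Mondrian (confirm)` next to the new entry would record why it was added.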
@@ -31,7 +31,34 @@ dependencies {
 implementation "org.springframework.boot:spring-boot-starter-web:${springBootVersion}"
 implementation "org.springframework.boot:spring-boot-starter-actuator:${springBootVersion}"
 implementation "org.springframework.boot:spring-boot-starter-validation:${springBootVersion}"
-
+
+ // Force to the latest Tomcat version until Spring Boot 2.7.17 is released and we can adopt it
+ implementation('org.apache.tomcat.embed:tomcat-embed-core') {
+ version {
+ strictly "${springBootTomcatVersion}"
+ }
+ }
+ implementation('org.apache.tomcat.embed:tomcat-embed-el') {
+ version {
+ strictly "${springBootTomcatVersion}"
+ }
+ }
+ implementation('org.apache.tomcat.embed:tomcat-embed-websocket') {
+ version {
+ strictly "${springBootTomcatVersion}"
+ }
+ }
+ implementation('org.apache.tomcat:tomcat-annotations-api') {
+ version {
+ strictly "${springBootTomcatVersion}"
+ }
+ }
+ implementation('org.apache.tomcat:tomcat-jsp-api') {
+ version {
+ strictly "${springBootTomcatVersion}"
+ }
+ }
+
 // This is a transitive dependency from spring-boot-starter that we're forcing to pick up CVE hotfixes. We're not
 // vulnerable since we're not accepting untrusted Spring Boot config files, but this cleans up the reporting.
 // At some point Spring Boot should update its preferred version and we can yank this
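Review bot: The five `implementation(...) { version { strictly ... } }` entries declare the Tomcat modules as direct dependencies instead of only pinning their version. Any of them that the Spring Boot starters do not already bring in (possibly `tomcat-jsp-api` or `tomcat-annotations-api`; the resolved graph is not visible here) would be newly placed on the embedded server's classpath. A `constraints { }` block applies the same strict version only to modules already in the graph, and a loop removes the five-fold repetition. The `dependencies` block starts before and continues after this hunk.

```groovy
    // Force to the latest Tomcat version until Spring Boot 2.7.17 is released and we can adopt it
    constraints {
        [
            'org.apache.tomcat.embed:tomcat-embed-core',
            'org.apache.tomcat.embed:tomcat-embed-el',
            'org.apache.tomcat.embed:tomcat-embed-websocket',
            'org.apache.tomcat:tomcat-annotations-api',
            'org.apache.tomcat:tomcat-jsp-api',
        ].each { module ->
            implementation(module) {
                version { strictly "${springBootTomcatVersion}" }
                because 'pin embedded Tomcat ahead of the Spring Boot managed version'
            }
        }
    }
    // … unchanged: transitive-dependency hotfix comment and the declarations after it …
```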