Fix log4j vulnerability (#91)

* Update Log4j version to address CVE-2021-44228 * Update all other Java dependencies to the latest stable version * Remove unused properties files * Use the latest stable version of Flyway from 7.x series * Dep check exclusion for netty-tcnative-classes (uses a different versioning scheme to the rest of Netty) * Add exemption for null license in netty-tcnative-classes
finos · Dec 14, 2021 · 7e6ebaa · 7e6ebaa
1 parent 901f332
commit 7e6ebaa
Show file tree

Hide file tree

Showing 7 changed files with 32 additions and 118 deletions.
diff --git a/.github/config/trac-int-mariadb.properties b/.github/config/trac-int-mariadb.properties
diff --git a/.github/config/trac-int-mysql.properties b/.github/config/trac-int-mysql.properties
diff --git a/.github/config/trac-int-postgresql.properties b/.github/config/trac-int-postgresql.properties
diff --git a/.github/config/trac-int-sqlserver.properties b/.github/config/trac-int-sqlserver.properties
diff --git a/dev/compliance/owasp-false-positives.xml b/dev/compliance/owasp-false-positives.xml
@@ -27,4 +27,14 @@
         <cpe>cpe:/a:www-sql_project:www-sql</cpe>
     </suppress>
 
+    <!-- Netty's Tomcat native classes JAR uses a different versioning scheme to the rest of Netty -->
+    <!-- This confuses Dependency Check into thinking an older version of Netty is being used -->
+    <suppress>
+        <notes><![CDATA[
+           file name: netty-tcnative-classes-2.0.46.Final.jar
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/io\.netty/netty\-tcnative\-classes@.*$</packageUrl>
+        <cpe>cpe:/a:netty:netty</cpe>
+    </suppress>
+
 </suppressions>
diff --git a/dev/compliance/permitted-licenses.json b/dev/compliance/permitted-licenses.json
@@ -28,6 +28,10 @@
     {
       "moduleName": "com.fasterxml.jackson:jackson-bom",
       "moduleLicense": null
+    },
+    {
+      "moduleName": "io.netty:netty-tcnative-classes",
+      "moduleLicense": null
     }
   ]
 }
diff --git a/gradle/versions.gradle b/gradle/versions.gradle
@@ -16,54 +16,54 @@
 
 ext {
 
-    guava_version = '30.1.1-jre'
+    guava_version = '31.0.1-jre'
 
-    netty_version = '4.1.68.Final'
+    netty_version = '4.1.72.Final'
 
     // Proto / gRPC (use a consistent set of versions, as defined by gRPC)
-    proto_version = '3.18.0'
-    grpc_version = '1.40.1'
-    gapi_version = '2.5.0'
+    proto_version = '3.19.1'
+    grpc_version = '1.42.0'
+    gapi_version = '2.7.0'
 
 
     // Data technologies
-    arrow_version = '6.0.0'
+    arrow_version = '6.0.1'
     jackson_version = '2.13.0'
 
 
     // SQL (JDBC) drivers
     h2_version = '1.4.200'
     mysql_version = '8.0.27'
-    mariadb_version = '2.7.0'
-    postgresql_version = '42.2.16'
-    sqlserver_version = '8.4.1.jre11'
-    oracle_version = '19.7.0.0'
+    mariadb_version = '2.7.4'
+    postgresql_version = '42.3.1'
+    sqlserver_version = '9.4.1.jre11'
+    oracle_version = '19.12.0.0'
 
     // JDBC Connection pool
-    hikari_cp_version = '3.4.5'
+    hikari_cp_version = '5.0.0'
 
 
     // Config
     snakeyaml_version = '1.29'
 
     // Apache Commons Components
-    commons_cli_version = "1.4"
+    commons_cli_version = "1.5.0"
 
     // Logging
-    slf4j_version = '1.7.30'
-    log4j_version = '2.14.1'
+    slf4j_version = '1.7.32'
+    log4j_version = '2.16.0'
 
 
     // Flyway (database deploy tool)
-    flyway_version = '7.1.0'
+    flyway_version = '7.15.0'
 
     // Plugins
-    aws_sdk_version = '1.12.93'
+    aws_sdk_version = '1.12.128'
     gcp_sdk_version = '1.118.1'
 
 
     // Test dependencies
 
-    junit_version = '5.8.1'
-    mockito_version = '3.12.4'
+    junit_version = '5.8.2'
+    mockito_version = '4.1.0'
 }