diff --git a/src/backend/build.gradle b/src/backend/build.gradle
index 52b86fb443..8ca8d52086 100644
--- a/src/backend/build.gradle
+++ b/src/backend/build.gradle
@@ -27,7 +27,7 @@ import com.dorongold.gradle.tasktree.TaskTreePlugin
 buildscript {
 ext {
 set('springDependencyManagePluginVersion', "1.0.11.RELEASE")
- set("springBootVersion", "2.6.13")
+ set("springBootVersion", "2.7.11")
 set("gradleJooqVersion", "3.0.0")
 }
@@ -68,7 +68,7 @@ buildscript {
 plugins {
 id "java-library"
 id "io.spring.dependency-management" version '1.0.11.RELEASE' apply false
- id 'org.springframework.boot' version '2.6.13' apply false
+ id 'org.springframework.boot' version '2.7.11' apply false
 id "idea"
 id 'nu.studer.jooq' version '3.0.0'
 }
@@ -82,7 +82,7 @@ ext {
 set("springVersion", "5.3.25")
 // https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-dependencies
- set("springBootVersion", "2.6.13")
+ set("springBootVersion", "2.7.11")
 // https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-dependencies
 set('springCloudVersion', "2021.0.5")
 set('springCloudOtelVersion', "1.1.3")
@@ -94,7 +94,8 @@ ext {
 set('jacksonVersion', "2.13.5")
 set('jaxrsVersion', "2.0")
 // https://mvnrepository.com/artifact/ch.qos.logback/logback-core
- set('logbackVersion', "1.2.10")
+ // Fix CVE-2023-6378 1.2.11->1.2.13
+ set('logbackVersion', "1.2.13")
 // https://mvnrepository.com/artifact/org.slf4j/slf4j-api
 set('slf4jVersion', "1.7.30")
 set('servletVersion', "3.0.1")
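Review bot: The comment added above `logbackVersion` records the wrong starting version: the line it replaces is `1.2.10`, not `1.2.11`, so anyone auditing the CVE trail later will hunt for an intermediate bump that never existed. Suggest `// Fix CVE-2023-6378 1.2.10->1.2.13`. If 1.2.13 also closes CVE-2023-6481, the follow-up to the same SocketReceiver issue, listing it here keeps the record complete — worth confirming against the logback changelog before adding it. The `ext {}` block this hunk sits in starts and ends outside the hunk.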
@@ -118,13 +119,14 @@ ext {
 // https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient
 set('apacheHttpClientVersion', "4.5.13")
 set('apacheThriftVersion', "0.15.0")
- set('commonsIOVersion', "2.6")
+ // Fix CVE-2024-47554 CVE-2021-29425 2.6->2.14.0
+ set('commonsIOVersion', "2.14.0")
 set('javaxServletVersion', "4.0.1")
- set('guavaVersion', "28.2-jre")
+ // Fix CVE-2023-2976 CVE-2020-8908 28.2-jre->32.0.0-android
+ set('guavaVersion', "32.0.0-android")
 set('caffeineVersion', "2.9.3")
 set('jjwtVersion', "0.9.1")
 set('hibernateValidatorVersion', "6.1.4.Final")
- set('micrometerPrometheusVersion', "1.5.1")
 set('flapdoodleEmbeddedMongdbDBVersion', "4.4.0")
 set('jodaTimeVersion', "2.10.5")
 set('bcprovVersion', "1.70")
@@ -137,8 +139,6 @@ ext {
 set('kubernetesJavaClientVersion', "11.0.4")
 set('springCloudKubernetesVersion', "2.0.6")
 set('cryptoJavaSDKVersion', "1.1.3")
- // Fix CVE-2023-44487
- set('tomcat.version', "9.0.90")
 // Fix CVE-2019-10086,CVE-2014-0114
 set('commonsBeanutilsVersion', "1.9.4")
 if (System.getProperty("bkjobVersion")) {
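Review bot: The guava bump changes flavor as well as version, from `28.2-jre` to `32.0.0-android`; the `-android` build is the Android-targeted artifact and differs in API surface from the `-jre` build that Guava documents for JDK applications, so on this server-side backend it is the wrong artifact even though it carries the CVE fixes. Suggest `set('guavaVersion', "32.0.0-jre")` with the comment `// Fix CVE-2023-2976 CVE-2020-8908 28.2-jre->32.0.0-jre`. It is also worth checking the 32.0.1 release notes before settling on 32.0.0: I recall 32.0.1 as a follow-up correction to the temp-directory fix that 32.0.0 shipped for CVE-2023-2976, in which case `32.0.1-jre` is the safer target. The `ext {}` block this hunk belongs to starts and ends outside the hunk.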
@@ -151,6 +151,31 @@ ext {
 set('bkAuditJavaSdkVersion', "1.0.8")
 set('mockitoVersion', "4.0.0")
 set('embeddedRedisVersion', "0.6")
+ // Fix CVE-2023-44981,CVE-2024-23944 3.7.1->3.8.4
+ set('zookeeperVersion', "3.8.4")
+ // Fix CVE-2023-3635 2.8.0->3.4.0
+ set('okioVersion', "3.4.0")
+ // Fix CVE-2023-34062 1.0.24->1.0.39
+ set('reactorNettyHttpVersion', "1.0.39")
+ set('reactorNettyCoreVersion', "1.0.39")
+ // Fix CVE-2023-44487 4.1.84.Final->4.1.100.Final
+ set('nettyCodecHttp2Version', "4.1.100.Final")
+ // Fix CVE-2024-38809 CVE-2024-22262 CVE-2024-22259 CVE-2024-22243 5.3.23->5.3.39
+ set('springWebVersion', "5.3.39")
+ // Fix CVE-2021-0341 4.9.1->4.9.2
+ set('okHttpVersion', "4.9.2")
+ // Fix CVE-2023-46120 5.13.1->5.18.0
+ set('amqpClientVersion', "5.18.0")
+ // Fix CVE-2023-4759 5.13.1.202206130422-r->6.6.1.202309021850-r
+ set('jgitVersion', "6.6.1.202309021850-r")
+
+ // 使用Spring Boot内置的版本号变量,不采用驼峰命名,保持与官方BOM文件一致
+ // Fix CVE-2023-22102 8.0.33->8.2.0
+ set('mysql.version', "8.2.0")
+ // Fix CVE-2023-44487, CVE-2024-52316
+ set('tomcat.version', "9.0.96")
+ // Fix CVE-2022-41854 CVE-2022-38752 CVE-2022-38751 CVE-2022-38749 CVE-2022-25857 CVE-2022-1471 1.29->1.33
+ set('snakeyaml.version', "2.0")
 }
 group "com.tencent.bk.job"
@@ -309,7 +334,6 @@ subprojects {
 dependency "com.github.ben-manes.caffeine:caffeine:$caffeineVersion"
 dependency group: 'io.jsonwebtoken', name: 'jjwt', version: "$jjwtVersion"
 dependency "net.sourceforge.jchardet:jchardet:1.0"
- dependency "io.micrometer:micrometer-registry-prometheus:$micrometerPrometheusVersion"
 dependency "de.flapdoodle.embed:de.flapdoodle.embed.mongo.spring26x:$flapdoodleEmbeddedMongdbDBVersion"
 dependency "de.flapdoodle.embed:de.flapdoodle.embed.mongo:$flapdoodleEmbeddedMongdbDBVersion"
 dependency "joda-time:joda-time:$jodaTimeVersion"
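Review bot: `springWebVersion` pins `org.springframework:spring-web` to 5.3.39 on its own while the rest of Spring Framework is still driven by `springVersion` 5.3.25 (context in the -82 hunk above) and the Boot 2.7.11 BOM, so the build now yields a mixed-version Spring classpath — a configuration Spring does not support, and one that tends to surface as `NoSuchMethodError` at runtime rather than at build time. The comment in this very hunk says to reuse Boot's BOM property names, so the family-wide knob is the right fix: `set('spring-framework.version', "5.3.39")`, drop the single-artifact pin, and raise `springVersion` to match wherever it is consumed. The `snakeyaml.version` comment also disagrees with the value it annotates: it says `1.29->1.33` but sets `"2.0"`, and 2.0 is the point, since it is the first release that closes CVE-2022-1471 by dropping the unsafe global-tag default — which is why the test in this commit had to switch to `LoaderOptions`. Suggest `// Fix CVE-2022-1471 and the 2022 DoS CVEs 1.29->2.0 (2.0 removes the unsafe default Constructor; Boot 2.7.x is documented as 2.0-compatible, confirm)`. The `ext {}` block this hunk closes starts outside the hunk.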
@@ -345,6 +369,15 @@ subprojects {
 dependency "com.tencent.bk.sdk:spring-boot-bk-audit-starter:$bkAuditJavaSdkVersion"
 dependency "org.mockito:mockito-inline:$mockitoVersion"
 dependency "com.github.kstyrc:embedded-redis:$embeddedRedisVersion"
+ dependency "org.apache.zookeeper:zookeeper:$zookeeperVersion"
+ dependency "com.squareup.okio:okio:$okioVersion"
+ dependency "io.projectreactor.netty:reactor-netty-http:$reactorNettyHttpVersion"
+ dependency "io.projectreactor.netty:reactor-netty-core:$reactorNettyCoreVersion"
+ dependency "io.netty:netty-codec-http2:$nettyCodecHttp2Version"
+ dependency "org.springframework:spring-web:$springWebVersion"
+ dependency "com.squareup.okhttp3:okhttp:$okHttpVersion"
+ dependency "com.rabbitmq:amqp-client:$amqpClientVersion"
+ dependency "org.eclipse.jgit:org.eclipse.jgit:$jgitVersion"
 }
 }
 dependencies {
diff --git a/src/backend/commons/common-service/src/test/java/FeatureToggleTest.java b/src/backend/commons/common-service/src/test/java/FeatureToggleTest.java
index d4493adae2..d6a44a14bc 100644
--- a/src/backend/commons/common-service/src/test/java/FeatureToggleTest.java
+++ b/src/backend/commons/common-service/src/test/java/FeatureToggleTest.java
@@ -40,6 +40,7 @@ import org.junit.jupiter.api.Test;
 import org.mockito.MockedStatic;
 import org.mockito.Mockito;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.Constructor;
@@ -54,7 +55,8 @@ class FeatureToggleTest {
 @BeforeAll
 static void beforeAll() {
- Yaml yaml = new Yaml(new Constructor(FeatureToggleProperties.class));
+ Constructor constructor = new Constructor(FeatureToggleProperties.class, new LoaderOptions());
+ Yaml yaml = new Yaml(constructor);
 InputStream inputStream = FeatureToggleTest.class.getClassLoader()
 .getResourceAsStream("features_1.yaml");
 FeatureToggleProperties featureToggleProperties = yaml.load(inputStream);
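Review bot: The new `io.netty:netty-codec-http2` entry pins a single Netty module to 4.1.100.Final while every other `netty-*` module stays at whatever the Boot BOM resolves, and Netty only supports its modules at one shared version; an HTTP/2 codec running ahead of `netty-codec`, `netty-handler` and `netty-transport` is not a supported configuration and can fail with linkage errors at runtime. Since the commit already adopts Boot's property names for mysql, tomcat and snakeyaml, the same pattern fits here: `set('netty.version', "4.1.100.Final")` in `ext {}` and delete the single-module `dependency` line, which moves the whole Netty family together and still carries the CVE-2023-44487 fix. The same reasoning applies to the `spring-web` line two entries below, which pins one Spring Framework module apart from the rest. The presumably `dependencyManagement` block these lines sit in starts outside the hunk.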
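Review bot: The new `Constructor` line needs a comment saying why it now takes a `LoaderOptions`, because nothing in the test explains the churn: presumably the one-argument `Constructor(Class)` overload no longer exists in the SnakeYAML 2.0 that `build.gradle` now pins, and the default `LoaderOptions` is what keeps global tags rejected. Suggest `// SnakeYAML 2.x: Constructor requires LoaderOptions; the defaults keep global tags (CVE-2022-1471) rejected` above it. Since the whole point of the 2.0 move is that safe default, it is worth a second test that loads a document carrying a `!!` global tag into the same `Yaml` and asserts it is refused, so the behaviour is pinned rather than assumed. `beforeAll` continues past the end of the hunk.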
diff --git a/src/backend/job-analysis/boot-job-analysis/build.gradle b/src/backend/job-analysis/boot-job-analysis/build.gradle
index 6e99aed05e..188cfb7edb 100644
--- a/src/backend/job-analysis/boot-job-analysis/build.gradle
+++ b/src/backend/job-analysis/boot-job-analysis/build.gradle
@@ -32,7 +32,7 @@ dependencies {
 implementation 'org.springframework.cloud:spring-cloud-starter-bootstrap'
 implementation 'org.springframework:spring-webmvc'
 implementation(group: 'org.springframework.boot', name: 'spring-boot-starter-data-redis')
- runtimeOnly('mysql:mysql-connector-java')
+ runtimeOnly('com.mysql:mysql-connector-j')
 testImplementation("com.h2database:h2")
 }
diff --git a/src/backend/job-assemble/build.gradle b/src/backend/job-assemble/build.gradle
index 80183d6905..72f42b1ffc 100644
--- a/src/backend/job-assemble/build.gradle
+++ b/src/backend/job-assemble/build.gradle
@@ -40,7 +40,7 @@ dependencies {
 implementation project(":job-analysis:service-job-analysis")
 implementation 'org.springframework.boot:spring-boot-starter-jdbc'
 implementation 'org.springframework.cloud:spring-cloud-starter-bootstrap'
- runtimeOnly 'mysql:mysql-connector-java'
+ runtimeOnly 'com.mysql:mysql-connector-j'
 testImplementation 'org.springframework.boot:spring-boot-starter-test'
 testImplementation 'org.junit.jupiter:junit-jupiter'
diff --git a/src/backend/job-backup/boot-job-backup/build.gradle b/src/backend/job-backup/boot-job-backup/build.gradle
index 7d568a1f12..c50a373160 100644
--- a/src/backend/job-backup/boot-job-backup/build.gradle
+++ b/src/backend/job-backup/boot-job-backup/build.gradle
@@ -32,7 +32,7 @@ dependencies {
 implementation 'org.springframework.cloud:spring-cloud-starter-bootstrap'
 implementation 'org.springframework:spring-webmvc'
 implementation(group: 'org.springframework.boot', name: 'spring-boot-starter-data-redis')
- runtimeOnly('mysql:mysql-connector-java')
+ runtimeOnly('com.mysql:mysql-connector-j')
 testImplementation("com.h2database:h2")
 }
diff --git a/src/backend/job-crontab/boot-job-crontab/build.gradle b/src/backend/job-crontab/boot-job-crontab/build.gradle
index e7e295bd34..3897320590 100644
--- a/src/backend/job-crontab/boot-job-crontab/build.gradle
+++ b/src/backend/job-crontab/boot-job-crontab/build.gradle
@@ -32,7 +32,7 @@ dependencies {
 implementation(group: 'org.springframework.boot', name: 'spring-boot-starter-data-redis')
 implementation 'org.springframework.cloud:spring-cloud-starter-bootstrap'
 implementation 'org.springframework:spring-webmvc'
- runtimeOnly 'mysql:mysql-connector-java'
+ runtimeOnly 'com.mysql:mysql-connector-j'
 testImplementation("com.h2database:h2")
 }
diff --git a/src/backend/job-execute/boot-job-execute/build.gradle b/src/backend/job-execute/boot-job-execute/build.gradle
index 0c6b09b945..c85d3fc2c5 100644
--- a/src/backend/job-execute/boot-job-execute/build.gradle
+++ b/src/backend/job-execute/boot-job-execute/build.gradle
@@ -28,7 +28,7 @@ dependencies {
 api project(":commons:common-i18n")
 implementation 'org.springframework.boot:spring-boot-starter-jdbc'
 implementation 'org.springframework.cloud:spring-cloud-starter-bootstrap'
- runtimeOnly 'mysql:mysql-connector-java'
+ runtimeOnly 'com.mysql:mysql-connector-j'
 testImplementation("com.h2database:h2")
 }
diff --git a/src/backend/job-file-gateway/boot-job-file-gateway/build.gradle b/src/backend/job-file-gateway/boot-job-file-gateway/build.gradle
index eaa55be903..3a1abfbe1f 100644
--- a/src/backend/job-file-gateway/boot-job-file-gateway/build.gradle
+++ b/src/backend/job-file-gateway/boot-job-file-gateway/build.gradle
@@ -31,7 +31,7 @@ dependencies {
 implementation 'org.springframework.cloud:spring-cloud-starter-bootstrap'
 implementation 'org.springframework:spring-webmvc'
 implementation(group: 'org.springframework.boot', name: 'spring-boot-starter-data-redis')
- runtimeOnly('mysql:mysql-connector-java')
+ runtimeOnly('com.mysql:mysql-connector-j')
 }
 springBoot {
 getMainClass().set("com.tencent.bk.job.file_gateway.JobFileGatewayBootApplication")
diff --git a/src/backend/job-manage/boot-job-manage/build.gradle b/src/backend/job-manage/boot-job-manage/build.gradle
index 2ac59cfe24..128925f73c 100644
--- a/src/backend/job-manage/boot-job-manage/build.gradle
+++ b/src/backend/job-manage/boot-job-manage/build.gradle
@@ -32,7 +32,7 @@ dependencies {
 implementation 'org.springframework.cloud:spring-cloud-starter-bootstrap'
 implementation 'org.springframework:spring-webmvc'
 implementation(group: 'org.springframework.boot', name: 'spring-boot-starter-data-redis')
- runtimeOnly('mysql:mysql-connector-java')
+ runtimeOnly('com.mysql:mysql-connector-j')
 testImplementation("com.h2database:h2")
 }
diff --git a/src/backend/task_gen_jooq.gradle b/src/backend/task_gen_jooq.gradle
index bf29ad52db..76d42daf0d 100644
--- a/src/backend/task_gen_jooq.gradle
+++ b/src/backend/task_gen_jooq.gradle
@@ -25,7 +25,7 @@ apply plugin: 'nu.studer.jooq'
 dependencies {
 api "org.jooq:jooq"
- jooqRuntime "mysql:mysql-connector-java"
+ jooqRuntime "com.mysql:mysql-connector-j"
 }
 def nameArr = name.split('-')
diff --git a/src/backend/task_job_package.gradle b/src/backend/task_job_package.gradle
index 26a7bc3e10..c5e00103ad 100644
--- a/src/backend/task_job_package.gradle
+++ b/src/backend/task_job_package.gradle
@@ -79,7 +79,7 @@ task postProcessRelease(type: GenCompleteDependJarListAndRemoveInfectedJarsTask)
 remove "logback-classic-.*jar"
 remove "logback-core-.*jar"
 remove "mchange-commons-java-.*jar"
- remove "mysql-connector-java-.*jar"
+ remove "com.mysql:mysql-connector-j-.*jar"
 remove "org.eclipse.jgit-.*jar"
 remove "org.eclipse.jgit.http.apache-.*jar"
 remove "reactive-streams-.*jar"
diff --git a/support-files/dependJarInfo/md5List.txt b/support-files/dependJarInfo/md5List.txt
index 32229a38ab..2784043b23 100644
--- a/support-files/dependJarInfo/md5List.txt
+++ b/support-files/dependJarInfo/md5List.txt
@@ -1,4 +1,4 @@
-d398009d58dc7158787121d0e19a1b3c
+6f314f6a68d3d9748d496ec47b155f13
 a77a4f0e9645fb5e17fb17f8b1c7cc1b
 5725bdda5da45c1a62c385dcb77c7fed
 a4d97c5a2f94b8b5d132761a769e5eeb
@@ -98,15 +98,15 @@ ea1e4457c0b7197df6e69cde35d2b352
 d094c22570d65e132c19cea5d352e381
 236b9969df6b394e88283a9f813b9b95
 bafb53f0385a82d4f9c1145917908736
-64f7a68f931aed8e5ad8243470440f0b
-841fc80c6edff60d947a3872a2db4d45
+fc49f9a98304889b228adbbd7288ae43
+25736944b46d10756764364afcb455fc
 badce92967671a310b5356f009ea57b2
 97c4575d9d49d9afb71492e6bb4417da
 190f0fcbde700574c56bf127ac32d2ad
 f9092388f452855f4f41d9a294f9f4e9
 d1a6c1d2717ace5be9fc4c7c889d2159
 4c11f98e756dc607d6aad28469d612b1
-fdf55dcef04b09f2eaf42b75e61ccc9a
+a331817ab5c572777e25539a70b51bb6
 583a5b0db40c45508feefd900c9513f1
 739701e8e7cd9a1a37c6e2b215b6e13a
 adefee7023c7df6aa3ce1c991be1cc81
@@ -123,8 +123,8 @@ b851ccee6b416361992d43f861fa3306
 63e24bf59ed6cb64eb62e8cd0e495a6c
 1a5d6d1073dd2f5d026852dea49e23d4
 848917322d5b4e121e53cc512d01a2f4
-84aeabf86d2950a53e33ae331870bed1
-0e0a533627085c406ac7eb57a4b22632
+5081e9662b2e83dc9ee89c5214522a48
+c9b7ceabcfc3cfca14709667dd8ec121
 c4ceefed77d79affded2a1302e74606d
 d7299dbaec0e0ed7af281b07cc40c8c1
 69122b098fff1c6b1bf2cd3b355e7e03
diff --git a/support-files/dependJarInfo/nameList.txt b/support-files/dependJarInfo/nameList.txt
index 54b20bbf13..3a00912a65 100644
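Review bot: The new pattern `com.mysql:mysql-connector-j-.*jar` can never match a file: the `remove` arguments in this task are regexes over jar file names (`logback-core-.*jar`, `org.eclipse.jgit-.*jar` alongside it), and the connector's jar is named `mysql-connector-j-<version>.jar` with no Maven group id or colon in it, so after this change the MySQL driver is silently left in the release package while `nameList.txt` in the same commit still records it, under the bare name `mysql-connector-j`, as one of the jars expected to be stripped. If this task exists to keep the GPL-licensed Connector/J out of the shipped artifact, as its `RemoveInfectedJars` name suggests, that is a licensing exposure and not only a packaging slip. Suggest `remove "mysql-connector-j-.*jar"`, and a quick check of the produced archive for the jar. The `postProcessRelease` task body starts and ends outside the hunk.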
--- a/support-files/dependJarInfo/nameList.txt
+++ b/support-files/dependJarInfo/nameList.txt
@@ -106,7 +106,7 @@ micrometer-core
 micrometer-registry-prometheus
 mongodb-driver-core
 mongodb-driver-sync
-mysql-connector-java
+mysql-connector-j
 netflix-commons-util
 netflix-statistics
 netty-buffer
diff --git a/support-files/dependJarInfo/versionList.txt b/support-files/dependJarInfo/versionList.txt
index a2c45ca855..8f62acf36d 100644
--- a/support-files/dependJarInfo/versionList.txt
+++ b/support-files/dependJarInfo/versionList.txt
@@ -1,4 +1,4 @@
-5.13.1
+5.18.0
 0.7.6
 1.9.7
 1.9.7
@@ -98,15 +98,15 @@
 9999.0-empty-to-avoid-conflict-with-guava
 2.13.3
 2.13.3
-1.2.10
-1.2.10
+1.2.13
+1.2.13
 1.2.0.Final
 0.2.15
 1.5.5
 1.5.1
 4.0.5
 4.0.5
-8.0.25
+8.2.0
 0.3.0
 0.1.1
 4.1.52.Final
@@ -123,8 +123,8 @@
 4.1.52.Final
 1.1.0
 1.1.3
-5.13.1.202206130422-r
-5.13.1.202206130422-r
+6.6.1.202309021850-r
+6.6.1.202309021850-r
 3.11.4
 2.3.2
 1.0.4