TencentBlueKing · jsonwan · Jan 20, 2025 · Dec 16, 2024 · Dec 26, 2024 · Jan 17, 2025
diff --git a/src/backend/build.gradle b/src/backend/build.gradle
@@ -27,7 +27,7 @@ import com.dorongold.gradle.tasktree.TaskTreePlugin
 buildscript {
     ext {
         set('springDependencyManagePluginVersion', "1.0.11.RELEASE")
-        set("springBootVersion", "2.6.13")
+        set("springBootVersion", "2.7.11")
         set("gradleJooqVersion", "3.0.0")
     }
 
@@ -68,7 +68,7 @@ buildscript {
 plugins {
     id "java-library"
     id "io.spring.dependency-management" version '1.0.11.RELEASE' apply false
-    id 'org.springframework.boot' version '2.6.13' apply false
+    id 'org.springframework.boot' version '2.7.11' apply false
     id "idea"
     id 'nu.studer.jooq' version '3.0.0'
 }
@@ -82,7 +82,7 @@ ext {
 
     set("springVersion", "5.3.25")
     // https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-dependencies
-    set("springBootVersion", "2.6.13")
+    set("springBootVersion", "2.7.11")
     // https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-dependencies
     set('springCloudVersion', "2021.0.5")
     set('springCloudOtelVersion', "1.1.3")
@@ -94,7 +94,8 @@ ext {
     set('jacksonVersion', "2.13.5")
     set('jaxrsVersion', "2.0")
     // https://mvnrepository.com/artifact/ch.qos.logback/logback-core
-    set('logbackVersion', "1.2.10")
+    // Fix CVE-2023-6378 1.2.11->1.2.13
+    set('logbackVersion', "1.2.13")
     // https://mvnrepository.com/artifact/org.slf4j/slf4j-api
     set('slf4jVersion', "1.7.30")
     set('servletVersion', "3.0.1")
@@ -118,13 +119,14 @@ ext {
     // https://mvnrepository.com/artifact/org.apache.httpcomponents/httpclient
     set('apacheHttpClientVersion', "4.5.13")
     set('apacheThriftVersion', "0.15.0")
-    set('commonsIOVersion', "2.6")
+    // Fix CVE-2024-47554 CVE-2021-29425 2.6->2.14.0
+    set('commonsIOVersion', "2.14.0")
     set('javaxServletVersion', "4.0.1")
-    set('guavaVersion', "28.2-jre")
+    // Fix CVE-2023-2976 CVE-2020-8908 28.2-jre->32.0.0-android
+    set('guavaVersion', "32.0.0-android")
     set('caffeineVersion', "2.9.3")
     set('jjwtVersion', "0.9.1")
     set('hibernateValidatorVersion', "6.1.4.Final")
-    set('micrometerPrometheusVersion', "1.5.1")
     set('flapdoodleEmbeddedMongdbDBVersion', "4.4.0")
     set('jodaTimeVersion', "2.10.5")
     set('bcprovVersion', "1.70")
@@ -137,8 +139,8 @@ ext {
     set('kubernetesJavaClientVersion', "11.0.4")
     set('springCloudKubernetesVersion', "2.0.6")
     set('cryptoJavaSDKVersion', "1.1.3")
-    // Fix CVE-2023-44487
-    set('tomcat.version', "9.0.90")
+    // Fix CVE-2023-44487, CVE-2024-52316
+    set('tomcat.version', "9.0.96")
     // Fix CVE-2019-10086,CVE-2014-0114
     set('commonsBeanutilsVersion', "1.9.4")
     if (System.getProperty("bkjobVersion")) {
@@ -151,6 +153,27 @@ ext {
     set('bkAuditJavaSdkVersion', "1.0.8")
     set('mockitoVersion', "4.0.0")
     set('embeddedRedisVersion', "0.6")
+    // Fix CVE-2023-44981,CVE-2024-23944 3.7.1->3.8.4
+    set('zookeeperVersion', "3.8.4")
+    // Fix CVE-2022-41854 CVE-2022-38752 CVE-2022-38751 CVE-2022-38749 CVE-2022-25857 CVE-2022-1471 1.29->1.33
+    set('snakeyaml.version', "2.0")
+    // Fix CVE-2023-3635 2.8.0->3.4.0
+    set('okioVersion', "3.4.0")
+    // Fix CVE-2023-34062 1.0.24->1.0.39
+    set('reactorNettyHttpVersion', "1.0.39")
+    set('reactorNettyCoreVersion', "1.0.39")
+    // Fix CVE-2023-44487 4.1.84.Final->4.1.100.Final
+    set('nettyCodecHttp2Version', "4.1.100.Final")
+    // Fix CVE-2024-38809 CVE-2024-22262 CVE-2024-22259 CVE-2024-22243 5.3.23->5.3.39
+    set('springWebVersion', "5.3.39")
+    // Fix CVE-2021-0341 4.9.1->4.9.2
+    set('okHttpVersion', "4.9.2")
+    // Fix CVE-2023-46120 5.13.1->5.18.0
+    set('amqpClientVersion', "5.18.0")
+    // Fix CVE-2023-4759 5.13.1.202206130422-r->6.6.1.202309021850-r
+    set('jgitVersion', "6.6.1.202309021850-r")
+    // Fix CVE-2023-22102 8.0.33->8.2.0
+    set('mysql.version', "8.2.0")
 }
 
 group "com.tencent.bk.job"
@@ -309,7 +332,6 @@ subprojects {
             dependency "com.github.ben-manes.caffeine:caffeine:$caffeineVersion"
             dependency group: 'io.jsonwebtoken', name: 'jjwt', version: "$jjwtVersion"
             dependency "net.sourceforge.jchardet:jchardet:1.0"
-            dependency "io.micrometer:micrometer-registry-prometheus:$micrometerPrometheusVersion"
             dependency "de.flapdoodle.embed:de.flapdoodle.embed.mongo.spring26x:$flapdoodleEmbeddedMongdbDBVersion"
             dependency "de.flapdoodle.embed:de.flapdoodle.embed.mongo:$flapdoodleEmbeddedMongdbDBVersion"
             dependency "joda-time:joda-time:$jodaTimeVersion"
@@ -345,6 +367,15 @@ subprojects {
             dependency "com.tencent.bk.sdk:spring-boot-bk-audit-starter:$bkAuditJavaSdkVersion"
             dependency "org.mockito:mockito-inline:$mockitoVersion"
             dependency "com.github.kstyrc:embedded-redis:$embeddedRedisVersion"
+            dependency "org.apache.zookeeper:zookeeper:$zookeeperVersion"
+            dependency "com.squareup.okio:okio:$okioVersion"
+            dependency "io.projectreactor.netty:reactor-netty-http:$reactorNettyHttpVersion"
+            dependency "io.projectreactor.netty:reactor-netty-core:$reactorNettyCoreVersion"
+            dependency "io.netty:netty-codec-http2:$nettyCodecHttp2Version"
+            dependency "org.springframework:spring-web:$springWebVersion"
+            dependency "com.squareup.okhttp3:okhttp:$okHttpVersion"
+            dependency "com.rabbitmq:amqp-client:$amqpClientVersion"
+            dependency "org.eclipse.jgit:org.eclipse.jgit:$jgitVersion"
         }
     }
     dependencies {

diff --git a/src/backend/commons/common-service/src/test/java/FeatureToggleTest.java b/src/backend/commons/common-service/src/test/java/FeatureToggleTest.java
@@ -40,6 +40,7 @@
 import org.junit.jupiter.api.Test;
 import org.mockito.MockedStatic;
 import org.mockito.Mockito;
+import org.yaml.snakeyaml.LoaderOptions;
 import org.yaml.snakeyaml.Yaml;
 import org.yaml.snakeyaml.constructor.Constructor;
 
@@ -54,7 +55,8 @@ class FeatureToggleTest {
 
     @BeforeAll
     static void beforeAll() {
-        Yaml yaml = new Yaml(new Constructor(FeatureToggleProperties.class));
+        Constructor constructor = new Constructor(FeatureToggleProperties.class, new LoaderOptions());
+        Yaml yaml = new Yaml(constructor);
         InputStream inputStream = FeatureToggleTest.class.getClassLoader()
             .getResourceAsStream("features_1.yaml");
         FeatureToggleProperties featureToggleProperties = yaml.load(inputStream);

diff --git a/src/backend/job-analysis/boot-job-analysis/build.gradle b/src/backend/job-analysis/boot-job-analysis/build.gradle
@@ -32,7 +32,7 @@ dependencies {
     implementation 'org.springframework.cloud:spring-cloud-starter-bootstrap'
     implementation 'org.springframework:spring-webmvc'
     implementation(group: 'org.springframework.boot', name: 'spring-boot-starter-data-redis')
-    runtimeOnly('mysql:mysql-connector-java')
+    runtimeOnly('com.mysql:mysql-connector-j')
 
     testImplementation("com.h2database:h2")
 }

diff --git a/src/backend/job-assemble/build.gradle b/src/backend/job-assemble/build.gradle
@@ -40,7 +40,7 @@ dependencies {
     implementation project(":job-analysis:service-job-analysis")
     implementation 'org.springframework.boot:spring-boot-starter-jdbc'
     implementation 'org.springframework.cloud:spring-cloud-starter-bootstrap'
-    runtimeOnly 'mysql:mysql-connector-java'
+    runtimeOnly 'com.mysql:mysql-connector-j'
 
     testImplementation 'org.springframework.boot:spring-boot-starter-test'
     testImplementation 'org.junit.jupiter:junit-jupiter'

diff --git a/src/backend/job-backup/boot-job-backup/build.gradle b/src/backend/job-backup/boot-job-backup/build.gradle
@@ -32,7 +32,7 @@ dependencies {
     implementation 'org.springframework.cloud:spring-cloud-starter-bootstrap'
     implementation 'org.springframework:spring-webmvc'
     implementation(group: 'org.springframework.boot', name: 'spring-boot-starter-data-redis')
-    runtimeOnly('mysql:mysql-connector-java')
+    runtimeOnly('com.mysql:mysql-connector-j')
 
     testImplementation("com.h2database:h2")
 }

diff --git a/src/backend/job-crontab/boot-job-crontab/build.gradle b/src/backend/job-crontab/boot-job-crontab/build.gradle
@@ -32,7 +32,7 @@ dependencies {
     implementation(group: 'org.springframework.boot', name: 'spring-boot-starter-data-redis')
     implementation 'org.springframework.cloud:spring-cloud-starter-bootstrap'
     implementation 'org.springframework:spring-webmvc'
-    runtimeOnly 'mysql:mysql-connector-java'
+    runtimeOnly 'com.mysql:mysql-connector-j'
 
     testImplementation("com.h2database:h2")
 }

diff --git a/src/backend/job-execute/boot-job-execute/build.gradle b/src/backend/job-execute/boot-job-execute/build.gradle
@@ -28,7 +28,7 @@ dependencies {
     api project(":commons:common-i18n")
     implementation 'org.springframework.boot:spring-boot-starter-jdbc'
     implementation 'org.springframework.cloud:spring-cloud-starter-bootstrap'
-    runtimeOnly 'mysql:mysql-connector-java'
+    runtimeOnly 'com.mysql:mysql-connector-j'
 
     testImplementation("com.h2database:h2")
 }

diff --git a/src/backend/job-file-gateway/boot-job-file-gateway/build.gradle b/src/backend/job-file-gateway/boot-job-file-gateway/build.gradle
@@ -31,7 +31,7 @@ dependencies {
     implementation 'org.springframework.cloud:spring-cloud-starter-bootstrap'
     implementation 'org.springframework:spring-webmvc'
     implementation(group: 'org.springframework.boot', name: 'spring-boot-starter-data-redis')
-    runtimeOnly('mysql:mysql-connector-java')
+    runtimeOnly('com.mysql:mysql-connector-j')
 }
 springBoot {
     getMainClass().set("com.tencent.bk.job.file_gateway.JobFileGatewayBootApplication")

diff --git a/src/backend/job-manage/boot-job-manage/build.gradle b/src/backend/job-manage/boot-job-manage/build.gradle
@@ -32,7 +32,7 @@ dependencies {
     implementation 'org.springframework.cloud:spring-cloud-starter-bootstrap'
     implementation 'org.springframework:spring-webmvc'
     implementation(group: 'org.springframework.boot', name: 'spring-boot-starter-data-redis')
-    runtimeOnly('mysql:mysql-connector-java')
+    runtimeOnly('com.mysql:mysql-connector-j')
 
     testImplementation("com.h2database:h2")
 }

diff --git a/src/backend/task_gen_jooq.gradle b/src/backend/task_gen_jooq.gradle
@@ -25,7 +25,7 @@ apply plugin: 'nu.studer.jooq'
 
 dependencies {
     api "org.jooq:jooq"
-    jooqRuntime "mysql:mysql-connector-java"
+    jooqRuntime "com.mysql:mysql-connector-j"
 }
 
 def nameArr = name.split('-')

diff --git a/src/backend/task_job_package.gradle b/src/backend/task_job_package.gradle
@@ -79,7 +79,7 @@ task postProcessRelease(type: GenCompleteDependJarListAndRemoveInfectedJarsTask)
     remove "logback-classic-.*jar"
     remove "logback-core-.*jar"
     remove "mchange-commons-java-.*jar"
-    remove "mysql-connector-java-.*jar"
+    remove "com.mysql:mysql-connector-j-.*jar"
     remove "org.eclipse.jgit-.*jar"
     remove "org.eclipse.jgit.http.apache-.*jar"
     remove "reactive-streams-.*jar"

diff --git a/support-files/dependJarInfo/md5List.txt b/support-files/dependJarInfo/md5List.txt
@@ -1,4 +1,4 @@
-d398009d58dc7158787121d0e19a1b3c
+6f314f6a68d3d9748d496ec47b155f13
 a77a4f0e9645fb5e17fb17f8b1c7cc1b
 5725bdda5da45c1a62c385dcb77c7fed
 a4d97c5a2f94b8b5d132761a769e5eeb
@@ -98,15 +98,15 @@ ea1e4457c0b7197df6e69cde35d2b352
 d094c22570d65e132c19cea5d352e381
 236b9969df6b394e88283a9f813b9b95
 bafb53f0385a82d4f9c1145917908736
-64f7a68f931aed8e5ad8243470440f0b
-841fc80c6edff60d947a3872a2db4d45
+fc49f9a98304889b228adbbd7288ae43
+25736944b46d10756764364afcb455fc
 badce92967671a310b5356f009ea57b2
 97c4575d9d49d9afb71492e6bb4417da
 190f0fcbde700574c56bf127ac32d2ad
 f9092388f452855f4f41d9a294f9f4e9
 d1a6c1d2717ace5be9fc4c7c889d2159
 4c11f98e756dc607d6aad28469d612b1
-fdf55dcef04b09f2eaf42b75e61ccc9a
+a331817ab5c572777e25539a70b51bb6
 583a5b0db40c45508feefd900c9513f1
 739701e8e7cd9a1a37c6e2b215b6e13a
 adefee7023c7df6aa3ce1c991be1cc81
@@ -123,8 +123,8 @@ b851ccee6b416361992d43f861fa3306
 63e24bf59ed6cb64eb62e8cd0e495a6c
 1a5d6d1073dd2f5d026852dea49e23d4
 848917322d5b4e121e53cc512d01a2f4
-84aeabf86d2950a53e33ae331870bed1
-0e0a533627085c406ac7eb57a4b22632
+5081e9662b2e83dc9ee89c5214522a48
+c9b7ceabcfc3cfca14709667dd8ec121
 c4ceefed77d79affded2a1302e74606d
 d7299dbaec0e0ed7af281b07cc40c8c1
 69122b098fff1c6b1bf2cd3b355e7e03

diff --git a/support-files/dependJarInfo/nameList.txt b/support-files/dependJarInfo/nameList.txt
@@ -106,7 +106,7 @@ micrometer-core
 micrometer-registry-prometheus
 mongodb-driver-core
 mongodb-driver-sync
-mysql-connector-java
+mysql-connector-j
 netflix-commons-util
 netflix-statistics
 netty-buffer

diff --git a/support-files/dependJarInfo/versionList.txt b/support-files/dependJarInfo/versionList.txt
@@ -1,4 +1,4 @@
-5.13.1
+5.18.0
 0.7.6
 1.9.7
 1.9.7
@@ -98,15 +98,15 @@
 9999.0-empty-to-avoid-conflict-with-guava
 2.13.3
 2.13.3
-1.2.10
-1.2.10
+1.2.13
+1.2.13
 1.2.0.Final
 0.2.15
 1.5.5
 1.5.1
 4.0.5
 4.0.5
-8.0.25
+8.2.0
 0.3.0
 0.1.1
 4.1.52.Final
@@ -123,8 +123,8 @@
 4.1.52.Final
 1.1.0
 1.1.3
-5.13.1.202206130422-r
-5.13.1.202206130422-r
+6.6.1.202309021850-r
+6.6.1.202309021850-r
 3.11.4
 2.3.2
 1.0.4