address CVEs CVE-2025-25193, CVE-2025-24970, CVE-2024-57699 (#3575) (#…

…3577) * address CVEs CVE-2025-25193, CVE-2025-24970, CVE-2024-57699 Signed-off-by: Jing Zhang <[email protected]> * add exact version 2.5.2 for json-smart hardcode awssdk version to 2.30.18 Signed-off-by: Jing Zhang <[email protected]> --------- Signed-off-by: Jing Zhang <[email protected]> (cherry picked from commit 4d95466) Co-authored-by: Jing Zhang <[email protected]>
opensearch-project · Feb 21, 2025 · 5132aab · 5132aab
1 parent d6e8341
commit 5132aab
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 17 deletions.
diff --git a/common/build.gradle b/common/build.gradle
@@ -35,7 +35,10 @@ dependencies {
         exclude group: 'com.google.j2objc', module: 'j2objc-annotations'
         exclude group: 'com.google.guava', module: 'listenablefuture'
     }
-    compileOnly 'com.jayway.jsonpath:json-path:2.9.0'
+    compileOnly ('com.jayway.jsonpath:json-path:2.9.0') {
+        exclude group: 'net.minidev', module: 'json-smart'
+    }
+    compileOnly ('net.minidev:json-smart:2.5.2')
     compileOnly("com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}")
     compileOnly("com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}")
     compileOnly group: 'com.networknt' , name: 'json-schema-validator', version: '1.4.0'

diff --git a/memory/build.gradle b/memory/build.gradle
@@ -43,7 +43,10 @@ dependencies {
     testImplementation("com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}")
     testImplementation("com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}")
     testImplementation group: 'com.networknt' , name: 'json-schema-validator', version: '1.4.0'
-    testImplementation 'com.jayway.jsonpath:json-path:2.9.0'
+    testImplementation ('com.jayway.jsonpath:json-path:2.9.0') {
+        exclude group: 'net.minidev', module: 'json-smart'
+    }
+    testImplementation('net.minidev:json-smart:2.5.2')
 }
 
 test {

diff --git a/ml-algorithms/build.gradle b/ml-algorithms/build.gradle
@@ -67,21 +67,24 @@ dependencies {
         }
     }
 
-    implementation platform('software.amazon.awssdk:bom:2.29.12')
-    api 'software.amazon.awssdk:auth:2.29.12'
+    implementation platform('software.amazon.awssdk:bom:2.30.18')
+    api 'software.amazon.awssdk:auth:2.30.18'
     implementation 'software.amazon.awssdk:apache-client'
     implementation ('com.amazonaws:aws-encryption-sdk-java:2.4.1') {
         exclude group: 'org.bouncycastle', module: 'bcprov-ext-jdk18on'
     }
     implementation 'org.bouncycastle:bcprov-jdk18on:1.78.1'
 
-    compileOnly group: 'software.amazon.awssdk', name: 'aws-core', version: '2.29.12'
-    compileOnly group: 'software.amazon.awssdk', name: 's3', version: '2.29.12'
-    compileOnly group: 'software.amazon.awssdk', name: 'regions', version: '2.29.12'
+    compileOnly group: 'software.amazon.awssdk', name: 'aws-core', version: "2.30.18"
+    compileOnly group: 'software.amazon.awssdk', name: 's3', version: "2.30.18"
+    compileOnly group: 'software.amazon.awssdk', name: 'regions', version: "2.30.18"
 
-    implementation 'com.jayway.jsonpath:json-path:2.9.0'
+    implementation ('com.jayway.jsonpath:json-path:2.9.0') {
+        exclude group: 'net.minidev', module: 'json-smart'
+    }
+    implementation('net.minidev:json-smart:2.5.2')
     implementation group: 'org.json', name: 'json', version: '20231013'
-    implementation group: 'software.amazon.awssdk', name: 'netty-nio-client', version: '2.29.12'
+    implementation group: 'software.amazon.awssdk', name: 'netty-nio-client', version: "2.30.18"
     testImplementation("com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}")
     testImplementation("com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}")
     testImplementation group: 'com.networknt' , name: 'json-schema-validator', version: '1.4.0'
@@ -94,7 +97,7 @@ lombok {
 configurations.all {
     resolutionStrategy.force 'com.google.protobuf:protobuf-java:3.25.5'
     resolutionStrategy.force 'org.apache.commons:commons-compress:1.26.0'
-    resolutionStrategy.force 'software.amazon.awssdk:bom:2.29.12'
+    resolutionStrategy.force 'software.amazon.awssdk:bom:2.30.18'
 }
 
 

diff --git a/plugin/build.gradle b/plugin/build.gradle
@@ -54,15 +54,15 @@ dependencies {
     implementation project(':opensearch-ml-memory')
     compileOnly "com.google.guava:guava:32.1.3-jre"
 
-    implementation group: 'software.amazon.awssdk', name: 'aws-core', version: '2.29.12'
-    implementation group: 'software.amazon.awssdk', name: 's3', version: '2.29.12'
-    implementation group: 'software.amazon.awssdk', name: 'regions', version: '2.29.12'
+    implementation group: 'software.amazon.awssdk', name: 'aws-core', version: "2.30.18"
+    implementation group: 'software.amazon.awssdk', name: 's3', version: "2.30.18"
+    implementation group: 'software.amazon.awssdk', name: 'regions', version: "2.30.18"
 
-    implementation group: 'software.amazon.awssdk', name: 'aws-xml-protocol', version: '2.29.12'
+    implementation group: 'software.amazon.awssdk', name: 'aws-xml-protocol', version: "2.30.18"
 
-    implementation group: 'software.amazon.awssdk', name: 'aws-query-protocol', version: '2.29.12'
+    implementation group: 'software.amazon.awssdk', name: 'aws-query-protocol', version: "2.30.18"
 
-    implementation group: 'software.amazon.awssdk', name: 'protocol-core', version: '2.29.12'
+    implementation group: 'software.amazon.awssdk', name: 'protocol-core', version: "2.30.18"
 
     zipArchive group: 'org.opensearch.plugin', name:'opensearch-job-scheduler', version: "${opensearch_build}"
     compileOnly "org.opensearch:opensearch-job-scheduler-spi:${opensearch_build}"
@@ -84,7 +84,10 @@ dependencies {
     implementation "org.apache.logging.log4j:log4j-slf4j-impl:2.19.0"
     testImplementation group: 'commons-io', name: 'commons-io', version: '2.15.1'
     implementation group: 'org.apache.commons', name: 'commons-text', version: '1.10.0'
-    implementation 'com.jayway.jsonpath:json-path:2.9.0'
+    implementation ('com.jayway.jsonpath:json-path:2.9.0') {
+        exclude group: 'net.minidev', module: 'json-smart'
+    }
+    implementation('net.minidev:json-smart:2.5.2')
 }
 
 publishing {