Merge branch 'develop' into dependabot/maven/java/surefire.plugin.ver…

…sion-3.2.5
gchq · Mar 11, 2024 · b77b949 · b77b949
2 parents 8277e6d + 3d7ecb5
commit b77b949
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 5 deletions.
diff --git a/NOTICES b/NOTICES
@@ -61,6 +61,10 @@ Apache Kerby (org.apache.kerby:*:2.0.3):
 
 - Apache License, Version 2.0
 
+XNIO (org.jboss.xnio:xnio-api:3.8.13.Final):
+
+- Apache License, Version 2.0
+
 Kotlin Stdlib (org.jetbrains.kotlin:*:1.6.20):
 
 - Apache License, Version 2.0

diff --git a/code-style/dependency-check-suppressions.xml b/code-style/dependency-check-suppressions.xml
@@ -224,4 +224,21 @@
         <packageUrl regex="true">^pkg:maven/software\.amazon\.ion/ion\-java@.*$</packageUrl>
         <cve>CVE-2024-21634</cve>
     </suppress>
+    <suppress>
+        <notes><![CDATA[
+        XNIO is a dependency for Hadoop, used by Kerby's kerb-admin module, which is a transitive dependency for Hadoop
+        authentication. At time of writing, there's no version of XNIO without this problem.
+
+        Since HDFS is not used, it doesn't seem like this should be needed as a dependency. We can look at removing this
+        from the classpath.
+
+        We're using Hadoop for our integration with Parquet, and for bulk import jobs on Spark. The Parquet integration
+        only talks to S3 in practice, although the Hadoop integration is designed for HDFS, which may be why this is a
+        dependency. Spark also seems to only use Hadoop authentication when talking to HDFS:
+
+        https://spark.apache.org/docs/latest/security.html#kerberos
+        ]]></notes>
+        <packageUrl regex="true">^pkg:maven/org\.jboss\.xnio/xnio\-api@.*$</packageUrl>
+        <vulnerabilityName>CVE-2023-5685</vulnerabilityName>
+    </suppress>
 </suppressions>
diff --git a/java/pom.xml b/java/pom.xml
@@ -92,6 +92,8 @@
         <json-smart.version>2.4.11</json-smart.version>
         <!-- Hadoop declares an old version of Kerby with vulnerabilities. Managed from 1.0.1. -->
         <kerby.version>2.0.3</kerby.version>
+        <!-- Hadoop declares an old version of XNIO with vulnerabilities. Managed from 3.8.8.Final. -->
+        <xnio.version>3.8.13.Final</xnio.version>
         <!-- Spark declares an old version of OkHttp with vulnerabilities. Managed from 4.10.0. -->
         <okhttp3.version>4.11.0</okhttp3.version>
         <!--
@@ -121,9 +123,9 @@
         <commons-text.version>1.10.0</commons-text.version>
         <janino.version>3.1.9</janino.version>
         <commons-net.version>3.9.0</commons-net.version>
-        <jackson.version>2.15.2</jackson.version>
+        <jackson.version>2.16.2</jackson.version>
         <!-- Trino integration uses a different version of JJWT, this is the version used in the build module -->
-        <jjwt.build.version>0.12.3</jjwt.build.version>
+        <jjwt.build.version>0.12.5</jjwt.build.version>
         <facebook.collections.version>0.1.32</facebook.collections.version>
         <!-- Facebook Collections brings in a vulnerable version of Guava, so we manage this -->
         <guava.version>32.0.1-jre</guava.version>
@@ -144,15 +146,15 @@
         <!-- Build module uses Jersey for communicating with GitHub API -->
         <jersey.version>2.38</jersey.version>
         <!-- Netty version is managed because S3, Athena and Arrow depend on it but use incompatible versions -->
-        <netty.version>4.1.94.Final</netty.version>
+        <netty.version>4.1.107.Final</netty.version>
         <!-- Jetty and Jakarta versions are managed because WireMock and Hadoop use different versions. -->
         <!-- We want to avoid mixing them but they should be compatible. -->
         <jetty.version>9.4.53.v20231009</jetty.version>
         <jakarta.activation.version>1.2.2</jakarta.activation.version>
         <jakarta.xml.bind.version>2.3.3</jakarta.xml.bind.version>
         <jungrapht.version>1.4</jungrapht.version>
         <!-- Testing -->
-        <junit.version>5.10.1</junit.version>
+        <junit.version>5.10.2</junit.version>
         <junit.platform.version>1.10.1</junit.platform.version>
         <mockito.version>4.11.0</mockito.version>
         <testcontainers.version>1.19.0</testcontainers.version>
@@ -175,7 +177,7 @@
         <surefire.plugin.version>3.2.5</surefire.plugin.version>
         <failsafe.plugin.version>${surefire.plugin.version}</failsafe.plugin.version>
         <surefire.report.plugin.version>${surefire.plugin.version}</surefire.report.plugin.version>
-        <shade.plugin.version>3.4.1</shade.plugin.version>
+        <shade.plugin.version>3.5.2</shade.plugin.version>
         <assembly.plugin.version>3.3.0</assembly.plugin.version>
         <jar.plugin.version>3.3.0</jar.plugin.version>
         <compiler.plugin.version>3.10.1</compiler.plugin.version>
@@ -490,6 +492,11 @@
                 <artifactId>kerb-simplekdc</artifactId>
                 <version>${kerby.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.jboss.xnio</groupId>
+                <artifactId>xnio-api</artifactId>
+                <version>${xnio.version}</version>
+            </dependency>
             <dependency>
                 <groupId>com.squareup.okhttp3</groupId>
                 <artifactId>okhttp</artifactId>