Merge pull request #7003 from lpalashevski/tp-security-updates

Third party transitive depdendency updates

build.gradle

@@ -77,7 +77,8 @@ allprojects {
         hibernatevalidatorVersion = '8.0.0.Final'
         httpclientVersion = '4.5.13'
         httpcoreVersion = '4.4.15'
-        jacksonVersion = '2.13.3'
+        jacksonVersion = '2.13.4'
+        jacksonDatabindVersion = '2.13.4.2'
         jacksonaslVersion = '1.9.14-atlassian-6'
         jakartaannotationVersion = '1.3.5'
         jakartapersistenceVersion = '3.1.0'
@@ -140,7 +141,7 @@ allprojects {
             implementation("ch.qos.logback:logback-classic:${logbackVersion}")
             implementation("ch.qos.logback:logback-core:${logbackVersion}")
             implementation("com.datastax.oss:java-driver-core:${ossVersion}")
-            implementation("com.fasterxml.jackson.core:jackson-databind:${jacksonVersion}")
+            implementation("com.fasterxml.jackson.core:jackson-databind:${jacksonDatabindVersion}")
             implementation("com.fasterxml.jackson.core:jackson-annotations:${jacksonVersion}")
             implementation("com.fasterxml.jackson.core:jackson-core:${jacksonVersion}")
             implementation("com.fasterxml.jackson.core:jackson-datatype-jsr310:${jacksonVersion}")
@@ -288,7 +289,13 @@ allprojects {
             testImplementation("org.slf4j:slf4j-simple:${slf4jVersion}")
             testImplementation("org.testng:testng:${testngVersion}")
             testImplementation("org.hamcrest:hamcrest:${hamcrestVersion}")
+
+            // Explicitly enforced versions of transitive dependencies to mitigate potential CVEs reported by static security scans.
+            //TODO: Remove dependency line below in case the new parent library is updated and pulls good version.
+            runtimeOnly("org.antlr:antlr4:4.9.3")
+            runtimeOnly("com.beust:jcommander:1.78")
         }
+        implementation platform('net.openhft:chronicle-bom:2.21ea47')
     }
 
     /*

pom.xml

@@ -155,7 +155,7 @@
         <mockito.version>4.8.0</mockito.version>
         <slf4j.version>1.7.36</slf4j.version>
         <testng.version>7.5</testng.version>
-        <jackson.databind.version>2.13.4</jackson.databind.version>
+        <jackson.databind.version>2.13.4.1</jackson.databind.version>
         <jackson.version>2.13.4</jackson.version>
         <logback.version>1.2.11</logback.version>
         <kafka.version>3.3.1</kafka.version>
@@ -3418,6 +3418,35 @@
                 <version>${reactivestreams.version}</version>
             </dependency>
 
+
+            <!-- Explicitly enforced versions of transitive dependencies to mitigate potential CVEs reported by static security scans. -->
+            <!-- TODO: Remove dependency block below in case the new parent library is updated and pulls good version. -->
+
+            <!-- [CVE-2018-18928] CWE-190 com.ibm.icu:icu4j:jar:61.1 via org.antlr:antlr4:jar:4.9.1 << org.apache.tinkerpop:gremlin-core:jar:3.5.2  -->
+            <dependency>
+                <groupId>org.antlr</groupId>
+                <artifactId>antlr4</artifactId>
+                <version>4.9.3</version>
+                <scope>runtime</scope>
+            </dependency>
+
+            <!-- [sonatype-2021-0234] CWE-190 net.openhft:chronicle-wire:jar:2.20 via org.apache.cassandra:cassandra-all:jar:4.0.6 << org.janusgraph:janusgraph-cql:jar:0.6.1  -->
+            <dependency>
+                <groupId>net.openhft</groupId>
+                <artifactId>chronicle-bom</artifactId>
+                <version>2.21ea47</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+
+            <!-- [sonatype-2019-0992] CWE-494 jcommander:1.30 via org.apache.cassandra:cassandra-all:jar:4.0.6 -->
+            <dependency>
+                <groupId>com.beust</groupId>
+                <artifactId>jcommander</artifactId>
+                <version>1.78</version>
+                <scope>runtime</scope>
+            </dependency>
+
         </dependencies>
 
     </dependencyManagement>