build: Update dependencies in hale-platform to resolve security issues

update libraries ING-4067
halestudio · Nov 29, 2023 · b1a16b8 · b1a16b8
1 parent bd60c74
commit b1a16b8
Show file tree

Hide file tree

Showing 5 changed files with 192 additions and 22 deletions.
diff --git a/build.gradle b/build.gradle
@@ -90,8 +90,8 @@ include {
 		]
 	}
 
-	from('modules/shared/logging.gradle') {
-		slf4jAndLogback '1.7.10', '1.0.13'
+	from('modules/logging.gradle') {
+		slf4jAndLogback '1.7.36', '1.2.12'
 	}
 
 	from 'modules/shared/orientdb.gradle', {
@@ -282,7 +282,7 @@ platform {
 	bnd group: 'net.sf.trove4j', name: 'trove4j', {
 		instructions 'Eclipse-BuddyPolicy': 'registered'
 	}
-	bundle 'commons-io:commons-io:2.4'
+	bundle 'commons-io:commons-io:2.14.0'
 	// https://www.cve.org/CVERecord?id=CVE-2022-42889
 	bundle 'org.apache.commons:commons-text:1.10.0'
 	bundle 'net.sf.ehcache:ehcache-core:2.6.6'
@@ -298,10 +298,10 @@ platform {
 	bundle 'asm:asm-analysis:3.3.1'
 
 	// ivy with at least 2.4 because of bug in IvySettings
-	bundle 'org.apache.ivy:ivy:2.4.0'
+	bundle 'org.apache.ivy:ivy:2.5.2'
 
 	// web stuff
-	bundle 'commons-fileupload:commons-fileupload:1.3.1'
+	bundle 'commons-fileupload:commons-fileupload:1.5'
 	bundle 'org.openid4java:openid4java:0.9.8'
 	bundle 'net.tanesha.recaptcha4j:recaptcha4j:0.0.8'
 	bundle "org.wicketstuff:wicketstuff-html5:$wicketVersion"
@@ -322,7 +322,7 @@ platform {
 //	bundle 'com.ning:async-http-client:1.8.15'
 
 	// quartz scheduler
-	bundle 'org.quartz-scheduler:quartz:1.7.3'
+	bundle 'org.quartz-scheduler:quartz:2.3.2'
 
 	// XML
 //	bundle 'org.apache.ws.xmlschema:xmlschema-core:2.0.2'
@@ -397,10 +397,10 @@ platform {
 		}
 	}
 	// jackson 2
-	bundle 'com.fasterxml.jackson.core:jackson-core:2.3.2'
-	bundle 'com.fasterxml.jackson.core:jackson-databind:2.3.2' , {
+	bundle 'com.fasterxml.jackson.core:jackson-core:2.13.4'
+	bundle 'com.fasterxml.jackson.core:jackson-databind:2.13.4' , {
 		bnd {
-			optionalImport group: 'javax.xml'
+			optionalImport('javax.xml', '*')
 		}
 	}
 
@@ -668,7 +668,7 @@ platform {
 	}
 
 	// YAML library
-	bundle 'org.yaml:snakeyaml:1.21'
+	bundle 'org.yaml:snakeyaml:2.2'
 
 	// Pebble template engine
 	def pebbleVersion = '3.0.1'

diff --git a/modules/jetty-support/jetty-support.gradle b/modules/jetty-support/jetty-support.gradle
@@ -1,6 +1,6 @@
 // Adapted jetty related bundles
 platform {
-	def jettyVersion = '9.2.1.v20140609'
+	def jettyVersion = '9.4.53.v20231009'
 	//def jettyVersion = '9.4.10.v20180503' // Originally upgraded during the platform migration to Photon. Not sure why anymore, so left out for the moment
 	def jettyGroup = 'org.eclipse.jetty'
 

diff --git a/modules/logging.gradle b/modules/logging.gradle
@@ -0,0 +1,61 @@
+import org.gradle.api.artifacts.DependencyResolveDetails
+
+/**
+ * Adds slf4j and logback to the platform
+ */
+def slf4jAndLogback(String slf4jVersion = '1.7.5', String logbackVersion = '1.0.13') {
+	def log4jToSlf4jjVersion = '2.19.0'
+	repositories {
+		mavenCentral()
+	}
+	configurations {
+		bndplatform {
+			// resolution configuration for logging bridges (... over slf4j)
+
+			resolutionStrategy.eachDependency { DependencyResolveDetails details ->
+				if (details.requested.name == 'commons-logging') {
+					// prefer 'jcl-over-slf4j' over 'commons-logging'
+					details.useTarget "org.slf4j:jcl-over-slf4j:${slf4jVersion}"
+				}
+			}
+
+			resolutionStrategy.eachDependency { DependencyResolveDetails details ->
+				if (details.requested.name == 'log4j' && details.requested.group == 'log4j') {
+					// prefer 'log4j-over-slf4j' over 'log4j'
+					details.useTarget "org.slf4j:log4j-over-slf4j:${slf4jVersion}"
+				}
+			}
+
+			// exclude SLF4J over LOG4J - logback is used
+			exclude group: "org.slf4j", module: "slf4j-log4j12"
+		}
+	}
+
+	platform {
+		feature id: 'platform.shared.slf4jlogback',
+				name: 'SLF4J and Logback',
+				version: slf4jVersion, {
+			// slf4j
+			bundle "org.slf4j:slf4j-api:${slf4jVersion}"
+//			bundle "org.slf4j:slf4j-ext:${slf4jVersion}"
+			bundle "org.slf4j:slf4j-ext:${slf4jVersion}", {
+				bnd {
+					optionalImport 'ch.qos.cal10n', 'ch.qos.cal10n.*'
+				}
+			}
+			bundle "org.apache.logging.log4j:log4j-to-slf4j:${log4jToSlf4jjVersion}"
+
+			// jul adapter
+			bundle "org.slf4j:jul-to-slf4j:${slf4jVersion}"
+
+			// logback
+			bundle "ch.qos.logback:logback-classic:${logbackVersion}"
+			bundle "ch.qos.logback:logback-core:${logbackVersion}", {
+				bnd {
+					// suppress Require-Capability: osgi.ee;filter:="(osgi.ee=UNKNOWN)" generated by bnd
+					instruction '-removeheaders', 'Require-Capability'
+				}
+			}
+		}
+	}
+}
diff --git a/modules/schemacrawler.gradle b/modules/schemacrawler.gradle
@@ -19,7 +19,7 @@ platform {
 				instruction 'DynamicImport-Package', '*'
 			}
 		}
-		bundle 'com.thoughtworks.xstream:xstream:1.4.5', { // dependency of schemacrawler not listed in pom!
+		bundle 'com.thoughtworks.xstream:xstream:1.4.20', { // dependency of schemacrawler not listed in pom!
 			bnd {
 				optionalImport 'sun.misc'
 			}