Merge pull request #1374 from luanwenfei-venus/develop

开源版本漏洞修复
sermant-io · Dec 7, 2023 · 44bd379 · 44bd379
2 parents 198029d + ed99a97
commit 44bd379
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 7 deletions.
diff --git a/pom.xml b/pom.xml
@@ -51,15 +51,15 @@
         <zookeeper.version>3.6.3</zookeeper.version>
         <lombok.version>1.18.22</lombok.version>
         <asm.version>8.0.1</asm.version>
-        <common.io.version>1.3.2</common.io.version>
+        <common.io.version>2.7</common.io.version>
         <org.jacoco.version>0.8.8</org.jacoco.version>
         <simpleclient.version>0.16.0</simpleclient.version>
 
         <slf4j.version>1.7.35</slf4j.version>
         <log4j2.version>2.17.2</log4j2.version>
         <logback.version>1.2.9</logback.version>
 
-        <junit.version>4.12</junit.version>
+        <junit.version>4.13.1</junit.version>
         <junit.jupiter.version>5.8.1</junit.jupiter.version>
         <mockito-core.version>3.9.0</mockito-core.version>
         <mockito-inline.version>3.9.0</mockito-inline.version>

diff --git a/sermant-plugins/sermant-router/spring-router-plugin/pom.xml b/sermant-plugins/sermant-router/spring-router-plugin/pom.xml
@@ -20,11 +20,12 @@
         <eureka.version>1.10.7</eureka.version>
         <hystrix.version>1.4.3</hystrix.version>
         <zuul.version>1.3.1</zuul.version>
+        <common-io.version>2.7</common-io.version>
         <spring.test.version>5.2.0.RELEASE</spring.test.version>
         <tomcat.version>9.0.43</tomcat.version>
-        <okhttp.version>4.1.0</okhttp.version>
+        <okhttp.version>4.11.0</okhttp.version>
         <okhttp.sq.version>2.7.5</okhttp.sq.version>
-        <apache-httpclient.version>4.3</apache-httpclient.version>
+        <apache-httpclient.version>4.5.13</apache-httpclient.version>
         <http.client.async.verion>4.1.5</http.client.async.verion>
     </properties>
 
@@ -98,8 +99,19 @@
                     <groupId>org.mockito</groupId>
                     <artifactId>mockito-all</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>commons-io</groupId>
+                    <artifactId>commons-io</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
+        <!--    zuul自身引入的commons-io有漏洞，排除后引入无漏洞版本    -->
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>${common-io.version}</version>
+            <scope>provided</scope>
+        </dependency>
         <dependency>
             <groupId>com.squareup.okhttp3</groupId>
             <artifactId>okhttp</artifactId>

diff --git a/sermant-plugins/sermant-service-registry/spring-cloud-registry-plugin/pom.xml b/sermant-plugins/sermant-service-registry/spring-cloud-registry-plugin/pom.xml
@@ -22,6 +22,7 @@
         <feigin.version>10.0.0</feigin.version>
         <zuul.version>1.3.0</zuul.version>
         <gson.version>2.8.9</gson.version>
+        <common-io.version>2.7</common-io.version>
     </properties>
 
     <dependencies>
@@ -101,8 +102,19 @@
                     <groupId>org.mockito</groupId>
                     <artifactId>mockito-all</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>commons-io</groupId>
+                    <artifactId>commons-io</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
+        <!--    zuul自身引入的commons-io有漏洞，排除后引入无漏洞版本    -->
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>${common-io.version}</version>
+            <scope>provided</scope>
+        </dependency>
         <dependency>
             <groupId>com.huaweicloud.sermant</groupId>
             <artifactId>registry-common</artifactId>

diff --git a/sermant-plugins/sermant-springboot-registry/springboot-registry-plugin/pom.xml b/sermant-plugins/sermant-springboot-registry/springboot-registry-plugin/pom.xml
@@ -19,9 +19,9 @@
         <package.plugin.type>plugin</package.plugin.type>
         <spring.version>5.2.9.RELEASE</spring.version>
         <http.client.async.verion>4.1.5</http.client.async.verion>
-        <okhttp.version>4.1.0</okhttp.version>
+        <okhttp.version>4.11.0</okhttp.version>
         <okhttp.sq.version>2.7.5</okhttp.sq.version>
-        <httpclient.version>4.5.12</httpclient.version>
+        <httpclient.version>4.5.13</httpclient.version>
         <httpclient5.version>5.1.1</httpclient5.version>
         <jetty.client.version>9.4.11.v20180605</jetty.client.version>
         <feign.version>10.2.3</feign.version>

diff --git a/sermant-plugins/sermant-tag-transmission/tag-transmission-httpclient4.x-plugin/pom.xml b/sermant-plugins/sermant-tag-transmission/tag-transmission-httpclient4.x-plugin/pom.xml
@@ -16,7 +16,7 @@
         <maven.compiler.target>8</maven.compiler.target>
         <config.skip.flag>false</config.skip.flag>
         <package.plugin.type>plugin</package.plugin.type>
-        <apache-httpclient.version>4.3</apache-httpclient.version>
+        <apache-httpclient.version>4.5.13</apache-httpclient.version>
     </properties>
 
     <dependencies>