update dependencies to address CVEs (#16374)
update dependencies to address new batch of CVEs:
- Azure POM from 1.2.19 to 1.2.23 to update transitive dependency nimbus-jose-jwt to address: CVE-2023-52428
- commons-configuration2 from 2.8.0 to 2.10.1 to address: CVE-2024-29131 CVE-2024-29133
- bcpkix-jdk18on from 1.76 to 1.78.1 to address: CVE-2024-30172 CVE-2024-30171 CVE-2024-29857
diff --git a/extensions-core/azure-extensions/pom.xml b/extensions-core/azure-extensions/pom.xml
index e037a96..494b246 100644
--- a/extensions-core/azure-extensions/pom.xml
+++ b/extensions-core/azure-extensions/pom.xml
@@ -38,7 +38,7 @@
<dependency>
<groupId>com.azure</groupId>
<artifactId>azure-sdk-bom</artifactId>
- <version>1.2.19</version>
+ <version>1.2.23</version>
<type>pom</type>
<scope>import</scope>
</dependency>
diff --git a/licenses.yaml b/licenses.yaml
index f854586..ff0c0aa 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -652,7 +652,7 @@
license_category: binary
module: java-core
license_name: Apache License version 2.0
-version: 2.8.0
+version: 2.10.1
libraries:
- org.apache.commons: commons-configuration2
@@ -1054,7 +1054,7 @@
license_category: binary
module: extensions/druid-kubernetes-extensions
license_name: MIT License
-version: "1.76"
+version: "1.78.1"
libraries:
- org.bouncycastle: bcprov-jdk18on
- org.bouncycastle: bcprov-ext-jdk18on
@@ -4223,7 +4223,7 @@
module: extensions/druid-azure-extensions
license_name: MIT License
copyright: Microsoft
-version: 1.11.1
+version: 1.12.0
libraries:
- com.azure: azure-identity
@@ -4234,18 +4234,29 @@
module: extensions/druid-azure-extensions
license_name: MIT License
copyright: Microsoft
-version: 12.21.1
+version: 12.21.4
libraries:
- com.azure: azure-storage-blob-batch
---
+name: Microsoft Azure Blob Storage SDK
+license_category: binary
+module: extensions/druid-azure-extensions
+license_name: MIT License
+copyright: Microsoft
+version: 12.25.4
+libraries:
+ - com.azure: azure-storage-blob
+
+---
+
name: Microsoft Azure Storage Common
license_category: binary
module: extensions/druid-azure-extensions
license_name: MIT License
copyright: Microsoft
-version: 12.24.1
+version: 12.24.4
libraries:
- com.azure: azure-storage-common
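Review bot: The `version` scalars in the new `azure-storage-blob` entry here, and in the new `azure-xml` entry in the hunk at -4272, are unquoted, while the Bouncy Castle entry in the hunk at -1054 is quoted (`version: "1.78.1"`). Three-part versions still load as strings, but the two-part `version: 2.3` for `com.nimbusds: content-type` in the hunk at -4320 loads as a float under a generic YAML parser. A later bump to a value such as `2.10` would then silently read as `2.1`. Quoting every version, e.g. `version: "12.25.4"` and `version: "2.3"`, keeps the recorded versions exact; how the project's license tooling consumes this field is not visible on this page.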
@@ -4256,7 +4267,7 @@
module: extensions/druid-azure-extensions
license_name: MIT License
copyright: Microsoft
-version: 12.10.1
+version: 12.10.4
libraries:
- com.azure: azure-storage-internal-avro
@@ -4272,12 +4283,23 @@
- com.azure: azure-json
---
+
+name: Microsoft Azure XML
+license_category: binary
+module: extensions/druid-azure-extensions
+license_name: MIT License
+copyright: Microsoft
+version: 1.0.0
+libraries:
+ - com.azure: azure-xml
+
+---
name: Microsoft Azure Netty Http
license_category: binary
module: extensions/druid-azure-extensions
license_name: MIT License
copyright: Microsoft
-version: 1.13.11
+version: 1.14.2
libraries:
- com.azure: azure-core-http-netty
@@ -4288,7 +4310,7 @@
module: extensions/druid-azure-extensions
license_name: MIT License
copyright: Microsoft
-version: 1.45.1
+version: 1.48.0
libraries:
- com.azure: azure-core
@@ -4299,7 +4321,7 @@
module: extensions/druid-azure-extensions
license_name: MIT License
copyright: Microsoft
-version: 1.14.0
+version: 1.15.0
libraries:
- com.microsoft.azure: msal4j
@@ -4310,7 +4332,7 @@
module: extensions/druid-azure-extensions
license_name: MIT License
copyright: Microsoft
-version: 1.2.0
+version: 1.3.0
libraries:
- com.microsoft.azure: msal4j-persistence-extension
@@ -4320,7 +4342,7 @@
license_category: binary
module: extensions/druid-azure-extensions
license_name: Apache License version 2.0
-version: 2.2
+version: 2.3
libraries:
- com.nimbusds: content-type
@@ -4330,7 +4352,7 @@
license_category: binary
module: extensions/druid-azure-extensions
license_name: Apache License version 2.0
-version: 9.30.2
+version: 9.37.3
libraries:
- com.nimbusds: nimbus-jose-jwt
@@ -4340,7 +4362,7 @@
license_category: binary
module: extensions/druid-azure-extensions
license_name: Apache License version 2.0
-version: 10.7.1
+version: 11.9.1
libraries:
- com.nimbusds: oauth2-oidc-sdk
@@ -4350,7 +4372,7 @@
license_category: binary
module: extensions/druid-azure-extensions
license_name: Apache License version 2.0
-version: 1.0.39
+version: 1.0.43
libraries:
- io.projectreactor.netty: reactor-netty-core
- io.projectreactor.netty: reactor-netty-http
@@ -4361,7 +4383,7 @@
license_category: binary
module: extensions/druid-azure-extensions
license_name: Apache License version 2.0
-version: 3.4.34
+version: 3.4.36
libraries:
- io.projectreactor: reactor-core
---
diff --git a/pom.xml b/pom.xml
index d742deb..db1026b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -405,6 +405,20 @@
<artifactId>gson</artifactId>
<version>${gson.version}</version>
</dependency>
+ <!-- Transitive dependency of kubernetes-client java and docker-java-core
+ in kubernetes-extensions and it-integration tests -->
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcpkix-jdk18on</artifactId>
+ <version>1.78.1</version>
+ </dependency>
+ <!-- Transitive dependency of hive-common in druid-kerberos, druid-ranger-security and
+ druid-iceberg-extension -->
+ <dependency>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-configuration2</artifactId>
+ <version>2.10.1</version>
+ </dependency>
<dependency>
<groupId>org.apache.zookeeper</groupId>
<artifactId>zookeeper</artifactId>
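Review bot: The new pin covers only `bcpkix-jdk18on`, but the `licenses.yaml` entry bumped to "1.78.1" in this same commit lists `bcprov-jdk18on` and `bcprov-ext-jdk18on`, and nothing in this hunk manages those artifacts. If another dependency declares an older `bcprov-jdk18on` closer to the root, Maven's nearest-wins mediation could leave the provider jar on the old version while the license file claims 1.78.1. Managing `bcprov-jdk18on` alongside `bcpkix-jdk18on`, as sketched below, or confirming the resolved versions with `mvn dependency:tree` for the kubernetes-extensions and integration-test modules, would close that gap. Both new entries also hard-code their versions where the neighbouring gson entry uses `${gson.version}`; a shared property would keep the Bouncy Castle artifacts in lock-step. Whether this block sits inside `dependencyManagement`, and whether `bcprov` is already managed elsewhere in the POM, lies outside the hunk.

```xml
<!-- … unchanged: bcpkix-jdk18on entry pinned to 1.78.1 … -->
<!-- Keep the provider jar on the same patched release as bcpkix -->
<dependency>
  <groupId>org.bouncycastle</groupId>
  <artifactId>bcprov-jdk18on</artifactId>
  <version>1.78.1</version>
</dependency>
<!-- … unchanged: commons-configuration2 entry … -->
```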