Merge pull request #14 from maxbettercloud/deps-update

More security updates

Author: mark-jones-at-bettercloud

CHANGELOG.md

@@ -1,6 +1,8 @@
 History
 -------
 
+* **3.2.0**: Updating dependencies to fix Snyk issues
+
 * **3.1.0**: Bumps hbase-client version to 2.4.13
 
 * **3.0.0**: Bumps jacksonVersion and bigtableVersion to address security vulnerabilities, removes hbase-shaded-client and pulls in the standard hbase-client

build.gradle

@@ -1,5 +1,5 @@
 group = 'com.bettercloud'
-version = '3.1.0'
+version = '3.2.0'
 
 ext.isReleaseVersion = !version.endsWith('SNAPSHOT')
 
@@ -19,16 +19,28 @@ if (!hasProperty('nexusPassword')) {
     ext.nexusPassword = ''
 }
 
+repositories {
+    mavenLocal()
+}
+
 allprojects {
-    apply plugin: 'maven'
     apply plugin: 'java-library'
+    apply plugin: 'maven'
+    apply plugin: 'maven-publish'
 
     sourceCompatibility = JavaVersion.VERSION_1_8
     targetCompatibility = JavaVersion.VERSION_1_8
 
     repositories {
         mavenCentral()
     }
+
+    configurations.all {
+        exclude group: 'log4j'
+        // see https://www.slf4j.org/codes.html#log4jDelegationLoop
+        exclude group: 'org.slf4j', module: 'slf4j-log4j12'
+        exclude group: 'org.slf4j', module: 'slf4j-reload4j'
+    }
 }
 
 subprojects {
@@ -39,6 +51,15 @@ subprojects {
     version = rootProject.version
 
     dependencies {
+        constraints {
+            implementation('net.minidev:json-smart:2.4.8') {
+                because('CWE-400, CVE-2021-27568 - Denial of Service')
+            }
+        }
+
+        // see https://www.slf4j.org/legacy.html
+        implementation "org.slf4j:log4j-over-slf4j:$log4jOverSlf4jVersion"
+
         testImplementation "junit:junit:$junitVersion"
         testImplementation "org.mockito:mockito-core:$mockitoVersion"
     }
@@ -62,6 +83,14 @@ subprojects {
         sign configurations.archives
     }
 
+    publishing {
+        publications {
+            maven(MavenPublication) {
+                from components.java
+            }
+        }
+    }
+
     uploadArchives {
         repositories {
             mavenDeployer {

core/build.gradle

@@ -3,5 +3,15 @@ dependencies {
         exclude group: 'org.apache.hbase', module: 'hbase-shaded-client'
     }
     api "com.fasterxml.jackson.core:jackson-databind:$jacksonVersion"
-    api "org.apache.hbase:hbase-client:$hbaseClientVersion"
+    api ("org.apache.hbase:hbase-client:$hbaseClientVersion") {
+        exclude group: 'org.apache.hadoop', module: 'hadoop-common'
+        exclude group: 'org.apache.zookeeper', module: 'zookeeper'
+    }
+    api ("org.apache.hadoop:hadoop-common:$hadoopCommonVersion") {
+        exclude group: 'org.apache.zookeeper', module: 'zookeeper'
+    }
+    implementation ("org.apache.zookeeper:zookeeper:$zookeeperVersion") {
+        exclude group: 'io.netty', module: 'netty-handler'
+    }
+    implementation "io.netty:netty-handler:$nettyVersion"
 }

gradle.properties

@@ -1,8 +1,14 @@
-bigtableVersion=2.4.0
+autoServiceVersion=1.0.1
+bigtableVersion=2.5.0
 jacksonVersion=2.13.3
-autoServiceVersion=1.0-rc4
-hbaseClientVersion=2.4.13
 javaPoetVersion=1.11.1
-junitVersion=4.12
-mockitoVersion=2.24.0
-compileTestingVersion=0.15
+hadoopCommonVersion=2.10.2
+hbaseClientVersion=2.4.13
+log4jOverSlf4jVersion=1.7.36
+nettyVersion=4.1.79.Final
+zookeeperVersion=3.5.10
+
+# Tests
+compileTestingVersion=0.19
+junitVersion=4.13.2
+mockitoVersion=2.24.0