CC-18964 CCMSG-2421 CCMSG-2420 Update Ivy, commons-net, json-smart, mina-core and xmlbuilder

[venkatteki]

Problem

woodstox-core:5.3.0 and jettison:1.1 are vulnerable.

Solution

Pin woodstox-core:6.5.0 and jettison:1.5.3 to fix the CVE

Does this solution apply anywhere else?

• [ ] yes
• [ ] no

If yes, where?

Test Strategy

Testing done:

• [ ] Unit tests
• [ ] Integration tests
• [ ] System tests
• [ ] Manual tests

Release Plan

[janjwerner-confluent]

Two nits:

• woodstox-core brought by dependecies is version 5.3.1. I rather use 5.4.0 to stay in the same major / minor versioning
• can we try to exclude jettison? INFO] +- org.apache.hadoop:hadoop-minicluster:jar:2.10.2:test [INFO] | +- org.apache.hadoop:hadoop-common:test-jar:tests:2.10.2:test [INFO] | | +- commons-cli:commons-cli:jar:1.2:compile [INFO] | | +- org.apache.commons:commons-math3:jar:3.1.1:compile [INFO] | | +- xmlenc:xmlenc:jar:0.52:compile [INFO] | | +- commons-net:commons-net:jar:3.1:compile [INFO] | | +- javax.servlet:servlet-api:jar:2.5:compile [INFO] | | +- org.mortbay.jetty:jetty:jar:6.1.26:compile [INFO] | | +- org.mortbay.jetty:jetty-util:jar:6.1.26:compile [INFO] | | +- org.mortbay.jetty:jetty-sslengine:jar:6.1.26:compile [INFO] | | +- javax.servlet.jsp:jsp-api:jar:2.1:runtime [INFO] | | +- com.sun.jersey:jersey-core:jar:1.9:compile [INFO] | | +- com.sun.jersey:jersey-json:jar:1.9:compile [INFO] | | | +- org.codehaus.jettison:jettison:jar:1.1:compile My understanding is that jettison is a dependency of a TEST dependency and I would assume it should be a TEST dependency as well. Can we bring in hadoopcommon-2.10.2 in test scope and explicitly remove jettison?

[janjwerner-confluent]

Thank you for the catch with the incorrect versions @naveenmall11

[venkatteki]

@confluentinc/connect-team1 can you please review this PR

[naveenmall11]

Thank you for the catch with the incorrect versions @naveenmall11

@janjwerner-confluent can we confirm on twistlock that these dependencies are not there on this PR scan?

[janjwerner-confluent]

The latest build 18 takes down CVE count from 23 in master to 8 the remaining issues are connector breaking. https://twistlock.tools.confluent-internal.io/#!/monitor/vulnerabilities/images/ci?search=Confluent%20Public%20Repo%20PR%20builder%2Fkafka-connect-hdfs%2FPR-652 Please review / test /merge. @venkatteki @snehashisp

[venkatteki]

@confluentinc/connect-team1 Can you please review

[rishabhbits038]

Verified the connector in kafka-docker-playground. Merging this