Description
- com.google.guava:guava: version from 31.1-jre to 32.1.2-jre
- com.diffplug.spotless: version from 6.17.0 to 6.21.0
- oci-java-sdk: version from 3.10.0 to 3.24.0

Set dependency resolution strategy to use:
- guava version 32.1.2-jre for all Gradle projects. Reference: https://github.com/opensearch-project/OpenSearch/commit/134257816acfa69db9b1a969e1854f4ece5a6e55
- netty-handler version 4.1.94-Final for sub-project oci-repository-plugin.

Reason:
There is a guava vulnerability CVE-2023-2976 (GHSA-7g45-4rm6-3mm3). There are 3 use cases in the code base that use an older version of guava:
- A dependency of the OCI Repository plugin to compile source code.
- A dependency of the Gradle plugin spotless.
- A dependency of the Gradle core plugin checkstyle.

There are also 2 medium level vulnerabilities that are resolved in the PR.
- One is resolved by upgrading oci-java-sdk.
- The other one needs to upgrade the compiled OpenSearch version of the OCI Repository plugin. Currently the plugin is compiled with OpenSearch 2.7.0; it needs a separate PR to make it compatible with a newer OpenSearch version. As a workaround, I applied another resolution strategy of dependency version to netty-handler to resolve the vulnerability alert.

After the code change, it can be seen that only the newer version of guava is being used:
./gradlew dependencies
./gradlew oci-repository-plugin:dependencies
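The resolution-strategy approach described above, written out as an added Gradle (Groovy DSL) illustration that is not the PR's own diff. It assumes the Maven coordinates com.google.guava:guava and io.netty:netty-handler (the group ids are not stated in the PR), spells the Netty version as 4.1.94.Final, which is the form Netty publishes to Maven Central, and the `because` strings are constructed for the example.

```groovy
// build.gradle (root project) -- added illustration, not the PR's own change.
// Assumed coordinates (not in the PR text): com.google.guava:guava, io.netty:netty-handler.

// 1. Plugin classpath: spotless and other Gradle plugins pull their own guava through
//    the buildscript classpath, which project-level configurations.all does not touch.
buildscript {
    configurations.classpath {
        resolutionStrategy {
            force 'com.google.guava:guava:32.1.2-jre'
        }
    }
}

// 2. Every project configuration (compileClasspath, runtimeClasspath, checkstyle, ...):
//    rewrite any transitive request for guava to the fixed version.
allprojects {
    configurations.all {
        resolutionStrategy.eachDependency { details ->
            if (details.requested.group == 'com.google.guava' &&
                details.requested.name == 'guava') {
                details.useVersion '32.1.2-jre'
                details.because 'CVE-2023-2976 (GHSA-7g45-4rm6-3mm3)'   // constructed reason text
            }
        }
    }
}

// 3. Sub-project only: pin netty-handler while the plugin still compiles against
//    OpenSearch 2.7.0. Scoped to this project so other modules keep the version
//    their OpenSearch dependency selects.
project(':oci-repository-plugin') {
    configurations.all {
        resolutionStrategy.eachDependency { details ->
            if (details.requested.group == 'io.netty' &&
                details.requested.name == 'netty-handler') {
                details.useVersion '4.1.94.Final'
                details.because 'workaround until the plugin is compiled against a newer OpenSearch'
            }
        }
    }
}
```

To confirm the override took effect, `./gradlew oci-repository-plugin:dependencies` prints forced edges as `com.google.guava:guava:31.1-jre -> 32.1.2-jre`, and `./gradlew buildEnvironment` shows the buildscript classpath, which is where the spotless plugin's guava appears. Using `eachDependency` with `because` rather than a bare `force` records the CVE in the dependency report, so a later reviewer can see why the pin exists and remove it once the upstream versions no longer request the vulnerable guava.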
Issues Resolved
Resolves the security vulnerability scanner complaints about guava vulnerability CVE-2023-2976 (GHSA-7g45-4rm6-3mm3). For example, in the PR check https://github.com/opensearch-project/opensearch-oci-object-storage/pull/56/checks?check_run_id=16429779859, there are 3 vulnerabilities.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check here.