Update dependencies to patch CVE (#1625)

* Update aws-java-sdk-core for CVE-2020-28491 Signed-off-by: Sean Kao <seankao@amazon.com> * Update httpclient for CVE-2020-13956 Signed-off-by: Sean Kao <seankao@amazon.com> * Update wiremock and jetty-server for CVE's CVE-2018-12536 CVE-2019-10241 CVE-2019-10247 CVE-2019-10426 CVE-2021-34428 CVE-2022-2047 CVE-2023-26048 Signed-off-by: Sean Kao <seankao@amazon.com> --------- Signed-off-by: Sean Kao <seankao@amazon.com>
opensearch-project · May 11, 2023 · 04976fb · 04976fb
1 parent 1b81f4e
commit 04976fb
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 15 deletions.
diff --git a/sql-jdbc/build.gradle b/sql-jdbc/build.gradle
@@ -45,17 +45,20 @@ repositories {
 }
 
 dependencies {
-    implementation group: 'org.apache.httpcomponents', name: 'httpclient', version: '4.5.6'
+    implementation group: 'org.apache.httpcomponents', name: 'httpclient', version: '4.5.13'
     implementation group: 'com.fasterxml.jackson.core', name: 'jackson-databind', version: '2.13.4.1'
-    implementation group: 'com.amazonaws', name: 'aws-java-sdk-core', version: '1.11.452'
+    implementation group: 'com.amazonaws', name: 'aws-java-sdk-core', version: '1.12.1'
 
     testImplementation('org.junit.jupiter:junit-jupiter-api:5.3.1')
     testImplementation('org.junit.jupiter:junit-jupiter-params:5.3.1')
-    testImplementation('com.github.tomakehurst:wiremock:2.20.0')
+    testImplementation('com.github.tomakehurst:wiremock:3.0.0-beta-2')
     testImplementation('org.mockito:mockito-core:2.23.0')
     testImplementation('org.junit.jupiter:junit-jupiter-engine:5.3.1')
     testImplementation('org.junit-pioneer:junit-pioneer:0.3.0')
-    testImplementation('org.eclipse.jetty:jetty-server:9.2.24.v20180105')
+    testImplementation('org.eclipse.jetty:jetty-server:11.0.14')
+
+    // Enforce wiremock to use latest guava
+    testImplementation('com.google.guava:guava:31.1-jre')
 
     testRuntimeOnly('org.slf4j:slf4j-simple:1.7.25') // capture WireMock logging
 }

diff --git a/sql-jdbc/src/test/java/org/opensearch/jdbc/test/TLSServer.java b/sql-jdbc/src/test/java/org/opensearch/jdbc/test/TLSServer.java
@@ -6,6 +6,8 @@
 
 package org.opensearch.jdbc.test;
 
+import org.eclipse.jetty.server.HttpConnectionFactory;
+import org.eclipse.jetty.server.SslConnectionFactory;
 import org.opensearch.jdbc.internal.util.UrlParser;
 import org.opensearch.jdbc.test.mocks.MockOpenSearch;
 import org.eclipse.jetty.server.ConnectionFactory;
@@ -20,9 +22,9 @@
 import org.eclipse.jetty.server.handler.AbstractHandler;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
 
 public class TLSServer {
@@ -70,7 +72,7 @@ public static Server startSecureServer(
         ServerConnector httpsConnector = null;
 
         // setup ssl
-        SslContextFactory sslContextFactory = new SslContextFactory();
+        SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
         sslContextFactory.setKeyStorePath(keyStorePath);
         sslContextFactory.setKeyStorePassword(keyStorePassword);
         sslContextFactory.setKeyStoreType(keyStoreType);
@@ -83,17 +85,19 @@ public static Server startSecureServer(
         sslContextFactory.setNeedClientAuth(needClientAuth);
 
         HttpConfiguration httpConfig = new HttpConfiguration();
-        httpConfig.addCustomizer(new SecureRequestCustomizer());
+        SecureRequestCustomizer src = new SecureRequestCustomizer();
+        src.setSniHostCheck(false);
+        httpConfig.addCustomizer(src);
 
         httpsConnector = createServerConnector(
                 jettyServer,
                 host,
                 0,
-                new org.eclipse.jetty.server.SslConnectionFactory(
+                new SslConnectionFactory(
                         sslContextFactory,
                         "http/1.1"
                 ),
-                new org.eclipse.jetty.server.HttpConnectionFactory(httpConfig)
+                new HttpConnectionFactory(httpConfig)
         );
 
         jettyServer.addConnector(httpsConnector);
@@ -132,8 +136,6 @@ private static ServerConnector createServerConnector(
                 connectionFactories
         );
         connector.setPort(port);
-        connector.setStopTimeout(0);
-        connector.getSelectorManager().setStopTimeout(0);
         connector.setHost(bindAddress);
 
         return connector;

diff --git a/.../org/opensearch/jdbc/transport/http/auth/aws/AWSRequestSigningApacheInterceptorTests.java b/.../org/opensearch/jdbc/transport/http/auth/aws/AWSRequestSigningApacheInterceptorTests.java
@@ -24,8 +24,8 @@
 
 import java.io.IOException;
 
-import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 
 public class AWSRequestSigningApacheInterceptorTests {