fix: update log4j (#38)

aaron-steinfeld · web-flow · commit b28543b1b41e · 2021-12-10T11:01:42.000-08:00
* fix: update log4j

* fix: more vuln updates
diff --git a/kafka-streams-framework/build.gradle.kts b/kafka-streams-framework/build.gradle.kts
@@ -1,30 +1,36 @@
 plugins {
-    `java-library`
-    jacoco
-    id("org.hypertrace.publish-plugin")
-    id("org.hypertrace.jacoco-report-plugin")
+  `java-library`
+  jacoco
+  id("org.hypertrace.publish-plugin")
+  id("org.hypertrace.jacoco-report-plugin")
 }
 
 tasks.test {
-    useJUnitPlatform()
+  useJUnitPlatform()
 }
 
 dependencies {
-    api(project(":kafka-streams-serdes"))
-    api("com.typesafe:config:1.4.1")
-    api("org.apache.kafka:kafka-streams:6.0.1-ccs")
-    api("io.confluent:kafka-streams-avro-serde:6.0.1")
+  api(project(":kafka-streams-serdes"))
+  api("com.typesafe:config:1.4.1")
+  api("org.apache.kafka:kafka-streams:6.0.1-ccs")
+  api("io.confluent:kafka-streams-avro-serde:6.0.1")
 
-    implementation("com.google.guava:guava:30.1-jre")
-    implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.23")
-    implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.23")
-    implementation("org.apache.kafka:kafka-clients:6.0.1-ccs")
+  implementation("com.google.guava:guava:30.1-jre")
+  implementation("org.hypertrace.core.serviceframework:platform-metrics:0.1.31")
+  implementation("org.hypertrace.core.serviceframework:platform-service-framework:0.1.31")
+  implementation("org.apache.kafka:kafka-clients:6.0.1-ccs")
 
-    testImplementation("org.apache.kafka:kafka-streams-test-utils:6.0.1-ccs")
-    testImplementation("org.junit.jupiter:junit-jupiter:5.7.0")
-    testImplementation("org.junit-pioneer:junit-pioneer:1.1.0")
-    testImplementation("org.mockito:mockito-core:3.6.28")
-    testImplementation("org.hamcrest:hamcrest-core:2.2")
-    testRuntimeOnly("org.apache.logging.log4j:log4j-slf4j-impl:2.14.0")
+  constraints {
+    api("org.glassfish.jersey.core:jersey-common:2.34") {
+      because("https://snyk.io/vuln/SNYK-JAVA-ORGGLASSFISHJERSEYCORE-1255637")
+    }
+  }
+
+  testImplementation("org.apache.kafka:kafka-streams-test-utils:6.0.1-ccs")
+  testImplementation("org.junit.jupiter:junit-jupiter:5.7.0")
+  testImplementation("org.junit-pioneer:junit-pioneer:1.1.0")
+  testImplementation("org.mockito:mockito-core:3.6.28")
+  testImplementation("org.hamcrest:hamcrest-core:2.2")
+  testRuntimeOnly("org.apache.logging.log4j:log4j-slf4j-impl:2.15.0")
 }
 
diff --git a/kafka-streams-serdes/build.gradle.kts b/kafka-streams-serdes/build.gradle.kts
@@ -1,29 +1,32 @@
 plugins {
-    `java-library`
-    jacoco
-    id("org.hypertrace.avro-plugin")
-    id("org.hypertrace.publish-plugin")
-    id("org.hypertrace.jacoco-report-plugin")
+  `java-library`
+  jacoco
+  id("org.hypertrace.avro-plugin")
+  id("org.hypertrace.publish-plugin")
+  id("org.hypertrace.jacoco-report-plugin")
 }
 
 tasks.test {
-    useJUnitPlatform()
+  useJUnitPlatform()
 }
 
 dependencies {
-    api("org.apache.kafka:kafka-streams:6.0.1-ccs")
-    implementation("org.apache.avro:avro:1.10.2")
-    implementation("org.apache.kafka:kafka-clients:6.0.1-ccs")
-    testImplementation("org.junit.jupiter:junit-jupiter:5.7.0")
-    constraints {
-        api("com.fasterxml.jackson.core:jackson-databind:2.11.0") {
-            because("XML External Entity (XXE) Injection (new) [High Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302] in com.fasterxml.jackson.core:jackson-databind@2.10.5\n" +
-                "   introduced by com.fasterxml.jackson.core:jackson-databind@2.10.5")
-        }
+  api("org.apache.kafka:kafka-streams:6.0.1-ccs")
+  implementation("org.apache.avro:avro:1.10.2")
+  implementation("org.apache.kafka:kafka-clients:6.0.1-ccs")
+  testImplementation("org.junit.jupiter:junit-jupiter:5.7.0")
+  constraints {
+    api("com.fasterxml.jackson.core:jackson-databind:2.11.0") {
+      because("XML External Entity (XXE) Injection (new) [High Severity][https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302] in com.fasterxml.jackson.core:jackson-databind@2.10.5\n" +
+          "   introduced by com.fasterxml.jackson.core:jackson-databind@2.10.5")
     }
+    implementation("org.apache.commons:commons-compress:1.21") {
+      because("Multiple Vulnerabilities [https://nvd.nist.gov/vuln/detail/CVE-2021-35515] [https://nvd.nist.gov/vuln/detail/CVE-2021-35516] [https://nvd.nist.gov/vuln/detail/CVE-2021-35517] [https://nvd.nist.gov/vuln/detail/CVE-2021-36090] in org.apache.commons:commons-compress@1.20")
+    }
+  }
 }
 
 // Disabling compatibility check for the test avro definitions.
 tasks.named<org.hypertrace.gradle.avro.CheckAvroCompatibility>("avroCompatibilityCheck") {
-    enabled = false
+  enabled = false
 }
