From bffcdc98d3a5dba6d9534e6f6f4f3f2817638a85 Mon Sep 17 00:00:00 2001
From: Adam Valenta
Date: Tue, 22 Oct 2024 14:45:01 +0200
Subject: [PATCH 1/3] GH-16423 - fix hadoop jars after gcs upgrade
---
 h2o-assemblies/main/build.gradle | 2 +-
 h2o-persist-gcs/build.gradle | 8 +++++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/h2o-assemblies/main/build.gradle b/h2o-assemblies/main/build.gradle
index 25bc231de6a4..b1d2dc242e37 100644
--- a/h2o-assemblies/main/build.gradle
+++ b/h2o-assemblies/main/build.gradle
@@ -53,7 +53,7 @@ dependencies {
 // Upgrade dependencies coming from Hadoop to address vulnerabilities
 api "org.apache.commons:commons-compress:1.26.0"
- api "com.google.protobuf:protobuf-java:3.25.5"
+ api "com.google.protobuf:protobuf-java:3.21.7"
 constraints {
 api('com.fasterxml.jackson.core:jackson-databind:2.17.2') {
diff --git a/h2o-persist-gcs/build.gradle b/h2o-persist-gcs/build.gradle
index 507ef11e51bf..38d05e6a6bdf 100644
--- a/h2o-persist-gcs/build.gradle
+++ b/h2o-persist-gcs/build.gradle
@@ -4,10 +4,16 @@ description = "H2O Persist GCS"
 dependencies {
 api project(":h2o-core")
- api ('com.google.cloud:google-cloud-storage:2.43.2')
+ api ('com.google.cloud:google-cloud-storage:2.13.1')
 testImplementation project(":h2o-test-support")
 testRuntimeOnly project(":${defaultWebserverModule}")
+
+ constraints {
+ api('com.google.protobuf:protobuf-java:3.25.5') {
+
+ }
+ }
 }
 apply from: "${rootDir}/gradle/dataCheck.gradle"
From 86020b405a1f4df814d2441a0bbf342219d6c2b7 Mon Sep 17 00:00:00 2001
From: Adam Valenta
Date: Wed, 23 Oct 2024 17:39:36 +0200
Subject: [PATCH 2/3] upgrade protobug in main jar
---
 h2o-assemblies/main/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/h2o-assemblies/main/build.gradle b/h2o-assemblies/main/build.gradle
index b1d2dc242e37..25bc231de6a4 100644
--- a/h2o-assemblies/main/build.gradle
+++ b/h2o-assemblies/main/build.gradle
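Review bot: The `google-cloud-storage` line in h2o-persist-gcs/build.gradle goes back from 2.43.2 to 2.13.1 with nothing in the file saying why, so a later dependency sweep is likely to bump it again and bring back the Hadoop jar problem named in the subject. A comment above it such as `// Held at 2.13.1: newer releases break the Hadoop jars (GH-16423); protobuf-java is raised by the constraint below` would record the reason. The older client also pulls in its older transitive set, and the added constraint lifts only protobuf-java, so the resolved tree for this module is worth running through the dependency scanner again. A plain `constraints` entry acts as a floor during conflict resolution rather than a strict pin, which is presumably the intent here.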
@@ -53,7 +53,7 @@ dependencies {
 // Upgrade dependencies coming from Hadoop to address vulnerabilities
 api "org.apache.commons:commons-compress:1.26.0"
- api "com.google.protobuf:protobuf-java:3.21.7"
+ api "com.google.protobuf:protobuf-java:3.25.5"
 constraints {
 api('com.fasterxml.jackson.core:jackson-databind:2.17.2') {
From af1d775abdaa9c207160c512bfa62a0f9fe57fc0 Mon Sep 17 00:00:00 2001
From: Adam Valenta
Date: Wed, 23 Oct 2024 18:01:06 +0200
Subject: [PATCH 3/3] add message
---
 h2o-persist-gcs/build.gradle | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/h2o-persist-gcs/build.gradle b/h2o-persist-gcs/build.gradle
index 38d05e6a6bdf..d07448510c39 100644
--- a/h2o-persist-gcs/build.gradle
+++ b/h2o-persist-gcs/build.gradle
@@ -11,7 +11,9 @@ dependencies {
 constraints {
 api('com.google.protobuf:protobuf-java:3.25.5') {
-
+ because 'Fixes CVE-2024-7254'
+ because 'Fixes SNYK-JAVA-COMGOOGLEPROTOBUF-8055227'
+ because 'Fixes SNYK-JAVA-COMGOOGLEPROTOBUF-8055228'
 }
 }
 }
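Review bot: The three `because` calls inside the protobuf-java constraint in h2o-persist-gcs/build.gradle most likely do not accumulate. As far as I know Gradle keeps a single reason per constraint, so only the last string (`Fixes SNYK-JAVA-COMGOOGLEPROTOBUF-8055228`) would appear in `dependencyInsight` output and the CVE id would be lost from the record. Putting them in one call keeps all three: `because 'Fixes CVE-2024-7254, SNYK-JAVA-COMGOOGLEPROTOBUF-8055227, SNYK-JAVA-COMGOOGLEPROTOBUF-8055228'`. The enclosing `dependencies` block starts outside the hunk.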