Merge pull request #37 from nicoloboschi/fix-pulsar-connectors-vulnerable-deps

nicoloboschi · web-flow · commit 9d7d543bef44 · 2022-01-19T15:12:13.000+01:00
[pulsar connectors] Upgrade dependencies to get rid of multiple CVEs
diff --git a/connector-luna/build.gradle b/connector-luna/build.gradle
@@ -31,6 +31,19 @@ dependencies {
     compileOnly("com.datastax.oss:pulsar-io-common:${lunaVersion}")
     compileOnly("com.datastax.oss:pulsar-io-core:${lunaVersion}")
 
+    constraints {
+        implementation("ch.qos.logback:logback-classic:${logbackVersion}")
+        implementation("com.fasterxml.jackson.core:jackson-databind:${jacksonDatabindVersion}")
+        implementation("com.github.jnr:jnr-posix:${jnrVersion}")
+        implementation("io.netty:netty-handler:${nettyVersion}")
+        implementation("io.netty:netty-transport-native-epoll:${nettyVersion}")
+        implementation("io.netty:netty-transport-native-unix-common:${nettyVersion}")
+        implementation("io.netty:netty-codec-haproxy:${nettyVersion}")
+        implementation("io.netty:netty-tcnative-boringssl-static:${nettyTcNativeVersion}")
+        implementation("org.apache.commons:commons-compress:${commonCompressVersion}")
+        implementation("com.google.code.gson:gson:${gsonVersion}")
+    }
+
     testRuntimeOnly("org.slf4j:slf4j-simple:${slf4jVersion}")
     testRuntimeOnly "org.projectlombok:lombok:${lombokVersion}"
     testAnnotationProcessor "org.projectlombok:lombok:${lombokVersion}"
diff --git a/connector-pulsar/build.gradle b/connector-pulsar/build.gradle
@@ -36,6 +36,18 @@ dependencies {
     compileOnly("${pulsarGroup}:pulsar-io-common:${pulsarVersion}")
     compileOnly("${pulsarGroup}:pulsar-io-core:${pulsarVersion}")
 
+    constraints {
+        implementation("ch.qos.logback:logback-classic:${logbackVersion}")
+        implementation("com.fasterxml.jackson.core:jackson-databind:${jacksonDatabindVersion}")
+        implementation("com.github.jnr:jnr-posix:${jnrVersion}")
+        implementation("io.netty:netty-handler:${nettyVersion}")
+        implementation("io.netty:netty-transport-native-epoll:${nettyVersion}")
+        implementation("io.netty:netty-transport-native-unix-common:${nettyVersion}")
+        implementation("io.netty:netty-codec-haproxy:${nettyVersion}")
+        implementation("io.netty:netty-tcnative-boringssl-static:${nettyTcNativeVersion}")
+        implementation("org.apache.commons:commons-compress:${commonCompressVersion}")
+    }
+
     testRuntimeOnly("org.slf4j:slf4j-simple:${slf4jVersion}")
     testRuntimeOnly "org.projectlombok:lombok:${lombokVersion}"
     testAnnotationProcessor "org.projectlombok:lombok:${lombokVersion}"
diff --git a/gradle.properties b/gradle.properties
@@ -26,6 +26,14 @@ caffeineVersion=2.8.8
 guavaVersion=30.1-jre
 messagingConnectorsCommonsVersion=1.0.14
 slf4jVersion=1.7.30
+# pulsar connector
+logbackVersion=1.2.9
+jacksonDatabindVersion=2.12.6
+jnrVersion=3.1.15
+nettyVersion=4.1.72.Final
+nettyTcNativeVersion=2.0.46.Final
+commonCompressVersion=1.21
+gsonVersion=2.8.9
 
 # cassandra settings for docker images
 commitlog_sync_period_in_ms=2000
