From 3b41e56e8e15a12b0045ac34f80c2b6953f6a1a1 Mon Sep 17 00:00:00 2001 From: kelvinqian00 Date: Tue, 23 Jan 2024 16:19:23 -0500 Subject: [PATCH 01/10] Update Cheshire to 5.12 --- deps.edn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deps.edn b/deps.edn index fa084bb..3e23bf3 100644 --- a/deps.edn +++ b/deps.edn @@ -17,7 +17,7 @@ com.cognitect/transit-clj {:mvn/version "1.0.324" ;; clears CVE-2022-41719 :exclusions [org.msgpack/msgpack]} - cheshire/cheshire {:mvn/version "5.11.0"}} + cheshire/cheshire {:mvn/version "5.12.0"}} :aliases {:cli {:extra-paths ["src/cli"] :extra-deps {org.clojure/tools.cli {:mvn/version "1.0.206"} From 0fccf1a27e86116712f3e2ecb9d0f795b8a81fc3 Mon Sep 17 00:00:00 2001 From: kelvinqian00 Date: Tue, 23 Jan 2024 16:41:23 -0500 Subject: [PATCH 02/10] Update transit-clj to 1.0.333 --- deps.edn | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deps.edn b/deps.edn index 3e23bf3..12d714e 100644 --- a/deps.edn +++ b/deps.edn @@ -14,7 +14,7 @@ {:mvn/version "0.8.1" :exclusions [org.clojure/clojurescript]} org.clojure/data.json {:mvn/version "2.4.0"} - com.cognitect/transit-clj {:mvn/version "1.0.324" + com.cognitect/transit-clj {:mvn/version "1.0.333" ;; clears CVE-2022-41719 :exclusions [org.msgpack/msgpack]} cheshire/cheshire {:mvn/version "5.12.0"}} From d3dd836c686fa8e83f17985f3ee42cda86089340 Mon Sep 17 00:00:00 2001 From: kelvinqian00 Date: Tue, 23 Jan 2024 16:41:49 -0500 Subject: [PATCH 03/10] Remove msgpack exclusion --- deps.edn | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/deps.edn b/deps.edn index 12d714e..e49ee49 100644 --- a/deps.edn +++ b/deps.edn 
@@ -14,9 +14,7 @@ {:mvn/version "0.8.1" :exclusions [org.clojure/clojurescript]} org.clojure/data.json {:mvn/version "2.4.0"} - com.cognitect/transit-clj {:mvn/version "1.0.333" - ;; clears CVE-2022-41719 - :exclusions [org.msgpack/msgpack]} + com.cognitect/transit-clj {:mvn/version "1.0.333"} cheshire/cheshire {:mvn/version "5.12.0"}} :aliases {:cli {:extra-paths ["src/cli"] From 07510edfef4c876d3622d4be2d9903b65b94bfbd Mon Sep 17 00:00:00 2001 From: kelvinqian00 Date: Tue, 23 Jan 2024 16:42:59 -0500 Subject: [PATCH 04/10] Update logback to 1.3.14 --- deps.edn | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/deps.edn b/deps.edn index e49ee49..89dd1cb 100644 --- a/deps.edn +++ b/deps.edn @@ -20,7 +20,7 @@ {:cli {:extra-paths ["src/cli"] :extra-deps {org.clojure/tools.cli {:mvn/version "1.0.206"} ch.qos.logback/logback-classic - {:mvn/version "1.2.9" + {:mvn/version "1.3.14" :exclusions [org.slf4j/slf4j-api]} org.slf4j/slf4j-api {:mvn/version "1.7.26"} org.slf4j/jul-to-slf4j {:mvn/version "1.7.26"} @@ -39,7 +39,7 @@ com.yetanalytics/lrs {:mvn/version "1.2.11"} io.pedestal/pedestal.jetty {:mvn/version "0.5.9"} ;; Some integration tests use logback - ch.qos.logback/logback-classic {:mvn/version "1.2.9" + ch.qos.logback/logback-classic {:mvn/version "1.3.14" :exclusions [org.slf4j/slf4j-api]} org.slf4j/slf4j-api {:mvn/version "1.7.26"} org.slf4j/jul-to-slf4j {:mvn/version "1.7.26"} From ba5ca020a929d4f48d352e9727838524442353cc Mon Sep 17 00:00:00 2001 From: kelvinqian00 Date: Tue, 23 Jan 2024 16:48:18 -0500 Subject: [PATCH 05/10] Revert "Remove msgpack exclusion" This reverts commit d3dd836c686fa8e83f17985f3ee42cda86089340. --- deps.edn | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/deps.edn b/deps.edn index 89dd1cb..834428f 100644 --- a/deps.edn +++ b/deps.edn 
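Review bot: Removing `:exclusions [org.msgpack/msgpack]` from the `com.cognitect/transit-clj` entry also deletes the `;; clears CVE-2022-41719` comment, so nothing records why msgpack is now safe to have back on the classpath. The hunk does not show which msgpack version transit-clj 1.0.333 resolves to; checking it with `clojure -Stree` and naming that version in the commit message would make the removal reviewable. If the exclusion is still needed for the scan to pass, keep both it and the comment.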
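Review bot: Both `ch.qos.logback/logback-classic` entries move to `1.3.14` but keep `:exclusions [org.slf4j/slf4j-api]` alongside `org.slf4j/slf4j-api {:mvn/version "1.7.26"}` and `org.slf4j/jul-to-slf4j {:mvn/version "1.7.26"}`; this applies to the `@@ -20,7 +20,7 @@` hunk and equally to the `@@ -39,7 +39,7 @@` hunk. As far as I know, logback 1.3.x is built against the SLF4J 2.0.x API and no longer ships the 1.7-style static binder. With the 1.7.26 API on the classpath, SLF4J would likely fall back to its no-operation logger, so log output, including anything relied on for audit or incident review, would disappear without a startup failure. Either move both `org.slf4j` pins to a 2.0.x release in the same commit or drop the exclusion, and confirm with a run under the `:cli` alias that log lines are still emitted.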
@@ -14,7 +14,9 @@ {:mvn/version "0.8.1" :exclusions [org.clojure/clojurescript]} org.clojure/data.json {:mvn/version "2.4.0"} - com.cognitect/transit-clj {:mvn/version "1.0.333"} + com.cognitect/transit-clj {:mvn/version "1.0.333" + ;; clears CVE-2022-41719 + :exclusions [org.msgpack/msgpack]} cheshire/cheshire {:mvn/version "5.12.0"}} :aliases {:cli {:extra-paths ["src/cli"] From fbcd102b942aad4505bc76a898dbe97a46e58832 Mon Sep 17 00:00:00 2001 From: kelvinqian00 Date: Tue, 23 Jan 2024 16:50:41 -0500 Subject: [PATCH 06/10] Add jackson-core exclusion --- deps.edn | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/deps.edn b/deps.edn index 834428f..06c782d 100644 --- a/deps.edn +++ b/deps.edn @@ -15,8 +15,9 @@ :exclusions [org.clojure/clojurescript]} org.clojure/data.json {:mvn/version "2.4.0"} com.cognitect/transit-clj {:mvn/version "1.0.333" - ;; clears CVE-2022-41719 - :exclusions [org.msgpack/msgpack]} + ;; clears CVE-2023-5072 and CVE-2022-41719 + :exclusions [com.fasterxml.jackson.core/jackson-core + org.msgpack/msgpack]} cheshire/cheshire {:mvn/version "5.12.0"}} :aliases {:cli {:extra-paths ["src/cli"] From 11ced63e12dd9ca78dfb8b17a5f1af6933947b88 Mon Sep 17 00:00:00 2001 From: kelvinqian00 Date: Tue, 23 Jan 2024 17:04:50 -0500 Subject: [PATCH 07/10] Add separate jackson-core version --- deps.edn | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/deps.edn b/deps.edn index 06c782d..9db7e98 100644 --- a/deps.edn +++ b/deps.edn @@ -18,7 +18,9 @@ ;; clears CVE-2023-5072 and CVE-2022-41719 :exclusions [com.fasterxml.jackson.core/jackson-core org.msgpack/msgpack]} - cheshire/cheshire {:mvn/version "5.12.0"}} + cheshire/cheshire {:mvn/version "5.12.0" + :exclusions [com.fasterxml.jackson.core/jackson-core]} + com.fasterxml.jackson.core/jackson-core {:mvn/version "2.16.1"}} :aliases {:cli {:extra-paths ["src/cli"] :extra-deps {org.clojure/tools.cli {:mvn/version "1.0.206"} 
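Review bot: The restored comment `;; clears CVE-2022-41719` on the `com.cognitect/transit-clj` entry does not say how the finding is cleared: `:exclusions [org.msgpack/msgpack]` removes the library from the classpath rather than upgrading it. That is only safe while no code path reads or writes transit in its msgpack format, which cannot be confirmed from this hunk. I would spell the constraint out, e.g. `;; msgpack excluded to clear CVE-2022-41719; transit :msgpack format is unavailable, do not use it`.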
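Review bot: The added `com.fasterxml.jackson.core/jackson-core` exclusion sits only under `com.cognitect/transit-clj`, but `cheshire/cheshire` on the following line depends on jackson-core as well. The artifact therefore most likely stays on the classpath, and the updated comment `;; clears CVE-2023-5072 and CVE-2022-41719` overstates what the exclusion does. To my knowledge CVE-2023-5072 is filed against JSON-java (`org.json`) rather than Jackson, so a hit on jackson-core looks like a scanner false positive and should be confirmed against the advisory. If it is one, a documented suppression referenced from the scanner configuration is more accurate than an exclusion that changes dependency resolution.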
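Review bot: Pinning `com.fasterxml.jackson.core/jackson-core {:mvn/version "2.16.1"}` at the top level overrides only that one Jackson artifact; the Jackson dataformat modules that cheshire 5.12.0 pulls in transitively (smile and cbor, as far as I know) stay at whatever version cheshire declares. Jackson modules are meant to be used at matching minor versions, so a mixed set can fail at runtime in ways the NVD scan will not surface. Because a top-level coordinate already wins over transitive ones in tools.deps, the `:exclusions [com.fasterxml.jackson.core/jackson-core]` added to `cheshire/cheshire` is redundant. If the pin is kept, pin the dataformat artifacts to the same version and add a comment naming the finding it addresses.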
From 1d5e3fae7effc634af89a27263336675a4a08921 Mon Sep 17 00:00:00 2001 From: kelvinqian00 Date: Tue, 23 Jan 2024 17:05:52 -0500 Subject: [PATCH 08/10] Revert "Add separate jackson-core version" This reverts commit 11ced63e12dd9ca78dfb8b17a5f1af6933947b88. --- deps.edn | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/deps.edn b/deps.edn index 9db7e98..06c782d 100644 --- a/deps.edn +++ b/deps.edn @@ -18,9 +18,7 @@ ;; clears CVE-2023-5072 and CVE-2022-41719 :exclusions [com.fasterxml.jackson.core/jackson-core org.msgpack/msgpack]} - cheshire/cheshire {:mvn/version "5.12.0" - :exclusions [com.fasterxml.jackson.core/jackson-core]} - com.fasterxml.jackson.core/jackson-core {:mvn/version "2.16.1"}} + cheshire/cheshire {:mvn/version "5.12.0"}} :aliases {:cli {:extra-paths ["src/cli"] :extra-deps {org.clojure/tools.cli {:mvn/version "1.0.206"} From b9b5ec1decb783c64e169c18e98ca498cedcc381 Mon Sep 17 00:00:00 2001 From: kelvinqian00 Date: Tue, 23 Jan 2024 17:05:57 -0500 Subject: [PATCH 09/10] Revert "Add jackson-core exclusion" This reverts commit fbcd102b942aad4505bc76a898dbe97a46e58832. --- deps.edn | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/deps.edn b/deps.edn index 06c782d..834428f 100644 --- a/deps.edn +++ b/deps.edn @@ -15,9 +15,8 @@ :exclusions [org.clojure/clojurescript]} org.clojure/data.json {:mvn/version "2.4.0"} com.cognitect/transit-clj {:mvn/version "1.0.333" - ;; clears CVE-2023-5072 and CVE-2022-41719 - :exclusions [com.fasterxml.jackson.core/jackson-core - org.msgpack/msgpack]} + ;; clears CVE-2022-41719 + :exclusions [org.msgpack/msgpack]} cheshire/cheshire {:mvn/version "5.12.0"}} :aliases {:cli {:extra-paths ["src/cli"] From e45927206256b6ec42814b11c462cf43d495fccf Mon Sep 17 00:00:00 2001 
From: kelvinqian00 Date: Tue, 23 Jan 2024 17:07:06 -0500 Subject: [PATCH 10/10] Update nvd-clojure version --- .github/workflows/ci.yml | 2 +- .github/workflows/nvd_sched.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2d4ae68..c29a78b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -37,7 +37,7 @@ jobs: nvd_scan: uses: yetanalytics/actions/.github/workflows/nvd-scan.yml@v0.0.4 with: - nvd-clojure-version: '2.9.0' + nvd-clojure-version: '3.6.0' classpath-command: 'clojure -Spath -A:cli' nvd-config-filename: '.nvd/config.json' diff --git a/.github/workflows/nvd_sched.yml b/.github/workflows/nvd_sched.yml index aab665f..84b1f33 100644 --- a/.github/workflows/nvd_sched.yml +++ b/.github/workflows/nvd_sched.yml @@ -8,7 +8,7 @@ jobs: nvd_scan: uses: yetanalytics/actions/.github/workflows/nvd-scan.yml@v0.0.4 with: - nvd-clojure-version: '2.9.0' + nvd-clojure-version: '3.6.0' classpath-command: 'clojure -Spath -A:cli' nvd-config-filename: '.nvd/config.json'