[BENCH-4616] Update lib constraints to address vuln #1072

Merged: dexamundsen merged 3 commits into main from dexamundsen/bench-4616 on Nov 21, 2024


dexamundsen
Contributor

  • io.netty:netty-common: fixed in 4.1.115.Final
  • org.springframework.security:spring-security-*: fixed in 6.3.5

Bumping the spring plugin resolves both, and also removes the need for other constraints.
indexer and underlay do not include the spring plugin, hence they need netty explicitly constrained.
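
One way to confirm the bump described above took effect, as an added example that is not part of this PR or the project's code: scan a Gradle dependency lockfile for entries still below the fixed versions named in the description. The lockfile text is constructed sample data, and the function names are hypothetical.

```python
import re

# Fixed versions as stated in the PR description; a trailing * matches any artifact suffix.
FIXED = {
    "io.netty:netty-common": "4.1.115.Final",
    "org.springframework.security:spring-security-*": "6.3.5",
}

def version_key(version):
    """Leading numeric part only ('4.1.115.Final' -> (4, 1, 115)); qualifiers such as -RC1 are ignored."""
    match = re.match(r"\d+(?:\.\d+)*", version)
    return tuple(int(p) for p in match.group().split(".")) if match else ()

def fixed_version_for(coordinate):
    """Fixed version that applies to a group:artifact coordinate, or None."""
    for pattern, fixed in FIXED.items():
        prefix = pattern.rstrip("*")
        if coordinate == pattern or (pattern.endswith("*") and coordinate.startswith(prefix)):
            return fixed
    return None

def below_fixed(lockfile_text):
    """List (coordinate, locked_version, fixed_version) for locked entries older than the fix."""
    findings = []
    for line in map(str.strip, lockfile_text.splitlines()):
        if not line or line.startswith("#") or line.startswith("empty="):
            continue
        parts = line.partition("=")[0].split(":")  # text before '=' is group:artifact:version
        if len(parts) != 3:
            continue
        coordinate, version = ":".join(parts[:2]), parts[2]
        fixed = fixed_version_for(coordinate)
        if fixed and version_key(version) < version_key(fixed):
            findings.append((coordinate, version, fixed))
    return findings

# Constructed sample in Gradle's gradle.lockfile format (not taken from the project).
SAMPLE_LOCKFILE = """\
# This is a Gradle generated file for dependency locking.
io.netty:netty-common:4.1.114.Final=runtimeClasspath
io.netty:netty-buffer:4.1.114.Final=runtimeClasspath
org.springframework.security:spring-security-core:6.3.5=compileClasspath,runtimeClasspath
org.springframework.security:spring-security-web:6.3.4=runtimeClasspath
empty=annotationProcessor
"""

if __name__ == "__main__":
    for coordinate, locked, fixed in below_fixed(SAMPLE_LOCKFILE):
        print(f"{coordinate} locked at {locked}, fixed in {fixed}")
```

Only the artifacts named in the description are checked, so netty-buffer in the sample is not reported even though it is locked at the same older version.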

@@ -55,16 +55,6 @@ dependencies {
exclude group: 'io.opentelemetry.instrumentation'
}

// explicity declare libs and version to address synk warnings
implementation "org.springframework:spring-context:${vSpringWeb}"
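
Review bot: Check whether vSpringWeb is still referenced anywhere in the build once the explicit spring-context declaration at the end of this hunk goes; if it is not, remove the property definition in the same change so a stale version number is not left around to be picked up by a later pin. The comment above that line ("explicity declare libs and version to address synk warnings") also never said which libraries or advisories it covered, so any declaration that stays under it should name the artifact and the fixed version it enforces.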
Contributor Author

Not needed with spring plugin upgrade

@@ -42,14 +42,6 @@ dependencyLocking {
dependencies {
// GCP BOM - See https://github.com/GoogleCloudPlatform/cloud-opensource-java/wiki/The-Google-Cloud-Platform-Libraries-BOM
implementation platform('com.google.cloud:libraries-bom:26.49.0')
constraints {
// "-jre" for Java 8 or higher
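
Review bot: Regenerate the lock state together with this constraints change, since the hunk header shows this file sits under dependencyLocking and the entries removed from the constraints block after the libraries-bom:26.49.0 line alter what should be locked. Run the build with --write-locks and review the version diffs in the lockfiles as part of this PR, so the claim that the current GCP BOM already supplies these versions is visible in the diff rather than taken on trust.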
Contributor Author

no longer needed with current gcp bom

@@ -58,13 +58,8 @@ configurations.all {
}

dependencies {
// added to address synk warnings
constraints {
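
Review bot: The comment "added to address synk warnings" above the constraints block does not identify the library or advisory each constraint exists for, which makes it hard to tell later when an entry can be dropped. For whatever stays in this block (the description says netty still has to be constrained where the spring plugin is not applied), name the artifact and fixed version in the comment, for example io.netty:netty-common 4.1.115.Final, and put the same text in a because clause on the constraint so it appears in dependency reports.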
Contributor Author

no longer needed

@@ -109,16 +104,6 @@ dependencies {
implementation 'org.springframework.boot:spring-boot-starter-web'
implementation 'org.springframework.security:spring-security-core'

// explicity declare libs and version to address synk warnings
implementation "org.springframework:spring-context:${vSpringWeb}"
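
Review bot: Confirm that spring-security-core, declared without a version at the top of this hunk, resolves to 6.3.5 or later on runtimeClasspath once the explicit declarations that follow it are gone, because from then on the spring plugin version is the only thing holding it at the fixed release. Running dependencyInsight for spring-security-core and attaching the result to the PR would document that, and a lockfile diff showing 6.3.5 serves the same purpose.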
Contributor Author

not needed with spring plugin update

@dexamundsen dexamundsen merged commit 266cc97 into main Nov 21, 2024
8 checks passed
@dexamundsen dexamundsen deleted the dexamundsen/bench-4616 branch November 21, 2024 20:50
2 participants