diff --git a/agent/agent-tooling/build.gradle.kts b/agent/agent-tooling/build.gradle.kts
index 21339d0851c..29122966df4 100644
--- a/agent/agent-tooling/build.gradle.kts
+++ b/agent/agent-tooling/build.gradle.kts
@@ -90,11 +90,3 @@ dependencies {
 testImplementation("uk.org.webcompere:system-stubs-jupiter:2.0.2")
 testImplementation("io.github.hakky54:logcaptor")
 }
-
-configurations {
- all {
- // excluding unused dependencies for size (~1.8mb)
- exclude("com.fasterxml.jackson.dataformat", "jackson-dataformat-xml")
- exclude("com.fasterxml.woodstox", "woodstox-core")
- }
-}
diff --git a/agent/agent-tooling/gradle.lockfile b/agent/agent-tooling/gradle.lockfile
index d66847ceba3..0f459b51b7d 100644
--- a/agent/agent-tooling/gradle.lockfile
+++ b/agent/agent-tooling/gradle.lockfile
@@ -13,8 +13,10 @@ com.azure:azure-storage-internal-avro:12.7.0=runtimeClasspath com.fasterxml.jackson.core:jackson-annotations:2.15.0=runtimeClasspath com.fasterxml.jackson.core:jackson-core:2.15.0=runtimeClasspath com.fasterxml.jackson.core:jackson-databind:2.15.0=runtimeClasspath +com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.15.0=runtimeClasspath com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.15.0=runtimeClasspath com.fasterxml.jackson:jackson-bom:2.15.0=runtimeClasspath +com.fasterxml.woodstox:woodstox-core:6.5.1=runtimeClasspath com.github.oshi:oshi-core:6.4.2=runtimeClasspath com.github.stephenc.jcip:jcip-annotations:1.0-1=runtimeClasspath com.google.errorprone:error_prone_annotations:2.18.0=runtimeClasspath
@@ -65,6 +67,7 @@ net.minidev:accessors-smart:2.4.9=runtimeClasspath net.minidev:json-smart:2.4.10=runtimeClasspath org.apache.commons:commons-lang3:3.12.0=runtimeClasspath org.apache.commons:commons-text:1.10.0=runtimeClasspath +org.codehaus.woodstox:stax2-api:4.2.1=runtimeClasspath org.junit:junit-bom:5.9.3=runtimeClasspath org.reactivestreams:reactive-streams:1.0.4=runtimeClasspath org.slf4j:jcl-over-slf4j:1.7.36=runtimeClasspath
diff --git a/agent/agent/build.gradle.kts b/agent/agent/build.gradle.kts
index f1b919aa505..8c0b0563365 100644
--- a/agent/agent/build.gradle.kts
+++ b/agent/agent/build.gradle.kts
@@ -218,3 +218,15 @@ fun CopySpec.isolateClasses(jars: Iterable) {
 into("META-INF")
 }
 }
+
+configurations {
+ all {
+ // excluding unused dependencies for size (~1.8mb)
+ exclude("com.fasterxml.jackson.dataformat", "jackson-dataformat-xml")
+ exclude("com.fasterxml.woodstox", "woodstox-core")
+
+ // these are needed until next com.azure:azure-sdk-bom 1.2.13 is released
+ resolutionStrategy.force("com.azure:azure-identity:1.8.3")
+ resolutionStrategy.force("com.microsoft.azure:msal4j:1.13.8")
+ }
+}
diff --git a/agent/azure-monitor-exporter/build.gradle.kts b/agent/azure-monitor-exporter/build.gradle.kts
index 6b4a015a443..52c1d4c8172 100644
--- a/agent/azure-monitor-exporter/build.gradle.kts
+++ b/agent/azure-monitor-exporter/build.gradle.kts
@@ -45,11 +45,3 @@ dependencies {
 testCompileOnly("com.google.code.findbugs:jsr305")
 testCompileOnly("com.fasterxml.jackson.datatype:jackson-datatype-jsr310")
 }
-
-configurations {
- all {
- // excluding unused dependencies for size (~1.8mb)
- exclude("com.fasterxml.jackson.dataformat", "jackson-dataformat-xml")
- exclude("com.fasterxml.woodstox", "woodstox-core")
- }
-}
diff --git a/dependencyManagement/build.gradle.kts b/dependencyManagement/build.gradle.kts
index 684d9764253..4e557acff79 100644
--- a/dependencyManagement/build.gradle.kts
+++ b/dependencyManagement/build.gradle.kts
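Review bot: In agent/agent/build.gradle.kts the two `resolutionStrategy.force(...)` lines sit inside `configurations { all { ... } }`, and a forced version wins even when a later BOM requests a newer one, so if they outlive the azure-sdk-bom 1.2.13 upgrade they would hold `azure-identity` and `msal4j` (the token-acquisition libraries) at 1.8.3 / 1.13.8 with no build warning. The comment names the removal condition but nothing enforces it; I would tie it to a tracked item, e.g. `// TODO(<tracking-issue>): delete both force() lines once azure-sdk-bom >= 1.2.13 is adopted`, or express the floor as a dependency constraint so that newer versions can still win. The same commit also drops the explicit `net.minidev:json-smart:2.4.10` entry that dependencyManagement/build.gradle.kts documented as the CVE-2023-1370 fix, so the patched json-smart now presumably depends on what the forced msal4j pulls in. The agent-tooling lockfile still lists 2.4.10 as an unchanged context line, but this module's resolved runtime classpath is not visible here and is worth confirming before merge.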
@@ -73,11 +73,6 @@ val CORE_DEPENDENCIES = listOf(
 // temporarily overriding transitive dependency from azure-core until next azure-bom release
 // which targets at least reactor-netty-http:1.1.1
 "io.projectreactor.netty:reactor-netty-http:1.1.6",
- // CVE-2023-1370 - https://github.com/advisories/GHSA-493p-pfq6-5258
- // Transitive dependency: json-smart -> com.microsoft.azure:msal4j:1.13.5 -> com.azure:azure-identity
- // -> azure-monitor-exporter
- // upstream fix: https://github.com/AzureAD/microsoft-authentication-library-for-java/pull/612
- "net.minidev:json-smart:2.4.10"
 )
 val DEPENDENCIES = listOf(
diff --git a/licenses/more-licenses.md b/licenses/more-licenses.md
index 4d4aa486ed3..34e8c497a58 100644
--- a/licenses/more-licenses.md
+++ b/licenses/more-licenses.md
@@ -1,7 +1,7 @@ #agent ##Dependency License Report -_2023-05-05 14:48:11 UTC_ +_2023-05-05 14:24:24 PDT_ ## Apache License, Version 2.0 **1** **Group:** `com.fasterxml.jackson.core` **Name:** `jackson-annotations` **Version:** `2.15.0`
@@ -45,22 +45,21 @@ _2023-05-05 14:48:11 UTC_ > - **POM Project URL**: [https://bitbucket.org/connect2id/nimbus-content-type](https://bitbucket.org/connect2id/nimbus-content-type) > - **POM License**: Apache License, Version 2.0 - [http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0) -**8** **Group:** `com.nimbusds` **Name:** `lang-tag` **Version:** `1.6` +**8** **Group:** `com.nimbusds` **Name:** `lang-tag` **Version:** `1.7` > - **Manifest Project URL**: [https://connect2id.com/](https://connect2id.com/) > - **Manifest License**: Apache License, Version 2.0 (Not Packaged) > - **POM Project URL**: [https://bitbucket.org/connect2id/nimbus-language-tags](https://bitbucket.org/connect2id/nimbus-language-tags) > - **POM License**: Apache License, Version 2.0 - [http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0) -**9** **Group:** `com.nimbusds` **Name:** `nimbus-jose-jwt` **Version:** `9.22` +**9** **Group:** `com.nimbusds` **Name:** `nimbus-jose-jwt` **Version:** `9.30.2` > - **Manifest Project URL**: [https://connect2id.com](https://connect2id.com) > - **Manifest License**: Apache License, Version 2.0 (Not Packaged) > - **POM Project URL**: [https://bitbucket.org/connect2id/nimbus-jose-jwt](https://bitbucket.org/connect2id/nimbus-jose-jwt) > - **POM License**: Apache License, Version 2.0 - [http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0) -**10** **Group:** `com.nimbusds` **Name:** `oauth2-oidc-sdk` **Version:** `9.35` -> - **Manifest Project URL**: [https://connect2id.com](https://connect2id.com) +**10** **Group:** `com.nimbusds` **Name:** `oauth2-oidc-sdk` **Version:** `10.7.1` +> - **Project URL**: [https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions](https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions) > - **Manifest License**: Apache License, Version 2.0 (Not Packaged) -> - **POM Project URL**: 
[https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions](https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions) > - **POM License**: Apache License, Version 2.0 - [https://www.apache.org/licenses/LICENSE-2.0](https://www.apache.org/licenses/LICENSE-2.0) **11** **Group:** `com.squareup.moshi` **Name:** `moshi` **Version:** `1.11.0` @@ -314,7 +313,7 @@ _2023-05-05 14:48:11 UTC_ > - **POM Project URL**: [https://github.com/Azure/azure-sdk-for-java](https://github.com/Azure/azure-sdk-for-java) > - **POM License**: MIT License - [https://opensource.org/licenses/MIT](https://opensource.org/licenses/MIT) -**59** **Group:** `com.azure` **Name:** `azure-identity` **Version:** `1.8.2` +**59** **Group:** `com.azure` **Name:** `azure-identity` **Version:** `1.8.3` > - **POM Project URL**: [https://github.com/Azure/azure-sdk-for-java](https://github.com/Azure/azure-sdk-for-java) > - **POM License**: MIT License - [https://opensource.org/licenses/MIT](https://opensource.org/licenses/MIT) 
@@ -339,12 +338,12 @@ _2023-05-05 14:48:11 UTC_ > - **Manifest License**: "SPDX-License-Identifier: MIT";link="https://opensource.org/licenses/MIT" (Not Packaged) > - **POM License**: MIT License - [https://opensource.org/licenses/MIT](https://opensource.org/licenses/MIT) -**65** **Group:** `com.microsoft.azure` **Name:** `msal4j` **Version:** `1.13.7` +**65** **Group:** `com.microsoft.azure` **Name:** `msal4j` **Version:** `1.13.8` > - **Project URL**: [https://github.com/AzureAD/microsoft-authentication-library-for-java](https://github.com/AzureAD/microsoft-authentication-library-for-java) > - **Manifest License**: "MIT License" (Not Packaged) > - **POM License**: MIT License - [https://opensource.org/licenses/MIT](https://opensource.org/licenses/MIT) -**66** **Group:** `com.microsoft.azure` **Name:** `msal4j-persistence-extension` **Version:** `1.1.0` +**66** **Group:** `com.microsoft.azure` **Name:** `msal4j-persistence-extension` **Version:** `1.2.0` > - **POM Project URL**: [https://github.com/AzureAD/microsoft-authentication-extensions-for-java](https://github.com/AzureAD/microsoft-authentication-extensions-for-java) > - **POM License**: MIT License - [https://opensource.org/licenses/MIT](https://opensource.org/licenses/MIT)