From 5b4a8fdcf594f8790188f215d0d7bb2d359c7d70 Mon Sep 17 00:00:00 2001 From: zhuangchong <37063904+zhuangchong@users.noreply.github.com> Date: Thu, 15 Oct 2020 19:52:23 +0800 Subject: [PATCH] [fix-3788][pom]spring framework Security breach (#3882) * spring framework Security breach,update springboot version. * update license. * update license. * update netty license. * update license. * Update known-dependencies.txt * Update known-dependencies.txt Co-authored-by: zhuangchong Co-authored-by: dailidong --- dolphinscheduler-dist/release-docs/LICENSE | 40 +++++----- dolphinscheduler-dist/release-docs/NOTICE | 4 +- pom.xml | 6 +- tools/dependencies/known-dependencies.txt | 92 +++++++++++----------- 4 files changed, 71 insertions(+), 71 deletions(-)
diff --git a/dolphinscheduler-dist/release-docs/LICENSE b/dolphinscheduler-dist/release-docs/LICENSE
index 707ea5cab1..2bc80b300f 100644
--- a/dolphinscheduler-dist/release-docs/LICENSE
+++ b/dolphinscheduler-dist/release-docs/LICENSE
@@ -230,7 +230,7 @@ The text of each license is also included at licenses/LICENSE-[project].txt.
 clickhouse-jdbc 0.1.52: https://mvnrepository.com/artifact/ru.yandex.clickhouse/clickhouse-jdbc/0.1.52, Apache 2.0
 commons-beanutils 1.7.0 https://mvnrepository.com/artifact/commons-beanutils/commons-beanutils/1.7.0, Apache 2.0
 commons-cli 1.2: https://mvnrepository.com/artifact/commons-cli/commons-cli/1.2, Apache 2.0
- commons-codec 1.6: https://mvnrepository.com/artifact/commons-codec/commons-codec/1.6, Apache 2.0
+ commons-codec 1.11: https://mvnrepository.com/artifact/commons-codec/commons-codec/1.11, Apache 2.0
 commons-collections 3.2.2: https://mvnrepository.com/artifact/commons-collections/commons-collections/3.2.2, Apache 2.0
 commons-collections4 4.1: https://mvnrepository.com/artifact/org.apache.commons/commons-collections4/4.1, Apache 2.0
 commons-compress 1.4.1: https://mvnrepository.com/artifact/org.apache.commons/commons-compress/1.4.1, Apache 2.0
@@ -348,20 +348,20 @@ The text of each license is also included at licenses/LICENSE-[project].txt.
 snakeyaml 1.23: https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.23, Apache 2.0
 snappy 0.2: https://mvnrepository.com/artifact/org.iq80.snappy/snappy/0.2, Apache 2.0
 snappy-java 1.0.4.1: https://github.com/xerial/snappy-java, Apache 2.0
- spring-aop 5.1.5.RELEASE: https://mvnrepository.com/artifact/org.springframework/spring-aop/5.1.5.RELEASE, Apache 2.0
- spring-beans 5.1.5.RELEASE: https://mvnrepository.com/artifact/org.springframework/spring-beans/5.1.5.RELEASE, Apache 2.0
- spring-boot 2.1.3.RELEASE: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot/2.1.3.RELEASE, Apache 2.0
- spring-boot-autoconfigure 2.1.3.RELEASE: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-autoconfigure/2.1.3.RELEASE, Apache 2.0
- spring-boot-starter 2.1.3.RELEASE: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter/2.1.3.RELEASE, Apache 2.0
- spring-boot-starter-aop 2.1.3.RELEASE: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-aop/2.1.3.RELEASE, Apache 2.0
- spring-boot-starter-jdbc 2.1.3.RELEASE: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-jdbc/2.1.3.RELEASE, Apache 2.0
- spring-boot-starter-jetty 2.1.3.RELEASE: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-jetty/2.1.3.RELEASE, Apache 2.0
- spring-boot-starter-json 2.1.3.RELEASE: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-json/2.1.3.RELEASE, Apache 2.0
- spring-boot-starter-logging 2.1.3.RELEASE: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-logging/2.1.3.RELEASE, Apache 2.0
- spring-boot-starter-web 2.1.3.RELEASE: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-web/2.1.3.RELEASE, Apache 2.0
- spring-context 5.1.5.RELEASE: https://mvnrepository.com/artifact/org.springframework/spring-context/5.1.5.RELEASE, Apache 2.0
- spring-core 5.1.5.RELEASE: https://mvnrepository.com/artifact/org.springframework/spring-core, Apache 2.0
- spring-expression 5.1.5.RELEASE: https://mvnrepository.com/artifact/org.springframework/spring-expression, Apache 2.0
+ spring-aop 5.1.18.RELEASE: https://mvnrepository.com/artifact/org.springframework/spring-aop/5.1.18.RELEASE, Apache 2.0
+ spring-beans 5.1.18.RELEASE: https://mvnrepository.com/artifact/org.springframework/spring-beans/5.1.18.RELEASE, Apache 2.0
+ spring-boot 2.1.17.RELEASE: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot/2.1.17.RELEASE, Apache 2.0
+ spring-boot-autoconfigure 2.1.17.RELEASE: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-autoconfigure/2.1.17.RELEASE, Apache 2.0
+ spring-boot-starter 2.1.17.RELEASE: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter/2.1.17.RELEASE, Apache 2.0
+ spring-boot-starter-aop 2.1.17.RELEASE: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-aop/2.1.17.RELEASE, Apache 2.0
+ spring-boot-starter-jdbc 2.1.17.RELEASE: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-jdbc/2.1.17.RELEASE, Apache 2.0
+ spring-boot-starter-jetty 2.1.17.RELEASE: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-jetty/2.1.17.RELEASE, Apache 2.0
+ spring-boot-starter-json 2.1.17.RELEASE: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-json/2.1.17.RELEASE, Apache 2.0
+ spring-boot-starter-logging 2.1.17.RELEASE: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-logging/2.1.17.RELEASE, Apache 2.0
+ spring-boot-starter-web 2.1.17.RELEASE: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-web/2.1.17.RELEASE, Apache 2.0
+ spring-context 5.1.18.RELEASE: https://mvnrepository.com/artifact/org.springframework/spring-context/5.1.18.RELEASE, Apache 2.0
+ spring-core 5.1.18.RELEASE: https://mvnrepository.com/artifact/org.springframework/spring-core/5.1.18.RELEASE, Apache 2.0
+ spring-expression 5.1.18.RELEASE: https://mvnrepository.com/artifact/org.springframework/spring-expression/5.1.18.RELEASE, Apache 2.0
 springfox-core 2.9.2: https://mvnrepository.com/artifact/io.springfox/springfox-core, Apache 2.0
 springfox-schema 2.9.2: https://mvnrepository.com/artifact/io.springfox/springfox-schema, Apache 2.0
 springfox-spi 2.9.2: https://mvnrepository.com/artifact/io.springfox/springfox-spi, Apache 2.0
@@ -369,13 +369,13 @@ The text of each license is also included at licenses/LICENSE-[project].txt.
 springfox-swagger2 2.9.2: https://mvnrepository.com/artifact/io.springfox/springfox-swagger2/2.9.2, Apache 2.0
 springfox-swagger-common 2.9.2: https://mvnrepository.com/artifact/io.springfox/springfox-swagger-common/2.9.2, Apache 2.0
 springfox-swagger-ui 2.9.2: https://mvnrepository.com/artifact/io.springfox/springfox-swagger-ui/2.9.2, Apache 2.0
- spring-jcl 5.1.5.RELEASE: https://mvnrepository.com/artifact/org.springframework/spring-jcl/5.1.5.RELEASE, Apache 2.0
- spring-jdbc 5.1.5.RELEASE: https://mvnrepository.com/artifact/org.springframework/spring-jdbc/5.1.5.RELEASE, Apache 2.0
+ spring-jcl 5.1.18.RELEASE: https://mvnrepository.com/artifact/org.springframework/spring-jcl/5.1.18.RELEASE, Apache 2.0
+ spring-jdbc 5.1.18.RELEASE: https://mvnrepository.com/artifact/org.springframework/spring-jdbc/5.1.18.RELEASE, Apache 2.0
 spring-plugin-core 1.2.0.RELEASE: https://mvnrepository.com/artifact/org.springframework.plugin/spring-plugin-core/1.2.0.RELEASE, Apache 2.0
 spring-plugin-metadata 1.2.0.RELEASE: https://mvnrepository.com/artifact/org.springframework.plugin/spring-plugin-metadata/1.2.0.RELEASE, Apache 2.0
- spring-tx 5.1.5.RELEASE: https://mvnrepository.com/artifact/org.springframework/spring-tx/5.1.5.RELEASE, Apache 2.0
- spring-web 5.1.5.RELEASE: https://mvnrepository.com/artifact/org.springframework/spring-web/5.1.5.RELEASE, Apache 2.0
- spring-webmvc 5.1.5.RELEASE: https://mvnrepository.com/artifact/org.springframework/spring-webmvc/5.1.5.RELEASE, Apache 2.0
+ spring-tx 5.1.18.RELEASE: https://mvnrepository.com/artifact/org.springframework/spring-tx/5.1.18.RELEASE, Apache 2.0
+ spring-web 5.1.18.RELEASE: https://mvnrepository.com/artifact/org.springframework/spring-web/5.1.18.RELEASE, Apache 2.0
+ spring-webmvc 5.1.18.RELEASE: https://mvnrepository.com/artifact/org.springframework/spring-webmvc/5.1.18.RELEASE, Apache 2.0
 swagger-annotations 1.5.20: https://mvnrepository.com/artifact/io.swagger/swagger-annotations/1.5.20, Apache 2.0
 swagger-bootstrap-ui 1.9.3: https://mvnrepository.com/artifact/com.github.xiaoymin/swagger-bootstrap-ui/1.9.3, Apache 2.0
 swagger-models 1.5.20: https://mvnrepository.com/artifact/io.swagger/swagger-models/1.5.20, Apache 2.0
diff --git a/dolphinscheduler-dist/release-docs/NOTICE b/dolphinscheduler-dist/release-docs/NOTICE
index 901659e689..fdc68efbf3 100644
--- a/dolphinscheduler-dist/release-docs/NOTICE
+++ b/dolphinscheduler-dist/release-docs/NOTICE
@@ -384,8 +384,8 @@ This product contains the Maven wrapper scripts from 'Maven Wrapper', that provi Spring Framework NOTICE ======================================================================== -Spring Framework 5.1.5.RELEASE -Copyright (c) 2002-2019 Pivotal, Inc. +Spring Framework 5.1.18.RELEASE +Copyright (c) 2002-2020 Pivotal, Inc. This product is licensed to you under the Apache License, Version 2.0 (the "License"). You may not use this product except in compliance with
diff --git a/pom.xml b/pom.xml
index 9e4934e833..f7609611f4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -59,8 +59,8 @@
 UTF-8
 UTF-8
 4.3.0
- 5.1.5.RELEASE
- 2.1.3.RELEASE
+ 5.1.18.RELEASE
+ 2.1.17.RELEASE
 1.8
 1.2.3
 2.7.3
@@ -71,7 +71,7 @@
 5.0.5
 1.1.22
 1.4.200
- 1.6
+ 1.11
 1.1.1
 4.4.1
 4.4.1
diff --git a/tools/dependencies/known-dependencies.txt b/tools/dependencies/known-dependencies.txt
index 4a7f1662f0..96089d5dcd 100755
--- a/tools/dependencies/known-dependencies.txt
+++ b/tools/dependencies/known-dependencies.txt
@@ -2,26 +2,26 @@ HikariCP-3.2.0.jar
 activation-1.1.jar
 ant-1.6.5.jar
 aopalliance-1.0.jar
-apache-el-8.5.35.1.jar
+apache-el-8.5.54.jar
 apacheds-i18n-2.0.0-M15.jar
 apacheds-kerberos-codec-2.0.0-M15.jar
 api-asn1-api-1.0.0-M20.jar
 api-util-1.0.0-M20.jar
 asm-3.1.jar
-aspectjweaver-1.9.2.jar
+aspectjweaver-1.9.6.jar
 audience-annotations-0.5.0.jar
 avro-1.7.4.jar
 aws-java-sdk-1.7.4.jar
 bonecp-0.8.0.RELEASE.jar
-byte-buddy-1.9.10.jar
+byte-buddy-1.9.16.jar
 classmate-1.4.0.jar
 clickhouse-jdbc-0.1.52.jar
 commons-cli-1.2.jar
-commons-codec-1.6.jar
+commons-codec-1.11.jar
 commons-collections-3.2.2.jar
 commons-collections4-4.1.jar
 commons-compress-1.4.1.jar
-commons-compiler-3.0.12.jar
+commons-compiler-3.0.16.jar
 commons-configuration-1.10.jar
 commons-daemon-1.0.13.jar
 commons-beanutils-1.7.0.jar
@@ -44,7 +44,7 @@ datanucleus-core-4.1.6.jar
 datanucleus-rdbms-4.1.7.jar
 derby-10.14.2.0.jar
 druid-1.1.22.jar
-gson-2.8.5.jar
+gson-2.8.6.jar
 guava-20.0.jar
 guice-3.0.jar
 guice-servlet-3.0.jar
@@ -65,7 +65,7 @@ hadoop-yarn-client-2.7.3.jar
 hadoop-yarn-common-2.7.3.jar
 hadoop-yarn-server-common-2.7.3.jar
 hamcrest-core-1.3.jar
-hibernate-validator-6.0.14.Final.jar
+hibernate-validator-6.0.20.Final.jar
 hive-common-2.1.0.jar
 hive-jdbc-2.1.0.jar
 hive-metastore-2.1.0.jar
@@ -77,19 +77,19 @@ hive-storage-api-2.1.0.jar
 htrace-core-3.1.0-incubating.jar
 httpclient-4.4.1.jar
 httpcore-4.4.1.jar
-httpmime-4.5.7.jar
+httpmime-4.5.12.jar
 jackson-annotations-2.9.8.jar
 jackson-core-2.9.8.jar
 jackson-core-asl-1.9.13.jar
 jackson-databind-2.9.8.jar
-jackson-datatype-jdk8-2.9.8.jar
-jackson-datatype-jsr310-2.9.8.jar
+jackson-datatype-jdk8-2.9.10.jar
+jackson-datatype-jsr310-2.9.10.jar
 jackson-jaxrs-1.9.13.jar
 jackson-mapper-asl-1.9.13.jar
-jackson-module-parameter-names-2.9.8.jar
+jackson-module-parameter-names-2.9.10.jar
 jackson-xc-1.9.13.jar
 jamon-runtime-2.3.1.jar
-janino-3.0.12.jar
+janino-3.0.16.jar
 java-xmlbuilder-0.4.jar
 javax.activation-api-1.2.0.jar
 javax.annotation-api-1.3.2.jar
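Review bot: In the `@@ -77,19 +77,19 @@` hunk, `jackson-annotations-2.9.8.jar`, `jackson-core-2.9.8.jar` and `jackson-databind-2.9.8.jar` stay as unchanged context while the `jackson-datatype-*` and `jackson-module-parameter-names` jars move to 2.9.10, so the distribution ships a mixed Jackson 2.9 set and the component that performs deserialization is the one left on the old release. This looks like a Jackson version pinned in `pom.xml` overriding what the new Spring Boot release manages; that property is not visible in the pom.xml hunks, so it needs confirming there. Since this commit is a security upgrade, I would raise that pin to the same 2.9.10 line (or drop it and take the Boot-managed version) and update these three entries to match, because later 2.9.x databind releases added blocks for polymorphic-deserialization gadget classes that 2.9.8 does not have.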
@@ -100,7 +100,7 @@ javax.servlet-api-3.1.0.jar
 javolution-5.5.1.jar
 jaxb-api-2.3.1.jar
 jaxb-impl-2.2.3-1.jar
-jboss-logging-3.3.2.Final.jar
+jboss-logging-3.3.3.Final.jar
 jdo-api-3.0.1.jar
 jersey-client-1.9.jar
 jersey-core-1.9.jar
@@ -110,21 +110,21 @@ jersey-server-1.9.jar
 jets3t-0.9.0.jar
 jettison-1.1.jar
 jetty-6.1.26.jar
-jetty-continuation-9.4.14.v20181114.jar
-jetty-http-9.4.14.v20181114.jar
-jetty-io-9.4.14.v20181114.jar
-jetty-security-9.4.14.v20181114.jar
-jetty-server-9.4.14.v20181114.jar
-jetty-servlet-9.4.14.v20181114.jar
-jetty-servlets-9.4.14.v20181114.jar
+jetty-continuation-9.4.31.v20200723.jar
+jetty-http-9.4.31.v20200723.jar
+jetty-io-9.4.31.v20200723.jar
+jetty-security-9.4.31.v20200723.jar
+jetty-server-9.4.31.v20200723.jar
+jetty-servlet-9.4.31.v20200723.jar
+jetty-servlets-9.4.31.v20200723.jar
 jetty-util-6.1.26.jar
-jetty-util-9.4.14.v20181114.jar
-jetty-webapp-9.4.14.v20181114.jar
-jetty-xml-9.4.14.v20181114.jar
+jetty-util-9.4.31.v20200723.jar
+jetty-webapp-9.4.31.v20200723.jar
+jetty-xml-9.4.31.v20200723.jar
 jline-0.9.94.jar
 jna-4.5.2.jar
 jna-platform-4.5.2.jar
-joda-time-2.10.1.jar
+joda-time-2.10.6.jar
 jpam-1.1.jar
 jsch-0.1.42.jar
 jsp-2.1-6.1.14.jar
@@ -133,7 +133,7 @@ jsp-api-2.1.jar
 jsqlparser-2.1.jar
 jsr305-3.0.0.jar
 jta-1.1.jar
-jul-to-slf4j-1.7.25.jar
+jul-to-slf4j-1.7.30.jar
 junit-4.12.jar
 leveldbjni-all-1.8.jar
 libfb303-0.9.3.jar
@@ -155,7 +155,7 @@ mybatis-plus-core-3.2.0.jar
 mybatis-plus-extension-3.2.0.jar
 mybatis-spring-2.0.2.jar
 netty-3.6.2.Final.jar
-netty-all-4.1.33.Final.jar
+netty-all-4.1.52.Final.jar
 opencsv-2.3.jar
 oshi-core-3.5.0.jar
 paranamer-2.3.jar
@@ -169,27 +169,27 @@ slf4j-api-1.7.5.jar
 snakeyaml-1.23.jar
 snappy-0.2.jar
 snappy-java-1.0.4.1.jar
-spring-aop-5.1.5.RELEASE.jar
-spring-beans-5.1.5.RELEASE.jar
-spring-boot-2.1.3.RELEASE.jar
-spring-boot-autoconfigure-2.1.3.RELEASE.jar
-spring-boot-starter-2.1.3.RELEASE.jar
-spring-boot-starter-aop-2.1.3.RELEASE.jar
-spring-boot-starter-jdbc-2.1.3.RELEASE.jar
-spring-boot-starter-jetty-2.1.3.RELEASE.jar
-spring-boot-starter-json-2.1.3.RELEASE.jar
-spring-boot-starter-logging-2.1.3.RELEASE.jar
-spring-boot-starter-web-2.1.3.RELEASE.jar
-spring-context-5.1.5.RELEASE.jar
-spring-core-5.1.5.RELEASE.jar
-spring-expression-5.1.5.RELEASE.jar
-spring-jcl-5.1.5.RELEASE.jar
-spring-jdbc-5.1.5.RELEASE.jar
+spring-aop-5.1.18.RELEASE.jar
+spring-beans-5.1.18.RELEASE.jar
+spring-boot-2.1.17.RELEASE.jar
+spring-boot-autoconfigure-2.1.17.RELEASE.jar
+spring-boot-starter-2.1.17.RELEASE.jar
+spring-boot-starter-aop-2.1.17.RELEASE.jar
+spring-boot-starter-jdbc-2.1.17.RELEASE.jar
+spring-boot-starter-jetty-2.1.17.RELEASE.jar
+spring-boot-starter-json-2.1.17.RELEASE.jar
+spring-boot-starter-logging-2.1.17.RELEASE.jar
+spring-boot-starter-web-2.1.17.RELEASE.jar
+spring-context-5.1.18.RELEASE.jar
+spring-core-5.1.18.RELEASE.jar
+spring-expression-5.1.18.RELEASE.jar
+spring-jcl-5.1.18.RELEASE.jar
+spring-jdbc-5.1.18.RELEASE.jar
 spring-plugin-core-1.2.0.RELEASE.jar
 spring-plugin-metadata-1.2.0.RELEASE.jar
-spring-tx-5.1.5.RELEASE.jar
-spring-web-5.1.5.RELEASE.jar
-spring-webmvc-5.1.5.RELEASE.jar
+spring-tx-5.1.18.RELEASE.jar
+spring-web-5.1.18.RELEASE.jar
+spring-webmvc-5.1.18.RELEASE.jar
 springfox-core-2.9.2.jar
 springfox-schema-2.9.2.jar
 springfox-spi-2.9.2.jar
@@ -210,4 +210,4 @@ xmlenc-0.52.jar
 xz-1.0.jar
 zookeeper-3.4.14.jar
 guava-retrying-2.0.0.jar
-presto-jdbc-0.238.1.jar
\ No newline at end of file
+presto-jdbc-0.238.1.jar