Upgrading OSS libraries with known open CVEs

[scottcarter87]

Pull Request type

• [*] Build related changes (Please run ./gradlew generateLock saveLock to refresh dependencies)

NOTE: Please remember to run ./gradlew spotlessApply to fix any format violations.

Changes in this PR

Upgrading OSS libraries used within conductor that have known CVEs. The vulnerable packages were detected by our OSSPI container scans and needed to be fixed in order for us to remain compliant and able to use conductor. This PR applies the fixes that we needed to ensure that Conductor could be deployed within our environment.

• CVE-2023-2976 (Google Guava)
• CVE-2020-8908 (Google Guava)
• CVE-2016-1000027 (Spring Web)
• CVE-2023-20863 (Spring Web)
• CVE-2023-20860 (Spring Web)
• CVE-2023-20861 (Spring Web)
• CVE-2023-1436 (Jettison)
• CVE-2022-45693 (Jettison)
• CVE-2022-45685 (Jettison)
• CVE-2022-40150 (Jettison)
• CVE-2022-40149 (Jettison)
• CVE-2022-41854 (Snakeyaml)
• CVE-2022-38752 (Snakeyaml)
• CVE-2022-38751 (Snakeyaml)
• CVE-2022-38750 (Snakeyaml)
• CVE-2022-38749 (Snakeyaml)
• CVE-2022-1471 (Snakeyaml)
• CVE-2022-25857 (Snakeyaml)
• CVE-2023-28708 (tomcat-embed-core)
• CVE-2022-45143 (tomcat-embed-core)
• CVE-2022-42252 (tomcat-embed-core)
• CVE-2022-31159 (AWS SDK S3)
• CVE-2023-20863 (Spring Core)
• CVE-2023-20860 (Spring Core)
• CVE-2023-20861 (Spring Core)
• CVE-2022-42004 (Jackson Databind)
• CVE-2022-42003 (Jackson Databind)
• CVE-2023-20873 (Spring Boot Actuator Autoconfigure)
• CVE-2023-20883 (Spring Boot Autoconfigure)
• CVE-2023-32731 (Protobuf)
• CVE-2023-1428 (Protobuf)
• CVE-2023-32732 (Protobuf)
• CVE-2020-7020 (Elasticsearch)
• CVE-2020-7021 (Elasticsearch)
• CVE-2021-22135 (Elasticsearch)
• CVE-2021-22137 (Elasticsearch)
• CVE-2021-22144 (Elasticsearch)
• PRISMA-2023-0067 (Jackson Core)
• CVE-2023-41080 (Tomcat Embed Core)

[pkrasko]

+1

[VerstraeteBert]

Need this as well.

[ivakoleva]

+1
Provide the list of CVEs fixed, it is helpful to build the release notes accordingly.

[v1r3n]

@scottcarter87 can you take a look at the failing build?

[scottcarter87]

@v1r3n I get the same error locally. Taking a look.

[scottcarter87]

Still getting a weird error locally on java-sdk for one test. Not sure if its my local setup (M2 Mac) which also has issues with the version of test containers used or if there is an additional test issue now. The first CI failure was resolved by using a newer protobuf version.

WorkflowCreationTests.verifyInlineWorkflowExecution()

5050 [Test worker] WARN  com.netflix.conductor.client.http.ClientBase [] - Unable to invoke Conductor API with uri: http://localhost:8080/api/metadata/taskdefs/get_user_info, unexpected response from server: statusCode=404, responseBody='{"status":404,"message":"No such taskType found by name: get_user_info","instance":"cartersc7MR71.vmware.com","retryable":false}'.
5050 [ForkJoinPool.commonPool-worker-8] WARN  com.netflix.conductor.client.http.ClientBase [] - Unable to invoke Conductor API with uri: http://localhost:8080/api/metadata/taskdefs/fork_gen, unexpected response from server: statusCode=404, responseBody='{"status":404,"message":"No such taskType found by name: fork_gen","instance":"cartersc7MR71.vmware.com","retryable":false}'.
5050 [ForkJoinPool.commonPool-worker-3] WARN  com.netflix.conductor.client.http.ClientBase [] - Unable to invoke Conductor API with uri: http://localhost:8080/api/metadata/taskdefs/task2, unexpected response from server: statusCode=404, responseBody='{"status":404,"message":"No such taskType found by name: task2","instance":"cartersc7MR71.vmware.com","retryable":false}'.
5125 [pool-8-thread-19] WARN  com.netflix.config.sources.URLConfigurationSource [] - No URLs will be polled as dynamic configuration sources.
5125 [pool-8-thread-19] INFO  com.netflix.config.sources.URLConfigurationSource [] - To enable URLs as dynamic configuration sources, define System property archaius.configurationSource.additionalUrls or make config.properties available on classpath.
5130 [pool-8-thread-19] INFO  com.netflix.config.DynamicPropertyFactory [] - DynamicPropertyFactory is initialized with configuration sources: com.netflix.config.ConcurrentCompositeConfiguration@5328f8ca

Cannot invoke "javax.script.ScriptEngine.createBindings()" because "com.netflix.conductor.core.events.ScriptEvaluator.engine" is null
Expected :COMPLETED
Actual   :FAILED

[scottcarter87]

@v1r3n All of the build issues have been resolved and I get a clean build locally. Please run the build again if you could.

[scottcarter87]

+1 Provide the list of CVEs fixed, it is helpful to build the release notes accordingly.

Added to the main description

[ivakoleva]

What is left to do in order to apply the improvement?

[wildMythicWest]

+1

[scottcarter87]

Updated with the latest code from main

[scottcarter87]

@v1r3n any specific reason this is still sitting un-merged?