From 0b0c6f8d38f7127949d9fe9d396ec68e5bde45a5 Mon Sep 17 00:00:00 2001
From: Mario Kevo <48509719+mkevo@users.noreply.github.com>
Date: Wed, 14 Sep 2022 20:49:46 +0200
Subject: [PATCH] GEODE-10415: bump dependencies due to vulnerability scan (#7855)
---
 .../plugins/DependencyConstraints.groovy | 4 +-
 .../tests/GenericAppServerInstall.java | 2 +-
 .../resources/assembly_content.txt | 43 +++++++++---------
 .../resources/gfsh_dependency_classpath.txt | 44 +++++++++----------
 .../resources/dependency_classpath.txt | 36 +++++++--------
 5 files changed, 65 insertions(+), 64 deletions(-)
diff --git a/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy b/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
index 2a3ed0143602..649d6dc4ad20 100644
--- a/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
+++ b/build-tools/geode-dependency-management/src/main/groovy/org/apache/geode/gradle/plugins/DependencyConstraints.groovy
@@ -41,7 +41,7 @@ class DependencyConstraints {
 deps.put("jgroups.version", "3.6.14.Final")
 deps.put("log4j.version", "2.17.2")
 deps.put("micrometer.version", "1.9.1")
- deps.put("shiro.version", "1.9.0")
+ deps.put("shiro.version", "1.9.1")
 deps.put("slf4j-api.version", "1.7.32")
 deps.put("jboss-modules.version", "1.11.0.Final")
 deps.put("jackson.version", "2.13.3")
@@ -61,7 +61,7 @@ class DependencyConstraints {
 // The jetty version is also hard-coded in geode-assembly:test
 // at o.a.g.sessions.tests.GenericAppServerInstall.java
- deps.put("jetty.version", "9.4.46.v20220331")
+ deps.put("jetty.version", "9.4.47.v20220610")
 // These versions are referenced in test.gradle, which is aggressively injected into all projects.
 deps.put("junit.version", "4.13.2")
diff --git a/geode-assembly/src/distributedTest/java/org/apache/geode/session/tests/GenericAppServerInstall.java b/geode-assembly/src/distributedTest/java/org/apache/geode/session/tests/GenericAppServerInstall.java
index 42bd6e7eeca7..88d0e5c77be3 100644
--- a/geode-assembly/src/distributedTest/java/org/apache/geode/session/tests/GenericAppServerInstall.java
+++ b/geode-assembly/src/distributedTest/java/org/apache/geode/session/tests/GenericAppServerInstall.java
@@ -34,7 +34,7 @@
 * specific code outside of the {@link GenericAppServerVersion}.
 */
 public class GenericAppServerInstall extends ContainerInstall {
- private static final String JETTY_VERSION = "9.4.46.v20220331";
+ private static final String JETTY_VERSION = "9.4.47.v20220610";
 /**
 * Get the version number, download URL, and container name of a generic app server using
diff --git a/geode-assembly/src/integrationTest/resources/assembly_content.txt b/geode-assembly/src/integrationTest/resources/assembly_content.txt
index f19575b92114..966298fe1abc 100644
--- a/geode-assembly/src/integrationTest/resources/assembly_content.txt
+++ b/geode-assembly/src/integrationTest/resources/assembly_content.txt
@@ -1007,6 +1007,8 @@ lib/istack-commons-runtime-4.0.1.jar
 lib/jackson-annotations-2.13.3.jar
 lib/jackson-core-2.13.3.jar
 lib/jackson-databind-2.13.3.jar
+lib/jackson-datatype-joda-2.13.3.jar
+lib/jackson-datatype-jsr310-2.13.3.jar
 lib/javax.activation-api-1.2.0.jar
 lib/javax.mail-api-1.6.2.jar
 lib/javax.resource-api-1.7.1.jar
@@ -1014,19 +1016,20 @@ lib/javax.servlet-api-3.1.0.jar
 lib/javax.transaction-api-1.3.jar
 lib/jaxb-api-2.3.1.jar
 lib/jaxb-impl-2.3.2.jar
-lib/jetty-http-9.4.46.v20220331.jar
-lib/jetty-io-9.4.46.v20220331.jar
-lib/jetty-security-9.4.46.v20220331.jar
-lib/jetty-server-9.4.46.v20220331.jar
-lib/jetty-servlet-9.4.46.v20220331.jar
-lib/jetty-util-9.4.46.v20220331.jar
-lib/jetty-util-ajax-9.4.46.v20220331.jar
-lib/jetty-webapp-9.4.46.v20220331.jar
-lib/jetty-xml-9.4.46.v20220331.jar
+lib/jetty-http-9.4.47.v20220610.jar
+lib/jetty-io-9.4.47.v20220610.jar
+lib/jetty-security-9.4.47.v20220610.jar
+lib/jetty-server-9.4.47.v20220610.jar
+lib/jetty-servlet-9.4.47.v20220610.jar
+lib/jetty-util-9.4.47.v20220610.jar
+lib/jetty-util-ajax-9.4.47.v20220610.jar
+lib/jetty-webapp-9.4.47.v20220610.jar
+lib/jetty-xml-9.4.47.v20220610.jar
 lib/jgroups-3.6.14.Final.jar
 lib/jline-2.12.jar
 lib/jna-5.11.0.jar
 lib/jna-platform-5.11.0.jar
+lib/joda-time-2.10.14.jar
 lib/jopt-simple-5.0.4.jar
 lib/log4j-api-2.17.2.jar
 lib/log4j-core-2.17.2.jar
@@ -1044,16 +1047,17 @@ lib/mx4j-remote-3.0.2.jar
 lib/mx4j-tools-3.0.1.jar
 lib/ra.jar
 lib/rmiio-2.1.2.jar
-lib/shiro-cache-1.9.0.jar
-lib/shiro-config-core-1.9.0.jar
-lib/shiro-config-ogdl-1.9.0.jar
-lib/shiro-core-1.9.0.jar
-lib/shiro-crypto-cipher-1.9.0.jar
-lib/shiro-crypto-core-1.9.0.jar
-lib/shiro-crypto-hash-1.9.0.jar
-lib/shiro-event-1.9.0.jar
-lib/shiro-lang-1.9.0.jar
+lib/shiro-cache-1.9.1.jar
+lib/shiro-config-core-1.9.1.jar
+lib/shiro-config-ogdl-1.9.1.jar
+lib/shiro-core-1.9.1.jar
+lib/shiro-crypto-cipher-1.9.1.jar
+lib/shiro-crypto-core-1.9.1.jar
+lib/shiro-crypto-hash-1.9.1.jar
+lib/shiro-event-1.9.1.jar
+lib/shiro-lang-1.9.1.jar
 lib/slf4j-api-1.7.32.jar
+lib/slf4j-api-1.7.36.jar
 lib/snappy-0.4.jar
 lib/spring-beans-5.3.21.jar
 lib/spring-context-5.3.21.jar
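Review bot: The `@@ -1044,16 +1047,17 @@` hunk of assembly_content.txt keeps `lib/slf4j-api-1.7.32.jar` as context and adds `lib/slf4j-api-1.7.36.jar`, so the expected distribution now carries two versions of the same API jar in lib/. The pin `deps.put("slf4j-api.version", "1.7.32")` in DependencyConstraints.groovy is untouched, which suggests 1.7.36 arrives transitively with one of the bumped dependencies rather than by intent. The `@@ -57,23 +59,24 @@` hunk of gfsh_dependency_classpath.txt swaps 1.7.32 for 1.7.36 while geode-server-all's dependency_classpath.txt still lists `slf4j-api-1.7.32.jar`, so the version that loads presumably depends on the entry point. I would settle on one version, for example `deps.put("slf4j-api.version", "1.7.36")`, and regenerate the three listings so that a single slf4j-api jar remains and later vulnerability scans see one version to assess.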
@@ -1070,6 +1074,3 @@ tools/Modules/Apache_Geode_Modules-0.0.0-Tomcat.zip
 tools/Modules/Apache_Geode_Modules-0.0.0-tcServer.zip
 tools/Modules/Apache_Geode_Modules-0.0.0-tcServer30.zip
 tools/Pulse/geode-pulse-0.0.0.war
-lib/jackson-datatype-joda-2.13.3.jar
-lib/jackson-datatype-jsr310-2.13.3.jar
-lib/joda-time-2.10.14.jar
diff --git a/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt b/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
index 62619491b2f8..a128557a0ead 100644
--- a/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
+++ b/geode-assembly/src/integrationTest/resources/gfsh_dependency_classpath.txt
@@ -21,8 +21,10 @@ spring-shell-1.2.0.RELEASE.jar
 spring-web-5.3.21.jar
 commons-lang3-3.12.0.jar
 rmiio-2.1.2.jar
+jackson-datatype-joda-2.13.3.jar
 jackson-annotations-2.13.3.jar
 jackson-core-2.13.3.jar
+jackson-datatype-jsr310-2.13.3.jar
 jackson-databind-2.13.3.jar
 swagger-annotations-2.2.1.jar
 jopt-simple-5.0.4.jar
@@ -45,8 +47,8 @@ antlr-2.7.7.jar
 istack-commons-runtime-4.0.1.jar
 jaxb-impl-2.3.2.jar
 commons-validator-1.7.jar
-shiro-core-1.9.0.jar
-shiro-config-ogdl-1.9.0.jar
+shiro-core-1.9.1.jar
+shiro-config-ogdl-1.9.1.jar
 commons-beanutils-1.9.4.jar
 commons-codec-1.15.jar
 commons-collections-3.2.2.jar
@@ -57,23 +59,24 @@ classgraph-4.8.147.jar
 micrometer-core-1.9.1.jar
 fastutil-8.5.8.jar
 javax.resource-api-1.7.1.jar
-jetty-webapp-9.4.46.v20220331.jar
-jetty-servlet-9.4.46.v20220331.jar
-jetty-security-9.4.46.v20220331.jar
-jetty-server-9.4.46.v20220331.jar
+jetty-webapp-9.4.47.v20220610.jar
+jetty-servlet-9.4.47.v20220610.jar
+jetty-security-9.4.47.v20220610.jar
+jetty-server-9.4.47.v20220610.jar
 javax.servlet-api-3.1.0.jar
+joda-time-2.10.14.jar
 jna-platform-5.11.0.jar
 jna-5.11.0.jar
 snappy-0.4.jar
 jgroups-3.6.14.Final.jar
-shiro-cache-1.9.0.jar
-shiro-crypto-hash-1.9.0.jar
-shiro-crypto-cipher-1.9.0.jar
-shiro-config-core-1.9.0.jar
-shiro-event-1.9.0.jar
-shiro-crypto-core-1.9.0.jar
-shiro-lang-1.9.0.jar
-slf4j-api-1.7.32.jar
+shiro-cache-1.9.1.jar
+shiro-crypto-hash-1.9.1.jar
+shiro-crypto-cipher-1.9.1.jar
+shiro-config-core-1.9.1.jar
+shiro-event-1.9.1.jar
+shiro-crypto-core-1.9.1.jar
+shiro-lang-1.9.1.jar
+slf4j-api-1.7.36.jar
 spring-beans-5.3.21.jar
 javax.activation-api-1.2.0.jar
 jline-2.12.jar
@@ -82,11 +85,8 @@ spring-jcl-5.3.21.jar
 HdrHistogram-2.1.12.jar
 LatencyUtils-2.0.3.jar
 javax.transaction-api-1.3.jar
-jetty-xml-9.4.46.v20220331.jar
-jetty-http-9.4.46.v20220331.jar
-jetty-io-9.4.46.v20220331.jar
-jetty-util-ajax-9.4.46.v20220331.jar
-jetty-util-9.4.46.v20220331.jar
-jackson-datatype-joda-2.13.3.jar
-jackson-datatype-jsr310-2.13.3.jar
-joda-time-2.10.14.jar
\ No newline at end of file
+jetty-xml-9.4.47.v20220610.jar
+jetty-http-9.4.47.v20220610.jar
+jetty-io-9.4.47.v20220610.jar
+jetty-util-ajax-9.4.47.v20220610.jar
+jetty-util-9.4.47.v20220610.jar
diff --git a/geode-server-all/src/integrationTest/resources/dependency_classpath.txt b/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
index c2929148ac1c..083f54034e87 100644
--- a/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
+++ b/geode-server-all/src/integrationTest/resources/dependency_classpath.txt
@@ -1,8 +1,8 @@
 spring-web-5.3.21.jar
-shiro-event-1.9.0.jar
-shiro-crypto-hash-1.9.0.jar
-shiro-crypto-cipher-1.9.0.jar
-shiro-config-core-1.9.0.jar
+shiro-event-1.9.1.jar
+shiro-crypto-hash-1.9.1.jar
+shiro-crypto-cipher-1.9.1.jar
+shiro-config-core-1.9.1.jar
 commons-digester-2.1.jar
 commons-validator-1.7.jar
 spring-jcl-5.3.21.jar
@@ -16,18 +16,18 @@ javax.activation-api-1.2.0.jar
 javax.resource-api-1.7.1.jar
 LatencyUtils-2.0.3.jar
 jline-2.12.jar
-jetty-servlet-9.4.46.v20220331.jar
+jetty-servlet-9.4.47.v20220610.jar
 spring-core-5.3.21.jar
-jetty-util-ajax-9.4.46.v20220331.jar
+jetty-util-ajax-9.4.47.v20220610.jar
 geode-cq-0.0.0.jar
 geode-old-client-support-0.0.0.jar
 javax.servlet-api-3.1.0.jar
 jgroups-3.6.14.Final.jar
-shiro-cache-1.9.0.jar
+shiro-cache-1.9.1.jar
 httpcore-4.4.15.jar
 spring-beans-5.3.21.jar
 lucene-queries-6.6.6.jar
-shiro-core-1.9.0.jar
+shiro-core-1.9.1.jar
 HikariCP-4.0.3.jar
 slf4j-api-1.7.32.jar
 geode-http-service-0.0.0.jar
@@ -38,18 +38,18 @@ geode-lucene-0.0.0.jar
 lucene-core-6.6.6.jar
 fastutil-8.5.8.jar
 geode-gfsh-0.0.0.jar
-jetty-http-9.4.46.v20220331.jar
+jetty-http-9.4.47.v20220610.jar
 geode-memcached-0.0.0.jar
 rmiio-2.1.2.jar
 geode-tcp-server-0.0.0.jar
 log4j-jcl-2.17.2.jar
 geode-connectors-0.0.0.jar
 jackson-core-2.13.3.jar
-jetty-util-9.4.46.v20220331.jar
+jetty-util-9.4.47.v20220610.jar
 log4j-slf4j-impl-2.17.2.jar
 lucene-analyzers-common-6.6.6.jar
 geode-membership-0.0.0.jar
-jetty-webapp-9.4.46.v20220331.jar
+jetty-webapp-9.4.47.v20220610.jar
 commons-lang3-3.12.0.jar
 jopt-simple-5.0.4.jar
 swagger-annotations-2.2.1.jar
@@ -59,11 +59,11 @@ log4j-api-2.17.2.jar
 geode-serialization-0.0.0.jar
 istack-commons-runtime-4.0.1.jar
 lucene-queryparser-6.6.6.jar
-jetty-io-9.4.46.v20220331.jar
+jetty-io-9.4.47.v20220610.jar
 geode-deployment-legacy-0.0.0.jar
 commons-beanutils-1.9.4.jar
 log4j-core-2.17.2.jar
-shiro-crypto-core-1.9.0.jar
+shiro-crypto-core-1.9.1.jar
 jaxb-api-2.3.1.jar
 geode-unsafe-0.0.0.jar
 spring-shell-1.2.0.RELEASE.jar
@@ -73,20 +73,20 @@ log4j-jul-2.17.2.jar
 HdrHistogram-2.1.12.jar
 jackson-annotations-2.13.3.jar
 micrometer-core-1.9.1.jar
-shiro-config-ogdl-1.9.0.jar
+shiro-config-ogdl-1.9.1.jar
 geode-log4j-0.0.0.jar
 lucene-analyzers-phonetic-6.6.6.jar
 spring-context-5.3.21.jar
-jetty-security-9.4.46.v20220331.jar
+jetty-security-9.4.47.v20220610.jar
 geode-logging-0.0.0.jar
 commons-io-2.11.0.jar
-shiro-lang-1.9.0.jar
+shiro-lang-1.9.1.jar
 javax.transaction-api-1.3.jar
 geode-common-0.0.0.jar
 antlr-2.7.7.jar
-jetty-xml-9.4.46.v20220331.jar
+jetty-xml-9.4.47.v20220610.jar
 geode-rebalancer-0.0.0.jar
-jetty-server-9.4.46.v20220331.jar
+jetty-server-9.4.47.v20220610.jar
 jackson-datatype-jsr310-2.13.3.jar
 jackson-datatype-joda-2.13.3.jar
 joda-time-2.10.14.jar
\ No newline at end of file