fix CVE from ai.djl dependency (#3478) (#3482)

Signed-off-by: Zan Niu <[email protected]> Co-authored-by: zane-neo <[email protected]>
opensearch-project · Jan 31, 2025 · 6ba54cf · 6ba54cf
1 parent 8f604cb
commit 6ba54cf
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 11 deletions.
diff --git a/common/build.gradle b/common/build.gradle
@@ -24,7 +24,7 @@ dependencies {
     testImplementation "org.opensearch.test:framework:${opensearch_version}"
 
     compileOnly group: 'org.apache.commons', name: 'commons-text', version: '1.10.0'
-    compileOnly group: 'com.google.code.gson', name: 'gson', version: '2.10.1'
+    compileOnly group: 'com.google.code.gson', name: 'gson', version: '2.11.0'
     compileOnly group: 'org.json', name: 'json', version: '20231013'
     testImplementation group: 'org.json', name: 'json', version: '20231013'
     implementation('com.google.guava:guava:32.1.3-jre') {

diff --git a/memory/build.gradle b/memory/build.gradle
@@ -28,15 +28,17 @@ dependencies {
     implementation group: 'org.opensearch', name: 'opensearch', version: "${opensearch_version}"
     implementation group: 'org.apache.httpcomponents.core5', name: 'httpcore5', version: "5.2.2"
     implementation "org.opensearch:common-utils:${common_utils_version}"
-    implementation group: 'com.google.guava', name: 'guava', version: '32.1.3-jre'
+    implementation (group: 'com.google.guava', name: 'guava', version: '32.1.3-jre') {
+	exclude group: 'com.google.errorprone', module: 'error_prone_annotations'
+    }
     testImplementation (group: 'junit', name: 'junit', version: '4.13.2') {
         exclude module : 'hamcrest'
         exclude module : 'hamcrest-core'
     }
     testImplementation group: 'org.mockito', name: 'mockito-core', version: '5.7.0'
     testImplementation "org.opensearch.test:framework:${opensearch_version}"
     testImplementation "org.opensearch.client:opensearch-rest-client:${opensearch_version}"
-    testImplementation group: 'com.google.code.gson', name: 'gson', version: '2.10.1'
+    testImplementation group: 'com.google.code.gson', name: 'gson', version: '2.11.0'
     testImplementation group: 'org.json', name: 'json', version: '20231013'
     testImplementation("com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}")
     testImplementation("com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}")
@@ -84,4 +86,4 @@ spotless {
 
         eclipse().withP2Mirrors(Map.of("https://download.eclipse.org/", "https://mirror.umd.edu/eclipse/")).configFile rootProject.file('.eclipseformat.xml')
     }
-}
+}
diff --git a/ml-algorithms/build.gradle b/ml-algorithms/build.gradle
@@ -41,9 +41,11 @@ dependencies {
     implementation group: 'io.protostuff', name: 'protostuff-collectionschema', version: '1.8.0'
     testImplementation group: 'junit', name: 'junit', version: '4.13.2'
     testImplementation group: 'org.mockito', name: 'mockito-core', version: '5.7.0'
-    implementation group: 'com.google.guava', name: 'guava', version: '32.1.3-jre'
-    implementation group: 'com.google.code.gson', name: 'gson', version: '2.10.1'
-    implementation platform("ai.djl:bom:0.28.0")
+    implementation (group: 'com.google.guava', name: 'guava', version: '32.1.3-jre') {
+	exclude group: 'com.google.errorprone', module: 'error_prone_annotations'
+    }
+    implementation group: 'com.google.code.gson', name: 'gson', version: '2.11.0'
+    implementation platform("ai.djl:bom:0.31.1")
     implementation group: 'ai.djl.pytorch', name: 'pytorch-model-zoo'
     implementation group: 'ai.djl', name: 'api'
     implementation group: 'ai.djl.huggingface', name: 'tokenizers'

diff --git a/plugin/build.gradle b/plugin/build.gradle
@@ -75,8 +75,10 @@ dependencies {
     implementation("com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}")
     implementation("com.fasterxml.jackson.core:jackson-databind:${versions.jackson_databind}")
     implementation group: 'com.networknt' , name: 'json-schema-validator', version: '1.4.0'
-    implementation group: 'com.google.guava', name: 'guava', version: '32.1.3-jre'
-    implementation group: 'com.google.code.gson', name: 'gson', version: '2.10.1'
+    implementation (group: 'com.google.guava', name: 'guava', version: '32.1.3-jre') {
+	exclude group: 'com.google.errorprone', module: 'error_prone_annotations'
+    }
+    implementation group: 'com.google.code.gson', name: 'gson', version: '2.11.0'
     implementation group: 'org.apache.commons', name: 'commons-lang3', version: '3.10'
     implementation group: 'org.apache.commons', name: 'commons-math3', version: '3.6.1'
     implementation "org.apache.logging.log4j:log4j-slf4j-impl:2.19.0"

diff --git a/search-processors/build.gradle b/search-processors/build.gradle
@@ -30,13 +30,15 @@ repositories {
 dependencies {
     implementation project(path: ":${rootProject.name}-common", configuration: 'shadow')
     compileOnly group: 'org.opensearch', name: 'opensearch', version: "${opensearch_version}"
-    compileOnly group: 'com.google.code.gson', name: 'gson', version: '2.10.1'
+    compileOnly group: 'com.google.code.gson', name: 'gson', version: '2.11.0'
     implementation 'org.apache.commons:commons-lang3:3.12.0'
     implementation project(':opensearch-ml-memory')
     implementation group: 'org.opensearch', name: 'common-utils', version: "${common_utils_version}"
     // https://mvnrepository.com/artifact/org.apache.httpcomponents.core5/httpcore5
     implementation group: 'org.apache.httpcomponents.core5', name: 'httpcore5', version: "5.2.2"
-    implementation group: 'com.google.guava', name: 'guava', version: '32.1.2-jre'
+    implementation (group: 'com.google.guava', name: 'guava', version: '32.1.2-jre') {
+	exclude group: 'com.google.errorprone', module: 'error_prone_annotations'
+    }
     implementation group: 'org.json', name: 'json', version: '20231013'
     implementation group: 'org.apache.commons', name: 'commons-text', version: '1.10.0'
     testImplementation "org.opensearch.test:framework:${opensearch_version}"