Bump json-smart from 2.4.8 to 2.4.9 (#2979)

Fixes CVE-2023-1370 --------- Co-authored-by: Jean Bisutti <[email protected]> Co-authored-by: github-actions[bot] <github-action[bot]@users.noreply.github.com>
microsoft · Mar 27, 2023 · 1f7a1b6 · 1f7a1b6
1 parent eb8f7c4
commit 1f7a1b6
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 10 deletions.
diff --git a/agent/agent-bootstrap/gradle.lockfile b/agent/agent-bootstrap/gradle.lockfile
@@ -3,8 +3,8 @@
 # This file is expected to be part of source control.
 ch.qos.logback.contrib:logback-json-classic:0.1.5=runtimeClasspath
 ch.qos.logback.contrib:logback-json-core:0.1.5=runtimeClasspath
-ch.qos.logback:logback-classic:1.2.11=runtimeClasspath
-ch.qos.logback:logback-core:1.2.11=runtimeClasspath
+ch.qos.logback:logback-classic:1.2.12=runtimeClasspath
+ch.qos.logback:logback-core:1.2.12=runtimeClasspath
 com.azure:azure-sdk-bom:1.2.11=runtimeClasspath
 com.fasterxml.jackson:jackson-bom:2.14.2=runtimeClasspath
 com.google.guava:guava-bom:31.1-jre=runtimeClasspath

diff --git a/agent/agent-tooling/gradle.lockfile b/agent/agent-tooling/gradle.lockfile
@@ -59,8 +59,8 @@ io.projectreactor.netty:reactor-netty-http:1.1.5=runtimeClasspath
 io.projectreactor:reactor-core:3.5.4=runtimeClasspath
 net.java.dev.jna:jna-platform:5.13.0=runtimeClasspath
 net.java.dev.jna:jna:5.13.0=runtimeClasspath
-net.minidev:accessors-smart:2.4.8=runtimeClasspath
-net.minidev:json-smart:2.4.8=runtimeClasspath
+net.minidev:accessors-smart:2.4.9=runtimeClasspath
+net.minidev:json-smart:2.4.9=runtimeClasspath
 org.apache.commons:commons-lang3:3.12.0=runtimeClasspath
 org.apache.commons:commons-text:1.10.0=runtimeClasspath
 org.junit:junit-bom:5.9.2=runtimeClasspath

diff --git a/agent/azure-monitor-exporter/build.gradle.kts b/agent/azure-monitor-exporter/build.gradle.kts
@@ -19,6 +19,12 @@ dependencies {
   implementation("com.azure:azure-core")
   implementation("com.azure:azure-identity")
 
+  // CVE-2023-1370 - https://github.com/advisories/GHSA-493p-pfq6-5258
+  // Transitive dependency: json-smart -> com.microsoft.azure:msal4j:1.13.5 ->  com.azure:azure-identity
+  // -> azure-monitor-exporter
+  // upstream fix: https://github.com/AzureAD/microsoft-authentication-library-for-java/pull/612
+  implementation("net.minidev:json-smart:2.4.9")
+
   compileOnly("io.opentelemetry:opentelemetry-sdk")
   compileOnly("io.opentelemetry:opentelemetry-sdk-metrics")
   compileOnly("io.opentelemetry:opentelemetry-sdk-logs")

diff --git a/agent/azure-monitor-exporter/gradle.lockfile b/agent/azure-monitor-exporter/gradle.lockfile
@@ -49,10 +49,10 @@ io.projectreactor.netty:reactor-netty-http:1.1.5=runtimeClasspath
 io.projectreactor:reactor-core:3.5.4=runtimeClasspath
 net.java.dev.jna:jna-platform:5.6.0=runtimeClasspath
 net.java.dev.jna:jna:5.6.0=runtimeClasspath
-net.minidev:accessors-smart:2.4.8=runtimeClasspath
-net.minidev:json-smart:2.4.8=runtimeClasspath
+net.minidev:accessors-smart:2.4.9=runtimeClasspath
+net.minidev:json-smart:2.4.9=runtimeClasspath
 org.junit:junit-bom:5.9.2=runtimeClasspath
-org.ow2.asm:asm:9.1=runtimeClasspath
+org.ow2.asm:asm:9.3=runtimeClasspath
 org.reactivestreams:reactive-streams:1.0.4=runtimeClasspath
 org.slf4j:slf4j-api:1.7.36=runtimeClasspath
 org.testcontainers:testcontainers-bom:1.17.6=runtimeClasspath

diff --git a/licenses/more-licenses.md b/licenses/more-licenses.md
@@ -1,7 +1,7 @@
 
 #agent
 ##Dependency License Report
-_2023-03-24 04:32:06 UTC_
+_2023-03-27 10:28:49 UTC_
 ## Apache License, Version 2.0
 
 **1** **Group:** `com.fasterxml.jackson.core` **Name:** `jackson-annotations` **Version:** `2.14.2` 
@@ -210,12 +210,12 @@ _2023-03-24 04:32:06 UTC_
 > - **POM License**: GNU LESSER GENERAL PUBLIC LICENSE, Version 2.1 - [https://www.gnu.org/licenses/lgpl-2.1](https://www.gnu.org/licenses/lgpl-2.1)
 > - **Embedded license files**: [jna-platform-5.13.0.jar/META-INF/LICENSE](jna-platform-5.13.0.jar/META-INF/LICENSE)
 
-**41** **Group:** `net.minidev` **Name:** `accessors-smart` **Version:** `2.4.8` 
+**41** **Group:** `net.minidev` **Name:** `accessors-smart` **Version:** `2.4.9` 
 > - **Project URL**: [https://urielch.github.io/](https://urielch.github.io/)
 > - **Manifest License**: Apache License, Version 2.0 (Not Packaged)
 > - **POM License**: Apache License, Version 2.0 - [http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0)
 
-**42** **Group:** `net.minidev` **Name:** `json-smart` **Version:** `2.4.8` 
+**42** **Group:** `net.minidev` **Name:** `json-smart` **Version:** `2.4.9` 
 > - **Project URL**: [https://urielch.github.io/](https://urielch.github.io/)
 > - **Manifest License**: Apache License, Version 2.0 (Not Packaged)
 > - **POM License**: Apache License, Version 2.0 - [http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0)