Update dependencies to fix CVE-2024-7254, CVE-2024-36114 & CVE-2024-53990 (#107)

* deps: Update dependencies to fix CVE-2024-7254, CVE-2024-36114 & CVE-2024-53990

* Add explanation comment and scope.

* Remove the runtime scope for protobuf & async-http-client

* CI fix & remove unwanted exclusion

* Updated confluent/kafka image version to use 7.8.2 as the latest(7.9.0) is not supported yet.

---------

Co-authored-by: mallasandeep <[email protected]>

Author: ganesh-ctds

ci/init_hydra_oauth_server.sh

@@ -33,7 +33,7 @@ wait_for_url() {
 }
 
 # Start hydra server
-docker-compose -f ci/hydra/docker-compose.yml up -d
+docker compose -f ci/hydra/docker-compose.yml up -d
 
 # Wait until the hydra server started
 wait_for_url "http://localhost:4445/clients" "Waiting for Hydra admin REST to start"

pom.xml

@@ -68,7 +68,9 @@
     <fusionauth-jwt.version>5.2.1</fusionauth-jwt.version>
     <snakeyaml.version>2.0</snakeyaml.version>
     <zstd-jni.version>1.5.2-4</zstd-jni.version>
-
+    <asynchttpclient.version>2.12.4</asynchttpclient.version>
+    <aircompressor.version>0.27</aircompressor.version>
+    <protobuf.version>3.25.5</protobuf.version>
     <!-- plugin dependencies -->
     <license-maven-plugin.version>3.0.rc1</license-maven-plugin.version>
     <maven-checkstyle-plugin.version>3.1.1</maven-checkstyle-plugin.version>
@@ -126,7 +128,25 @@
         <artifactId>kafka-clients</artifactId>
         <version>${kafka.version}</version>
       </dependency>
-
+      <!-- Override transitive dependency version to fix vulnerability -->
+      <dependency>
+        <groupId>io.airlift</groupId>
+        <artifactId>aircompressor</artifactId>
+        <version>${aircompressor.version}</version>
+        <scope>runtime</scope>
+      </dependency>
+      <!-- Override transitive dependency version to fix vulnerability -->
+      <dependency>
+        <groupId>com.google.protobuf</groupId>
+        <artifactId>protobuf-java</artifactId>
+        <version>${protobuf.version}</version>
+      </dependency>
+      <!-- Override transitive dependency version to fix vulnerability -->
+      <dependency>
+        <groupId>org.asynchttpclient</groupId>
+        <artifactId>async-http-client</artifactId>
+        <version>${asynchttpclient.version}</version>
+      </dependency>
       <dependency>
         <groupId>${pulsar.group.id}</groupId>
         <artifactId>pulsar-broker</artifactId>

tests/src/test/java/io/streamnative/pulsar/handlers/kop/docker/DockerTest.java

@@ -30,8 +30,8 @@ public class DockerTest {
 
     private static final String IMAGE_LUNASTREAMING31 = "datastax/lunastreaming:3.1";
     private static final String IMAGE_PULSAR31 = "apachepulsar/pulsar:3.1.1";
-    private static final String CONFLUENT_CLIENT = "confluentinc/cp-kafka:latest";
-    private static final String CONFLUENT_SCHEMAREGISTRY_CLIENT = "confluentinc/cp-schema-registry:latest";
+    private static final String CONFLUENT_CLIENT = "confluentinc/cp-kafka:7.8.2";
+    private static final String CONFLUENT_SCHEMAREGISTRY_CLIENT = "confluentinc/cp-schema-registry:7.8.2";
 
     @Test
     public void test() throws Exception {