From ac54786822e049808866ca06c2bb88ded6ea9762 Mon Sep 17 00:00:00 2001
From: Rob Rudin
Date: Mon, 29 Sep 2025 16:16:12 -0400
Subject: [PATCH] MLE-24494 Bumped zookeeper to 3.9.4 This only affects the tests, as the connector doesn't include zookeeper
---
 build.gradle | 19 --------------
 marklogic-spark-connector/build.gradle | 35 +++++++++++++++++++++++---
 2 files changed, 31 insertions(+), 23 deletions(-)
diff --git a/build.gradle b/build.gradle
index eb3c80d1..6d5fee03 100644
--- a/build.gradle
+++ b/build.gradle
@@ -40,25 +40,6 @@ subprojects {
 }
 }
- configurations.all {
- resolutionStrategy.eachDependency { DependencyResolveDetails details ->
- // These all impact Spark and its dependencies, but not the published connector as the connector does not contain
- // any Spark libraries.
- if (details.requested.group.equals("org.apache.hadoop") and details.requested.version.equals("3.4.1")) {
- details.useVersion "3.4.2"
- details.because "Using 3.4.2 to minimize CVEs and because Flux is doing the same thing."
- }
- if (details.requested.group.equals("org.codehaus.janino")) {
- details.useVersion "3.1.12"
- details.because "Bumping from 3.1.9 (what Spark SQL 4.0.1 depends on) to 3.1.12 to minimize CVEs."
- }
- if (details.requested.group.equals("io.netty") and details.requested.version.startsWith("4.1.1")) {
- details.useVersion "4.1.127.Final"
- details.because "Bumping from 4.1.118 (what Spark SQL 4.0.1 depends on) to 4.1.127 to minimize CVEs."
- }
- }
- }
-
 test {
 useJUnitPlatform()
 finalizedBy jacocoTestReport
diff --git a/marklogic-spark-connector/build.gradle b/marklogic-spark-connector/build.gradle
index d0ad6558..7d2635f2 100644
--- a/marklogic-spark-connector/build.gradle
+++ b/marklogic-spark-connector/build.gradle
@@ -3,9 +3,36 @@ plugins {
 id 'maven-publish'
 }
+configurations {
+ all {
+ resolutionStrategy.eachDependency { DependencyResolveDetails details ->
+ // These all impact Spark and its dependencies, but not the published connector as the connector does not contain
+ // any Spark libraries.
+ if (details.requested.group.equals("org.apache.hadoop") and details.requested.version.equals("3.4.1")) {
+ details.useVersion "3.4.2"
+ details.because "Using 3.4.2 to minimize CVEs and because Flux is doing the same thing."
+ }
+ if (details.requested.group.equals("org.codehaus.janino")) {
+ details.useVersion "3.1.12"
+ details.because "Bumping from 3.1.9 (what Spark SQL 4.0.1 depends on) to 3.1.12 to minimize CVEs."
+ }
+ if (details.requested.group.equals("io.netty") and details.requested.version.startsWith("4.1.1")) {
+ details.useVersion "4.1.127.Final"
+ details.because "Bumping from 4.1.118 (what Spark SQL 4.0.1 depends on) to 4.1.127 to minimize CVEs."
+ }
+ }
+
+ resolutionStrategy {
+ // Addresses CVE-2025-58457; Spark depends on 3.9.3, and the CVE is fixed in 3.9.4.
+ force "org.apache.zookeeper:zookeeper:3.9.4"
+ }
+ }
+}
+
+
 dependencies {
 // Need to compile against Spark, but its libraries are not part of the connector jar.
- compileOnly ("org.apache.spark:spark-sql_2.13:${sparkVersion}") {
+ compileOnly("org.apache.spark:spark-sql_2.13:${sparkVersion}") {
 // Excluded from Flux for size reasons, so excluded here as well to ensure we don't need it when running tests.
 exclude module: "rocksdbjni"
 }
@@ -53,7 +80,7 @@ dependencies {
 // Needed for some XML operations that are far easier with JDOM2 than with DOM.
 implementation "org.jdom:jdom2:2.0.6.1"
- implementation ("dev.langchain4j:langchain4j:${langchain4jVersion}") {
+ implementation("dev.langchain4j:langchain4j:${langchain4jVersion}") {
 exclude group: "com.fasterxml.jackson.core"
 }
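Review bot: In the `configurations { all { ... } }` block added at the top of marklogic-spark-connector/build.gradle, `force "org.apache.zookeeper:zookeeper:3.9.4"` is unconditional, so it keeps resolving 3.9.4 even after Spark moves to a newer ZooKeeper release and would silently hold back later fixes; the hadoop and netty rules just above it are guarded by the requested version and stop applying on their own. Writing it the same way inside `eachDependency`, `if (details.requested.group.equals("org.apache.zookeeper") && details.requested.version.equals("3.9.3")) { details.useVersion "3.9.4" }` with a `details.because` that names CVE-2025-58457, also puts the reason into `dependencyInsight` output instead of only a build-script comment. The same commit moves the hadoop, janino and netty overrides out of the root `subprojects` block, so any other subproject that resolves Spark would no longer get those pins; the diff does not show whether one exists, so that is worth confirming before merge.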
@@ -67,12 +94,12 @@ dependencies {
 // org.junit.platform.commons.JUnitException: TestEngine with ID 'junit-jupiter' failed to discover tests
 testRuntimeOnly "org.junit.platform:junit-platform-launcher:1.13.4"
- testImplementation ("org.apache.spark:spark-sql_2.13:${sparkVersion}") {
+ testImplementation("org.apache.spark:spark-sql_2.13:${sparkVersion}") {
 exclude module: "rocksdbjni"
 }
 // Supports testing the embedder feature.
- testImplementation ("dev.langchain4j:langchain4j-embeddings-all-minilm-l6-v2:1.5.0-beta11") {
+ testImplementation("dev.langchain4j:langchain4j-embeddings-all-minilm-l6-v2:1.5.0-beta11") {
 exclude group: "com.fasterxml.jackson.core"
 }