Fix 79 component governance security alerts from low to critical (#1646)

heyams · web-flow · commit c34600234054 · 2021-04-23T16:39:03.000-07:00
* Invoke gradle task prepare to generate source, javadoc, pom.jar

* Delete unused component which was flagged as a security vulnerability by Component Governance

* Use the same version of guava to fix security vulnerability

* Upgrade commons-codec

* Upgrade commons-io to 2.7

* Upgrade com.azure:azure-storage-blob to 12.11.0-beta.3
diff --git a/agent/agent-gc-monitor/gc-monitor-api/gradle/dependency-locks/compileClasspath.lockfile b/agent/agent-gc-monitor/gc-monitor-api/gradle/dependency-locks/compileClasspath.lockfile
@@ -0,0 +1,4 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+org.slf4j:slf4j-api:1.7.26
diff --git a/agent/agent-gc-monitor/gc-monitor-api/gradle/dependency-locks/runtimeClasspath.lockfile b/agent/agent-gc-monitor/gc-monitor-api/gradle/dependency-locks/runtimeClasspath.lockfile
@@ -1,5 +1,4 @@
-# This is a Gradle generated file for dependency locking.
-# Manual edits can break the build and are not advised.
-# This file is expected to be part of source control.
-commons-io:commons-io:2.6
-org.apache.commons:commons-lang3:3.7
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+org.slf4j:slf4j-api:1.7.26
diff --git a/agent/agent-gc-monitor/gc-monitor-core/gradle/dependency-locks/compileClasspath.lockfile b/agent/agent-gc-monitor/gc-monitor-core/gradle/dependency-locks/compileClasspath.lockfile
@@ -0,0 +1,4 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+org.slf4j:slf4j-api:1.7.26
diff --git a/agent/agent-gc-monitor/gc-monitor-core/gradle/dependency-locks/runtimeClasspath.lockfile b/agent/agent-gc-monitor/gc-monitor-core/gradle/dependency-locks/runtimeClasspath.lockfile
@@ -0,0 +1,4 @@
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+org.slf4j:slf4j-api:1.7.26
diff --git a/agent/agent-profiler/agent-service-profiler/gradle/dependency-locks/compileClasspath.lockfile b/agent/agent-profiler/agent-service-profiler/gradle/dependency-locks/compileClasspath.lockfile
@@ -1,43 +1,43 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-com.azure:azure-core-http-netty:1.9.0
-com.azure:azure-core:1.14.1
-com.azure:azure-storage-blob:12.11.0-beta.2
-com.azure:azure-storage-common:12.11.0-beta.2
-com.azure:azure-storage-internal-avro:12.0.3-beta.2
-com.fasterxml.jackson.core:jackson-annotations:2.12.1
-com.fasterxml.jackson.core:jackson-core:2.12.1
-com.fasterxml.jackson.core:jackson-databind:2.12.1
-com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.12.1
-com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.12.1
-com.fasterxml.jackson.module:jackson-module-jaxb-annotations:2.12.1
-com.fasterxml.jackson:jackson-bom:2.12.1
-com.fasterxml.woodstox:woodstox-core:6.2.3
+com.azure:azure-core-http-netty:1.9.1
+com.azure:azure-core:1.15.0
+com.azure:azure-storage-blob:12.11.0-beta.3
+com.azure:azure-storage-common:12.11.0-beta.3
+com.azure:azure-storage-internal-avro:12.0.3-beta.3
+com.fasterxml.jackson.core:jackson-annotations:2.12.2
+com.fasterxml.jackson.core:jackson-core:2.12.2
+com.fasterxml.jackson.core:jackson-databind:2.12.2
+com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.12.2
+com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.12.2
+com.fasterxml.jackson.module:jackson-module-jaxb-annotations:2.12.2
+com.fasterxml.jackson:jackson-bom:2.12.2
+com.fasterxml.woodstox:woodstox-core:6.2.4
 com.microsoft.jfr:jfr-streaming:1.0.0
 com.microsoft.rest.v2:client-runtime:2.1.1
 com.squareup.moshi:moshi-adapters:1.9.3
 com.squareup.moshi:moshi:1.9.3
 com.squareup.okio:okio:1.16.0
 commons-codec:commons-codec:1.11
 commons-logging:commons-logging:1.2
-io.netty:netty-buffer:4.1.59.Final
+io.netty:netty-buffer:4.1.60.Final
 io.netty:netty-codec-dns:4.1.59.Final
-io.netty:netty-codec-http2:4.1.59.Final
-io.netty:netty-codec-http:4.1.59.Final
-io.netty:netty-codec-socks:4.1.59.Final
-io.netty:netty-codec:4.1.59.Final
-io.netty:netty-common:4.1.59.Final
-io.netty:netty-handler-proxy:4.1.59.Final
-io.netty:netty-handler:4.1.59.Final
+io.netty:netty-codec-http2:4.1.60.Final
+io.netty:netty-codec-http:4.1.60.Final
+io.netty:netty-codec-socks:4.1.60.Final
+io.netty:netty-codec:4.1.60.Final
+io.netty:netty-common:4.1.60.Final
+io.netty:netty-handler-proxy:4.1.60.Final
+io.netty:netty-handler:4.1.60.Final
 io.netty:netty-resolver-dns-native-macos:4.1.59.Final
 io.netty:netty-resolver-dns:4.1.59.Final
-io.netty:netty-resolver:4.1.59.Final
+io.netty:netty-resolver:4.1.60.Final
 io.netty:netty-tcnative-boringssl-static:2.0.36.Final
-io.netty:netty-transport-native-epoll:4.1.59.Final
-io.netty:netty-transport-native-kqueue:4.1.59.Final
-io.netty:netty-transport-native-unix-common:4.1.59.Final
-io.netty:netty-transport:4.1.59.Final
+io.netty:netty-transport-native-epoll:4.1.60.Final
+io.netty:netty-transport-native-kqueue:4.1.60.Final
+io.netty:netty-transport-native-unix-common:4.1.60.Final
+io.netty:netty-transport:4.1.60.Final
 io.projectreactor.netty:reactor-netty-core:1.0.4
 io.projectreactor.netty:reactor-netty-http:1.0.4
 io.projectreactor.netty:reactor-netty:1.0.4
diff --git a/agent/agent-profiler/agent-service-profiler/gradle/dependency-locks/runtimeClasspath.lockfile b/agent/agent-profiler/agent-service-profiler/gradle/dependency-locks/runtimeClasspath.lockfile
@@ -1,43 +1,43 @@
 # This is a Gradle generated file for dependency locking.
 # Manual edits can break the build and are not advised.
 # This file is expected to be part of source control.
-com.azure:azure-core-http-netty:1.9.0
-com.azure:azure-core:1.14.1
-com.azure:azure-storage-blob:12.11.0-beta.2
-com.azure:azure-storage-common:12.11.0-beta.2
-com.azure:azure-storage-internal-avro:12.0.3-beta.2
-com.fasterxml.jackson.core:jackson-annotations:2.12.1
-com.fasterxml.jackson.core:jackson-core:2.12.1
-com.fasterxml.jackson.core:jackson-databind:2.12.1
-com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.12.1
-com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.12.1
-com.fasterxml.jackson.module:jackson-module-jaxb-annotations:2.12.1
-com.fasterxml.jackson:jackson-bom:2.12.1
-com.fasterxml.woodstox:woodstox-core:6.2.3
+com.azure:azure-core-http-netty:1.9.1
+com.azure:azure-core:1.15.0
+com.azure:azure-storage-blob:12.11.0-beta.3
+com.azure:azure-storage-common:12.11.0-beta.3
+com.azure:azure-storage-internal-avro:12.0.3-beta.3
+com.fasterxml.jackson.core:jackson-annotations:2.12.2
+com.fasterxml.jackson.core:jackson-core:2.12.2
+com.fasterxml.jackson.core:jackson-databind:2.12.2
+com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.12.2
+com.fasterxml.jackson.datatype:jackson-datatype-jsr310:2.12.2
+com.fasterxml.jackson.module:jackson-module-jaxb-annotations:2.12.2
+com.fasterxml.jackson:jackson-bom:2.12.2
+com.fasterxml.woodstox:woodstox-core:6.2.4
 com.microsoft.jfr:jfr-streaming:1.0.0
 com.microsoft.rest.v2:client-runtime:2.1.1
 com.squareup.moshi:moshi-adapters:1.9.3
 com.squareup.moshi:moshi:1.9.3
 com.squareup.okio:okio:1.16.0
 commons-codec:commons-codec:1.11
 commons-logging:commons-logging:1.2
-io.netty:netty-buffer:4.1.59.Final
+io.netty:netty-buffer:4.1.60.Final
 io.netty:netty-codec-dns:4.1.59.Final
-io.netty:netty-codec-http2:4.1.59.Final
-io.netty:netty-codec-http:4.1.59.Final
-io.netty:netty-codec-socks:4.1.59.Final
-io.netty:netty-codec:4.1.59.Final
-io.netty:netty-common:4.1.59.Final
-io.netty:netty-handler-proxy:4.1.59.Final
-io.netty:netty-handler:4.1.59.Final
+io.netty:netty-codec-http2:4.1.60.Final
+io.netty:netty-codec-http:4.1.60.Final
+io.netty:netty-codec-socks:4.1.60.Final
+io.netty:netty-codec:4.1.60.Final
+io.netty:netty-common:4.1.60.Final
+io.netty:netty-handler-proxy:4.1.60.Final
+io.netty:netty-handler:4.1.60.Final
 io.netty:netty-resolver-dns-native-macos:4.1.59.Final
 io.netty:netty-resolver-dns:4.1.59.Final
-io.netty:netty-resolver:4.1.59.Final
+io.netty:netty-resolver:4.1.60.Final
 io.netty:netty-tcnative-boringssl-static:2.0.36.Final
-io.netty:netty-transport-native-epoll:4.1.59.Final
-io.netty:netty-transport-native-kqueue:4.1.59.Final
-io.netty:netty-transport-native-unix-common:4.1.59.Final
-io.netty:netty-transport:4.1.59.Final
+io.netty:netty-transport-native-epoll:4.1.60.Final
+io.netty:netty-transport-native-kqueue:4.1.60.Final
+io.netty:netty-transport-native-unix-common:4.1.60.Final
+io.netty:netty-transport:4.1.60.Final
 io.projectreactor.netty:reactor-netty-core:1.0.4
 io.projectreactor.netty:reactor-netty-http-brave:1.0.4
 io.projectreactor.netty:reactor-netty-http:1.0.4
diff --git a/agent/agent-tooling/gradle/dependency-locks/compileClasspath.lockfile b/agent/agent-tooling/gradle/dependency-locks/compileClasspath.lockfile
@@ -11,7 +11,7 @@ com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.j2objc:j2objc-annotations:1.3
 com.squareup.moshi:moshi:1.9.3
 com.squareup.okio:okio:1.16.0
-commons-codec:commons-codec:1.11
+commons-codec:commons-codec:1.13
 commons-logging:commons-logging:1.2
 io.opentelemetry.instrumentation:opentelemetry-instrumentation-api-caching:1.0.0+ai.patch.1-alpha
 io.opentelemetry.instrumentation:opentelemetry-instrumentation-api:1.0.0+ai.patch.1-alpha
diff --git a/agent/agent-tooling/gradle/dependency-locks/runtimeClasspath.lockfile b/agent/agent-tooling/gradle/dependency-locks/runtimeClasspath.lockfile
@@ -17,8 +17,8 @@ com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.j2objc:j2objc-annotations:1.3
 com.squareup.moshi:moshi:1.9.3
 com.squareup.okio:okio:1.16.0
-commons-codec:commons-codec:1.11
-commons-io:commons-io:2.6
+commons-codec:commons-codec:1.13
+commons-io:commons-io:2.7
 commons-logging:commons-logging:1.2
 io.opentelemetry.instrumentation:opentelemetry-instrumentation-api-caching:1.0.0+ai.patch.1-alpha
 io.opentelemetry.instrumentation:opentelemetry-instrumentation-api:1.0.0+ai.patch.1-alpha
diff --git a/agent/exporter/gradle/dependency-locks/runtimeClasspath.lockfile b/agent/exporter/gradle/dependency-locks/runtimeClasspath.lockfile
@@ -12,7 +12,7 @@ com.google.j2objc:j2objc-annotations:1.3
 com.squareup.moshi:moshi:1.9.3
 com.squareup.okio:okio:1.16.0
 commons-codec:commons-codec:1.11
-commons-io:commons-io:2.6
+commons-io:commons-io:2.7
 commons-logging:commons-logging:1.2
 io.opentelemetry:opentelemetry-api-metrics:1.0.0-alpha
 io.opentelemetry:opentelemetry-api:1.0.0
diff --git a/agent/instrumentation/gradle/dependency-locks/runtimeClasspath.lockfile b/agent/instrumentation/gradle/dependency-locks/runtimeClasspath.lockfile
@@ -18,8 +18,8 @@ com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
 com.google.j2objc:j2objc-annotations:1.3
 com.squareup.moshi:moshi:1.9.3
 com.squareup.okio:okio:1.16.0
-commons-codec:commons-codec:1.11
-commons-io:commons-io:2.6
+commons-codec:commons-codec:1.13
+commons-io:commons-io:2.7
 commons-logging:commons-logging:1.2
 io.opentelemetry.instrumentation:opentelemetry-grpc-1.5:1.0.0+ai.patch.1-alpha
 io.opentelemetry.instrumentation:opentelemetry-instrumentation-api-caching:1.0.0+ai.patch.1-alpha
diff --git a/azure-application-insights-spring-boot-starter/gradle/dependency-locks/compileClasspath.lockfile b/azure-application-insights-spring-boot-starter/gradle/dependency-locks/compileClasspath.lockfile
diff --git a/core/gradle/dependency-locks/compileClasspath.lockfile b/core/gradle/dependency-locks/compileClasspath.lockfile
@@ -1,24 +1,24 @@
-# This is a Gradle generated file for dependency locking.
-# Manual edits can break the build and are not advised.
-# This file is expected to be part of source control.
-com.github.oshi:oshi-core:5.6.0
-com.google.code.findbugs:jsr305:3.0.2
-com.google.code.gson:gson:2.8.2
-com.google.errorprone:error_prone_annotations:2.5.1
-com.google.guava:failureaccess:1.0.1
-com.google.guava:guava:30.1.1-jre
-com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.j2objc:j2objc-annotations:1.3
-com.squareup.moshi:moshi:1.9.3
-com.squareup.okio:okio:1.16.0
-commons-codec:commons-codec:1.11
-commons-io:commons-io:2.6
-commons-logging:commons-logging:1.2
-net.java.dev.jna:jna-platform:5.7.0
-net.java.dev.jna:jna:5.7.0
-org.apache.commons:commons-lang3:3.11
-org.apache.commons:commons-text:1.9
-org.apache.httpcomponents:httpclient:4.5.13
-org.apache.httpcomponents:httpcore:4.4.13
-org.checkerframework:checker-qual:3.8.0
-org.slf4j:slf4j-api:1.7.30
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+com.github.oshi:oshi-core:5.6.0
+com.google.code.findbugs:jsr305:3.0.2
+com.google.code.gson:gson:2.8.2
+com.google.errorprone:error_prone_annotations:2.5.1
+com.google.guava:failureaccess:1.0.1
+com.google.guava:guava:30.1.1-jre
+com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
+com.google.j2objc:j2objc-annotations:1.3
+com.squareup.moshi:moshi:1.9.3
+com.squareup.okio:okio:1.16.0
+commons-codec:commons-codec:1.11
+commons-io:commons-io:2.7
+commons-logging:commons-logging:1.2
+net.java.dev.jna:jna-platform:5.7.0
+net.java.dev.jna:jna:5.7.0
+org.apache.commons:commons-lang3:3.11
+org.apache.commons:commons-text:1.9
+org.apache.httpcomponents:httpclient:4.5.13
+org.apache.httpcomponents:httpcore:4.4.13
+org.checkerframework:checker-qual:3.8.0
+org.slf4j:slf4j-api:1.7.30
diff --git a/core/gradle/dependency-locks/runtimeClasspath.lockfile b/core/gradle/dependency-locks/runtimeClasspath.lockfile
@@ -1,24 +1,24 @@
-# This is a Gradle generated file for dependency locking.
-# Manual edits can break the build and are not advised.
-# This file is expected to be part of source control.
-com.github.oshi:oshi-core:5.6.0
-com.google.code.findbugs:jsr305:3.0.2
-com.google.code.gson:gson:2.8.2
-com.google.errorprone:error_prone_annotations:2.5.1
-com.google.guava:failureaccess:1.0.1
-com.google.guava:guava:30.1.1-jre
-com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
-com.google.j2objc:j2objc-annotations:1.3
-com.squareup.moshi:moshi:1.9.3
-com.squareup.okio:okio:1.16.0
-commons-codec:commons-codec:1.11
-commons-io:commons-io:2.6
-commons-logging:commons-logging:1.2
-net.java.dev.jna:jna-platform:5.7.0
-net.java.dev.jna:jna:5.7.0
-org.apache.commons:commons-lang3:3.11
-org.apache.commons:commons-text:1.9
-org.apache.httpcomponents:httpclient:4.5.13
-org.apache.httpcomponents:httpcore:4.4.13
-org.checkerframework:checker-qual:3.8.0
-org.slf4j:slf4j-api:1.7.30
+# This is a Gradle generated file for dependency locking.
+# Manual edits can break the build and are not advised.
+# This file is expected to be part of source control.
+com.github.oshi:oshi-core:5.6.0
+com.google.code.findbugs:jsr305:3.0.2
+com.google.code.gson:gson:2.8.2
+com.google.errorprone:error_prone_annotations:2.5.1
+com.google.guava:failureaccess:1.0.1
+com.google.guava:guava:30.1.1-jre
+com.google.guava:listenablefuture:9999.0-empty-to-avoid-conflict-with-guava
+com.google.j2objc:j2objc-annotations:1.3
+com.squareup.moshi:moshi:1.9.3
+com.squareup.okio:okio:1.16.0
+commons-codec:commons-codec:1.11
+commons-io:commons-io:2.7
+commons-logging:commons-logging:1.2
+net.java.dev.jna:jna-platform:5.7.0
+net.java.dev.jna:jna:5.7.0
+org.apache.commons:commons-lang3:3.11
+org.apache.commons:commons-text:1.9
+org.apache.httpcomponents:httpclient:4.5.13
+org.apache.httpcomponents:httpcore:4.4.13
+org.checkerframework:checker-qual:3.8.0
+org.slf4j:slf4j-api:1.7.30
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
@@ -21,7 +21,7 @@ ext {
 
             oshi                             : "5.6.0",
 
-            azureStorageBlob                 : "12.11.0-beta.2",
+            azureStorageBlob                 : "12.11.0-beta.3",
             azureClientRuntime               : "2.1.1",
             microsoftJfrStreaming            : "1.0.0",
 
@@ -30,9 +30,9 @@ ext {
 
             // TODO remove dependencies on apache commons
             commonsLang                      : "3.7",
-            commonsIo                        : "2.6",
+            commonsIo                        : "2.7",
             commonsText                      : "1.9",
-            commonsCodec                     : "1.11",
+            commonsCodec                     : "1.13",
 
             // TODO update to JUnit 5
             junit                            : "4.12",
diff --git a/test/smoke/testApps/Cassandra/build.gradle b/test/smoke/testApps/Cassandra/build.gradle
@@ -2,7 +2,7 @@ apply plugin: 'war'
 
 dependencies {
     implementation group: 'com.datastax.cassandra', name: 'cassandra-driver-core', version: '3.8.0'
-    implementation group: 'com.google.guava', name: 'guava', version: '27.1-android'
+    implementation group: 'com.google.guava', name: 'guava', version: versions.guava
 
     compileOnly 'javax.servlet:javax.servlet-api:3.0.1'
 }
diff --git a/test/smoke/testApps/HeartBeat/build.gradle b/test/smoke/testApps/HeartBeat/build.gradle
@@ -1,11 +1,11 @@
 apply plugin: 'war'
 
 dependencies {
-    implementation 'com.google.guava:guava:20.0'
+    implementation "com.google.guava:guava:${versions.guava}"
 
     compileOnly 'javax.servlet:javax.servlet-api:3.0.1'
 
-    smokeTestImplementation 'com.google.guava:guava:23.0'
+    smokeTestImplementation "com.google.guava:guava:${versions.guava}"
 
     testImplementation 'com.google.guava:guava:23.0' // VSCODE intellisense bug workaround
 }
diff --git a/test/smoke/testApps/SpringBootTest/build.gradle b/test/smoke/testApps/SpringBootTest/build.gradle
@@ -13,7 +13,7 @@ apply plugin: 'org.springframework.boot'
 
 dependencies {
     implementation springBootStarterJar
-    implementation 'com.google.guava:guava:27.1-android'
+    implementation "com.google.guava:guava:${versions.guava}"
     implementation (group: 'org.springframework.boot', name: 'spring-boot-starter-web', version: '2.1.7.RELEASE') {
         exclude group: 'org.springframework.boot', module: 'spring-boot-starter-tomcat'
     }
