Upgrade lib to address snyk + consolidate constraints (#1172)

annotationProcessor/build.gradle

@@ -8,13 +8,6 @@ plugins {
 
 sourceCompatibility = JavaVersion.VERSION_17
 
-
-dependencyManagement {
-    dependencies {
-        dependency "org.apache.tomcat.embed:tomcat-embed-core:${vApacheTomcat}"
-    }
-}
-
 dependencies {
     implementation project(':underlay')
     implementation project(':service')

annotationProcessor/gradle.lockfile

@@ -200,19 +200,8 @@ io.kubernetes:client-java-proto:21.0.2=productionRuntimeClasspath,runtimeClasspa
 io.kubernetes:client-java:21.0.2=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.micrometer:micrometer-commons:1.13.8=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.micrometer:micrometer-observation:1.13.8=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-buffer:4.1.115.Final=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-codec-http2:4.1.115.Final=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-codec-http:4.1.115.Final=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-codec-socks:4.1.115.Final=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-codec:4.1.115.Final=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-common:4.1.115.Final=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-handler-proxy:4.1.115.Final=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-handler:4.1.115.Final=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-resolver:4.1.115.Final=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-tcnative-boringssl-static:2.0.69.Final=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-tcnative-classes:2.0.69.Final=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-transport-native-unix-common:4.1.115.Final=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-transport:4.1.115.Final=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
+io.netty:netty-buffer:4.1.118.Final=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
+io.netty:netty-common:4.1.118.Final=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.opencensus:opencensus-api:0.31.1=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.opencensus:opencensus-contrib-exemplar-util:0.31.0=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.opencensus:opencensus-contrib-grpc-metrics:0.31.1=productionRuntimeClasspath,runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath

build.gradle

@@ -7,7 +7,7 @@ buildscript {
         vGoogleProtobuf = '0.9.4'
 
         // library versions - constraints to address vulns
-        vIoNetty = '4.1.115.Final'
+        vIoNetty = '4.1.118.Final'
         vIoNettyNative = '2.0.69.Final'
         vLogback = '1.5.15'
 

buildSrc/src/main/groovy/tanagra.java-conventions.gradle

@@ -60,6 +60,20 @@ dependencyManagement {
         // addresses security vulnerabilities
         dependency "ch.qos.logback:logback-classic:${vLogback}"
         dependency "ch.qos.logback:logback-core:${vLogback}"
+        dependency "org.apache.tomcat.embed:tomcat-embed-core:${vApacheTomcat}"
+        dependency "io.swagger.core.v3:swagger-annotations:${vSwaggerAnnotations}"
+        dependency "io.swagger.codegen.v3:swagger-codegen-cli:${vSwaggerCodegen}"
+        dependency "io.netty:netty-buffer:${vIoNetty}"
+        dependency "io.netty:netty-common:${vIoNetty}"
+        dependency "io.netty:netty-codec-http2:${vIoNetty}"
+        dependency "io.netty:netty-codec-socks:${vIoNetty}"
+        dependency "io.netty:netty-handler-proxy:${vIoNetty}"
+        dependency "io.netty:netty-tcnative-boringssl-static:${vIoNettyNative}"
+        dependency "io.netty:netty-tcnative-classes:${vIoNettyNative}"
+
+        dependency 'org.apache.commons:commons-compress:1.26.2'
+        dependency 'org.apache.avro:avro:1.11.4'
+        dependency 'com.charleskorn.kaml:kaml:0.60.0'
         dependency 'org.jetbrains.kotlin:kotlin-stdlib:2.1.0'
     }
 }

client/build.gradle

@@ -1,11 +1,8 @@
-import org.springframework.boot.gradle.plugin.SpringBootPlugin
-
 plugins {
     id 'java-library'
     id 'maven-publish'
 
     id 'com.jfrog.artifactory' version '5.2.2'
-    id 'io.spring.dependency-management'
     id 'org.springframework.boot' version "${vSpringBoot}"
     id 'org.hidetake.swagger.generator' version "${vHidetakeSwagger}"
 }
@@ -30,16 +27,6 @@ javadoc {
     options.addStringOption('Xdoclint:none', '-quiet')
 }
 
-dependencyManagement {
-    imports {
-        mavenBom SpringBootPlugin.BOM_COORDINATES
-    }
-    dependencies {
-        dependency "io.swagger.core.v3:swagger-annotations:${vSwaggerAnnotations}"
-        dependency "io.swagger.codegen.v3:swagger-codegen-cli:${vSwaggerCodegen}"
-    }
-}
-
 dependencies {
     implementation "io.swagger.core.v3:swagger-annotations:${vSwaggerAnnotations}"
     swaggerCodegen "io.swagger.codegen.v3:swagger-codegen-cli:${vSwaggerCodegen}"

indexer/build.gradle

@@ -10,20 +10,6 @@ ext {
 }
 
 dependencies {
-    // added to address snyk warnings
-    constraints {
-        implementation 'org.apache.commons:commons-compress:1.26.2'
-        implementation "io.netty:netty-codec-http2:${vIoNetty}"
-        implementation 'org.apache.avro:avro:1.11.4'
-        runtimeOnly 'com.charleskorn.kaml:kaml:0.60.0'
-
-        // added to use same netty versions across subprojects
-        implementation "io.netty:netty-codec-socks:${vIoNetty}"
-        implementation "io.netty:netty-handler-proxy:${vIoNetty}"
-        implementation "io.netty:netty-tcnative-boringssl-static:${vIoNettyNative}"
-        implementation "io.netty:netty-tcnative-classes:${vIoNettyNative}"
-    }
-
     implementation project(':underlay')
     testImplementation(testFixtures(project(':underlay')))
 

indexer/gradle.lockfile

@@ -169,19 +169,19 @@ io.grpc:grpc-services:1.67.1=compileClasspath,runtimeClasspath,testCompileClassp
 io.grpc:grpc-stub:1.67.1=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.grpc:grpc-util:1.67.1=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.grpc:grpc-xds:1.67.1=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-buffer:4.1.115.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-codec-http2:4.1.115.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-codec-http:4.1.115.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-codec-socks:4.1.115.Final=runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-codec:4.1.115.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-common:4.1.115.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-handler-proxy:4.1.115.Final=runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-handler:4.1.115.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-resolver:4.1.115.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
+io.netty:netty-buffer:4.1.118.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
+io.netty:netty-codec-http2:4.1.118.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
+io.netty:netty-codec-http:4.1.118.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
+io.netty:netty-codec-socks:4.1.118.Final=runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
+io.netty:netty-codec:4.1.118.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
+io.netty:netty-common:4.1.118.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
+io.netty:netty-handler-proxy:4.1.118.Final=runtimeClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
+io.netty:netty-handler:4.1.118.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
+io.netty:netty-resolver:4.1.118.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.netty:netty-tcnative-boringssl-static:2.0.69.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.netty:netty-tcnative-classes:2.0.69.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-transport-native-unix-common:4.1.115.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-transport:4.1.115.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
+io.netty:netty-transport-native-unix-common:4.1.118.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
+io.netty:netty-transport:4.1.118.Final=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.opencensus:opencensus-api:0.31.1=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.opencensus:opencensus-contrib-exemplar-util:0.31.0=compileClasspath,runtimeClasspath,testCompileClasspath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.opencensus:opencensus-contrib-grpc-metrics:0.31.0=compileClasspath,testCompileClasspath

service/build.gradle

@@ -21,17 +21,12 @@ dependencyManagement {
     imports {
         mavenBom SpringBootPlugin.BOM_COORDINATES
     }
-    dependencies {
-        dependency "io.swagger.core.v3:swagger-annotations:${vSwaggerAnnotations}"
-        dependency "io.swagger.codegen.v3:swagger-codegen-cli:${vSwaggerCodegen}"
-
-        // added to address snyk vulnerability
-        dependency "org.apache.tomcat.embed:tomcat-embed-core:${vApacheTomcat}"
-    }
 }
 
 dependencies {
-    implementation project(':indexer')
+    implementation(project(':indexer')) {
+        exclude group: 'io.netty'
+    }
     implementation project(':underlay')
     testImplementation(testFixtures(project(":underlay")))
 

service/gradle.lockfile

@@ -208,19 +208,8 @@ io.kubernetes:client-java-proto:21.0.2=compileProtoPath,productionRuntimeClasspa
 io.kubernetes:client-java:21.0.2=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.micrometer:micrometer-commons:1.13.8=compileClasspath,compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.micrometer:micrometer-observation:1.13.8=compileClasspath,compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-buffer:4.1.115.Final=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-codec-http2:4.1.115.Final=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-codec-http:4.1.115.Final=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-codec-socks:4.1.115.Final=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-codec:4.1.115.Final=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-common:4.1.115.Final=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-handler-proxy:4.1.115.Final=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-handler:4.1.115.Final=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-resolver:4.1.115.Final=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-tcnative-boringssl-static:2.0.69.Final=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-tcnative-classes:2.0.69.Final=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-transport-native-unix-common:4.1.115.Final=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-transport:4.1.115.Final=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
+io.netty:netty-buffer:4.1.118.Final=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
+io.netty:netty-common:4.1.118.Final=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.opencensus:opencensus-api:0.31.1=compileClasspath,compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.opencensus:opencensus-contrib-exemplar-util:0.31.0=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.opencensus:opencensus-contrib-grpc-metrics:0.31.1=compileProtoPath,productionRuntimeClasspath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath

underlay/build.gradle

@@ -6,12 +6,6 @@ plugins {
 sourceCompatibility = JavaVersion.VERSION_17
 
 dependencies {
-    // added to address snyk warnings
-    constraints {
-        implementation "io.netty:netty-buffer:${vIoNetty}"
-        implementation "io.netty:netty-common:${vIoNetty}"
-    }
-
     implementation "com.fasterxml.jackson.core:jackson-core:${vJackson}"
     implementation "com.fasterxml.jackson.datatype:jackson-datatype-jsr310:${vJackson}"
     implementation 'jakarta.annotation:jakarta.annotation-api:3.0.0'

underlay/gradle.lockfile

@@ -98,8 +98,8 @@ io.grpc:grpc-services:1.67.1=compileProtoPath,runtimeClasspath,testCompileProtoP
 io.grpc:grpc-stub:1.67.1=compileClasspath,compileProtoPath,runtimeClasspath,testCompileClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.grpc:grpc-util:1.67.1=compileClasspath,compileProtoPath,runtimeClasspath,testCompileClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.grpc:grpc-xds:1.67.1=compileProtoPath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-buffer:4.1.115.Final=compileProtoPath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
-io.netty:netty-common:4.1.115.Final=compileProtoPath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
+io.netty:netty-buffer:4.1.118.Final=compileProtoPath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
+io.netty:netty-common:4.1.118.Final=compileProtoPath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.opencensus:opencensus-api:0.31.1=compileClasspath,compileProtoPath,runtimeClasspath,testCompileClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.opencensus:opencensus-contrib-http-util:0.31.1=compileClasspath,compileProtoPath,runtimeClasspath,testCompileClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath
 io.opencensus:opencensus-proto:0.2.0=compileProtoPath,runtimeClasspath,testCompileProtoPath,testFixturesCompileProtoPath,testFixturesRuntimeClasspath,testRuntimeClasspath