From f04fc9b8e53bc846e8880f1964740d0e0ad538a0 Mon Sep 17 00:00:00 2001
From: Victor Barua
Date: Thu, 13 Feb 2025 15:21:43 -0800
Subject: [PATCH] build: bump json-smart (#329)
---
 isthmus/build.gradle.kts | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/isthmus/build.gradle.kts b/isthmus/build.gradle.kts
index 820467242..09ac023e6 100644
--- a/isthmus/build.gradle.kts
+++ b/isthmus/build.gradle.kts
@@ -81,6 +81,10 @@ val PROTOBUF_VERSION = properties.get("protobuf.version")
 dependencies {
 implementation(project(":core"))
 implementation("org.apache.calcite:calcite-core:${CALCITE_VERSION}")
+ // calcite-core 1.37.0 brings in net.minidev:json-smart:2.5.0 which has a CVE associated with it.
+ // See: https://osv.dev/vulnerability/GHSA-pq2g-wx69-c263
+ // This causes the build to fail. Pull in the fixed version until Calcite is updated
+ implementation("net.minidev:json-smart:2.5.2")
 implementation("org.apache.calcite:calcite-server:${CALCITE_VERSION}")
 testImplementation("org.junit.jupiter:junit-jupiter:${JUNIT_VERSION}")
 implementation("org.reflections:reflections:0.9.12")
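Review bot: The added `implementation("net.minidev:json-smart:2.5.2")` makes json-smart a first-level dependency of isthmus, so it stays on the classpath, and in the published metadata if this module is published, even after Calcite stops pulling it in. A dependency constraint states the intent more precisely, because it only takes effect while json-smart is actually in the graph: `constraints { implementation("net.minidev:json-smart:2.5.2") { because("GHSA-pq2g-wx69-c263 in 2.5.0 via calcite-core") } }`. The override also covers only this module's configurations; any other module that resolves calcite-core would presumably still get 2.5.0, which a `dependencyInsight` run on json-smart per module would confirm. The comment hard-codes calcite-core 1.37.0 while the coordinate uses `${CALCITE_VERSION}`, so it will go stale on the next Calcite bump. The `dependencies` block continues past the end of the hunk.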