Fix Docker Image Java Vulnerabilities (#11623)

* fixed vulnerablity issue * jackson-dataformat --------- Co-authored-by: Himank Mehta <himankmehta@Himanks-MacBook-Air.local> Co-authored-by: Mohit Yadav <105265192+mohityadav766@users.noreply.github.com> Co-authored-by: Sriharsha Chintalapani <harshach@users.noreply.github.com>
2026-01-07 13:07:22 +00:00 · 2023-05-18 05:08:05 +05:30 · 2023-05-18 05:08:05 +05:30 · fb4e7c3c74
commit fb4e7c3c74
parent 9b78f12305
5 changed files with 33 additions and 4 deletions
--- a/openmetadata-service/pom.xml
+++ b/openmetadata-service/pom.xml
@ -165,6 +165,10 @@
          <groupId>com.fasterxml.jackson.dataformat</groupId>
          <artifactId>jackson-dataformat-cbor</artifactId>
        </exclusion>
+        <exclusion>
+          <groupId>org.yaml</groupId>
+          <artifactId>snakeyaml</artifactId>
+        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
@ -328,6 +332,18 @@
      <groupId>com.networknt</groupId>
      <artifactId>json-schema-validator</artifactId>
      <version>${json-schema-validator.version}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>org.yaml</groupId>
+          <artifactId>snakeyaml</artifactId>
+        </exclusion>
+      </exclusions>
+    </dependency>
+
+    <dependency>
+      <groupId>org.yaml</groupId>
+      <artifactId>snakeyaml</artifactId>
+      <version>${snakeyaml.version}</version>
    </dependency>

    <!-- https://mvnrepository.com/artifact/io.jsonwebtoken/jjwt -->
@ -426,12 +442,23 @@
      <groupId>com.onelogin</groupId>
      <artifactId>java-saml</artifactId>
      <version>${java.saml}</version>
+      <exclusions>
+        <exclusion>
+          <groupId>com.fasterxml.woodstox</groupId>
+          <artifactId>woodstox-core</artifactId>
+        </exclusion>
+      </exclusions>
    </dependency>
    <dependency>
      <groupId>org.quartz-scheduler</groupId>
      <artifactId>quartz</artifactId>
      <version>${quartz.version}</version>
    </dependency>
+    <dependency>
+      <groupId>com.fasterxml.woodstox</groupId>
+      <artifactId>woodstox-core</artifactId>
+      <version>${woodstox.version}</version>
+    </dependency>
  </dependencies>

  <profiles>
--- a/openmetadata-service/src/main/java/org/openmetadata/service/elasticsearch/ElasticSearchEventPublisher.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/elasticsearch/ElasticSearchEventPublisher.java
@ -47,8 +47,8 @@ import org.elasticsearch.action.support.WriteRequest;
 import org.elasticsearch.action.update.UpdateRequest;
 import org.elasticsearch.client.RequestOptions;
 import org.elasticsearch.client.RestHighLevelClient;
-import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.xcontent.XContentType;
+import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.index.engine.DocumentMissingException;
 import org.elasticsearch.index.query.BoolQueryBuilder;
 import org.elasticsearch.index.query.QueryBuilders;
--- a/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/DataInsightChartRepository.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/jdbi3/DataInsightChartRepository.java
@ -9,7 +9,7 @@ import java.util.List;
 import java.util.concurrent.TimeUnit;
 import org.elasticsearch.action.search.SearchRequest;
 import org.elasticsearch.action.search.SearchResponse;
-import org.elasticsearch.common.unit.TimeValue;
+import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.index.query.BoolQueryBuilder;
 import org.elasticsearch.index.query.QueryBuilders;
 import org.elasticsearch.index.query.RangeQueryBuilder;
--- a/openmetadata-service/src/main/java/org/openmetadata/service/resources/search/SearchResource.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/resources/search/SearchResource.java
@ -54,11 +54,11 @@ import org.elasticsearch.client.RestHighLevelClient;
 import org.elasticsearch.common.lucene.search.function.CombineFunction;
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.unit.Fuzziness;
-import org.elasticsearch.common.unit.TimeValue;
 import org.elasticsearch.common.xcontent.LoggingDeprecationHandler;
 import org.elasticsearch.common.xcontent.NamedXContentRegistry;
 import org.elasticsearch.common.xcontent.XContentParser;
 import org.elasticsearch.common.xcontent.XContentType;
+import org.elasticsearch.core.TimeValue;
 import org.elasticsearch.index.query.BoolQueryBuilder;
 import org.elasticsearch.index.query.MultiMatchQueryBuilder;
 import org.elasticsearch.index.query.Operator;
--- a/pom.xml
+++ b/pom.xml
@ -108,7 +108,7 @@
    <!--  We need ElasticSearch client to be compatible with both ElasticSearch and AWS OpenSearch
    This compatibility broken in 7.14, so lets keep this version pinned to 7.13.x
     -->
-    <elasticsearch.version>7.13.4</elasticsearch.version>
+    <elasticsearch.version>7.14.0</elasticsearch.version>
    <httpasyncclient.version>4.1.5</httpasyncclient.version>
    <openapiswagger.version>2.2.9</openapiswagger.version>
    <spring-security-kerberos-core.version>1.0.1.RELEASE</spring-security-kerberos-core.version>
@ -149,6 +149,8 @@
    <maven-release-plugin.version>2.5.3</maven-release-plugin.version>
    <unboundsdk.version>6.0.8</unboundsdk.version>
    <dropwizard-web.version>1.5.1</dropwizard-web.version>
+    <snakeyaml.version>2.0</snakeyaml.version>
+    <woodstox.version>5.4.0</woodstox.version>
  </properties>
  <dependencyManagement>
    <dependencies>