From 1e5d434501d40b2e394d18dbbf30ad7c4f7f590f Mon Sep 17 00:00:00 2001
From: david-leifker <114954101+david-leifker@users.noreply.github.com>
Date: Fri, 9 Dec 2022 14:11:12 -0600
Subject: [PATCH] fix(security): commons-text in frontend, hadoop-commons in datahub-upgrade (#6723)

---
 datahub-frontend/play.gradle | 3 +++
 datahub-upgrade/build.gradle | 7 +++++++
 2 files changed, 10 insertions(+)

diff --git a/datahub-frontend/play.gradle b/datahub-frontend/play.gradle
index 4d0a340d9c..08a1891fec 100644
--- a/datahub-frontend/play.gradle
+++ b/datahub-frontend/play.gradle
@@ -26,6 +26,9 @@ dependencies {
     play('com.typesafe.akka:akka-actor_2.12:2.6.20')
     play('net.minidev:json-smart:2.4.8')
     play('io.netty:netty-all:4.1.85.Final')
+    implementation(externalDependency.commonsText) {
+        because("previous versions are vulnerable to CVE-2022-42889")
+    }
 }
 
 compile project(":metadata-service:restli-client")
diff --git a/datahub-upgrade/build.gradle b/datahub-upgrade/build.gradle
index 4d4d2b9939..79b3076a9f 100644
--- a/datahub-upgrade/build.gradle
+++ b/datahub-upgrade/build.gradle
@@ -14,6 +14,13 @@ dependencies {
         exclude group: 'com.nimbusds', module: 'nimbus-jose-jwt'
         exclude group: "org.apache.htrace", module: "htrace-core4"
     }
+
+    constraints {
+        implementation(externalDependency.hadoopCommon3) {
+            because("previous versions are vulnerable to CVE-2021-37404")
+        }
+    }
+
     implementation externalDependency.slf4jApi
     compileOnly externalDependency.lombok
     compile externalDependency.picocli
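Review bot: The frontend fix adds commons-text as a direct `implementation` dependency while every neighbouring dependency in this block is declared on the `play` configuration; if the Play plugin assembles the application's runtime classpath from `play` rather than from `implementation`, the vulnerable transitive copy can still be the one shipped, and the new line would only add a second copy to a classpath nobody runs. Declaring it as a constraint, `constraints { implementation(externalDependency.commonsText) { because("...") } }` as the datahub-upgrade hunk does, or on `play(...)`, states the intent (raise the version, not add a dependency) and the outcome should be confirmed with `./gradlew :datahub-frontend:dependencyInsight --dependency commons-text`. The version itself comes from `externalDependency.commonsText`, which is defined outside this patch, so the `because` message is only true if that entry is at 1.10.0 or later, the release in which CVE-2022-42889 was fixed. The enclosing `dependencies { }` block continues outside the hunk.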
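Review bot: The new `constraints { }` block raises hadoop-common only to whatever `externalDependency.hadoopCommon3` resolves to, and that entry is defined outside this patch, so nothing in the hunk lets a reader check that the chosen version actually closes CVE-2021-37404; a comment naming the minimum fixed release next to `because("previous versions are vulnerable to CVE-2021-37404")` would make the pin self-verifying. A constraint on `implementation` also affects only configurations that extend it and has no effect if hadoop-common enters the graph through a different configuration, so the result should be confirmed with `./gradlew :datahub-upgrade:dependencyInsight --dependency hadoop-common`. Both the enclosing `dependencies { }` block and the dependency whose `exclude` lines precede the change start outside the hunk.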