CORE-19766 increase apache commons compress version due to Snyk vulne…

…rability (#1528) commons compress requires commons codec to resolve in OSGI
corda · Feb 22, 2024 · 23b48e6 · 23b48e6
1 parent 7aaf294
commit 23b48e6
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/data/avro-schema/build.gradle b/data/avro-schema/build.gradle
@@ -20,6 +20,8 @@ dependencies {
             because "CVE-2023-42503, current version of Avro uses an outdated version"
         }
     }
+    //needed by commons-compress
+    implementation libs.apache.commons.codec
 
     implementation platform(project(':corda-api'))
     implementation project(':base')

diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -6,7 +6,8 @@ slf4jVersion = { strictly = "1.7.36" }
 
 # Main implementation dependencies
 avroVersion = "1.11.3"
-commonsCompressVersion = "1.25.0"
+apacheCommonsCodecVersion="1.16.1"
+commonsCompressVersion = "1.26.0"
 bouncycastleVersion = "1.77"
 javaxPersistenceApiVersion = "2.2"
 jacksonVersion = "2.16.1"
@@ -37,6 +38,7 @@ taskTreeVersion = "2.1.1"
 [libraries]
 slf4j = { group = "org.slf4j", name = "slf4j-api", version.ref = "slf4jVersion" }
 avro = { group = "org.apache.avro", name = "avro", version.ref = "avroVersion" }
+apache-commons-codec = { group = "commons-codec", name = "commons-codec", version.ref = "apacheCommonsCodecVersion" }
 commons-compress = { group = "org.apache.commons", name = "commons-compress", version.ref = "commonsCompressVersion" }
 bouncycastle-prov = { group = "org.bouncycastle", name = "bcprov-jdk18on", version.ref = "bouncycastleVersion" }
 bouncycastle-pkix = { group = "org.bouncycastle", name = "bcpkix-jdk18on", version.ref = "bouncycastleVersion" }