Exclude bouncycastle CVEs, fix janino dep

exasol · Jun 3, 2024 · 31caa3c · 31caa3c
1 parent 60abdae
commit 31caa3c
Showing 1 changed file with 26 additions and 5 deletions.
diff --git a/pom.xml b/pom.xml
@@ -199,6 +199,14 @@
                     <groupId>org.slf4j</groupId>
                     <artifactId>slf4j-reload4j</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.codehaus.janino</groupId>
+                    <artifactId>janino</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.codehaus.janino</groupId>
+                    <artifactId>commons-compiler</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
@@ -215,6 +223,18 @@
             <version>0.27</version>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>org.codehaus.janino</groupId>
+            <artifactId>janino</artifactId>
+            <version>3.1.12</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.codehaus.janino</groupId>
+            <artifactId>commons-compiler</artifactId>
+            <version>3.1.12</version>
+            <scope>provided</scope>
+        </dependency>
         <dependency>
             <groupId>org.apache.hadoop</groupId>
             <artifactId>hadoop-aws</artifactId>
@@ -385,10 +405,6 @@
                     <groupId>org.bouncycastle</groupId>
                     <artifactId>bcprov-ext-jdk15on</artifactId>
                 </exclusion>
-                <exclusion>
-                    <groupId>org.bouncycastle</groupId>
-                    <artifactId>bcprov-jdk15on</artifactId>
-                </exclusion>
                 <exclusion>
                     <groupId>org.codehaus.jackson</groupId>
                     <artifactId>*</artifactId>
@@ -656,7 +672,7 @@
                              janino is not included in the released artifact,
                              but 'provided' by the runtime Spark cluster.
                         -->
-                        <exclude>CVE-2023-33546</exclude>
+<!--                        <exclude>CVE-2023-33546</exclude>-->
                         <!-- Ignore vulnerability reported for transitive
                              dependency com.nimbusds:nimbus-jose-jwt:jar:9.8.1
                              via org.apache.hadoop:hadoop-client:jar:3.3.6
@@ -672,6 +688,11 @@
                         <exclude>CVE-2024-29857</exclude>
                         <exclude>CVE-2024-30171</exclude>
                         <exclude>CVE-2024-30172</exclude>
+                        <exclude>CVE-2023-33201</exclude>
+                        <exclude>CVE-2023-33202</exclude>
+                        <exclude>CVE-2024-29857</exclude>
+                        <exclude>CVE-2024-30171</exclude>
+                        <exclude>CVE-2024-34447</exclude>
                     </excludeVulnerabilityIds>
                 </configuration>
             </plugin>