From e7a9cd3709ce59454546e19aa37b0c4c5a03c6df Mon Sep 17 00:00:00 2001
From: Shaojun Liu <61072813+liu-shaojun@users.noreply.github.com>
Date: Mon, 4 Mar 2024 10:33:47 +0800
Subject: [PATCH] Fix BDBA Vulnerabilities for BigDL Release 2.5.0 (#10275)
* update protobuf-java to 3.25.2
* update sqlite-jdbc to 3.45.1.0
* update jackson.version to 2.16.1
* exclude snappy and netty
* test
* test
* update
* revert akka.actor.version
* update
* exclude protobuf-java
* exclude com.google.protobuf:protobuf-java
* update
* update
* fix
* revert
---
scala/assembly/src/main/assembly/assembly-all.xml | 5 +++++
scala/dllib/pom.xml | 4 ++--
scala/friesian/pom.xml | 4 ++--
scala/orca/pom.xml | 8 ++++----
scala/pom.xml | 2 +-
scala/ppml/pom.xml | 6 +++---
scala/serving/pom.xml | 2 +-
7 files changed, 18 insertions(+), 13 deletions(-)
diff --git a/scala/assembly/src/main/assembly/assembly-all.xml b/scala/assembly/src/main/assembly/assembly-all.xml
index 4d9112fc546..f654100b9f2 100644
--- a/scala/assembly/src/main/assembly/assembly-all.xml
+++ b/scala/assembly/src/main/assembly/assembly-all.xml
@@ -162,8 +162,13 @@
com.intel.analytics.bigdl:*:jar
com.intel.analytics.zoo:*:jar
com.intel.analytics.bigdl.core.dist:all:jar
+ org.xerial.snappy:*
io.grpc:grpc-netty-shaded:jar
io.netty:netty-tcnative-boringssl-static:jar
+ io.netty:netty-codec-http:jar
+ io.netty:netty-buffer:jar
+ io.netty:netty-common:jar
+ com.typesafe.akka:akka-protobuf*:jar
com.intel.analytics.bigdl.core.native.opencv:opencv-java-x86_64-linux:jar
org.lz4:lz4-java:jar
org.apache.hadoop:*:jar
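Review bot: The five new entries at L37 and L40–L43 drop jars from the assembled artifact without changing the dependency graph, so any bundled component that loads those netty, snappy or akka-protobuf classes at runtime will fail with NoClassDefFoundError unless the deployment classpath supplies them, and nothing in the hunk records what does. If this is the dependencySet excludes list (the surrounding tags are not visible here), each new entry should carry a comment naming the scan finding it answers and the runtime provider, e.g. `<!-- excluded: flagged by the release 2.5.0 BDBA scan; supplied at runtime by the Spark classpath — verify -->`. `org.xerial.snappy:*` is also the only pattern without the `:jar` type qualifier its neighbours use; `org.xerial.snappy:*:jar` would match the rest unless a non-jar artifact is intentionally covered. Excluding `com.typesafe.akka:akka-protobuf*:jar` while the description says `akka.actor.version` was reverted is worth a note as well, since the akka remoting jars that stay in the assembly may depend on those shaded protobuf classes.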
diff --git a/scala/dllib/pom.xml b/scala/dllib/pom.xml
index d126d55dfc8..eec3c635ebe 100644
--- a/scala/dllib/pom.xml
+++ b/scala/dllib/pom.xml
@@ -35,7 +35,7 @@
com.google.protobuf
protobuf-java
- 3.19.6
+ 3.25.2
org.apache.hadoop
@@ -529,7 +529,7 @@
com.google.protobuf
- com.intel.analytics.shaded.protobuf_v_3_5_1
+ com.intel.analytics.shaded.protobuf_v_3_25_2
diff --git a/scala/friesian/pom.xml b/scala/friesian/pom.xml
index 8a08e7725e1..0f5e96dc808 100644
--- a/scala/friesian/pom.xml
+++ b/scala/friesian/pom.xml
@@ -210,7 +210,7 @@
com.google.protobuf
protobuf-java
- 3.19.6
+ 3.25.2
${serving.scope}
@@ -460,7 +460,7 @@
com.google.protobuf
- com.intel.analytics.shaded.protobuf_v_3_5_1
+ com.intel.analytics.shaded.protobuf_v_3_25_2
diff --git a/scala/orca/pom.xml b/scala/orca/pom.xml
index 8cc6eea5b54..3493696a68d 100644
--- a/scala/orca/pom.xml
+++ b/scala/orca/pom.xml
@@ -214,9 +214,9 @@
com.google.protobuf
- protobuf-java
- 3.19.6
- ${spark-scope}
+ protobuf-java
+ 3.25.2
+ ${spark-scope}
org.scalatest
@@ -438,7 +438,7 @@
com.google.protobuf
- com.intel.analytics.shaded.protobuf_v_3_5_1
+ com.intel.analytics.shaded.protobuf_v_3_25_2
diff --git a/scala/pom.xml b/scala/pom.xml
index 25cb5d6fbf7..fce539a998c 100644
--- a/scala/pom.xml
+++ b/scala/pom.xml
@@ -169,7 +169,7 @@
0.9.2
1.7.7
2.17.1
- 2.15.3
+ 2.16.1
6.1.26
6.1.14
1.2
diff --git a/scala/ppml/pom.xml b/scala/ppml/pom.xml
index b816db5e0a8..146e383bfc6 100644
--- a/scala/ppml/pom.xml
+++ b/scala/ppml/pom.xml
@@ -147,10 +147,10 @@
shamir
0.7.0
-
+
org.xerial
sqlite-jdbc
- 3.41.2.2
+ 3.45.1.0
org.apache.parquet
@@ -232,7 +232,7 @@
com.google.protobuf
protobuf-java
- 3.19.6
+ 3.25.2
com.google.protobuf
diff --git a/scala/serving/pom.xml b/scala/serving/pom.xml
index cbf99b98112..97a3363d46d 100644
--- a/scala/serving/pom.xml
+++ b/scala/serving/pom.xml
@@ -49,7 +49,7 @@
com.google.protobuf
protobuf-java
- 3.19.6
+ 3.25.2
org.apache.spark