[HDDS-10600] Bump nimbus-jose-jwt version - ASF JIRA

Log work

Agile Board

Rank to Top

Rank to Bottom

Attach files

Attach Screenshot

Bulk Copy Attachments

Bulk Move Attachments

Voters

Watch issue

Watchers

Create sub-task

Convert to sub-task

Link

Clone

Labels

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Task
Status: Resolved
Priority: Major
Resolution: Done
Affects Version/s: 1.5.0
Fix Version/s: 1.5.0, 1.4.1
Component/s: None
Labels:
- pull-request-available

Target Version/s:

1.4.1

Description

It's a continuation of the investigation made in ~~HDDS-10589~~
hdds-hadoop-dependency-(client|server) modules depend on hadoop-common, the latter depends on com.nimbusds:nimbus-jose-jwt:9.8.1 (through org.apache.hadoop:hadoop-auth).

The 9.8.1th version of the com.nimbusds:nimbus-jose-jwt library contains a shaded version of the net.minidev:json-smart:1.3.2 (https://bitbucket.org/connect2id/nimbus-jose-jwt/src/815b98228df7be7b918ae368ea003a034768f769/pom.xml#lines-59) that has a CVE - https://nvd.nist.gov/vuln/detail/CVE-2021-31684.

The nearest version of the nimbus-jose-jwt that doesn't have the CVE is 9.24 - there the json-smart library was replaced with com.google.code.gson:gson.
Hence, we need to exclude nimbus-jose-jwt dependency from the hadoop-common transitive dependencies list in hdds-hadoop-dependency-(client|server) modules and include it directly with the certain version (9.24)