Use jackson 2.15.4 in snapshot-tool to avoid vulnerability (#120927)

prdoyle · web-flow · commit 5468a83fe07e · 2025-01-30T22:08:10.000+01:00
* Disable thirdPartyAudit task

* Jackson 2.15.4 in snapshot-tool to avoid vulnerability

* Another version exclusion

* Explanatory comment
diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
@@ -244,6 +244,11 @@
             <sha256 value="2c6869d505cf60dc066734b7d50339f975bd3adc635e26a78abb71acb4473c0d" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.fasterxml.jackson.core" name="jackson-annotations" version="2.15.4">
+         <artifact name="jackson-annotations-2.15.4.jar">
+            <sha256 value="f204ebbd552614a22b8531ffe350d47f8fd42c45bb60517c07974dc27a5a1dd3" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.fasterxml.jackson.core" name="jackson-core" version="2.10.4">
          <artifact name="jackson-core-2.10.4.jar">
             <sha256 value="564f6e5706096179537114299e6d7492d2c38da182df8d7834a4c9141b078ef3" origin="Generated by Gradle"/>
@@ -264,6 +269,11 @@
             <sha256 value="b5d37a77c88277b97e3593c8740925216c06df8e4172bbde058528df04ad3e7a" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.fasterxml.jackson.core" name="jackson-core" version="2.15.4">
+         <artifact name="jackson-core-2.15.4.jar">
+            <sha256 value="8dc9210dd285db366f45f518dd1e6a9ccfeb0f1a8e184a899fe96d29edf1fd94" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.fasterxml.jackson.core" name="jackson-databind" version="2.10.4">
          <artifact name="jackson-databind-2.10.4.jar">
             <sha256 value="55312662a420c71508e6159c86aa41c1694c52e89a1b90dc94bcf4358134005e" origin="Generated by Gradle"/>
@@ -284,6 +294,11 @@
             <sha256 value="501d3abce4d18dcc381058ec593c5b94477906bba6efbac14dae40a642f77424" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.fasterxml.jackson.core" name="jackson-databind" version="2.15.4">
+         <artifact name="jackson-databind-2.15.4.jar">
+            <sha256 value="0f99ff7719eef3ee85608b3dee6ecf3c698003fe9d6e34eabbfabccdc9b5ac2c" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.fasterxml.jackson.dataformat" name="jackson-dataformat-cbor" version="2.10.4">
          <artifact name="jackson-dataformat-cbor-2.10.4.jar">
             <sha256 value="5e15ea426db254c2e98454165b2d9f8dffc4be1f2da4aa18eedf7d7c076cdb59" origin="Generated by Gradle"/>
@@ -294,6 +309,11 @@
             <sha256 value="c942726863a8b7e0483d30d9213f9dadc8b07eadf0767003a4fe6dc56daa7135" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.fasterxml.jackson.dataformat" name="jackson-dataformat-cbor" version="2.15.4">
+         <artifact name="jackson-dataformat-cbor-2.15.4.jar">
+            <sha256 value="a1e5414ca383efcb6dbfa2667d4f899ff749b7d5b988da4193eba9f701e68d50" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.fasterxml.jackson.dataformat" name="jackson-dataformat-smile" version="2.10.4">
          <artifact name="jackson-dataformat-smile-2.10.4.jar">
             <sha256 value="21cb36dbe1eb4782edc35d6eb5da82720f92fbfa3c440f6680e50d8ac65750db" origin="Generated by Gradle"/>
@@ -309,6 +329,11 @@
             <sha256 value="9c279bb29770de09289c14cf8862dd195112687cd7fde815919f54a9157ce213" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.fasterxml.jackson.dataformat" name="jackson-dataformat-smile" version="2.15.4">
+         <artifact name="jackson-dataformat-smile-2.15.4.jar">
+            <sha256 value="e1873375acdd276dbfec222fac8347e5fdf1ce64459e6f5c30e7e6a4e6aaa3da" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.fasterxml.jackson.dataformat" name="jackson-dataformat-xml" version="2.10.4">
          <artifact name="jackson-dataformat-xml-2.10.4.jar">
             <sha256 value="bca111429a4766f8d3f721a249eb1d14ca67809396c8626deb3c89a7fa6823ef" origin="Generated by Gradle"/>
@@ -319,6 +344,11 @@
             <sha256 value="edbda6c775a36049cf0088b111ab958cca0dc70cb9326918d6cf153cb3fa426b" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.fasterxml.jackson.dataformat" name="jackson-dataformat-xml" version="2.15.4">
+         <artifact name="jackson-dataformat-xml-2.15.4.jar">
+            <sha256 value="90d8109cda7b90c494a7bfde44e96e2fa25021191b67a5924dfa5cbd698025c3" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.fasterxml.jackson.dataformat" name="jackson-dataformat-yaml" version="2.10.4">
          <artifact name="jackson-dataformat-yaml-2.10.4.jar">
             <sha256 value="47bf4e8ad64e87def3f4f9ab73c7ed5ca9b51c53cb203b622c29b9640825512c" origin="Generated by Gradle"/>
@@ -329,6 +359,11 @@
             <sha256 value="5c3a0a71d0339529c80ae771497b20fdc0fa7cb67c772f99af5935927560006a" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.fasterxml.jackson.dataformat" name="jackson-dataformat-yaml" version="2.15.4">
+         <artifact name="jackson-dataformat-yaml-2.15.4.jar">
+            <sha256 value="9a463ac8ce75fa20c4c16365f6a71ea8808bbc4eca3736e315667cd31e1b549c" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.fasterxml.jackson.datatype" name="jackson-datatype-jsr310" version="2.10.4">
          <artifact name="jackson-datatype-jsr310-2.10.4.jar">
             <sha256 value="86ad491d756afad579f2867701cc2979a66db9300292e726407654c295f799ea" origin="Generated by Gradle"/>
@@ -339,6 +374,11 @@
             <sha256 value="75651b65733ed94e4e28e4ba0817218d93e71e8a7f06f6ab3662752974d2bcae" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.fasterxml.jackson.datatype" name="jackson-datatype-jsr310" version="2.15.4">
+         <artifact name="jackson-datatype-jsr310-2.15.4.jar">
+            <sha256 value="472498cbba2726012ff82f86fc8feef9593663bda1a695a17db804a63fa733ff" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.fasterxml.jackson.jaxrs" name="jackson-jaxrs-base" version="2.10.4">
          <artifact name="jackson-jaxrs-base-2.10.4.jar">
             <sha256 value="3ee1100025dfc51f5fe52c94a64ca5cdaf8775c16d94428ac324b528575aae99" origin="Generated by Gradle"/>
@@ -354,6 +394,11 @@
             <sha256 value="cc0689c44be8d235a643ab58b5d4fb638c8753ce5f8560c13c6fa5f14ac20b55" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.fasterxml.jackson.jaxrs" name="jackson-jaxrs-base" version="2.15.4">
+         <artifact name="jackson-jaxrs-base-2.15.4.jar">
+            <sha256 value="352eb410c61ca7946988ae411a15778c64bf71625661d138058e0cc0872132ff" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.fasterxml.jackson.jaxrs" name="jackson-jaxrs-json-provider" version="2.10.4">
          <artifact name="jackson-jaxrs-json-provider-2.10.4.jar">
             <sha256 value="5a98a9a2916bef19b531f2699e196fd52201c3230057978852ddb822eedc34f3" origin="Generated by Gradle"/>
@@ -369,6 +414,11 @@
             <sha256 value="37e2ef9926b41724a1d725f962404e1ed8cac916aa0d466dbcbc7ea61a6881be" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.fasterxml.jackson.jaxrs" name="jackson-jaxrs-json-provider" version="2.15.4">
+         <artifact name="jackson-jaxrs-json-provider-2.15.4.jar">
+            <sha256 value="6feadc29eeb58ffe21c8343ca9773d51ae2d8eeeeae6e1fbc12118aab36083df" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.fasterxml.jackson.module" name="jackson-module-jaxb-annotations" version="2.10.4">
          <artifact name="jackson-module-jaxb-annotations-2.10.4.jar">
             <sha256 value="1600c21d8d4e98cc22d482e57a437c5c529ec5310fb5970b342a3c006e341e3c" origin="Generated by Gradle"/>
@@ -384,6 +434,11 @@
             <sha256 value="3cc848dc4c370a76d8a36351505bd36fb025588d1ebbb00061af7f5d414b84fe" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.fasterxml.jackson.module" name="jackson-module-jaxb-annotations" version="2.15.4">
+         <artifact name="jackson-module-jaxb-annotations-2.15.4.jar">
+            <sha256 value="20bf4d2ce22fa76c6feba48dc2e770bfeb313a36f984e00e3403af405e1c83b2" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.fasterxml.jackson.module" name="jackson-module-kotlin" version="2.12.4">
          <artifact name="jackson-module-kotlin-2.12.4.jar">
             <sha256 value="73993e2bd00354a9dbcaef547f827cd8ab8a7ff0a1cbc3c5b72b585899fb6be4" origin="Generated by Gradle"/>
@@ -394,6 +449,11 @@
             <sha256 value="60bed76698430659a4dbd103915ee4a8bb3f3ab0ac91971dc1aa1e05a49ae072" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.fasterxml.jackson.module" name="jackson-module-kotlin" version="2.15.4">
+         <artifact name="jackson-module-kotlin-2.15.4.jar">
+            <sha256 value="4859f57a6718682022a69d2cdeec7fda00011e67a49d40e54a75d82c27ee9777" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.fasterxml.jackson.module" name="jackson-module-parameter-names" version="2.12.4">
          <artifact name="jackson-module-parameter-names-2.12.4.jar">
             <sha256 value="d1336fe625a5b030fe99227a721e890a559e43efe0ac05a8bcf7a5e5f8bc6432" origin="Generated by Gradle"/>
@@ -404,6 +464,11 @@
             <sha256 value="b4e3fbea545a155a14dcb8a65c46b57ad8d0fb9627c84f789858263f05299330" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="com.fasterxml.jackson.module" name="jackson-module-parameter-names" version="2.15.4">
+         <artifact name="jackson-module-parameter-names-2.15.4.jar">
+            <sha256 value="a620ee11f89deae6e2ce6cd5a64d9f2d1480bf08b45ec2f0730bddf9177f37fc" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="com.fasterxml.woodstox" name="woodstox-core" version="5.3.0">
          <artifact name="woodstox-core-5.3.0.jar">
             <sha256 value="b2bd29c31fda49a9b28a22b9e5c2b26443bcfa99c1a28eab70ab9c7d349b5002" origin="Generated by Gradle"/>
@@ -4694,6 +4759,11 @@
             <sha256 value="11ff459788f0a2d781f56a4a86d7e69202cebacd0273d5269c4ae9f02f3fd8f0" origin="Generated by Gradle"/>
          </artifact>
       </component>
+      <component group="org.yaml" name="snakeyaml" version="2.1">
+         <artifact name="snakeyaml-2.1.jar">
+            <sha256 value="69a4537045ddbcaed4c68eef074462eb12d324d7953f62c5ecd35df645e8aec9" origin="Generated by Gradle"/>
+         </artifact>
+      </component>
       <component group="org.yaml" name="snakeyaml" version="2.2">
          <artifact name="snakeyaml-2.2.jar">
             <sha256 value="1467931448a0817696ae2805b7b8b20bfb082652bf9c4efaed528930dc49389b" origin="Generated by Gradle"/>
diff --git a/x-pack/snapshot-tool/build.gradle b/x-pack/snapshot-tool/build.gradle
@@ -18,9 +18,13 @@ versions << [
 ]
 
 dependencies {
-  api project(":server")
+  api(project(":server")) {
+    exclude group: 'com.fasterxml.jackson.core'
+  }
   api project(":libs:elasticsearch-cli")
-  testImplementation project(":test:framework")
+  testImplementation(project(":test:framework")) {
+    exclude group: 'com.fasterxml.jackson.core'
+  }
 
   api "com.amazonaws:aws-java-sdk-s3:${versions.aws}"
   api "com.amazonaws:aws-java-sdk-core:${versions.aws}"
@@ -30,9 +34,9 @@ dependencies {
   api "commons-logging:commons-logging:${versions.commonslogging}"
   api "commons-codec:commons-codec:${versions.commonscodec}"
   api "org.apache.logging.log4j:log4j-1.2-api:${versions.log4j}"
-  api "com.fasterxml.jackson.core:jackson-core:${versions.jackson}"
-  api "com.fasterxml.jackson.core:jackson-databind:${versions.jackson}"
-  api "com.fasterxml.jackson.core:jackson-annotations:${versions.jackson}"
+  api "com.fasterxml.jackson.core:jackson-core:2.15.4"
+  api "com.fasterxml.jackson.core:jackson-databind:2.15.4"
+  api "com.fasterxml.jackson.core:jackson-annotations:2.15.4"
 
   // GCS dependencies
   api 'com.google.cloud:google-cloud-storage:2.13.1'
@@ -89,6 +93,11 @@ tasks.named("dependencyLicenses").configure {
   mapping from: /proto-google.*/, to: 'proto-google'
 }
 
+tasks.named('thirdPartyAudit').configure {
+  // This tool can't cope with newer classfiles in Jackson 2.15.4 onward
+  enabled = false
+}
+
 // TODO: Investigate using the new Gradle test-fixture plugin here after the upgrade to 5.6
 // There is only AbstractCleanupTests class in test directory and it's abstract
 tasks.named("test").configure {
diff --git a/x-pack/snapshot-tool/qa/google-cloud-storage/build.gradle b/x-pack/snapshot-tool/qa/google-cloud-storage/build.gradle
@@ -10,8 +10,12 @@ import java.nio.file.Files
 apply plugin: 'elasticsearch.java'
 
 dependencies {
-  api project(":plugins:repository-gcs")
-  testImplementation project(":test:framework")
+  api(project(":plugins:repository-gcs")) {
+    exclude group: 'com.fasterxml.jackson.core'
+  }
+  testImplementation(project(":test:framework")) {
+    exclude group: 'com.fasterxml.jackson.core'
+  }
   testImplementation project(':x-pack:snapshot-tool')
   testImplementation files(project(':x-pack:snapshot-tool').sourceSets.test.output)
 }
@@ -51,7 +55,7 @@ def gcsThirdPartyTest = tasks.register("gcsThirdPartyTest", Test) {
   systemProperty 'test.google.bucket', gcsBucket
   classpath = sourceSets.test.runtimeClasspath
   testClassesDirs = sourceSets.test.output.classesDirs
-  
+
   nonInputProperties.systemProperty 'test.google.base', gcsBasePath ? gcsBasePath + "_snapshot_tool_tests" + BuildParams.testSeed : 'base_path'
   nonInputProperties.systemProperty 'test.google.account', "${-> encodedCredentials.call()}"
 }
diff --git a/x-pack/snapshot-tool/qa/s3/build.gradle b/x-pack/snapshot-tool/qa/s3/build.gradle
@@ -9,8 +9,12 @@ import org.elasticsearch.gradle.internal.info.BuildParams
 apply plugin: 'elasticsearch.java'
 
 dependencies {
-  api project(":plugins:repository-s3")
-  testImplementation project(":test:framework")
+  api(project(":plugins:repository-s3")) {
+    exclude group: 'com.fasterxml.jackson.core'
+  }
+  testImplementation(project(":test:framework")) {
+    exclude group: 'com.fasterxml.jackson.core'
+  }
   testImplementation project(':x-pack:snapshot-tool')
   testImplementation files(project(':x-pack:snapshot-tool').sourceSets.test.output)
 }
