Fix for vunerabilities reported by snky (#1121)

velo · web-flow · commit 2087d4bee166 · 2019-11-25T09:58:56.000+13:00
* Fix for HTTP Request Smuggling Vulnerable module: io.netty:netty-codec-http Introduced through: io.reactivex:rxnetty-http@0.5.2 and io.reactivex:rxnetty-spectator-http@0.5.2 Exploit maturity: No known exploit * Fix for Deserialization of Untrusted Data Vulnerable module: com.google.guava:guava Introduced through: com.netflix.ribbon:ribbon-core@2.3.0 and com.netflix.ribbon:ribbon-loadbalancer@2.3.0 Exploit maturity: No known exploit https://app.snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-32236
diff --git a/benchmark/pom.xml b/benchmark/pom.xml
@@ -27,15 +27,22 @@
   <name>Feign Benchmark (JMH)</name>
 
   <properties>
-    <jmh.version>1.20</jmh.version>
-    <!-- override default bytecode version for src/main from parent pom -->
-    <main.java.version>1.8</main.java.version>
-    <main.signature.artifact>java18</main.signature.artifact>
+    <jmh.version>1.22</jmh.version>
     <main.basedir>${project.basedir}/..</main.basedir>
-    <maven.compiler.source>1.8</maven.compiler.source>
-    <maven.compiler.target>1.8</maven.compiler.target>
   </properties>
 
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>io.netty</groupId>
+        <artifactId>netty-bom</artifactId>
+        <version>4.1.43.Final</version>
+        <type>pom</type>
+        <scope>import</scope>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
   <dependencies>
     <dependency>
       <groupId>${project.groupId}</groupId>
@@ -84,7 +91,6 @@
     <dependency>
       <groupId>io.netty</groupId>
       <artifactId>netty-buffer</artifactId>
-      <version>4.1.5.Final</version>
       <scope>compile</scope>
     </dependency>
     <dependency>
@@ -107,7 +113,6 @@
       <groupId>org.slf4j</groupId>
       <artifactId>slf4j-nop</artifactId>
     </dependency>
-
   </dependencies>
 
   <build>
diff --git a/hystrix/pom.xml b/hystrix/pom.xml
@@ -44,6 +44,12 @@
         <artifactId>hystrix-core</artifactId>
         <version>1.5.18</version>
       </dependency>
+
+      <dependency>
+        <groupId>com.google.guava</groupId>
+        <artifactId>guava</artifactId>
+        <version>24.1.1-jre</version>
+      </dependency>
     </dependencies>
   </dependencyManagement>
 
diff --git a/ribbon/pom.xml b/ribbon/pom.xml
@@ -32,6 +32,16 @@
     <ribbon-version>2.3.0</ribbon-version>
   </properties>
 
+  <dependencyManagement>
+    <dependencies>
+      <dependency>
+        <groupId>com.google.guava</groupId>
+        <artifactId>guava</artifactId>
+        <version>24.1.1-jre</version>
+      </dependency>
+    </dependencies>
+  </dependencyManagement>
+
   <dependencies>
     <dependency>
       <groupId>${project.groupId}</groupId>
@@ -63,4 +73,5 @@
       <scope>test</scope>
     </dependency>
   </dependencies>
+
 </project>
