Merge pull request #1903 from liuliaozhong/3.6.x_fileupload

bugfix: 修复Apache Commons FileUpload安全漏洞(CVE-2023-24998) #1901

src/backend/commons/common-security/build.gradle

@@ -27,6 +27,11 @@ dependencies {
     implementation 'io.jsonwebtoken:jjwt'
     implementation 'com.google.guava:guava'
     implementation 'org.springframework.cloud:spring-cloud-starter-openfeign'
+    constraints {
+        implementation('commons-fileupload:commons-fileupload:1.5') {
+            because 'version 1.4 pulled from spring-cloud-starter-openfeign has vulnerabilities(CVE-2023-24998)'
+        }
+    }
     implementation 'org.springframework:spring-context'
     api 'org.springframework.boot:spring-boot'
     api 'org.springframework.boot:spring-boot-autoconfigure'

src/backend/commons/common-service/build.gradle

@@ -34,6 +34,11 @@ dependencies {
     api 'org.springframework.boot:spring-boot-starter-actuator'
     api 'org.springframework.boot:spring-boot-starter-logging'
     api 'org.springframework.cloud:spring-cloud-starter-openfeign'
+    constraints {
+        implementation('commons-fileupload:commons-fileupload:1.5') {
+            because 'version 1.4 pulled from spring-cloud-starter-openfeign has vulnerabilities(CVE-2023-24998)'
+        }
+    }
     api 'org.springframework.cloud:spring-cloud-starter-sleuth'
     if (k8s) {
         println("Compile with kubernetes mode")

src/backend/job-analysis/service-job-analysis/build.gradle

@@ -42,6 +42,11 @@ dependencies {
     implementation "org.springframework.boot:spring-boot-starter-jooq"
     implementation "org.springframework.cloud:spring-cloud-starter-sleuth"
     implementation "org.springframework.cloud:spring-cloud-starter-openfeign"
+    constraints {
+        implementation('commons-fileupload:commons-fileupload:1.5') {
+            because 'version 1.4 pulled from spring-cloud-starter-openfeign has vulnerabilities(CVE-2023-24998)'
+        }
+    }
     implementation "ch.qos.logback:logback-core"
     implementation "ch.qos.logback:logback-classic"
     implementation "org.slf4j:slf4j-api"

src/backend/job-crontab/service-job-crontab/build.gradle

@@ -39,6 +39,11 @@ dependencies {
     implementation "org.apache.commons:commons-collections4"
     api("org.springframework.cloud:spring-cloud-starter-sleuth")
     implementation('org.springframework.cloud:spring-cloud-starter-openfeign')
+    constraints {
+        implementation('commons-fileupload:commons-fileupload:1.5') {
+            because 'version 1.4 pulled from spring-cloud-starter-openfeign has vulnerabilities(CVE-2023-24998)'
+        }
+    }
     implementation "ch.qos.logback:logback-core"
     implementation "ch.qos.logback:logback-classic"
     implementation "org.slf4j:slf4j-api"

src/backend/job-execute/service-job-execute/build.gradle

@@ -41,6 +41,11 @@ dependencies {
     implementation "org.springframework.cloud:spring-cloud-stream"
     implementation "org.springframework.cloud:spring-cloud-starter-sleuth"
     implementation 'org.springframework.cloud:spring-cloud-starter-openfeign'
+    constraints {
+        implementation('commons-fileupload:commons-fileupload:1.5') {
+            because 'version 1.4 pulled from spring-cloud-starter-openfeign has vulnerabilities(CVE-2023-24998)'
+        }
+    }
     implementation 'org.springframework.boot:spring-boot-starter-amqp'
     implementation "ch.qos.logback:logback-core"
     implementation "ch.qos.logback:logback-classic"

src/backend/job-file-gateway/service-job-file-gateway/build.gradle

@@ -33,5 +33,10 @@ dependencies {
     implementation "org.springframework.boot:spring-boot-starter-web"
     implementation "org.springframework.cloud:spring-cloud-starter-sleuth"
     implementation('org.springframework.cloud:spring-cloud-starter-openfeign')
+    constraints {
+        implementation('commons-fileupload:commons-fileupload:1.5') {
+            because 'version 1.4 pulled from spring-cloud-starter-openfeign has vulnerabilities(CVE-2023-24998)'
+        }
+    }
     implementation 'org.apache.httpcomponents:httpclient'
 }

src/backend/job-manage/service-job-manage/build.gradle

@@ -43,6 +43,11 @@ dependencies {
     implementation "org.springframework.cloud:spring-cloud-stream"
     implementation "org.springframework.cloud:spring-cloud-starter-sleuth"
     implementation "org.springframework.cloud:spring-cloud-starter-openfeign"
+    constraints {
+        implementation('commons-fileupload:commons-fileupload:1.5') {
+            because 'version 1.4 pulled from spring-cloud-starter-openfeign has vulnerabilities(CVE-2023-24998)'
+        }
+    }
     implementation "ch.qos.logback:logback-core"
     implementation "ch.qos.logback:logback-classic"
     implementation "org.slf4j:slf4j-api"

support-files/dependJarInfo/md5List.txt

@@ -29,7 +29,7 @@ e9158e0983096d3df09236f7b53125aa
 f54a8510f834a1a57166970bfc982e94
 4a37023740719b391f10030362c86be6
 a69448e8c1e24d989266083c301e354b
-0c3b924dcaaa90c3fb93fe04ae96a35e
+e57ac8a1a6412886a133a2fa08b89735
 467c2a1f64319c99b5faf03fc78572af
 4d5c1693079575b362edf41500630bbd
 fa752c3cb5474b05e14bf2ed7e242020

support-files/dependJarInfo/versionList.txt

@@ -29,7 +29,7 @@
 3.2.2
 4.4
 1.8
-1.4
+1.5
 2.6
 2.6
 3.9