chore(security): updates for security vulnerabilities (datahub-projec…

…t#10740)

build.gradle

@@ -32,21 +32,21 @@ buildscript {
 
   ext.junitJupiterVersion = '5.6.1'
   // Releases: https://github.com/linkedin/rest.li/blob/master/CHANGELOG.md
-  ext.pegasusVersion = '29.51.6'
+  ext.pegasusVersion = '29.57.0'
   ext.mavenVersion = '3.6.3'
-  ext.springVersion = '6.1.4'
-  ext.springBootVersion = '3.2.3'
-  ext.springKafkaVersion = '3.1.2'
+  ext.springVersion = '6.1.5'
+  ext.springBootVersion = '3.2.6'
+  ext.springKafkaVersion = '3.1.6'
   ext.openTelemetryVersion = '1.18.0'
   ext.neo4jVersion = '5.14.0'
   ext.neo4jTestVersion = '5.14.0'
   ext.neo4jApocVersion = '5.14.0'
   ext.testContainersVersion = '1.17.4'
   ext.elasticsearchVersion = '2.11.1' // ES 7.10, Opensearch 1.x, 2.x
   ext.jacksonVersion = '2.15.3'
-  ext.jettyVersion = '11.0.19'
-  ext.playVersion = '2.8.21'
-  ext.log4jVersion = '2.19.0'
+  ext.jettyVersion = '11.0.21'
+  ext.playVersion = '2.8.22'
+  ext.log4jVersion = '2.23.1'
   ext.slf4jVersion = '1.7.36'
   ext.logbackClassic = '1.4.14'
   ext.hadoop3Version = '3.3.5'

datahub-upgrade/build.gradle

@@ -46,6 +46,9 @@ dependencies {
     implementation(externalDependency.guava) {
       because("CVE-2023-2976")
     }
+    implementation('io.airlift:aircompressor:0.27') {
+      because("CVE-2024-36114")
+    }
   }
 
 

docker/datahub-gms/Dockerfile

@@ -6,8 +6,7 @@ ARG ALPINE_REPO_URL=http://dl-cdn.alpinelinux.org/alpine
 ARG GITHUB_REPO_URL=https://github.com
 ARG MAVEN_CENTRAL_REPO_URL=https://repo1.maven.org/maven2
 
-FROM golang:1-alpine3.18 AS binary
-FROM golang:1-alpine3.18 AS binary
+FROM golang:1-alpine3.20 AS binary
 
 # Re-declaring arg from above to make it available in this stage (will inherit default value)
 ARG ALPINE_REPO_URL

docker/datahub-ingestion-base/Dockerfile

@@ -7,7 +7,7 @@ ARG GITHUB_REPO_URL=https://github.com
 ARG DEBIAN_REPO_URL=https://deb.debian.org/debian
 ARG PIP_MIRROR_URL=https://pypi.python.org/simple
 
-FROM golang:1-alpine3.18 AS dockerize-binary
+FROM golang:1-alpine3.20 AS dockerize-binary
 
 # Re-declaring arg from above to make it available in this stage (will inherit default value)
 ARG ALPINE_REPO_URL

docker/datahub-mae-consumer/Dockerfile

@@ -6,7 +6,7 @@ ARG ALPINE_REPO_URL=http://dl-cdn.alpinelinux.org/alpine
 ARG GITHUB_REPO_URL=https://github.com
 ARG MAVEN_CENTRAL_REPO_URL=https://repo1.maven.org/maven2
 
-FROM golang:1-alpine3.18 AS binary
+FROM golang:1-alpine3.20 AS binary
 
 # Re-declaring arg from above to make it available in this stage (will inherit default value)
 ARG ALPINE_REPO_URL

docker/datahub-mce-consumer/Dockerfile

@@ -6,7 +6,7 @@ ARG ALPINE_REPO_URL=http://dl-cdn.alpinelinux.org/alpine
 ARG GITHUB_REPO_URL=https://github.com
 ARG MAVEN_CENTRAL_REPO_URL=https://repo1.maven.org/maven2
 
-FROM golang:1-alpine3.18 AS binary
+FROM golang:1-alpine3.20 AS binary
 
 # Re-declaring arg from above to make it available in this stage (will inherit default value)
 ARG ALPINE_REPO_URL

docker/datahub-upgrade/Dockerfile

@@ -6,7 +6,7 @@ ARG ALPINE_REPO_URL=http://dl-cdn.alpinelinux.org/alpine
 ARG GITHUB_REPO_URL=https://github.com
 ARG MAVEN_CENTRAL_REPO_URL=https://repo1.maven.org/maven2
 
-FROM golang:1-alpine3.18 AS binary
+FROM golang:1-alpine3.20 AS binary
 
 # Re-declaring arg from above to make it available in this stage (will inherit default value)
 ARG ALPINE_REPO_URL

docker/elasticsearch-setup/Dockerfile

@@ -6,7 +6,7 @@ ARG APP_ENV=prod
 # Defining custom repo urls for use in enterprise environments. Re-used between stages below.
 ARG ALPINE_REPO_URL=http://dl-cdn.alpinelinux.org/alpine
 
-FROM golang:1-alpine3.18 AS binary
+FROM golang:1-alpine3.20 AS binary
 
 ARG ALPINE_REPO_URL
 

docker/mysql-setup/Dockerfile

@@ -1,7 +1,7 @@
 # Defining custom repo urls for use in enterprise environments. Re-used between stages below.
 ARG ALPINE_REPO_URL=http://dl-cdn.alpinelinux.org/alpine
 
-FROM golang:1-alpine3.18 AS binary
+FROM golang:1-alpine3.20 AS binary
 
 ARG ALPINE_REPO_URL
 

docker/postgres-setup/Dockerfile

@@ -1,7 +1,7 @@
 # Defining custom repo urls for use in enterprise environments. Re-used between stages below.
 ARG ALPINE_REPO_URL=http://dl-cdn.alpinelinux.org/alpine
 
-FROM golang:1-alpine3.18 AS binary
+FROM golang:1-alpine3.20 AS binary
 
 ARG ALPINE_REPO_URL
 

metadata-integration/java/datahub-client/build.gradle

@@ -120,6 +120,7 @@ shadowJar {
   relocate 'nonapi.io.github.classgraph', 'datahub.shaded.nonapi.io.github.classgraph'
   relocate 'org.eclipse.parsson', 'datahub.shaded.parsson'
   relocate 'jakarta.json', 'datahub.shaded.json'
+  relocate 'io.netty', 'datahub.shaded.io.netty'
 
   finalizedBy checkShadowJar
 }