remove unnecessary elasticsearch dependencies to fix CVE regressions (#…

…15443)

Recent upgrade of ranger introduced CVE regressions due to outdated elasticsearch components.
Druid-ranger-plugin does not elasticsearch components , and they have been explicitly removed.

Update woodstox-core to 6.4.0 to address GHSA-3f7h-mf4q-vrm4

extensions-core/druid-ranger-security/pom.xml

@@ -34,6 +34,21 @@
         <relativePath>../../pom.xml</relativePath>
     </parent>
 
+    <dependencyManagement>
+        <dependencies>
+            <dependency>
+                <groupId>com.fasterxml.woodstox</groupId>
+                <artifactId>woodstox-core</artifactId>
+                <version>6.4.0</version>
+            </dependency>
+            <dependency>
+                <groupId>com.amazonaws</groupId>
+                <artifactId>aws-java-sdk-bundle</artifactId>
+                <version>${aws.sdk.version}</version>
+            </dependency>
+        </dependencies>
+    </dependencyManagement>
+
     <dependencies>
         <dependency>
             <groupId>org.apache.druid</groupId>
@@ -133,6 +148,18 @@
                     <groupId>org.apache.hadoop</groupId>
                     <artifactId>hadoop-common</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.elasticsearch</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.elasticsearch.client</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.elasticsearch.plugin</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>
@@ -144,14 +171,27 @@
                     <groupId>org.apache.hadoop</groupId>
                     <artifactId>hadoop-common</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.elasticsearch</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.elasticsearch.client</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.elasticsearch.plugin</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
             </exclusions>
             <scope>compile</scope>
         </dependency>
+
         <dependency>
             <groupId>com.google.code.gson</groupId>
             <artifactId>gson</artifactId>
-            <version>${apache.ranger.gson.version}</version>
             <scope>compile</scope>
+            <version>${gson.version}</version>
         </dependency>
 
         <!-- Tests -->

licenses.yaml

@@ -4608,6 +4608,16 @@ libraries:
 
 ---
 
+name: gson
+license_category: binary
+module: druid-ranger-security
+license_name: Apache License version 2.0
+version: 2.10.1
+libraries:
+  - com.google.code.gson: gson
+
+---
+
 name: com.kstruct gethostname4j
 license_category: binary
 version: 1.0.0
@@ -4620,7 +4630,7 @@ libraries:
 
 name: com.amazonaws aws-java-sdk-bundle
 license_category: binary
-version: 1.12.125
+version: 1.12.497
 module: druid-ranger-security
 license_name: Apache License version 2.0
 libraries:
@@ -4699,16 +4709,6 @@ libraries:
 
 ---
 
-name: org.elasticsearch securesm
-license_category: binary
-version: 2.1.9
-module: druid-ranger-security
-license_name: Creative Commons CC0
-libraries:
-  - org.hdrhistogram: HdrHistogram
-
----
-
 name: Apache Lucene
 license_category: binary
 version: 8.4.0
@@ -4733,38 +4733,6 @@ libraries:
 
 ---
 
-name: org.elasticsearch securesm
-license_category: binary
-version: 1.2
-module: druid-ranger-security
-license_name: Apache License version 2.0
-libraries:
-  - org.elasticsearch: securesm
-
----
-
-name: Elastic Search
-license_category: binary
-version: 7.10.2
-module: druid-ranger-security
-license_name: Apache License version 2.0
-libraries:
-  - org.elasticsearch: elasticsearch
-  - org.elasticsearch: elasticsearch-cli
-  - org.elasticsearch: elasticsearch-core
-  - org.elasticsearch: elasticsearch-geo
-  - org.elasticsearch: elasticsearch-secure-sm
-  - org.elasticsearch: elasticsearch-x-content
-  - org.elasticsearch.client: elasticsearch-rest-client
-  - org.elasticsearch.client: elasticsearch-rest-high-level-client
-  - org.elasticsearch.plugin: aggs-matrix-stats-client
-  - org.elasticsearch.plugin: lang-mustache-client
-  - org.elasticsearch.plugin: mapper-extras-client
-  - org.elasticsearch.plugin: parent-join-client
-  - org.elasticsearch.plugin: rank-eval-client
-
----
-
 name: org.apache.httpcomponents httpcore-nio
 license_category: binary
 version: 4.4.6
@@ -4803,7 +4771,7 @@ libraries:
 
 name: Woodstox
 license_category: binary
-version: 6.2.4
+version: 6.4.0
 module: druid-ranger-security
 license_name: Apache License version 2.0
 libraries:

pom.xml

@@ -78,6 +78,7 @@
         <apache.curator.version>5.5.0</apache.curator.version>
         <apache.kafka.version>3.6.0</apache.kafka.version>
         <apache.ranger.version>2.4.0</apache.ranger.version>
+        <gson.version>2.10.1</gson.version>
         <apache.ranger.gson.version>2.10.1</apache.ranger.gson.version>
         <scala.library.version>2.13.11</scala.library.version>
         <avatica.version>1.23.0</avatica.version>