From ab099f06188eaa2c48cc66755dfd89cd78f4b3b5 Mon Sep 17 00:00:00 2001
From: Jan Werner
Date: Tue, 28 Nov 2023 15:30:57 -0500
Subject: [PATCH 1/3] remove unnecessary elasticsearch dependencies to fix CVE regressions introduced by ranger update
---
 extensions-core/druid-ranger-security/pom.xml | 45 ++++++++++++++---
 licenses.yaml | 48 ++-----------------
 2 files changed, 42 insertions(+), 51 deletions(-)
diff --git a/extensions-core/druid-ranger-security/pom.xml b/extensions-core/druid-ranger-security/pom.xml
index d30f1a2d2360..4e93872eb5a7 100644
--- a/extensions-core/druid-ranger-security/pom.xml
+++ b/extensions-core/druid-ranger-security/pom.xml
@@ -34,6 +34,21 @@ ../../pom.xml + + + + com.fasterxml.woodstox + woodstox-core + 6.4.0 + + + com.amazonaws + aws-java-sdk-bundle + ${aws.sdk.version} + + + + org.apache.druid
@@ -133,6 +148,18 @@ org.apache.hadoop hadoop-common + + org.elasticsearch + * + + + org.elasticsearch.client + * + + + org.elasticsearch.plugin + * +
@@ -144,15 +171,21 @@ org.apache.hadoop hadoop-common + + org.elasticsearch + * + + + org.elasticsearch.client + * + + + org.elasticsearch.plugin + * + compile - - com.google.code.gson - gson - ${apache.ranger.gson.version} - compile -
diff --git a/licenses.yaml b/licenses.yaml
index fc73348bbc0c..5155e5600534 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -4597,7 +4597,7 @@ libraries:
 name: com.amazonaws aws-java-sdk-bundle
 license_category: binary
-version: 1.12.125
+version: 1.12.497
 module: druid-ranger-security
 license_name: Apache License version 2.0
 libraries:
@@ -4676,17 +4676,7 @@ libraries:
 ---
-name: org.elasticsearch securesm
-license_category: binary
-version: 2.1.9
-module: druid-ranger-security
-license_name: Creative Commons CC0
-libraries:
- - org.hdrhistogram: HdrHistogram
-
----
-
-name: Apache Lucene
+name: Apache Lucene
 license_category: binary
 version: 8.4.0
 module: druid-ranger-security
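Review bot: The woodstox-core entry in the new block (presumably a dependencyManagement section; element names are stripped in this rendering) is pinned to a literal `6.4.0`, while the aws-java-sdk-bundle entry beside it takes `${aws.sdk.version}` from the parent, so a later parent-level Woodstox bump would be silently overridden for this extension and licenses.yaml would drift from what actually ships. Consider sourcing the Woodstox version from a root-pom property as well (name to be chosen if none exists), and add a comment above the block stating its purpose, e.g. `<!-- Managed here to override the older versions the Ranger plugins pull in transitively; see the CVE regressions named in the commit message. -->`. The commit message refers to CVE regressions without naming any advisory; listing the ids in the description would make these pins auditable at the next bump.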
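Review bot: The wildcard exclusions of org.elasticsearch, org.elasticsearch.client and org.elasticsearch.plugin added here (and the identical set in the @@ -133 hunk above) carry no comment, and nothing in the change records their functional effect: the Ranger audit framework presumably used the excluded REST client for its Elasticsearch audit destination, so a deployment configured with that destination would now fail at runtime with a missing class instead of being rejected at build time. Add a comment beside the exclusions, e.g. `<!-- Elasticsearch is pulled in only for Ranger's Elasticsearch audit destination, which this extension does not support; excluding it keeps those jars out of the distribution. -->`, and state in the extension documentation which audit destinations remain usable. Declaring the exclusion set once in dependencyManagement would also stop the two copies from diverging. The enclosing dependency element starts before the hunk, so the artifact the exclusions apply to is not visible here.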
@@ -4710,38 +4700,6 @@ libraries:
 ---
-name: org.elasticsearch securesm
-license_category: binary
-version: 1.2
-module: druid-ranger-security
-license_name: Apache License version 2.0
-libraries:
- - org.elasticsearch: securesm
-
----
-
-name: Elastic Search
-license_category: binary
-version: 7.10.2
-module: druid-ranger-security
-license_name: Apache License version 2.0
-libraries:
- - org.elasticsearch: elasticsearch
- - org.elasticsearch: elasticsearch-cli
- - org.elasticsearch: elasticsearch-core
- - org.elasticsearch: elasticsearch-geo
- - org.elasticsearch: elasticsearch-secure-sm
- - org.elasticsearch: elasticsearch-x-content
- - org.elasticsearch.client: elasticsearch-rest-client
- - org.elasticsearch.client: elasticsearch-rest-high-level-client
- - org.elasticsearch.plugin: aggs-matrix-stats-client
- - org.elasticsearch.plugin: lang-mustache-client
- - org.elasticsearch.plugin: mapper-extras-client
- - org.elasticsearch.plugin: parent-join-client
- - org.elasticsearch.plugin: rank-eval-client
-
----
-
 name: org.apache.httpcomponents httpcore-nio
 license_category: binary
 version: 4.4.6
@@ -4780,7 +4738,7 @@ libraries:
 name: Woodstox
 license_category: binary
-version: 6.2.4
+version: 6.4.0
 module: druid-ranger-security
 license_name: Apache License version 2.0
 libraries:
From 8444038286075b26d951a279a14983db2c90f160 Mon Sep 17 00:00:00 2001
From: Jan Werner
Date: Tue, 28 Nov 2023 16:29:36 -0500
Subject: [PATCH 2/3] add explicit version of gson, update licenses
---
 extensions-core/druid-ranger-security/pom.xml | 7 +++++++
 licenses.yaml | 10 ++++++++++
 pom.xml | 2 +-
 3 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/extensions-core/druid-ranger-security/pom.xml b/extensions-core/druid-ranger-security/pom.xml
index 4e93872eb5a7..4b75eaa530d5 100644
--- a/extensions-core/druid-ranger-security/pom.xml
+++ b/extensions-core/druid-ranger-security/pom.xml
@@ -187,6 +187,13 @@ compile + + com.google.code.gson + gson + compile + ${gson.version} + + junit
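Review bot: Other druid-ranger-security records that existed only as Elasticsearch transitives look stale once the Elastic Search and securesm entries go — the Apache Lucene 8.4.0 entry kept in the @@ -4676 hunk and possibly the httpcore-nio 4.4.6 entry that follows here — unless some other dependency of the extension still resolves them. Regenerate this module's section of licenses.yaml from the resolved dependency tree rather than editing by hand; a registry that lists jars no longer bundled (or omits ones that are) misleads the next CVE triage. The trailing context of this hunk appears truncated in this rendering, so the lines after httpcore-nio cannot be checked.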
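Review bot: The re-added gson dependency lists its `compile` scope before `${gson.version}`, the reverse of the block removed in the first patch and of the other entries in this pom; keep group, artifact, version, scope order so the entry reads like its neighbours. A one-line comment would also explain why a direct dependency is needed at all, e.g. `<!-- Declared directly so the version Ranger resolves transitively is replaced by ${gson.version}. -->`. Element names are stripped in this rendering, so the tag layout is inferred.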
diff --git a/licenses.yaml b/licenses.yaml
index 5155e5600534..0d39420ce2b7 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -4585,6 +4585,16 @@ libraries:
 ---
+name: gson
+license_category: binary
+module: extensions/protobuf-extensions
+license_name: Apache License version 2.0
+version: 2.10.1
+libraries:
+ - com.google.code.gson: gson
+
+---
+
 name: com.kstruct gethostname4j
 license_category: binary
 version: 1.0.0
diff --git a/pom.xml b/pom.xml
index 63d675d2f236..26addc7c8c8a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -78,7 +78,7 @@
 5.5.0
 3.6.0
 2.4.0
- 2.2.4
+ 2.10.1
 2.13.11
 1.23.0
 1.11.3
From 4ae8a5f797dbc84d8bbfded11b4464cc57cb2be4 Mon Sep 17 00:00:00 2001
From: Jan Werner
Date: Tue, 28 Nov 2023 16:31:22 -0500
Subject: [PATCH 3/3] fix license module
---
 licenses.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/licenses.yaml b/licenses.yaml
index 0d39420ce2b7..3e107b37b845 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -4587,7 +4587,7 @@ libraries:
 name: gson
 license_category: binary
-module: extensions/protobuf-extensions
+module: druid-ranger-security
 license_name: Apache License version 2.0
 version: 2.10.1
 libraries:
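Review bot: The new gson record puts `version` after `license_name`, whereas the neighbouring entries (com.kstruct gethostname4j just below, and the Woodstox and aws-java-sdk-bundle records touched in the first patch) place it directly after `license_category`; matching that order keeps the registry diff-friendly and lets a reader scan versions in one column. The `module` value is corrected by the third patch of this series and needs no further change.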
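Review bot: The root-pom property bumped from 2.2.4 to 2.10.1 here is shared by every module that references it (its element name is stripped in this rendering, but `${gson.version}` is what the extension pom now resolves), so the jump is not confined to druid-ranger-security as the commit message implies, while the new licenses.yaml record covers that one module only. Check which other modules resolve gson through this property and update their licenses.yaml records too, or keep the Ranger-specific property the first patch removed if only this extension is meant to move. A jump this large in a shared property deserves a sentence in the commit description naming the modules affected.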